npm - @openvtc/trust-tasks - Versions diffs - 0.1.0 → 0.2.1 - Mend

@openvtc/trust-tasks 0.1.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

package/dist/_framework/0.2/framework.d.ts +11 -0
package/dist/_framework/0.2/framework.d.ts.map +1 -0
package/dist/_framework/0.2/framework.js +6 -0
package/dist/_framework/0.2/framework.js.map +1 -0
package/dist/acl/grant/0.1/payload.d.ts +13 -0
package/dist/acl/grant/0.1/payload.d.ts.map +1 -1
package/dist/acl/grant/0.1/payload.js.map +1 -1
package/dist/auth/passkey/login/finish/0.2/payload.d.ts +42 -0
package/dist/auth/passkey/login/finish/0.2/payload.d.ts.map +1 -0
package/dist/auth/passkey/login/finish/0.2/payload.js +9 -0
package/dist/auth/passkey/login/finish/0.2/payload.js.map +1 -0
package/dist/auth/passkey/login/start/0.2/payload.d.ts +29 -0
package/dist/auth/passkey/login/start/0.2/payload.d.ts.map +1 -0
package/dist/auth/passkey/login/start/0.2/payload.js +9 -0
package/dist/auth/passkey/login/start/0.2/payload.js.map +1 -0
package/dist/auth/step-up/approve-request/0.1/payload.d.ts +28 -0
package/dist/auth/step-up/approve-request/0.1/payload.d.ts.map +1 -1
package/dist/auth/step-up/approve-request/0.1/payload.js.map +1 -1
package/dist/auth/step-up/approve-request/0.2/payload.d.ts +73 -0
package/dist/auth/step-up/approve-request/0.2/payload.d.ts.map +1 -0
package/dist/auth/step-up/approve-request/0.2/payload.js +9 -0
package/dist/auth/step-up/approve-request/0.2/payload.js.map +1 -0
package/dist/auth/step-up/approve-response/0.1/payload.d.ts +31 -0
package/dist/auth/step-up/approve-response/0.1/payload.d.ts.map +1 -1
package/dist/auth/step-up/approve-response/0.1/payload.js.map +1 -1
package/dist/auth/step-up/approve-response/0.2/payload.d.ts +76 -0
package/dist/auth/step-up/approve-response/0.2/payload.d.ts.map +1 -0
package/dist/auth/step-up/approve-response/0.2/payload.js +9 -0
package/dist/auth/step-up/approve-response/0.2/payload.js.map +1 -0
package/dist/auth/step-up/policy/0.1/payload.d.ts +43 -0
package/dist/auth/step-up/policy/0.1/payload.d.ts.map +1 -0
package/dist/auth/step-up/policy/0.1/payload.js +9 -0
package/dist/auth/step-up/policy/0.1/payload.js.map +1 -0
package/dist/auth/step-up/policy/0.2/payload.d.ts +43 -0
package/dist/auth/step-up/policy/0.2/payload.d.ts.map +1 -0
package/dist/auth/step-up/policy/0.2/payload.js +9 -0
package/dist/auth/step-up/policy/0.2/payload.js.map +1 -0
package/dist/device/_shared/0.2/device-binding.d.ts +11 -0
package/dist/device/_shared/0.2/device-binding.d.ts.map +1 -0
package/dist/device/_shared/0.2/device-binding.js +6 -0
package/dist/device/_shared/0.2/device-binding.js.map +1 -0
package/dist/device/heartbeat/0.2/payload.d.ts +29 -0
package/dist/device/heartbeat/0.2/payload.d.ts.map +1 -0
package/dist/device/heartbeat/0.2/payload.js +9 -0
package/dist/device/heartbeat/0.2/payload.js.map +1 -0
package/dist/device/list/0.2/payload.d.ts +37 -0
package/dist/device/list/0.2/payload.d.ts.map +1 -0
package/dist/device/list/0.2/payload.js +9 -0
package/dist/device/list/0.2/payload.js.map +1 -0
package/dist/device/register/0.1/payload.d.ts +18 -0
package/dist/device/register/0.1/payload.d.ts.map +1 -1
package/dist/device/register/0.1/payload.js.map +1 -1
package/dist/device/register/0.2/payload.d.ts +97 -0
package/dist/device/register/0.2/payload.d.ts.map +1 -0
package/dist/device/register/0.2/payload.js +9 -0
package/dist/device/register/0.2/payload.js.map +1 -0
package/dist/device/set-wake/0.1/payload.d.ts +43 -0
package/dist/device/set-wake/0.1/payload.d.ts.map +1 -0
package/dist/device/set-wake/0.1/payload.js +9 -0
package/dist/device/set-wake/0.1/payload.js.map +1 -0
package/dist/device/set-wake/0.2/payload.d.ts +43 -0
package/dist/device/set-wake/0.2/payload.d.ts.map +1 -0
package/dist/device/set-wake/0.2/payload.js +9 -0
package/dist/device/set-wake/0.2/payload.js.map +1 -0
package/dist/device/wipe/0.2/payload.d.ts +37 -0
package/dist/device/wipe/0.2/payload.d.ts.map +1 -0
package/dist/device/wipe/0.2/payload.js +9 -0
package/dist/device/wipe/0.2/payload.js.map +1 -0
package/dist/did-management/did/check-name/0.1/payload.d.ts +5 -2
package/dist/did-management/did/check-name/0.1/payload.d.ts.map +1 -1
package/dist/did-management/did/check-name/0.1/payload.js.map +1 -1
package/dist/index.d.ts +63 -17
package/dist/index.d.ts.map +1 -1
package/dist/index.js +63 -17
package/dist/index.js.map +1 -1
package/dist/policy/_shared/0.2/policy.d.ts +11 -0
package/dist/policy/_shared/0.2/policy.d.ts.map +1 -0
package/dist/policy/_shared/0.2/policy.js +6 -0
package/dist/policy/_shared/0.2/policy.js.map +1 -0
package/dist/policy/evaluate/0.2/payload.d.ts +99 -0
package/dist/policy/evaluate/0.2/payload.d.ts.map +1 -0
package/dist/policy/evaluate/0.2/payload.js +9 -0
package/dist/policy/evaluate/0.2/payload.js.map +1 -0
package/dist/policy/list/0.2/payload.d.ts +22 -0
package/dist/policy/list/0.2/payload.d.ts.map +1 -0
package/dist/policy/list/0.2/payload.js +9 -0
package/dist/policy/list/0.2/payload.js.map +1 -0
package/dist/policy/upsert/0.2/payload.d.ts +29 -0
package/dist/policy/upsert/0.2/payload.d.ts.map +1 -0
package/dist/policy/upsert/0.2/payload.js +9 -0
package/dist/policy/upsert/0.2/payload.js.map +1 -0
package/dist/provision/integration/0.2/payload.d.ts +178 -0
package/dist/provision/integration/0.2/payload.d.ts.map +1 -0
package/dist/provision/integration/0.2/payload.js +9 -0
package/dist/provision/integration/0.2/payload.js.map +1 -0
package/dist/push/provision/0.1/payload.d.ts +35 -0
package/dist/push/provision/0.1/payload.d.ts.map +1 -0
package/dist/push/provision/0.1/payload.js +9 -0
package/dist/push/provision/0.1/payload.js.map +1 -0
package/dist/push/provision/0.2/payload.d.ts +35 -0
package/dist/push/provision/0.2/payload.d.ts.map +1 -0
package/dist/push/provision/0.2/payload.js +9 -0
package/dist/push/provision/0.2/payload.js.map +1 -0
package/dist/push/register/0.1/payload.d.ts +72 -0
package/dist/push/register/0.1/payload.d.ts.map +1 -0
package/dist/push/register/0.1/payload.js +9 -0
package/dist/push/register/0.1/payload.js.map +1 -0
package/dist/push/register/0.2/payload.d.ts +72 -0
package/dist/push/register/0.2/payload.d.ts.map +1 -0
package/dist/push/register/0.2/payload.js +9 -0
package/dist/push/register/0.2/payload.js.map +1 -0
package/dist/push/wake/0.1/payload.d.ts +41 -0
package/dist/push/wake/0.1/payload.d.ts.map +1 -0
package/dist/push/wake/0.1/payload.js +9 -0
package/dist/push/wake/0.1/payload.js.map +1 -0
package/dist/push/wake/0.2/payload.d.ts +41 -0
package/dist/push/wake/0.2/payload.d.ts.map +1 -0
package/dist/push/wake/0.2/payload.js +9 -0
package/dist/push/wake/0.2/payload.js.map +1 -0
package/dist/sync/_shared/0.2/sync-event.d.ts +11 -0
package/dist/sync/_shared/0.2/sync-event.d.ts.map +1 -0
package/dist/sync/_shared/0.2/sync-event.js +6 -0
package/dist/sync/_shared/0.2/sync-event.js.map +1 -0
package/dist/sync/event/0.2/payload.d.ts +208 -0
package/dist/sync/event/0.2/payload.d.ts.map +1 -0
package/dist/sync/event/0.2/payload.js +9 -0
package/dist/sync/event/0.2/payload.js.map +1 -0
package/dist/trust-task-error/0.2/payload.d.ts +36 -0
package/dist/trust-task-error/0.2/payload.d.ts.map +1 -0
package/dist/trust-task-error/0.2/payload.js +9 -0
package/dist/trust-task-error/0.2/payload.js.map +1 -0
package/dist/vault/_shared/0.2/consumer-context.d.ts +11 -0
package/dist/vault/_shared/0.2/consumer-context.d.ts.map +1 -0
package/dist/vault/_shared/0.2/consumer-context.js +6 -0
package/dist/vault/_shared/0.2/consumer-context.js.map +1 -0
package/dist/vault/_shared/0.2/sealed-envelope.d.ts +15 -0
package/dist/vault/_shared/0.2/sealed-envelope.d.ts.map +1 -0
package/dist/vault/_shared/0.2/sealed-envelope.js +6 -0
package/dist/vault/_shared/0.2/sealed-envelope.js.map +1 -0
package/dist/vault/_shared/0.2/session-blob.d.ts +13 -0
package/dist/vault/_shared/0.2/session-blob.d.ts.map +1 -0
package/dist/vault/_shared/0.2/session-blob.js +6 -0
package/dist/vault/_shared/0.2/session-blob.js.map +1 -0
package/dist/vault/_shared/0.2/vault-entry.d.ts +13 -0
package/dist/vault/_shared/0.2/vault-entry.d.ts.map +1 -0
package/dist/vault/_shared/0.2/vault-entry.js +6 -0
package/dist/vault/_shared/0.2/vault-entry.js.map +1 -0
package/dist/vault/_shared/0.2/vault-secret.d.ts +15 -0
package/dist/vault/_shared/0.2/vault-secret.d.ts.map +1 -0
package/dist/vault/_shared/0.2/vault-secret.js +6 -0
package/dist/vault/_shared/0.2/vault-secret.js.map +1 -0
package/dist/vault/get/0.2/payload.d.ts +25 -0
package/dist/vault/get/0.2/payload.d.ts.map +1 -0
package/dist/vault/get/0.2/payload.js +9 -0
package/dist/vault/get/0.2/payload.js.map +1 -0
package/dist/vault/list/0.2/payload.d.ts +74 -0
package/dist/vault/list/0.2/payload.d.ts.map +1 -0
package/dist/vault/list/0.2/payload.js +9 -0
package/dist/vault/list/0.2/payload.js.map +1 -0
package/dist/vault/proxy-login/0.2/payload.d.ts +109 -0
package/dist/vault/proxy-login/0.2/payload.d.ts.map +1 -0
package/dist/vault/proxy-login/0.2/payload.js +9 -0
package/dist/vault/proxy-login/0.2/payload.js.map +1 -0
package/dist/vault/release/0.2/payload.d.ts +102 -0
package/dist/vault/release/0.2/payload.d.ts.map +1 -0
package/dist/vault/release/0.2/payload.js +9 -0
package/dist/vault/release/0.2/payload.js.map +1 -0
package/dist/vault/sign-trust-task/0.2/payload.d.ts +99 -0
package/dist/vault/sign-trust-task/0.2/payload.d.ts.map +1 -0
package/dist/vault/sign-trust-task/0.2/payload.js +9 -0
package/dist/vault/sign-trust-task/0.2/payload.js.map +1 -0
package/dist/vault/sync/0.2/payload.d.ts +33 -0
package/dist/vault/sync/0.2/payload.d.ts.map +1 -0
package/dist/vault/sync/0.2/payload.js +9 -0
package/dist/vault/sync/0.2/payload.js.map +1 -0
package/dist/vault/upsert/0.2/payload.d.ts +150 -0
package/dist/vault/upsert/0.2/payload.d.ts.map +1 -0
package/dist/vault/upsert/0.2/payload.js +9 -0
package/dist/vault/upsert/0.2/payload.js.map +1 -0
package/dist/vault/usage/0.2/payload.d.ts +38 -0
package/dist/vault/usage/0.2/payload.d.ts.map +1 -0
package/dist/vault/usage/0.2/payload.js +9 -0
package/dist/vault/usage/0.2/payload.js.map +1 -0
package/dist/vta/_shared/0.1/passkey-vm.d.ts +11 -0
package/dist/vta/_shared/0.1/passkey-vm.d.ts.map +1 -0
package/dist/vta/_shared/0.1/passkey-vm.js +6 -0
package/dist/vta/_shared/0.1/passkey-vm.js.map +1 -0
package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.d.ts +29 -0
package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.d.ts.map +1 -0
package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.js +9 -0
package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.js.map +1 -0
package/dist/vta/passkey-vms/enroll-submit/0.1/payload.d.ts +61 -0
package/dist/vta/passkey-vms/enroll-submit/0.1/payload.d.ts.map +1 -0
package/dist/vta/passkey-vms/enroll-submit/0.1/payload.js +9 -0
package/dist/vta/passkey-vms/enroll-submit/0.1/payload.js.map +1 -0
package/dist/vta/passkey-vms/list/0.1/payload.d.ts +25 -0
package/dist/vta/passkey-vms/list/0.1/payload.d.ts.map +1 -0
package/dist/vta/passkey-vms/list/0.1/payload.js +9 -0
package/dist/vta/passkey-vms/list/0.1/payload.js.map +1 -0
package/dist/vta/passkey-vms/revoke/0.1/payload.d.ts +29 -0
package/dist/vta/passkey-vms/revoke/0.1/payload.d.ts.map +1 -0
package/dist/vta/passkey-vms/revoke/0.1/payload.js +9 -0
package/dist/vta/passkey-vms/revoke/0.1/payload.js.map +1 -0
package/package.json +2 -2
package/src/_framework/0.2/framework.ts +11 -0
package/src/acl/grant/0.1/payload.ts +13 -0
package/src/auth/passkey/login/finish/0.2/payload.ts +44 -0
package/src/auth/passkey/login/start/0.2/payload.ts +31 -0
package/src/auth/step-up/approve-request/0.1/payload.ts +28 -0
package/src/auth/step-up/approve-request/0.2/payload.ts +75 -0
package/src/auth/step-up/approve-response/0.1/payload.ts +32 -0
package/src/auth/step-up/approve-response/0.2/payload.ts +79 -0
package/src/auth/step-up/policy/0.1/payload.ts +45 -0
package/src/auth/step-up/policy/0.2/payload.ts +45 -0
package/src/device/_shared/0.2/device-binding.ts +11 -0
package/src/device/heartbeat/0.2/payload.ts +31 -0
package/src/device/list/0.2/payload.ts +48 -0
package/src/device/register/0.1/payload.ts +18 -0
package/src/device/register/0.2/payload.ts +106 -0
package/src/device/set-wake/0.1/payload.ts +45 -0
package/src/device/set-wake/0.2/payload.ts +45 -0
package/src/device/wipe/0.2/payload.ts +39 -0
package/src/did-management/did/check-name/0.1/payload.ts +5 -2
package/src/index.ts +63 -17
package/src/policy/_shared/0.2/policy.ts +11 -0
package/src/policy/evaluate/0.2/payload.ts +102 -0
package/src/policy/list/0.2/payload.ts +24 -0
package/src/policy/upsert/0.2/payload.ts +31 -0
package/src/provision/integration/0.2/payload.ts +181 -0
package/src/push/provision/0.1/payload.ts +37 -0
package/src/push/provision/0.2/payload.ts +37 -0
package/src/push/register/0.1/payload.ts +75 -0
package/src/push/register/0.2/payload.ts +75 -0
package/src/push/wake/0.1/payload.ts +43 -0
package/src/push/wake/0.2/payload.ts +43 -0
package/src/sync/_shared/0.2/sync-event.ts +11 -0
package/src/sync/event/0.2/payload.ts +219 -0
package/src/trust-task-error/0.2/payload.ts +55 -0
package/src/vault/_shared/0.2/consumer-context.ts +11 -0
package/src/vault/_shared/0.2/sealed-envelope.ts +15 -0
package/src/vault/_shared/0.2/session-blob.ts +13 -0
package/src/vault/_shared/0.2/vault-entry.ts +13 -0
package/src/vault/_shared/0.2/vault-secret.ts +15 -0
package/src/vault/get/0.2/payload.ts +27 -0
package/src/vault/list/0.2/payload.ts +85 -0
package/src/vault/proxy-login/0.2/payload.ts +112 -0
package/src/vault/release/0.2/payload.ts +105 -0
package/src/vault/sign-trust-task/0.2/payload.ts +101 -0
package/src/vault/sync/0.2/payload.ts +35 -0
package/src/vault/upsert/0.2/payload.ts +161 -0
package/src/vault/usage/0.2/payload.ts +40 -0
package/src/vta/_shared/0.1/passkey-vm.ts +11 -0
package/src/vta/passkey-vms/enroll-challenge/0.1/payload.ts +31 -0
package/src/vta/passkey-vms/enroll-submit/0.1/payload.ts +63 -0
package/src/vta/passkey-vms/list/0.1/payload.ts +27 -0
package/src/vta/passkey-vms/revoke/0.1/payload.ts +31 -0

package/dist/vault/usage/0.2/payload.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/usage/0.2/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vault/usage/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vault/usage/0.2#response";
+//# sourceMappingURL=payload.js.map

package/dist/vault/usage/0.2/payload.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../src/vault/usage/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAgCH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,6CAAsD,CAAC;AAE/E,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,sDAA+D,CAAC"}

package/dist/vta/_shared/0.1/passkey-vm.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/_shared/0.1/passkey-vm.schema.json
+ */
+/**
+ * A WebAuthn passkey published as a Multikey verificationMethod (purpose `authentication`) on a VTA-managed DID. Any verifier that resolves the DID can validate a WebAuthn assertion against the embedded public key — no callback to the VTA and no shared secret. Returned by vta/passkey-vms/enroll-submit (the single VM just created) and vta/passkey-vms/list (every VM on the DID). The shape mirrors the wallet-side `@pnm/core` PasskeyVerificationMethod and the VTA-side `vta_sdk::protocols::did_management::passkey_vms::PasskeyVerificationMethod`.
+ */
+export interface PasskeyVerificationMethodSharedDefinitionForTheVtaPasskeyVmsSpecFamily {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=passkey-vm.d.ts.map

package/dist/vta/_shared/0.1/passkey-vm.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"passkey-vm.d.ts","sourceRoot":"","sources":["../../../../src/vta/_shared/0.1/passkey-vm.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,sEAAsE;IACrF,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vta/_shared/0.1/passkey-vm.js ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/_shared/0.1/passkey-vm.schema.json
+ */
+export {};
+//# sourceMappingURL=passkey-vm.js.map

package/dist/vta/_shared/0.1/passkey-vm.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"passkey-vm.js","sourceRoot":"","sources":["../../../../src/vta/_shared/0.1/passkey-vm.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/enroll-challenge/0.1/payload.schema.json
+ */
+/**
+ * Request a fresh WebAuthn registration challenge for adding a passkey verificationMethod to a VTA-managed DID. Step 1 of the two-step enrolment ceremony (challenge → submit). The producer must hold the admin role on the target DID's context.
+ */
+export interface VTAPasskeyVMEnrollChallengePayload {
+    /**
+     * The DID the new passkey verificationMethod will be added to. The producer MUST hold the admin role on this DID's context.
+     */
+    did: string;
+    /**
+     * Optional operator-supplied label for the new passkey (e.g. "MacBook Touch ID"). Carried through to the WebAuthn user name and, if the ceremony completes, to the published verificationMethod.
+     */
+    label?: string;
+    ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/enroll-challenge/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/enroll-challenge/0.1#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/enroll-challenge/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,kEAA2E,CAAC;AAEpG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,2EAAoF,CAAC"}

package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/enroll-challenge/0.1/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/enroll-challenge/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/enroll-challenge/0.1#response";
+//# sourceMappingURL=payload.js.map

package/dist/vta/passkey-vms/enroll-challenge/0.1/payload.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/enroll-challenge/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuBH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,kEAA2E,CAAC;AAEpG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,2EAAoF,CAAC"}

package/dist/vta/passkey-vms/enroll-submit/0.1/payload.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/enroll-submit/0.1/payload.schema.json
+ */
+/**
+ * Finalise passkey enrolment by submitting the WebAuthn registration result for a ceremony opened by vta/passkey-vms/enroll-challenge. The VTA re-derives the Multikey from attestationObject.authData and rejects on mismatch with the browser-claimed publicKeyMultibase — the browser's value is NOT trusted as authoritative. On success the VTA appends the verificationMethod to the DID document via a WebVH log entry. All byte-valued fields are base64url-encoded (no padding).
+ */
+export interface VTAPasskeyVMEnrollSubmitPayload {
+    /**
+     * The DID the new verificationMethod is to be added to. MUST match the DID bound to `ceremonyId` at challenge time — a mismatch is rejected as a cross-DID replay.
+     */
+    did: string;
+    /**
+     * The `ceremonyId` returned by vta/passkey-vms/enroll-challenge. Single-use; consumed by this submission.
+     */
+    ceremonyId: string;
+    /**
+     * WebAuthn `credential.id` (base64url, no padding). The published verificationMethod `id` fragment is derived as `passkey-<base64url(sha256(credentialId))>`.
+     */
+    credentialId: string;
+    /**
+     * Browser-computed W3C Multikey for the credential public key. ADVISORY: the VTA re-derives the Multikey from `attestationObject.authData` and rejects this submission if the values differ (anti-tamper gate). The re-derived key — not this one — is what gets published.
+     */
+    publicKeyMultibase: string;
+    /**
+     * COSE algorithm identifier of the credential key (e.g. -7 for ES256, -8 for EdDSA). Must be an algorithm the VTA can convert to a Multikey.
+     */
+    coseAlgorithm: number;
+    /**
+     * Raw WebAuthn `attestationObject` — base64url-encoded CBOR. The VTA parses `authData` from this to re-derive the authoritative public key.
+     */
+    attestationObject: string;
+    /**
+     * Raw WebAuthn `clientDataJSON` (base64url, no padding). Bound to the ceremony `challenge` during WebAuthn verification.
+     */
+    clientDataJson: string;
+    /**
+     * Raw WebAuthn `authenticatorData` (base64url, no padding).
+     */
+    authenticatorData: string;
+    /**
+     * Transport hints reported by the authenticator (e.g. `internal`, `hybrid`). Advisory; carried through to the published verificationMethod's `webauthnTransports`.
+     */
+    transports?: string[];
+    /**
+     * Optional operator-supplied label (e.g. "MacBook Touch ID"), carried through to the published verificationMethod.
+     */
+    label?: string;
+    ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/enroll-submit/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/enroll-submit/0.1#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vta/passkey-vms/enroll-submit/0.1/payload.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/enroll-submit/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,+BAA+B;IAC9C;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;OAEG;IACH,cAAc,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,wEAAiF,CAAC"}

package/dist/vta/passkey-vms/enroll-submit/0.1/payload.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/enroll-submit/0.1/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/enroll-submit/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/enroll-submit/0.1#response";
+//# sourceMappingURL=payload.js.map

package/dist/vta/passkey-vms/enroll-submit/0.1/payload.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/enroll-submit/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuDH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,wEAAiF,CAAC"}

package/dist/vta/passkey-vms/list/0.1/payload.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/list/0.1/payload.schema.json
+ */
+/**
+ * List every passkey verificationMethod currently published on a VTA-managed DID. Admin-gated read. The returned entries are the same Multikey verificationMethods that appear in the DID document.
+ */
+export interface VTAPasskeyVMListPayload {
+    /**
+     * The DID whose passkey verificationMethods to enumerate. The producer MUST hold the admin role on this DID's context.
+     */
+    did: string;
+    ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/list/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/list/0.1#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vta/passkey-vms/list/0.1/payload.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/list/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,sDAA+D,CAAC;AAExF,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,+DAAwE,CAAC"}

package/dist/vta/passkey-vms/list/0.1/payload.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/list/0.1/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/list/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/list/0.1#response";
+//# sourceMappingURL=payload.js.map

package/dist/vta/passkey-vms/list/0.1/payload.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/list/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAmBH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,sDAA+D,CAAC;AAExF,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,+DAAwE,CAAC"}

package/dist/vta/passkey-vms/revoke/0.1/payload.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/revoke/0.1/payload.schema.json
+ */
+/**
+ * Remove a passkey verificationMethod from a VTA-managed DID document via a WebVH log entry. Admin-gated. The VM is identified by its URL fragment (everything after `#` in the verificationMethod id). The success response is an empty object — modelled as an object so future additive fields do not bump the version.
+ */
+export interface VTAPasskeyVMRevokePayload {
+    /**
+     * The DID the verificationMethod lives on. The producer MUST hold the admin role on this DID's context.
+     */
+    did: string;
+    /**
+     * The verificationMethod URL fragment — everything after `#` in the VM id (e.g. `passkey-3q2r1s0tUvWxYz`). MUST NOT include the leading `#`.
+     */
+    fragment: string;
+    ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/revoke/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vta/passkey-vms/revoke/0.1#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vta/passkey-vms/revoke/0.1/payload.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/revoke/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,wDAAiE,CAAC;AAE1F,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,iEAA0E,CAAC"}

package/dist/vta/passkey-vms/revoke/0.1/payload.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vta/passkey-vms/revoke/0.1/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/revoke/0.1";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vta/passkey-vms/revoke/0.1#response";
+//# sourceMappingURL=payload.js.map

package/dist/vta/passkey-vms/revoke/0.1/payload.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/vta/passkey-vms/revoke/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuBH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,wDAAiE,CAAC;AAE1F,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,iEAA0E,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openvtc/trust-tasks",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "Generated TypeScript bindings for the Trust Tasks framework registry.",
   "type": "module",
   "main": "./dist/index.js",
@@ -25,7 +25,7 @@
     "clean": "rm -rf dist"
   },
   "devDependencies": {
-    "typescript": "^5.6.0"
+    "typescript": "^6.0.0"
   },
   "license": "Apache-2.0",
   "repository": {

package/src/_framework/0.2/framework.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/_framework/0.2/framework.schema.json
+ */
+/**
+ * Reusable $defs cross-referenced by individual Trust Task specifications. Not itself a Trust Task specification — the `_framework` directory is skipped by the registry build (folders starting with `_` are not discovered) and by the codegen (which only triggers on payload.schema.json). See SPEC.md §4.5.1 for the normative description of `ext`.
+ */
+export interface TrustTasksFrameworkReusableJSONSchemaDefinitions {
+  [k: string]: unknown | undefined;
+}

package/src/acl/grant/0.1/payload.ts CHANGED Viewed

@@ -45,6 +45,19 @@ export interface AclEntry {
    * Optional time after which the entry is no longer effective.
    */
   expiresAt?: string;
+  /**
+   * Per-entry authentication step-up configuration, consumed by the ACL maintainer when it gates an operation behind a step-up (see auth/step-up/policy/0.1). ADDITIVE-ONLY: a per-entry setting MAY raise the assurance required of this subject above the maintainer's system-wide floor, but MUST NOT lower it. The maintainer resolves the effective requirement as the strictest of (system floor, this entry).
+   */
+  stepUp?: {
+    /**
+     * VID authorized to ratify step-up for this subject — the `recipient` the maintainer addresses an auth/step-up/approve-request to (e.g. the holder's mobile authenticator or browser companion). Absent → the subject is its own approver (mode `self`) when it holds a usable authenticator; if neither an `approver` nor a self authenticator exists, no step-up method is available for this subject and the maintainer's fail-closed rule applies.
+     */
+    approver?: string;
+    /**
+     * Minimum step-up mode this subject MUST satisfy for gated operations, raising the system floor. `self` = the subject re-authenticates its own session; `delegated` = a separate `approver` MUST ratify. Omitted → the system floor applies unchanged. A value weaker than the resolved floor is ignored (additive-only).
+     */
+    require?: "self" | "delegated";
+  };
   ext?: Ext;
 }
 /**

package/src/auth/passkey/login/finish/0.2/payload.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/passkey/login/finish/0.2/payload.schema.json
+ */
+/**
+ * Submit the WebAuthn assertion that completes a passkey login or step-up ceremony. On success the auth service issues a session (login) or elevates an existing session's acr (step-up).
+ */
+export interface AuthPasskeyLoginFinish {
+  /**
+   * The authId issued by the matching login/start response. Echoed verbatim.
+   */
+  authId: string;
+  credential: AuthenticatorAssertionResponseLogin;
+  ext?: Ext;
+}
+/**
+ * AuthenticatorAssertionResponse as returned by `navigator.credentials.get`. Binary fields base64url-encoded.
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/finish/0.2" as const;
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/finish/0.2#response" as const;

package/src/auth/passkey/login/start/0.2/payload.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/passkey/login/start/0.2/payload.schema.json
+ */
+/**
+ * Ask the auth service to begin a WebAuthn authentication ceremony. The response carries PublicKeyCredentialRequestOptions for `navigator.credentials.get`.
+ */
+export interface AuthPasskeyLoginStart {
+  /**
+   * The VID the producer intends to authenticate as. Optional — omit for usernameless / discoverable-credential flows where any registered passkey may answer.
+   */
+  subject?: string;
+  /**
+   * Producer-declared intent. `login` issues a new session; `stepUp` elevates an existing session's `acr`. The consumer's behaviour on the matching finish differs accordingly.
+   */
+  purpose?: "login" | "stepUp";
+  ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/start/0.2" as const;
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/start/0.2#response" as const;

package/src/auth/step-up/approve-request/0.1/payload.ts CHANGED Viewed

@@ -27,12 +27,40 @@ export interface AuthStepUpApproveRequest {
    * The acr the relying party expects on the elevated session. Approvers MAY refuse if they cannot deliver this level.
    */
   targetAcr?: string;
+  /**
+   * Which approve-response evidence kinds the relying party will accept (see auth/step-up/approve-response `evidence`). When omitted, the approver MAY use any kind it supports. An approver that cannot satisfy any listed kind SHOULD refuse with `method_unsupported`.
+   *
+   * @minItems 1
+   */
+  acceptableEvidence?: ["did-signed" | "webauthn", ...("did-signed" | "webauthn")[]];
+  webauthn?: PublicKeyCredentialRequestOptions;
   /**
    * Seconds within which the relying party expects the approve-response. Approvers SHOULD treat as advisory — the relying party's own expiry policy is authoritative.
    */
   ttl?: number;
   ext?: Ext;
 }
+/**
+ * Optional WebAuthn `PublicKeyCredentialRequestOptions` the approver passes to the platform passkey API when producing `webauthn` evidence. When present, its `challenge` MUST equal `payload.challenge` so the resulting assertion binds the same nonce the relying party bound server-side. `rpId`/`allowCredentials` identify which credential the approver should assert with.
+ */
+export interface PublicKeyCredentialRequestOptions {
+  /**
+   * base64url-encoded one-time nonce.
+   */
+  challenge: string;
+  timeout?: number;
+  rpId?: string;
+  allowCredentials?: PublicKeyCredentialDescriptor[];
+  userVerification?: "discouraged" | "preferred" | "required";
+}
+export interface PublicKeyCredentialDescriptor {
+  type: "public-key";
+  /**
+   * base64url-encoded credential id.
+   */
+  id: string;
+  transports?: ("usb" | "nfc" | "ble" | "internal" | "hybrid")[];
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/auth/step-up/approve-request/0.2/payload.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/approve-request/0.2/payload.schema.json
+ */
+/**
+ * A relying party asks an approver (typically a wallet or a VTA) to ratify an AAL elevation for a subject's session.
+ */
+export interface AuthStepUpApproveRequest {
+  /**
+   * The VID whose session is being elevated. The approver MUST verify this is a VID it can speak for.
+   */
+  subject: string;
+  /**
+   * The session the relying party wants elevated. Opaque to the approver.
+   */
+  sessionId: string;
+  /**
+   * base64url-encoded nonce the approver will include in the approve-response signature. ≥128 bits entropy.
+   */
+  challenge: string;
+  /**
+   * Human-readable explanation of WHY the relying party is asking (e.g. "confirm transfer of 1000 USD to bob.example"). Surfaced to the user by the approver for consent. SHOULD be specific enough that a user can refuse intelligently.
+   */
+  reason: string;
+  /**
+   * The acr the relying party expects on the elevated session. Approvers MAY refuse if they cannot deliver this level.
+   */
+  targetAcr?: string;
+  /**
+   * Which approve-response evidence kinds the relying party will accept (see auth/step-up/approve-response `evidence`). When omitted, the approver MAY use any kind it supports. An approver that cannot satisfy any listed kind SHOULD refuse with `method_unsupported`.
+   *
+   * @minItems 1
+   */
+  acceptableEvidence?: ["didSigned" | "webauthn", ...("didSigned" | "webauthn")[]];
+  webauthn?: PublicKeyCredentialRequestOptions;
+  /**
+   * Seconds within which the relying party expects the approve-response. Approvers SHOULD treat as advisory — the relying party's own expiry policy is authoritative.
+   */
+  ttl?: number;
+  ext?: Ext;
+}
+/**
+ * Optional WebAuthn `PublicKeyCredentialRequestOptions` the approver passes to the platform passkey API when producing `webauthn` evidence. When present, its `challenge` MUST equal `payload.challenge` so the resulting assertion binds the same nonce the relying party bound server-side. `rpId`/`allowCredentials` identify which credential the approver should assert with.
+ */
+export interface PublicKeyCredentialRequestOptions {
+  /**
+   * base64url-encoded one-time nonce.
+   */
+  challenge: string;
+  timeout?: number;
+  rpId?: string;
+  allowCredentials?: PublicKeyCredentialDescriptor[];
+  userVerification?: "discouraged" | "preferred" | "required";
+}
+export interface PublicKeyCredentialDescriptor {
+  type: "public-key";
+  /**
+   * base64url-encoded credential id.
+   */
+  id: string;
+  transports?: ("usb" | "nfc" | "ble" | "internal" | "hybrid")[];
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-request/0.2" as const;
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-request/0.2#response" as const;

package/src/auth/step-up/approve-response/0.1/payload.ts CHANGED Viewed

@@ -3,6 +3,11 @@
  * Source: specs/auth/step-up/approve-response/0.1/payload.schema.json
  */
+/**
+ * How the approver demonstrated the factor backing this elevation. A tagged union on `kind`. When `evidence` is absent the elevation is gated solely by the document's framework `proof` (equivalent to `kind: did-signed`). When `kind: webauthn` is supplied, the carried WebAuthn assertion over `challenge` is the gate and the framework `proof` MAY be omitted.
+ */
+export type StepUpEvidence = DidSigned | WebAuthn;
 /**
  * The approver's signed ratification of a step-up: subject + sessionId + challenge are echoed inside a proof-bearing document so the relying party can elevate the session.
  */
@@ -31,8 +36,35 @@ export interface AuthStepUpApproveResponse {
    * The acr the approver believes it has cryptographically demonstrated. The relying party MAY accept this, MAY upgrade to a lower value, but MUST NOT exceed it.
    */
   grantedAcr?: string;
+  evidence?: StepUpEvidence;
   ext?: Ext;
 }
+/**
+ * The elevation is gated by the document's framework `proof` — a Data Integrity signature from a key the subject controls (SPEC §4.7). This is the default when `evidence` is omitted. `amr` reflects "vta"/"did".
+ */
+export interface DidSigned {
+  kind: "did-signed";
+}
+export interface WebAuthn {
+  kind: "webauthn";
+  assertion: AuthenticatorAssertionResponseLogin;
+}
+/**
+ * The unmodified AuthenticatorAssertionResponse from the platform WebAuthn API (`navigator.credentials.get` / ASAuthorization / Credential Manager). Its `clientDataJSON` challenge MUST equal the step-up `challenge`. The relying party verifies it per WebAuthn Level 2 §7.2 exactly as auth/passkey/login/finish does; the assertion is the gate and `amr` reflects "passkey".
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/auth/step-up/approve-response/0.2/payload.ts ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/approve-response/0.2/payload.schema.json
+ */
+/**
+ * How the approver demonstrated the factor backing this elevation. A tagged union on `kind`. When `evidence` is absent the elevation is gated solely by the document's framework `proof` (equivalent to `kind: did-signed`). When `kind: webauthn` is supplied, the carried WebAuthn assertion over `challenge` is the gate and the framework `proof` MAY be omitted.
+ */
+export type StepUpEvidence = DidSigned | WebAuthn;
+/**
+ * The approver's signed ratification of a step-up: subject + sessionId + challenge are echoed inside a proof-bearing document so the relying party can elevate the session.
+ */
+export interface AuthStepUpApproveResponse {
+  /**
+   * Echoed from the matching approve-request. The relying party verifies it equals the session's subject.
+   */
+  subject: string;
+  /**
+   * Echoed from the matching approve-request. The relying party uses it to locate the session to elevate.
+   */
+  sessionId: string;
+  /**
+   * Echoed from the matching approve-request. The relying party verifies it equals the bound challenge.
+   */
+  challenge: string;
+  /**
+   * `approved` elevates the session per the relying party's policy. `denied` is a signed refusal — useful for audit even though it elevates nothing.
+   */
+  decision: "approved" | "denied";
+  /**
+   * Required when decision is `denied`. Human-readable rationale the user provided (or which the approver inferred).
+   */
+  deniedReason?: string;
+  /**
+   * The acr the approver believes it has cryptographically demonstrated. The relying party MAY accept this, MAY upgrade to a lower value, but MUST NOT exceed it.
+   */
+  grantedAcr?: string;
+  evidence?: StepUpEvidence;
+  ext?: Ext;
+}
+/**
+ * The elevation is gated by the document's framework `proof` — a Data Integrity signature from a key the subject controls (SPEC §4.7). This is the default when `evidence` is omitted. `amr` reflects "vta"/"did".
+ */
+export interface DidSigned {
+  kind: "didSigned";
+}
+export interface WebAuthn {
+  kind: "webauthn";
+  assertion: AuthenticatorAssertionResponseLogin;
+}
+/**
+ * The unmodified AuthenticatorAssertionResponse from the platform WebAuthn API (`navigator.credentials.get` / ASAuthorization / Credential Manager). Its `clientDataJSON` challenge MUST equal the step-up `challenge`. The relying party verifies it per WebAuthn Level 2 §7.2 exactly as auth/passkey/login/finish does; the assertion is the gate and `amr` reflects "passkey".
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-response/0.2" as const;
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-response/0.2#response" as const;