@openvtc/trust-tasks 0.1.0 → 0.2.1

package/src/auth/step-up/policy/0.1/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/policy/0.1/payload.schema.json
+ */
+
+/**
+ * The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).
+ */
+export interface AuthStepUpPolicyPayload {
+  /**
+   * Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.
+   */
+  enabled: boolean;
+  /**
+   * The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).
+   */
+  floors: StepUpFloor[];
+  ext?: Ext;
+}
+export interface StepUpFloor {
+  /**
+   * The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.
+   */
+  operation: string;
+  /**
+   * Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
+   */
+  mode: "none" | "self" | "delegated" | "delegated-any";
+  /**
+   * Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.
+   */
+  allowAal1IfNonEscalating?: boolean;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.1" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.1#response" as const;

package/src/auth/step-up/policy/0.2/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/policy/0.2/payload.schema.json
+ */
+
+/**
+ * The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).
+ */
+export interface AuthStepUpPolicyPayload {
+  /**
+   * Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.
+   */
+  enabled: boolean;
+  /**
+   * The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).
+   */
+  floors: StepUpFloor[];
+  ext?: Ext;
+}
+export interface StepUpFloor {
+  /**
+   * The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.
+   */
+  operation: string;
+  /**
+   * Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegatedAny` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
+   */
+  mode: "none" | "self" | "delegated" | "delegatedAny";
+  /**
+   * Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.
+   */
+  allowAal1IfNonEscalating?: boolean;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.2#response" as const;

package/src/device/_shared/0.2/device-binding.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/_shared/0.2/device-binding.schema.json
+ */
+
+/**
+ * Canonical metadata view of a registered consumer device — a Companion (browser plugin, mobile app, desktop app) or a Service (mediator, AI agent, daemon) enrolled to a VTA. Referenced by every device/* specification. Pairs with the ACL: a DeviceBinding is the device-facing half of an AclEntry. Most fields are maintainer-side observations (device id, attestation, timestamps); a few are consumer-supplied at registration time (form factor, display name).
+ */
+export interface DeviceBindingSharedDefinitionForTheDeviceSpecFamily {
+  [k: string]: unknown | undefined;
+}

package/src/device/heartbeat/0.2/payload.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/heartbeat/0.2/payload.schema.json
+ */
+
+/**
+ * Periodic check-in from a Companion or Service. Refreshes `lastSeenAt`, carries optional state digests, and gives the maintainer a chance to deliver queued operations (notably queued wipes for targets that were offline at issuance).
+ */
+export interface DeviceHeartbeatPayload {
+  /**
+   * Updated platform descriptor if it changed since registration (e.g. browser updated).
+   */
+  platform?: string;
+  /**
+   * Optional — consumer's current sync baseline. If the maintainer notices a gap (consumer is behind), the response can hint that a vault/sync is due.
+   */
+  vaultSeq?: number;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/heartbeat/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/heartbeat/0.2#response" as const;

package/src/device/list/0.2/payload.ts

@@ -0,0 +1,48 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/list/0.2/payload.schema.json
+ */
+
+/**
+ * Fine-grained capability flag scoped to the device's allowed contexts. See SPEC.md for the full semantics of each.
+ */
+export type Capability =
+  | "vaultRead"
+  | "vaultWrite"
+  | "proxyLogin"
+  | "fillRelease"
+  | "policyAdmin"
+  | "deviceAdmin"
+  | "sign"
+  | "keyMint";
+
+/**
+ * List DeviceBindings known to the maintainer, optionally filtered by consumer kind, capability, status, and last-seen time.
+ */
+export interface DeviceListPayload {
+  consumerKindFilter?: "companion" | "service";
+  formFactorFilter?: "browser" | "mobile" | "desktop";
+  serviceKindFilter?: "mediator" | "aiAgent" | "daemon";
+  capabilityFilter?: Capability;
+  /**
+   * When true, include devices with `disabledAt` set. Default omits disabled.
+   */
+  includeDisabled?: boolean;
+  includeWiped?: boolean;
+  lastSeenSince?: string;
+  pageSize?: number;
+  cursor?: string;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/list/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/list/0.2#response" as const;

package/src/device/register/0.1/payload.ts

@@ -26,6 +26,7 @@ export interface DeviceRegisterPayload {
   displayName: string;
   platform?: string;
   attestation?: DeviceAttestation;
+  keyCustody?: KeyCustody;
   /**
    * X25519 public key (did:key form) the maintainer will use to HPKE-seal sensitive payloads to this device (sealed secrets, session blobs, sync events). REQUIRED — every Companion/Service needs a recipient key.
    */
@@ -74,6 +75,23 @@ export interface NitroEnclave {
 export interface NoAttestation {
   kind: "none";
 }
+/**
+ * OPTIONAL. How the device custodies its private keys (tier + algorithms). RECOMMENDED for mobile Companions. Maintainer policy input — see docs/design-notes/mobile-key-custody-profile.md.
+ */
+export interface KeyCustody {
+  /**
+   * `hardware`: the key is non-exportable in the secure keystore (iOS Secure Enclave / Android StrongBox) and every signing / key-agreement operation runs in-chip — achievable only with P-256. `software`: the key is held in app memory during use, stored hardware-wrapped at rest. Maintainers MAY apply stricter policy (shorter sessions, more frequent step-up) to `software`-tier devices.
+   */
+  tier: "hardware" | "software";
+  /**
+   * JOSE `alg` of the holder's signing key, e.g. `ES256` (hardware-custodiable on mobile) or `EdDSA` (not).
+   */
+  signingAlg?: string;
+  /**
+   * Curve of the holder's keyAgreement key, e.g. `P-256` (hardware-custodiable on mobile) or `X25519` (not).
+   */
+  keyAgreementCurve?: string;
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/device/register/0.2/payload.ts

@@ -0,0 +1,106 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/register/0.2/payload.schema.json
+ */
+
+/**
+ * Discriminator: is this consumer a user-driven Companion or a headless Service?
+ */
+export type ConsumerKind = Companion | Service;
+/**
+ * Producer-supplied attestation at registration time, verifiable by the maintainer against the platform's attestation infrastructure. Tagged union over the discriminator `kind`.
+ */
+export type DeviceAttestation =
+  | WebAuthnAttestation
+  | AppleAppAttest
+  | PlayIntegrity
+  | Tpm
+  | NitroEnclave
+  | NoAttestation;
+
+/**
+ * Public discovery surface that wraps the maintainer's existing two-phase enrolment (provision-integration → acl/swap-key). A new Companion or Service hands the maintainer its long-term VTA-derived key, its consumer kind, display name, and an optional device attestation; the maintainer creates the DeviceBinding and returns it. Phase 1 (provision-integration) is assumed to have already happened — this task is the post-bootstrap claim step.
+ */
+export interface DeviceRegisterPayload {
+  consumerKind: ConsumerKind;
+  displayName: string;
+  platform?: string;
+  attestation?: DeviceAttestation;
+  keyCustody?: KeyCustody;
+  /**
+   * X25519 public key (did:key form) the maintainer will use to HPKE-seal sensitive payloads to this device (sealed secrets, session blobs, sync events). REQUIRED — every Companion/Service needs a recipient key.
+   */
+  hpkePublicKey?: string;
+  ext?: Ext;
+}
+export interface Companion {
+  kind: "companion";
+  formFactor: "browser" | "mobile" | "desktop";
+}
+export interface Service {
+  kind: "service";
+  serviceKind: "mediator" | "aiAgent" | "daemon";
+}
+export interface WebAuthnAttestation {
+  kind: "webauthn";
+  /**
+   * WebAuthn Authenticator AAGUID (UUID).
+   */
+  aaguid: string;
+  /**
+   * Base64url-encoded WebAuthn attestation statement, when supplied by the platform.
+   */
+  attestationStatement?: string;
+}
+export interface AppleAppAttest {
+  kind: "appleAppAttest";
+  keyId: string;
+  attestation: string;
+}
+export interface PlayIntegrity {
+  kind: "playIntegrity";
+  token: string;
+}
+export interface Tpm {
+  kind: "tpm";
+  quote: string;
+}
+export interface NitroEnclave {
+  kind: "nitroEnclave";
+  quote: string;
+}
+/**
+ * No device-level attestation is available. Maintainers MAY still register the device but SHOULD apply stricter policy (shorter session TTL, more frequent step-up).
+ */
+export interface NoAttestation {
+  kind: "none";
+}
+/**
+ * OPTIONAL. How the device custodies its private keys (tier + algorithms). RECOMMENDED for mobile Companions. Maintainer policy input — see docs/design-notes/mobile-key-custody-profile.md.
+ */
+export interface KeyCustody {
+  /**
+   * `hardware`: the key is non-exportable in the secure keystore (iOS Secure Enclave / Android StrongBox) and every signing / key-agreement operation runs in-chip — achievable only with P-256. `software`: the key is held in app memory during use, stored hardware-wrapped at rest. Maintainers MAY apply stricter policy (shorter sessions, more frequent step-up) to `software`-tier devices.
+   */
+  tier: "hardware" | "software";
+  /**
+   * JOSE `alg` of the holder's signing key, e.g. `ES256` (hardware-custodiable on mobile) or `EdDSA` (not).
+   */
+  signingAlg?: string;
+  /**
+   * Curve of the holder's keyAgreement key, e.g. `P-256` (hardware-custodiable on mobile) or `X25519` (not).
+   */
+  keyAgreementCurve?: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/register/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/register/0.2#response" as const;

package/src/device/set-wake/0.1/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/set-wake/0.1/payload.schema.json
+ */
+
+/**
+ * A device conveys to its VTA the opaque WakeHandle it obtained from a push gateway, so the VTA can own the trigger allowlist and provision the gateway. Carries no platform push token — only the handle. Present `wakeHandle` sets/replaces the wake channel; absent clears it (device becomes non-wakeable). Idempotent; re-issued on token rotation. See the push wake-up binding (https://trusttasks.org/binding/push/0.1).
+ */
+export interface DeviceSetWakePayload {
+  wakeHandle?: WakeHandle;
+  /**
+   * OPTIONAL, advisory. The abstract platform behind the handle, for device/list visibility only. The VTA never sees the token; this is a non-authoritative hint.
+   */
+  pushPlatform?: "apns" | "fcm" | "webpush";
+  /**
+   * OPTIONAL, advisory. DIDs the device suggests as wake triggers (e.g. its mediator). The VTA owns the allowlist and MAY ignore this entirely — it is a hint, not an instruction.
+   */
+  suggestedTriggers?: string[];
+  ext?: Ext;
+}
+/**
+ * OPTIONAL. The opaque gateway-issued handle for this device's push channel. Omit to clear the wake channel (the VTA empties the gateway allowlist; the device becomes non-wakeable).
+ */
+export interface WakeHandle {
+  /**
+   * The push gateway that issued this handle and acts on it — a DID (DIDComm-reachable gateway) or an https URL (REST gateway). A trigger sends its contentless wake request here.
+   */
+  gateway: string;
+  /**
+   * Opaque gateway-issued identifier for the device's push channel. Reveals no platform token. Rotates whenever the device re-registers a new platform token with the gateway; the device then re-conveys the fresh handle via device/set-wake.
+   */
+  handle: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.1" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.1#response" as const;

package/src/device/set-wake/0.2/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/set-wake/0.2/payload.schema.json
+ */
+
+/**
+ * A device conveys to its VTA the opaque WakeHandle it obtained from a push gateway, so the VTA can own the trigger allowlist and provision the gateway. Carries no platform push token — only the handle. Present `wakeHandle` sets/replaces the wake channel; absent clears it (device becomes non-wakeable). Idempotent; re-issued on token rotation. See the push wake-up binding (https://trusttasks.org/binding/push/0.1).
+ */
+export interface DeviceSetWakePayload {
+  wakeHandle?: WakeHandle;
+  /**
+   * OPTIONAL, advisory. The abstract platform behind the handle, for device/list visibility only. The VTA never sees the token; this is a non-authoritative hint.
+   */
+  pushPlatform?: "apns" | "fcm" | "webpush";
+  /**
+   * OPTIONAL, advisory. DIDs the device suggests as wake triggers (e.g. its mediator). The VTA owns the allowlist and MAY ignore this entirely — it is a hint, not an instruction.
+   */
+  suggestedTriggers?: string[];
+  ext?: Ext;
+}
+/**
+ * OPTIONAL. The opaque gateway-issued handle for this device's push channel. Omit to clear the wake channel (the VTA empties the gateway allowlist; the device becomes non-wakeable).
+ */
+export interface WakeHandle {
+  /**
+   * The push gateway that issued this handle and acts on it — a DID (DIDComm-reachable gateway) or an https URL (REST gateway). A trigger sends its contentless wake request here.
+   */
+  gateway: string;
+  /**
+   * Opaque gateway-issued identifier for the device's push channel. Reveals no platform token. Rotates whenever the device re-registers a new platform token with the gateway; the device then re-conveys the fresh handle via device/set-wake.
+   */
+  handle: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.2#response" as const;

package/src/device/wipe/0.2/payload.ts

@@ -0,0 +1,39 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/wipe/0.2/payload.schema.json
+ */
+
+/**
+ * The maintainer issues a wipe to a Companion or Service. The target is expected to destroy its local cache and (depending on scope) its device-local key material. The action is best-effort — a compromised device may silently drop the wipe — so the maintainer additionally revokes ACL access and rotates the device's cache-key derivation root, so that defence in depth means a non-compliant device is still neutralised.
+ */
+export interface DeviceWipePayload {
+  deviceId: string;
+  /**
+   * How aggressively the target should wipe:
+   * - `cache` — discard the encrypted vault cache; consumer can re-sync with valid creds.
+   * - `cacheAndKeys` — discard cache + device-local key material; consumer must re-onboard.
+   * - `full` — `cacheAndKeys` + clear all extension/app storage + revoke OS credential-provider registration where APIs permit.
+   */
+  scope: "cache" | "cacheAndKeys" | "full";
+  /**
+   * Human-readable reason. Required (not optional) because every wipe is consequential and the audit log must capture intent.
+   */
+  reason: string;
+  /**
+   * Wipe-issuance timestamp; identical to the document's `issuedAt`, repeated here so the body is self-contained for offline-queued delivery.
+   */
+  issuedAt?: string;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/wipe/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/wipe/0.2#response" as const;

package/src/did-management/did/check-name/0.1/payload.ts

@@ -4,9 +4,12 @@
  */
 
 export interface DIDManagementCheckNamePayload {
-  path: string;
   /**
-   * When true and the path is available, atomically reserve it under the caller and return the resulting DidRecord.
+   * Local path to test. REQUIRED for an availability probe (`reserve: false`). OPTIONAL when `reserve: true`: omit it to ask the host to auto-assign a fresh, server-generated mnemonic for the reservation.
+   */
+  path?: string;
+  /**
+   * When true and the path is available — or, when `path` is omitted, always — atomically reserve a slot under the caller and return the resulting DidRecord. When `path` is omitted the host generates a fresh unused mnemonic (auto-assign).
    */
   reserve?: boolean;
   /**

package/src/index.ts

@@ -1,41 +1,55 @@
 /** Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND. */
 
-export * as FrameworkShared from "./_framework/0.1/framework";
-export * as AclEntryShared from "./acl/_shared/0.1/acl-entry";
+export * as FrameworkShared_v0_1 from "./_framework/0.1/framework";
+export * as FrameworkShared_v0_2 from "./_framework/0.2/framework";
+export * as AclEntryShared_v0_1 from "./acl/_shared/0.1/acl-entry";
 export * as AclChangeRole_v0_1 from "./acl/change-role/0.1/payload";
 export * as AclGrant_v0_1 from "./acl/grant/0.1/payload";
 export * as AclList_v0_1 from "./acl/list/0.1/payload";
 export * as AclRevoke_v0_1 from "./acl/revoke/0.1/payload";
 export * as AclShow_v0_1 from "./acl/show/0.1/payload";
 export * as AclSwapKey_v0_1 from "./acl/swap-key/0.1/payload";
-export * as SessionShared from "./auth/_shared/0.1/session";
-export * as TokensShared from "./auth/_shared/0.1/tokens";
-export * as WebauthnShared from "./auth/_shared/0.1/webauthn";
+export * as SessionShared_v0_1 from "./auth/_shared/0.1/session";
+export * as TokensShared_v0_1 from "./auth/_shared/0.1/tokens";
+export * as WebauthnShared_v0_1 from "./auth/_shared/0.1/webauthn";
 export * as AuthAuthenticate_v0_1 from "./auth/authenticate/0.1/payload";
 export * as AuthChallenge_v0_1 from "./auth/challenge/0.1/payload";
 export * as AuthPasskeyEnrollFinish_v0_1 from "./auth/passkey/enroll/finish/0.1/payload";
 export * as AuthPasskeyEnrollInvite_v0_1 from "./auth/passkey/enroll/invite/0.1/payload";
 export * as AuthPasskeyEnrollStart_v0_1 from "./auth/passkey/enroll/start/0.1/payload";
 export * as AuthPasskeyLoginFinish_v0_1 from "./auth/passkey/login/finish/0.1/payload";
+export * as AuthPasskeyLoginFinish_v0_2 from "./auth/passkey/login/finish/0.2/payload";
 export * as AuthPasskeyLoginStart_v0_1 from "./auth/passkey/login/start/0.1/payload";
+export * as AuthPasskeyLoginStart_v0_2 from "./auth/passkey/login/start/0.2/payload";
 export * as AuthRefresh_v0_1 from "./auth/refresh/0.1/payload";
 export * as AuthRevokeSession_v0_1 from "./auth/revoke-session/0.1/payload";
 export * as AuthSessionsList_v0_1 from "./auth/sessions/list/0.1/payload";
 export * as AuthStepUpApproveRequest_v0_1 from "./auth/step-up/approve-request/0.1/payload";
+export * as AuthStepUpApproveRequest_v0_2 from "./auth/step-up/approve-request/0.2/payload";
 export * as AuthStepUpApproveResponse_v0_1 from "./auth/step-up/approve-response/0.1/payload";
+export * as AuthStepUpApproveResponse_v0_2 from "./auth/step-up/approve-response/0.2/payload";
+export * as AuthStepUpPolicy_v0_1 from "./auth/step-up/policy/0.1/payload";
+export * as AuthStepUpPolicy_v0_2 from "./auth/step-up/policy/0.2/payload";
 export * as AuthWhoami_v0_1 from "./auth/whoami/0.1/payload";
 export * as ConfirmRequest_v0_1 from "./confirm/request/0.1/payload";
 export * as ConfirmResponse_v0_1 from "./confirm/response/0.1/payload";
-export * as DeviceBindingShared from "./device/_shared/0.1/device-binding";
+export * as DeviceBindingShared_v0_1 from "./device/_shared/0.1/device-binding";
+export * as DeviceBindingShared_v0_2 from "./device/_shared/0.2/device-binding";
 export * as DeviceDisable_v0_1 from "./device/disable/0.1/payload";
 export * as DeviceHeartbeat_v0_1 from "./device/heartbeat/0.1/payload";
+export * as DeviceHeartbeat_v0_2 from "./device/heartbeat/0.2/payload";
 export * as DeviceList_v0_1 from "./device/list/0.1/payload";
+export * as DeviceList_v0_2 from "./device/list/0.2/payload";
 export * as DeviceRegister_v0_1 from "./device/register/0.1/payload";
+export * as DeviceRegister_v0_2 from "./device/register/0.2/payload";
+export * as DeviceSetWake_v0_1 from "./device/set-wake/0.1/payload";
+export * as DeviceSetWake_v0_2 from "./device/set-wake/0.2/payload";
 export * as DeviceWipe_v0_1 from "./device/wipe/0.1/payload";
-export * as WebvhShared from "./did-management/_shared/0.1/did-method-extensions/webvh";
-export * as DidRecordShared from "./did-management/_shared/0.1/did-record";
-export * as DomainEntryShared from "./did-management/_shared/0.1/domain-entry";
-export * as ServiceInstanceShared from "./did-management/_shared/0.1/service-instance";
+export * as DeviceWipe_v0_2 from "./device/wipe/0.2/payload";
+export * as WebvhShared_v0_1 from "./did-management/_shared/0.1/did-method-extensions/webvh";
+export * as DidRecordShared_v0_1 from "./did-management/_shared/0.1/did-record";
+export * as DomainEntryShared_v0_1 from "./did-management/_shared/0.1/domain-entry";
+export * as ServiceInstanceShared_v0_1 from "./did-management/_shared/0.1/service-instance";
 export * as DidManagementDidChangeOwner_v0_1 from "./did-management/did/change-owner/0.1/payload";
 export * as DidManagementDidCheckName_v0_1 from "./did-management/did/check-name/0.1/payload";
 export * as DidManagementDidDelete_v0_1 from "./did-management/did/delete/0.1/payload";
@@ -61,30 +75,62 @@ export * as DidManagementRegistryDeregister_v0_1 from "./did-management/registry
 export * as DidManagementServerHealth_v0_1 from "./did-management/server/health/0.1/payload";
 export * as DidManagementServerRegister_v0_1 from "./did-management/server/register/0.1/payload";
 export * as DidManagementServerStatsSync_v0_1 from "./did-management/server/stats-sync/0.1/payload";
-export * as PolicyShared from "./policy/_shared/0.1/policy";
+export * as PolicyShared_v0_1 from "./policy/_shared/0.1/policy";
+export * as PolicyShared_v0_2 from "./policy/_shared/0.2/policy";
 export * as PolicyDelete_v0_1 from "./policy/delete/0.1/payload";
 export * as PolicyEvaluate_v0_1 from "./policy/evaluate/0.1/payload";
+export * as PolicyEvaluate_v0_2 from "./policy/evaluate/0.2/payload";
 export * as PolicyList_v0_1 from "./policy/list/0.1/payload";
+export * as PolicyList_v0_2 from "./policy/list/0.2/payload";
 export * as PolicyUpsert_v0_1 from "./policy/upsert/0.1/payload";
+export * as PolicyUpsert_v0_2 from "./policy/upsert/0.2/payload";
 export * as ProvisionIntegration_v0_1 from "./provision/integration/0.1/payload";
-export * as SyncEventShared from "./sync/_shared/0.1/sync-event";
+export * as ProvisionIntegration_v0_2 from "./provision/integration/0.2/payload";
+export * as PushProvision_v0_1 from "./push/provision/0.1/payload";
+export * as PushProvision_v0_2 from "./push/provision/0.2/payload";
+export * as PushRegister_v0_1 from "./push/register/0.1/payload";
+export * as PushRegister_v0_2 from "./push/register/0.2/payload";
+export * as PushWake_v0_1 from "./push/wake/0.1/payload";
+export * as PushWake_v0_2 from "./push/wake/0.2/payload";
+export * as SyncEventShared_v0_1 from "./sync/_shared/0.1/sync-event";
+export * as SyncEventShared_v0_2 from "./sync/_shared/0.2/sync-event";
 export * as SyncEvent_v0_1 from "./sync/event/0.1/payload";
+export * as SyncEvent_v0_2 from "./sync/event/0.2/payload";
 export * as TrustTaskDiscovery_v0_1 from "./trust-task-discovery/0.1/payload";
 export * as TrustTaskError_v0_1 from "./trust-task-error/0.1/payload";
-export * as ConsumerContextShared from "./vault/_shared/0.1/consumer-context";
-export * as SealedEnvelopeShared from "./vault/_shared/0.1/sealed-envelope";
-export * as SessionBlobShared from "./vault/_shared/0.1/session-blob";
-export * as VaultEntryShared from "./vault/_shared/0.1/vault-entry";
-export * as VaultSecretShared from "./vault/_shared/0.1/vault-secret";
+export * as TrustTaskError_v0_2 from "./trust-task-error/0.2/payload";
+export * as ConsumerContextShared_v0_1 from "./vault/_shared/0.1/consumer-context";
+export * as SealedEnvelopeShared_v0_1 from "./vault/_shared/0.1/sealed-envelope";
+export * as SessionBlobShared_v0_1 from "./vault/_shared/0.1/session-blob";
+export * as VaultEntryShared_v0_1 from "./vault/_shared/0.1/vault-entry";
+export * as VaultSecretShared_v0_1 from "./vault/_shared/0.1/vault-secret";
+export * as ConsumerContextShared_v0_2 from "./vault/_shared/0.2/consumer-context";
+export * as SealedEnvelopeShared_v0_2 from "./vault/_shared/0.2/sealed-envelope";
+export * as SessionBlobShared_v0_2 from "./vault/_shared/0.2/session-blob";
+export * as VaultEntryShared_v0_2 from "./vault/_shared/0.2/vault-entry";
+export * as VaultSecretShared_v0_2 from "./vault/_shared/0.2/vault-secret";
 export * as VaultDelete_v0_1 from "./vault/delete/0.1/payload";
 export * as VaultGet_v0_1 from "./vault/get/0.1/payload";
+export * as VaultGet_v0_2 from "./vault/get/0.2/payload";
 export * as VaultList_v0_1 from "./vault/list/0.1/payload";
+export * as VaultList_v0_2 from "./vault/list/0.2/payload";
 export * as VaultProxyLogin_v0_1 from "./vault/proxy-login/0.1/payload";
+export * as VaultProxyLogin_v0_2 from "./vault/proxy-login/0.2/payload";
 export * as VaultRelease_v0_1 from "./vault/release/0.1/payload";
+export * as VaultRelease_v0_2 from "./vault/release/0.2/payload";
 export * as VaultSignTrustTask_v0_1 from "./vault/sign-trust-task/0.1/payload";
+export * as VaultSignTrustTask_v0_2 from "./vault/sign-trust-task/0.2/payload";
 export * as VaultSync_v0_1 from "./vault/sync/0.1/payload";
+export * as VaultSync_v0_2 from "./vault/sync/0.2/payload";
 export * as VaultUpsert_v0_1 from "./vault/upsert/0.1/payload";
+export * as VaultUpsert_v0_2 from "./vault/upsert/0.2/payload";
 export * as VaultUsage_v0_1 from "./vault/usage/0.1/payload";
+export * as VaultUsage_v0_2 from "./vault/usage/0.2/payload";
+export * as PasskeyVmShared_v0_1 from "./vta/_shared/0.1/passkey-vm";
+export * as VtaPasskeyVmsEnrollChallenge_v0_1 from "./vta/passkey-vms/enroll-challenge/0.1/payload";
+export * as VtaPasskeyVmsEnrollSubmit_v0_1 from "./vta/passkey-vms/enroll-submit/0.1/payload";
+export * as VtaPasskeyVmsList_v0_1 from "./vta/passkey-vms/list/0.1/payload";
+export * as VtaPasskeyVmsRevoke_v0_1 from "./vta/passkey-vms/revoke/0.1/payload";
 export * as WebvhSyncDelete_v0_1 from "./webvh/sync/delete/0.1/payload";
 export * as WebvhSyncUpdate_v0_1 from "./webvh/sync/update/0.1/payload";
 export * as WebvhWitnessPublish_v0_1 from "./webvh/witness/publish/0.1/payload";

package/src/policy/_shared/0.2/policy.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/policy/_shared/0.2/policy.schema.json
+ */
+
+/**
+ * Shared Rego policy types referenced by the policy/* spec family. The maintainer evaluates these against PolicyInput (the request context) to decide proxy_login vs fill, release vs deny, and step-up demands. Engine: embedded Rego via `regorus` (pure-Rust evaluator) in the canonical maintainer implementation; other implementations MAY use a different engine if they accept the same Rego syntax.
+ */
+export interface PolicySharedDefinitions {
+  [k: string]: unknown | undefined;
+}