@openvtc/trust-tasks 0.2.0 → 0.2.1

package/dist/sync/event/0.2/payload.d.ts

@@ -0,0 +1,208 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/sync/event/0.2/payload.schema.json
+ */
+export type SyncEvent = VaultUpsertedEvent | VaultDeletedEvent | AclChangedEvent | PolicyChangedEvent;
+/**
+ * A single binding target for a vault entry. Tagged union over the discriminator `kind`. A VaultEntry's `targets` array MAY mix any number of these.
+ */
+export type SiteTarget = WebOrigin | Did | IosApp | AndroidApp;
+/**
+ * Discriminator for the kind of secret this entry holds. The secret material itself is NEVER returned in metadata views; the kind is exposed so consumers can render an appropriate UI affordance and so policy decisions can route by kind.
+ */
+export type SecretKind = "password" | "passkey" | "oauthTokens" | "didSelfIssued" | "didcommPeer" | "bearerToken" | "sshKey" | "custom";
+/**
+ * One-way push notification from the maintainer to a subscribing consumer. Carries a single SyncEvent (vault.upserted, vault.deleted, acl.changed, policy.changed). The consumer updates its cache and does NOT respond — there is no #response form. For offline catch-up the consumer uses vault/sync/0.1 to pull missed events.
+ */
+export interface SyncEventPayload {
+    event: SyncEvent;
+    ext?: Ext1;
+}
+export interface VaultUpsertedEvent {
+    kind: "vaultUpserted";
+    seq: number;
+    occurredAt: string;
+    entry: VaultEntry;
+}
+export interface VaultEntry {
+    /**
+     * Opaque vault-maintainer-assigned identifier for the entry. ULID/UUID/base32 are common; the wire spec only requires non-empty string equality.
+     */
+    id: string;
+    /**
+     * Identifier of the trust context (persona) the entry belongs to. Opaque string interpreted by the vault maintainer; corresponds to a single ContextRecord on the VTA side.
+     */
+    contextId: string;
+    /**
+     * One or more binding targets — web origins, mobile app identifiers, and/or DIDs — that this credential applies to. A request from any matching target uses this entry. A typical entry for a service that exists as both a website and mobile apps will list a web origin, an iOS bundle id, and an Android package id; passkeys for that service typically list only the origin (because iOS Associated Domains and Android Asset Links bind apps to the domain at the OS level).
+     *
+     * @minItems 1
+     */
+    targets: [SiteTarget, ...SiteTarget[]];
+    /**
+     * Human-readable display name (e.g. "Work GitHub", "Personal bank — checking"). Maintainers MAY enforce a maximum length; the wire spec does not.
+     */
+    label: string;
+    secretKind: SecretKind;
+    /**
+     * User-defined tags for organisation and filtering (e.g. ["family", "finance"]). Maintainers MAY enforce a maximum count; the wire spec does not.
+     */
+    tags?: string[];
+    /**
+     * Non-sensitive notes the user attached to the entry. Visible in metadata view (suitable for support contact, account number, expiry policy memos). SENSITIVE notes belong in the secret payload as a `secureNotes` field — those are only released by vault/release/0.1.
+     */
+    notes?: string;
+    /**
+     * Optional URI of an icon to display in the consumer UI. Maintainers MAY fetch and cache; consumers SHOULD treat as untrusted content and fetch via a sandboxed pipeline.
+     */
+    favicon?: string;
+    /**
+     * Opaque maintainer-defined selector strings fed to the policy engine when this entry is requested (e.g. "recent_uv_required", "network_class=corp", "step_up_push"). Consumers MUST treat selectors as opaque; they exist for policy authoring on the maintainer side.
+     */
+    selectors?: string[];
+    /**
+     * Names of additional fields the user has attached (e.g. ["security-question-1", "account-number"]). The VALUES live in the secret payload and are only delivered by vault/release/0.1. Exposing names in metadata lets the consumer render the right form layout before requesting release.
+     */
+    customFieldNames?: string[];
+    /**
+     * References to encrypted blobs associated with the entry (recovery codes, PEM files, screenshots of authenticator setup). The blobs themselves are fetched via a separate mechanism the maintainer documents; metadata view exposes only the descriptor.
+     */
+    attachments?: AttachmentRef[];
+    /**
+     * Optional time after which the credential is no longer expected to be valid (e.g. an OAuth refresh token's known expiry, a time-limited API token, an enterprise password rotation policy). Maintainers MAY surface this in the consumer UI as a warning.
+     */
+    expiresAt?: string;
+    /**
+     * Set by the maintainer (via HIBP integration or equivalent) when the password material associated with this entry is known to appear in a public breach. Consumers SHOULD surface this prominently. Cleared when the user rotates the password and the new password is not in any known breach.
+     */
+    breachedAt?: string;
+    /**
+     * Set whenever the password component of the secret payload is rotated. Maintainers MUST update this on every secret-material change for entries of kind `password` (or any kind that carries a password component). Used by consumers to surface rotation-overdue warnings.
+     */
+    passwordChangedAt?: string;
+    createdAt: string;
+    /**
+     * VID of the consumer that originally created the entry.
+     */
+    createdBy?: string;
+    updatedAt: string;
+    /**
+     * VID of the consumer that last modified the entry.
+     */
+    updatedBy?: string;
+    /**
+     * Most recent time the entry was used (either released or proxy-login performed). Maintainers MAY return this with reduced precision (e.g. hour-floored) when releasing to a less-trusted consumer.
+     */
+    lastUsedAt?: string;
+    /**
+     * Monotonic version counter incremented on every mutation. Used by consumers for optimistic-concurrency checks on vault/upsert and as the seq baseline for vault/sync.
+     */
+    version: number;
+    /**
+     * Optional cached DID the entry will act AS for DID-shaped flows — mirrors the `did` field of the entry's secret payload when `secretKind` carries one (`didSelfIssued`, `didcommPeer`). Absent for kinds that have no DID concept (`password`, `passkey`, `oauthTokens`, `bearerToken`, `sshKey`, `custom`). MAINTAINER-DERIVED, NOT CONSUMER-SUPPLIED: the maintainer MUST recompute this from the canonical secret at every upsert / secret rotation; a producer-supplied value on `vault/upsert/0.1` MUST be ignored (no error, but no honour). Read-only on the wire, present in metadata views so consumers can drive RP-side flows (e.g. fetch `/auth/challenge` keyed on the principal DID before requesting a proxy-login) without releasing the secret.
+     */
+    principalDid?: string;
+    ext?: Ext;
+}
+export interface WebOrigin {
+    kind: "webOrigin";
+    /**
+     * Web origin per RFC 6454 (scheme + host + optional port), e.g. "https://github.com". Compared by exact string equality after canonicalisation (lowercase host, default port elided). Consumers wanting subdomain coverage SHOULD add multiple targets, not encode a wildcard.
+     */
+    origin: string;
+}
+export interface Did {
+    kind: "did";
+    /**
+     * DID identifying the relying party (e.g. did:web:rp.example). The vault maintainer is responsible for any DID resolution required to act on this entry.
+     */
+    did: string;
+}
+export interface IosApp {
+    kind: "iosApp";
+    /**
+     * iOS bundle identifier in reverse-DNS form (e.g. "com.github.stwalkerster.codehub"). Compared by exact string equality. Matches when an iOS Companion identifies the requesting app via its bundle id (typically via the OS Credential Manager integration).
+     */
+    bundleId: string;
+    /**
+     * Optional Apple Developer Team identifier (10-character alphanumeric). When supplied, the maintainer SHOULD also verify the team id of the requesting app before matching — defense in depth against bundle-id squatting on jailbroken devices.
+     */
+    teamId?: string;
+}
+export interface AndroidApp {
+    kind: "androidApp";
+    /**
+     * Android package name in reverse-DNS form (e.g. "com.github.android").
+     */
+    packageName: string;
+    /**
+     * SHA-256 fingerprints of the app's signing certificates, in colon-separated hex (the format `apksigner` and the Play Console emit). At least one fingerprint MUST be present. The maintainer matches when ANY of the provided fingerprints matches the requesting app's signature — this supports apps signed by multiple keys (e.g. during certificate rotation via Play App Signing).
+     *
+     * @minItems 1
+     */
+    sha256CertFingerprints: [string, ...string[]];
+}
+export interface AttachmentRef {
+    /**
+     * Opaque maintainer-assigned id for this attachment; used to fetch the blob via a separate mechanism.
+     */
+    id: string;
+    /**
+     * User-supplied filename (e.g. "recovery-codes.txt").
+     */
+    name: string;
+    /**
+     * Size of the encrypted blob in bytes. Maintainers MAY enforce a maximum per attachment and per entry.
+     */
+    sizeBytes: number;
+    /**
+     * Hex-encoded SHA-256 of the encrypted blob bytes (post-encryption). Lets the consumer verify integrity after fetch.
+     */
+    sha256: string;
+    /**
+     * Optional MIME type hint for the consumer UI (e.g. "text/plain", "application/x-pem-file").
+     */
+    contentType?: string;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1. Reverse-DNS-namespaced; consumers MUST ignore unrecognized namespaces.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+export interface VaultDeletedEvent {
+    kind: "vaultDeleted";
+    seq: number;
+    occurredAt: string;
+    id: string;
+    contextId: string;
+    graceUntil: string;
+}
+export interface AclChangedEvent {
+    kind: "aclChanged";
+    seq: number;
+    occurredAt: string;
+    /**
+     * DID of the consumer whose ACL entry changed.
+     */
+    subject: string;
+    change: "granted" | "revoked" | "roleChanged" | "swapped" | "deviceDisabled" | "deviceWiped";
+}
+export interface PolicyChangedEvent {
+    kind: "policyChanged";
+    seq: number;
+    occurredAt: string;
+    policyId: string;
+    change: "created" | "updated" | "deleted";
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext1 {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/sync/event/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/sync/event/0.2#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/sync/event/0.2/payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../src/sync/event/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,kBAAkB,GAAG,iBAAiB,GAAG,eAAe,GAAG,kBAAkB,CAAC;AACtG;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,GAAG,GAAG,MAAM,GAAG,UAAU,CAAC;AAC/D;;GAEG;AACH,MAAM,MAAM,UAAU,GAClB,UAAU,GACV,SAAS,GACT,aAAa,GACb,eAAe,GACf,aAAa,GACb,aAAa,GACb,QAAQ,GACR,QAAQ,CAAC;AAEb;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,SAAS,CAAC;IACjB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AACD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,UAAU,CAAC;CACnB;AACD,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,EAAE,EAAE,MAAM,CAAC;IACX;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,OAAO,EAAE,CAAC,UAAU,EAAE,GAAG,UAAU,EAAE,CAAC,CAAC;IACvC;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,UAAU,CAAC;IACvB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B;;OAEG;IACH,WAAW,CAAC,EAAE,aAAa,EAAE,CAAC;IAC9B;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,WAAW,CAAC;IAClB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB;AACD,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;IACZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;CACb;AACD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,QAAQ,CAAC;IACf;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AACD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,YAAY,CAAC;IACnB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,sBAAsB,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;CAC/C;AACD,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,EAAE,EAAE,MAAM,CAAC;IACX;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AACD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AACD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,aAAa,GAAG,SAAS,GAAG,gBAAgB,GAAG,aAAa,CAAC;CAC9F;AACD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,eAAe,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;CAC3C;AACD;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,4CAAqD,CAAC;AAE9E,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,qDAA8D,CAAC"}

package/dist/sync/event/0.2/payload.js

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/sync/event/0.2/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/sync/event/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/sync/event/0.2#response";
+//# sourceMappingURL=payload.js.map

package/dist/sync/event/0.2/payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../src/sync/event/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAmNH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,4CAAqD,CAAC;AAE9E,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,qDAA8D,CAAC"}

package/dist/trust-task-error/0.2/payload.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/trust-task-error/0.2/payload.schema.json
+ */
+/**
+ * The canonical error-response payload per SPEC.md §8.2.
+ */
+export interface TrustTaskErrorPayload {
+    /**
+     * Short identifier for the failure category. MUST be either a framework standard code (SPEC.md §8.3) or an extended code namespaced by the originating spec's slug (SPEC.md §8.5, e.g. 'acl/grant:role_not_recognized').
+     */
+    code: (("malformedRequest" | "unsupportedType" | "unsupportedVersion" | "expired" | "proofRequired" | "proofInvalid" | "permissionDenied" | "wrongRecipient" | "identityMismatch" | "taskFailed" | "unavailable" | "internalError") | {
+        [k: string]: unknown | undefined;
+    }) & string;
+    /**
+     * Human-readable description of the error. Non-normative; intended for logs and operator UI.
+     */
+    message?: string;
+    /**
+     * true if the producer of the original document MAY retry; false if retrying with the same document is not expected to succeed.
+     */
+    retryable: boolean;
+    /**
+     * RFC 3339 timestamp before which the producer SHOULD NOT retry. Meaningful only when retryable is true.
+     */
+    retryAfter?: string;
+    /**
+     * Optional task-specific extension data. Per-spec error code declarations may pin the shape via a JSON Schema fragment.
+     */
+    details?: {};
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/trust-task-error/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/trust-task-error/0.2#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/trust-task-error/0.2/payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../src/trust-task-error/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,IAAI,EAAE,CACF,CACI,kBAAkB,GAClB,iBAAiB,GACjB,oBAAoB,GACpB,SAAS,GACT,eAAe,GACf,cAAc,GACd,kBAAkB,GAClB,gBAAgB,GAChB,kBAAkB,GAClB,YAAY,GACZ,aAAa,GACb,eAAe,CAClB,GACD;QACE,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;KAClC,CACJ,GACC,MAAM,CAAC;IACT;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,SAAS,EAAE,OAAO,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE,EAAE,CAAC;CACd;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,kDAA2D,CAAC;AAEpF,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,2DAAoE,CAAC"}

package/dist/trust-task-error/0.2/payload.js

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/trust-task-error/0.2/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/trust-task-error/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/trust-task-error/0.2#response";
+//# sourceMappingURL=payload.js.map

package/dist/trust-task-error/0.2/payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../src/trust-task-error/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA+CH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,kDAA2D,CAAC;AAEpF,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,2DAAoE,CAAC"}

package/dist/vault/_shared/0.2/consumer-context.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/consumer-context.schema.json
+ */
+/**
+ * Reused by vault/proxy-login, vault/release, and any future vault task that needs to feed situational context to the maintainer's policy engine or carry the response to a step-up demand. Producer-supplied fields are advisory — the maintainer cross-checks anything security-relevant against its own state.
+ */
+export interface ConsumerContextStepUpProofSharedDefinitionsUsedByVaultTasksThatHitThePolicyEngine {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=consumer-context.d.ts.map

package/dist/vault/_shared/0.2/consumer-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consumer-context.d.ts","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/consumer-context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,iFAAiF;IAChG,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vault/_shared/0.2/consumer-context.js

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/consumer-context.schema.json
+ */
+export {};
+//# sourceMappingURL=consumer-context.js.map

package/dist/vault/_shared/0.2/consumer-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consumer-context.js","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/consumer-context.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/_shared/0.2/sealed-envelope.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/sealed-envelope.schema.json
+ */
+/**
+ * Discriminated union over `envelope` kind, used by every vault task that ships secret material across the wire (vault/upsert/0.1 → SealedSecret, vault/release/0.1 → SealedSecret in the response, vault/proxy-login/0.1 → SealedSessionBlob in the response). The cleartext shape sitting INSIDE the envelope is task-specific — VaultSecret for the secret variants, SessionBlob for the proxy-login variant — and is referenced from each task's spec.
+ *
+ * Consumers dispatch on `envelope`. An unknown envelope kind MUST be rejected (`<task>:envelope_unsupported` error code) rather than silently accepted — there is no fallback to "try parsing as DIDComm". Producers SHOULD advertise the envelope kinds they emit via `trust-task-discovery/0.1`.
+ *
+ * Forward compatibility: this union starts with three variants for the OpenVTC stack today. New variants (KERI/ACDC envelopes, a future TSP successor, hardware-attested envelopes for TEE-to-TEE transfer, etc.) land as additional `oneOf` entries — never as silent schema relaxations on an existing variant.
+ */
+export interface SealedEnvelopePluggableCipherBearingEnvelopeForVaultPayloads {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=sealed-envelope.d.ts.map

package/dist/vault/_shared/0.2/sealed-envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sealed-envelope.d.ts","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/sealed-envelope.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;GAMG;AACH,MAAM,WAAW,4DAA4D;IAC3E,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vault/_shared/0.2/sealed-envelope.js

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/sealed-envelope.schema.json
+ */
+export {};
+//# sourceMappingURL=sealed-envelope.js.map

package/dist/vault/_shared/0.2/sealed-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sealed-envelope.js","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/sealed-envelope.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/_shared/0.2/session-blob.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/session-blob.schema.json
+ */
+/**
+ * Cleartext shape of the session material returned by vault/proxy-login/0.1. Like VaultSecret, this is documented for both sides to code-generate against; the wire-form is carried inside an HPKE-sealed envelope.
+ *
+ * A SessionBlob represents an active session at the third-party service the VTA logged in to on the holder's behalf. The Companion uses it to operate the session (e.g. inject cookies into the browser, set an Authorization header) without ever seeing the long-term credential. The session has a finite TTL; the Companion MUST discard the blob when `expiresAt` passes.
+ */
+export interface SessionBlobSharedDefinitionForTheResultOfAProxyLogin {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=session-blob.d.ts.map

package/dist/vault/_shared/0.2/session-blob.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-blob.d.ts","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/session-blob.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,MAAM,WAAW,oDAAoD;IACnE,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vault/_shared/0.2/session-blob.js

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/session-blob.schema.json
+ */
+export {};
+//# sourceMappingURL=session-blob.js.map

package/dist/vault/_shared/0.2/session-blob.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-blob.js","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/session-blob.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/_shared/0.2/vault-entry.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/vault-entry.schema.json
+ */
+/**
+ * Canonical metadata view of a single vault entry — a credential the holder has stored for use against a third-party site, mobile app, or DID-identified relying party. Referenced by every vault/* specification that returns entry metadata (vault/list, vault/get, vault/upsert response, vault/sync, vault/usage). This definition is the metadata-only view: it deliberately does NOT include secret material. Secrets are released only via vault/release/0.1, and even then are carried inside HPKE-sealed envelopes that the vault Trust Task itself does not parse. The `_shared` folder is skipped by the registry build and by the codegen.
+ *
+ * Timestamp invariants (SHOULD-level, prose — not expressible in JSON Schema): when both `createdAt` and `updatedAt` are present, `updatedAt >= createdAt`; when `lastUsedAt` is present, `lastUsedAt >= createdAt`; when `expiresAt` is present, `expiresAt > createdAt`. Consumers SHOULD reject documents that violate any of these.
+ */
+export interface VaultEntrySharedDefinitionForTheVaultSpecFamily {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=vault-entry.d.ts.map

package/dist/vault/_shared/0.2/vault-entry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-entry.d.ts","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/vault-entry.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,MAAM,WAAW,+CAA+C;IAC9D,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vault/_shared/0.2/vault-entry.js

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/vault-entry.schema.json
+ */
+export {};
+//# sourceMappingURL=vault-entry.js.map

package/dist/vault/_shared/0.2/vault-entry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-entry.js","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/vault-entry.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/_shared/0.2/vault-secret.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/vault-secret.schema.json
+ */
+/**
+ * Schema for the cleartext secret payload of a vault entry. Documents the shape both sides of a vault/release/0.1 transfer code-generate against. The secret payload is NEVER transmitted as plaintext JSON on the wire: vault/release/0.1 returns it inside an HPKE-sealed envelope (see SealedSecret in the vault/release payload schema). This shared schema is the authoritative description of the bytes inside that envelope.
+ *
+ * Sensitive fields (`password`, `privateKey`, `refreshToken`, `secureNotes`, etc.) MUST be zeroised by consumers as soon as their use is complete. Consumers MUST NOT log, persist beyond cache lifetime, or transmit the cleartext outside the release-time scope.
+ *
+ * Discriminated by `kind`, which mirrors VaultEntry.secretKind on the metadata side. The `kind` value MUST equal the metadata view's `secretKind` for the same entry.
+ */
+export interface VaultSecretSharedDefinitionForVaultSecretMaterial {
+    [k: string]: unknown | undefined;
+}
+//# sourceMappingURL=vault-secret.d.ts.map

package/dist/vault/_shared/0.2/vault-secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-secret.d.ts","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/vault-secret.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;GAMG;AACH,MAAM,WAAW,iDAAiD;IAChE,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC"}

package/dist/vault/_shared/0.2/vault-secret.js

@@ -0,0 +1,6 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/_shared/0.2/vault-secret.schema.json
+ */
+export {};
+//# sourceMappingURL=vault-secret.js.map

package/dist/vault/_shared/0.2/vault-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-secret.js","sourceRoot":"","sources":["../../../../src/vault/_shared/0.2/vault-secret.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/get/0.2/payload.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/get/0.2/payload.schema.json
+ */
+/**
+ * Fetch the metadata view of a single vault entry by id. Returns the same VaultEntry shape vault/list does, but for one specific entry. Secret material is NEVER returned by this task; use vault/release/0.1 to obtain secret bytes.
+ */
+export interface VaultGetPayload {
+    /**
+     * Vault entry id (as returned in a prior vault/list or vault/sync response).
+     */
+    id: string;
+    ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vault/get/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vault/get/0.2#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vault/get/0.2/payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../src/vault/get/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,2CAAoD,CAAC;AAE7E,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,oDAA6D,CAAC"}

package/dist/vault/get/0.2/payload.js

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/get/0.2/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vault/get/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vault/get/0.2#response";
+//# sourceMappingURL=payload.js.map

package/dist/vault/get/0.2/payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../src/vault/get/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAmBH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,2CAAoD,CAAC;AAE7E,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,oDAA6D,CAAC"}

package/dist/vault/list/0.2/payload.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/list/0.2/payload.schema.json
+ */
+/**
+ * Optional filter — only entries of this secret kind are returned.
+ */
+export type SecretKind = "password" | "passkey" | "oauthTokens" | "didSelfIssued" | "didcommPeer" | "bearerToken" | "sshKey" | "custom";
+/**
+ * Query a vault maintainer for the metadata view of stored entries. All filters are AND-combined. Pagination is opaque-cursor based; the maintainer chooses page size within the caller's bound and its own ceiling. Secret material is NEVER returned by this task — even when the requesting consumer has VaultRead capability for the entry, the secret is only released via vault/release/0.1.
+ */
+export interface VaultListPayload {
+    /**
+     * Optional filter — only entries belonging to this trust context (persona) are returned. Omit to query across all contexts the requesting consumer has VaultRead on.
+     */
+    contextId?: string;
+    /**
+     * Optional filter — only entries with at least one `targets[]` entry of kind `webOrigin` whose origin starts with this prefix. Useful for "all my github.* logins". Maintainers MUST canonicalise (lowercase host) before comparison.
+     */
+    targetOriginPrefix?: string;
+    /**
+     * Optional filter — only entries with at least one `targets[]` entry of kind `did` exactly equal to this value.
+     */
+    targetDid?: string;
+    /**
+     * Optional filter — only entries with at least one `targets[]` entry of kind `iosApp` whose `bundleId` exactly equals this value. The typical iOS Companion lookup.
+     */
+    targetIosBundleId?: string;
+    /**
+     * Optional filter — only entries with at least one `targets[]` entry of kind `androidApp` whose `packageName` exactly equals this value. The typical Android Companion lookup.
+     */
+    targetAndroidPackage?: string;
+    secretKind?: SecretKind;
+    /**
+     * Optional filter — only entries whose `tags` array contains this tag.
+     */
+    tag?: string;
+    /**
+     * Optional filter — only entries whose `lastUsedAt` is greater than or equal to this timestamp are returned. Entries that have never been used are excluded when this filter is present.
+     */
+    usedSince?: string;
+    /**
+     * Optional filter — when true, only entries with no `lastUsedAt` are returned. Mutually exclusive with `usedSince`; maintainers MUST reject documents that supply both.
+     */
+    neverUsed?: boolean;
+    /**
+     * Optional filter — only entries whose `expiresAt` is less than this timestamp are returned. Useful for "what's about to expire" panels.
+     */
+    expiresBefore?: string;
+    /**
+     * Optional filter — when true, only entries with `breachedAt` set are returned; when false, only entries with `breachedAt` absent are returned.
+     */
+    breached?: boolean;
+    /**
+     * Maximum number of entries to return. Maintainer-defined default and ceiling; the maintainer MAY return fewer.
+     */
+    pageSize?: number;
+    /**
+     * Opaque continuation token returned by the maintainer in a previous response. Consumers MUST treat the cursor as opaque and re-send it verbatim.
+     */
+    cursor?: string;
+    ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+    [k: string]: unknown | undefined;
+}
+/** Trust Task type URI. */
+export declare const TYPE_URI: "https://trusttasks.org/spec/vault/list/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export declare const RESPONSE_TYPE_URI: "https://trusttasks.org/spec/vault/list/0.2#response";
+//# sourceMappingURL=payload.d.ts.map

package/dist/vault/list/0.2/payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../src/vault/list/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,MAAM,UAAU,GAClB,UAAU,GACV,SAAS,GACT,aAAa,GACb,eAAe,GACf,aAAa,GACb,aAAa,GACb,QAAQ,GACR,QAAQ,CAAC;AAEb;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,4CAAqD,CAAC;AAE9E,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,qDAA8D,CAAC"}

package/dist/vault/list/0.2/payload.js

@@ -0,0 +1,9 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/vault/list/0.2/payload.schema.json
+ */
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/vault/list/0.2";
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/vault/list/0.2#response";
+//# sourceMappingURL=payload.js.map

package/dist/vault/list/0.2/payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../src/vault/list/0.2/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA6EH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,4CAAqD,CAAC;AAE9E,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,qDAA8D,CAAC"}