@witnium-tech/witniumchain 0.3.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/FRONTEND-INTEGRATION.md +265 -0
  2. package/README.md +95 -19
  3. package/dist/index.d.mts +4439 -62
  4. package/dist/index.d.ts +4439 -62
  5. package/dist/index.js +812 -28
  6. package/dist/index.js.map +1 -1
  7. package/dist/index.mjs +808 -29
  8. package/dist/index.mjs.map +1 -1
  9. package/package.json +17 -7
  10. package/README.md.bak +0 -160
package/dist/index.d.mts CHANGED
@@ -1,8 +1,40 @@
1
+ /**
2
+ * PKCE (RFC 7636) primitives for the Authorization Code + PKCE OAuth flow.
3
+ *
4
+ * Two functions and one storage interface, all browser-only (the OAuth helpers
5
+ * that consume them only make sense in a browser context — PKCE state has to
6
+ * survive the authorize redirect via sessionStorage or an equivalent).
7
+ *
8
+ * The maths is small: a random verifier, SHA-256 of the verifier base64url-
9
+ * encoded as the challenge, `S256` as the method. The server stores the
10
+ * challenge at /auth time and recomputes it from the verifier at /token time.
11
+ */
12
+ /**
13
+ * Storage for the PKCE verifier between `beginOAuthLogin` (which writes) and
14
+ * `completeOAuthLogin` (which reads + clears). Keyed by the OAuth `state`
15
+ * value so concurrent in-flight logins don't collide.
16
+ *
17
+ * Default implementation in {@link defaultVerifierStorage} wraps the browser's
18
+ * `sessionStorage` under namespaced keys. Tests inject a Map-backed mock.
19
+ */
20
+ interface PkceVerifierStorage {
21
+ set(stateKey: string, verifier: string): void;
22
+ get(stateKey: string): string | null;
23
+ remove(stateKey: string): void;
24
+ }
25
+ /**
26
+ * Default {@link PkceVerifierStorage} backed by `globalThis.sessionStorage`.
27
+ * Throws at construction time if sessionStorage is unavailable — the SDK
28
+ * shouldn't silently degrade to in-memory storage that loses state across
29
+ * the authorize redirect.
30
+ */
31
+ declare function defaultVerifierStorage(): PkceVerifierStorage;
32
+
1
33
  /**
2
34
  * This file was auto-generated by openapi-typescript.
3
35
  * Do not make direct changes to the file.
4
36
  */
5
- interface paths {
37
+ interface paths$1 {
6
38
  "/v1/auth/signup": {
7
39
  parameters: {
8
40
  query?: never;
@@ -883,6 +915,139 @@ interface paths {
883
915
  patch?: never;
884
916
  trace?: never;
885
917
  };
918
+ "/v1/orgs": {
919
+ parameters: {
920
+ query?: never;
921
+ header?: never;
922
+ path?: never;
923
+ cookie?: never;
924
+ };
925
+ get?: never;
926
+ put?: never;
927
+ /**
928
+ * Create an organisation with client-generated keys
929
+ * @description Phase RBAC Thread D — explicit org creation. The caller generates the owner key and the initial signing key client-side; Witnium never holds the private bytes. The response includes the freshly-deployed contract address and a one-time email-verify token.
930
+ */
931
+ post: {
932
+ parameters: {
933
+ query?: never;
934
+ header?: never;
935
+ path?: never;
936
+ cookie?: never;
937
+ };
938
+ requestBody?: {
939
+ content: {
940
+ "application/json": {
941
+ /** @description Display name of the organisation. */
942
+ orgName: string;
943
+ /**
944
+ * Format: email
945
+ * @description Email of the founding org-admin. Receives the email-verify link.
946
+ * @example user@example.com
947
+ */
948
+ adminEmail: string;
949
+ /** @description Password for the founding org-admin. argon2id-hashed server-side. Minimum 12 chars; callers are expected to gate via a strength meter. */
950
+ adminPassword: string;
951
+ /**
952
+ * @description Client-generated Ed25519 public key that controls signing-key add/revoke on the new contract. Witnium never sees the private bytes (non-custodial).
953
+ * @example 4cdde7a3e3a1d8a48d2b9eaf2bcbe2db1d57d3e1a8d6c20e0a86c0f9c4b6cf2e
954
+ */
955
+ ownerPublicKey: string;
956
+ /**
957
+ * @description First signing key registered on the contract. Often the same identity as the org-admin's browser-held key (Mode 1) but may also be the public half of a separately-registered Vault-Transit delegated key (Mode 3).
958
+ * @example 4cdde7a3e3a1d8a48d2b9eaf2bcbe2db1d57d3e1a8d6c20e0a86c0f9c4b6cf2e
959
+ */
960
+ initialSigningPublicKey: string;
961
+ /** @description Captcha proof. Not yet wired (no captcha provider configured); reserved for when one is added. Public endpoint without it relies on downstream billing/credit-ledger gates against abuse. */
962
+ captchaToken?: string;
963
+ };
964
+ };
965
+ };
966
+ responses: {
967
+ /** @description Success */
968
+ 200: {
969
+ headers: {
970
+ [name: string]: unknown;
971
+ };
972
+ content: {
973
+ "application/json": {
974
+ /**
975
+ * @description UUID v4
976
+ * @example 550e8400-e29b-41d4-a716-446655440000
977
+ */
978
+ orgId: string;
979
+ /**
980
+ * @description UUID v4
981
+ * @example 550e8400-e29b-41d4-a716-446655440000
982
+ */
983
+ userId: string;
984
+ /** @description Address of the freshly-deployed contract. */
985
+ contractAddress: string;
986
+ /** @description Semantic on-chain Solidity version (e.g. "5.0.0"). */
987
+ contractVersion: string;
988
+ /** @description Email-verify token. Already sent to adminEmail; echoed here for flows that prefer to surface a "click this link" in their own UI. */
989
+ emailVerifyToken: string;
990
+ };
991
+ };
992
+ };
993
+ /** @description Bad Request — validation failed */
994
+ 400: {
995
+ headers: {
996
+ [name: string]: unknown;
997
+ };
998
+ content: {
999
+ "application/json": {
1000
+ /**
1001
+ * @description HTTP status code
1002
+ * @example 400
1003
+ */
1004
+ statusCode?: number;
1005
+ /**
1006
+ * @description Short error label
1007
+ * @example Bad Request
1008
+ */
1009
+ error?: string;
1010
+ /**
1011
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
1012
+ * @example Validation failed
1013
+ */
1014
+ message: string | string[];
1015
+ };
1016
+ };
1017
+ };
1018
+ /** @description Conflict */
1019
+ 409: {
1020
+ headers: {
1021
+ [name: string]: unknown;
1022
+ };
1023
+ content: {
1024
+ "application/json": {
1025
+ /**
1026
+ * @description HTTP status code
1027
+ * @example 400
1028
+ */
1029
+ statusCode?: number;
1030
+ /**
1031
+ * @description Short error label
1032
+ * @example Bad Request
1033
+ */
1034
+ error?: string;
1035
+ /**
1036
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
1037
+ * @example Validation failed
1038
+ */
1039
+ message: string | string[];
1040
+ };
1041
+ };
1042
+ };
1043
+ };
1044
+ };
1045
+ delete?: never;
1046
+ options?: never;
1047
+ head?: never;
1048
+ patch?: never;
1049
+ trace?: never;
1050
+ };
886
1051
  "/v1/orgs/me": {
887
1052
  parameters: {
888
1053
  query?: never;
@@ -2596,9 +2761,13 @@ interface paths {
2596
2761
  get?: never;
2597
2762
  put?: never;
2598
2763
  /**
2599
- * Sign arbitrary bytes with a delegated key
2764
+ * Sign bytes with a delegated key
2600
2765
  * @description Vault Transit signs the supplied payload using the user's delegated key. Vault returns the signature; the accounts-service process never sees the private bytes (delegated keys are created with `exportable=false`).
2601
2766
  *
2767
+ * **Use:** sign the canonical-intent JSON returned by chain-api `POST /v5/contracts/.../witnesses/propose` (and the analogous v4 endpoint). The endpoint signs whatever bytes you submit because sign:write is an explicit grant to use the user's key — the on-chain authority of the key is bounded to witness ops on the user's contract, and nothing else in Witnium currently consumes these signatures. Future signing surfaces that need different keys or scopes get their own.
2768
+ *
2769
+ * **Limits:** payload ≤ 8 KiB (16384 hex chars), per-user rate-limited at 20 signs/minute (429 + Retry-After on excess). Both are resource bounds, not access-control fences.
2770
+ *
2602
2771
  * Optional `X-Request-Id` request header gets forwarded into the audit-log line; a UUID is generated if absent.
2603
2772
  */
2604
2773
  post: {
@@ -2616,7 +2785,7 @@ interface paths {
2616
2785
  * @example 550e8400-e29b-41d4-a716-446655440000
2617
2786
  */
2618
2787
  delegatedKeyId: string;
2619
- /** @description Hex-encoded bytes to sign (no 0x prefix). Must have an even length. Witnium never logs the bytes themselves — only their SHA-256 hash is recorded for audit cross-correlation with Vault. */
2788
+ /** @description Hex-encoded bytes to sign (no 0x prefix). Must have an even length and at most 16384 hex characters (8 KiB raw). The expected use is signing the UTF-8 bytes of a v5 canonical-intent JSON returned by chain-api `/propose`, but the endpoint signs whatever bytes you submit — sign:write is an explicit grant to use the user's key. Witnium never logs the bytes; only their SHA-256 hash is recorded for audit cross-correlation with Vault. */
2620
2789
  payload: string;
2621
2790
  };
2622
2791
  };
@@ -5108,18 +5277,20 @@ interface paths {
5108
5277
  patch?: never;
5109
5278
  trace?: never;
5110
5279
  };
5111
- "/health/live": {
5280
+ "/v1/account/mfa/totp/enroll": {
5112
5281
  parameters: {
5113
5282
  query?: never;
5114
5283
  header?: never;
5115
5284
  path?: never;
5116
5285
  cookie?: never;
5117
5286
  };
5287
+ get?: never;
5288
+ put?: never;
5118
5289
  /**
5119
- * Liveness probe
5120
- * @description Returns 200/`{status:"ok"}` whenever the process is running. Used by Kubernetes to decide whether to restart the pod.
5290
+ * Start TOTP enrolment
5291
+ * @description Generates a fresh TOTP secret + otpauth URL. The user scans the QR (rendered client-side from `otpauthUrl`) into their authenticator app and then calls `/v1/account/mfa/totp/confirm` with the first 6-digit code. The enrolment is NOT a usable second factor until confirmed.
5121
5292
  */
5122
- get: {
5293
+ post: {
5123
5294
  parameters: {
5124
5295
  query?: never;
5125
5296
  header?: never;
@@ -5135,40 +5306,108 @@ interface paths {
5135
5306
  };
5136
5307
  content: {
5137
5308
  "application/json": {
5138
- /** @enum {string} */
5139
- status: "ok";
5309
+ /**
5310
+ * @description Base32 TOTP secret. Show to the user as a typeable fallback alongside the QR code rendered from `otpauthUrl`.
5311
+ * @example JBSWY3DPEHPK3PXP
5312
+ */
5313
+ secret: string;
5314
+ /**
5315
+ * @description Standard `otpauth://totp/...` URL. The dashboard renders this as a QR code; the user scans it with an authenticator app.
5316
+ * @example otpauth://totp/WitniumChain:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=WitniumChain&algorithm=SHA1&digits=6&period=30
5317
+ */
5318
+ otpauthUrl: string;
5319
+ };
5320
+ };
5321
+ };
5322
+ /** @description Bad Request — validation failed */
5323
+ 400: {
5324
+ headers: {
5325
+ [name: string]: unknown;
5326
+ };
5327
+ content: {
5328
+ "application/json": {
5329
+ /**
5330
+ * @description HTTP status code
5331
+ * @example 400
5332
+ */
5333
+ statusCode?: number;
5334
+ /**
5335
+ * @description Short error label
5336
+ * @example Bad Request
5337
+ */
5338
+ error?: string;
5339
+ /**
5340
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5341
+ * @example Validation failed
5342
+ */
5343
+ message: string | string[];
5344
+ };
5345
+ };
5346
+ };
5347
+ /** @description Unauthorized — authentication required or invalid */
5348
+ 401: {
5349
+ headers: {
5350
+ [name: string]: unknown;
5351
+ };
5352
+ content: {
5353
+ "application/json": {
5354
+ /**
5355
+ * @description HTTP status code
5356
+ * @example 400
5357
+ */
5358
+ statusCode?: number;
5359
+ /**
5360
+ * @description Short error label
5361
+ * @example Bad Request
5362
+ */
5363
+ error?: string;
5364
+ /**
5365
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5366
+ * @example Validation failed
5367
+ */
5368
+ message: string | string[];
5140
5369
  };
5141
5370
  };
5142
5371
  };
5143
5372
  };
5144
5373
  };
5145
- put?: never;
5146
- post?: never;
5147
5374
  delete?: never;
5148
5375
  options?: never;
5149
5376
  head?: never;
5150
5377
  patch?: never;
5151
5378
  trace?: never;
5152
5379
  };
5153
- "/health/ready": {
5380
+ "/v1/account/mfa/totp/confirm": {
5154
5381
  parameters: {
5155
5382
  query?: never;
5156
5383
  header?: never;
5157
5384
  path?: never;
5158
5385
  cookie?: never;
5159
5386
  };
5387
+ get?: never;
5388
+ put?: never;
5160
5389
  /**
5161
- * Readiness probe
5162
- * @description Returns 200/`{status:"ok"}` once a trivial `SELECT 1` succeeds against PostgreSQL. 503 if the DB is unreachable.
5390
+ * Confirm TOTP enrolment
5391
+ * @description Validates the first user-supplied code against the secret minted by `/enroll`, marks the enrolment confirmed, and returns 10 single-use recovery codes. The recovery codes appear ONCE in this response and are never readable again — the dashboard must show them immediately and prompt the user to store them.
5163
5392
  */
5164
- get: {
5393
+ post: {
5165
5394
  parameters: {
5166
5395
  query?: never;
5167
5396
  header?: never;
5168
5397
  path?: never;
5169
5398
  cookie?: never;
5170
5399
  };
5171
- requestBody?: never;
5400
+ requestBody?: {
5401
+ content: {
5402
+ "application/json": {
5403
+ /**
5404
+ * @description Current 6-digit TOTP code shown by the authenticator app.
5405
+ * @example 123456
5406
+ */
5407
+ code: string;
5408
+ };
5409
+ };
5410
+ };
5172
5411
  responses: {
5173
5412
  /** @description Success */
5174
5413
  200: {
@@ -5177,13 +5416,38 @@ interface paths {
5177
5416
  };
5178
5417
  content: {
5179
5418
  "application/json": {
5180
- /** @enum {string} */
5181
- status: "ok";
5419
+ /** @description Ten single-use recovery codes. Shown ONCE and never returned again — the user must store them now. Each code is consumed atomically when used in place of a TOTP code at MFA challenge time. */
5420
+ recoveryCodes: string[];
5182
5421
  };
5183
5422
  };
5184
5423
  };
5185
- /** @description Service Unavailable */
5186
- 503: {
5424
+ /** @description Bad Request — validation failed */
5425
+ 400: {
5426
+ headers: {
5427
+ [name: string]: unknown;
5428
+ };
5429
+ content: {
5430
+ "application/json": {
5431
+ /**
5432
+ * @description HTTP status code
5433
+ * @example 400
5434
+ */
5435
+ statusCode?: number;
5436
+ /**
5437
+ * @description Short error label
5438
+ * @example Bad Request
5439
+ */
5440
+ error?: string;
5441
+ /**
5442
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5443
+ * @example Validation failed
5444
+ */
5445
+ message: string | string[];
5446
+ };
5447
+ };
5448
+ };
5449
+ /** @description Unauthorized — authentication required or invalid */
5450
+ 401: {
5187
5451
  headers: {
5188
5452
  [name: string]: unknown;
5189
5453
  };
@@ -5209,34 +5473,3787 @@ interface paths {
5209
5473
  };
5210
5474
  };
5211
5475
  };
5212
- put?: never;
5213
- post?: never;
5214
5476
  delete?: never;
5215
5477
  options?: never;
5216
5478
  head?: never;
5217
5479
  patch?: never;
5218
5480
  trace?: never;
5219
5481
  };
5220
- }
5221
-
5222
- /**
5223
- * Type shortcuts over the openapi-typescript-generated `paths` interface.
5224
- *
5225
- * Patterns mirror chain-sdk-v5/src/types.ts: each request/response shape is
5226
- * `Req<path, method>` / `Res<path, method, status>` so callers see named,
5227
- * ergonomic types without losing the single-source-of-truth guarantee — the
5228
- * types are derived from the generated openapi types, not hand-rolled.
5229
- */
5230
-
5231
- type JsonBody<T> = T extends {
5232
- content: {
5233
- 'application/json': infer B;
5234
- };
5482
+ "/v1/account/mfa/totp": {
5483
+ parameters: {
5484
+ query?: never;
5485
+ header?: never;
5486
+ path?: never;
5487
+ cookie?: never;
5488
+ };
5489
+ get?: never;
5490
+ put?: never;
5491
+ post?: never;
5492
+ /**
5493
+ * Disable TOTP and clear recovery codes
5494
+ * @description Wipes the TOTP secret and all recovery codes. The user re-enrolls from scratch with `/enroll`. Future versions of this endpoint will require a recent MFA assertion (step-up) — Thread E of Phase AUTH.
5495
+ */
5496
+ delete: {
5497
+ parameters: {
5498
+ query?: never;
5499
+ header?: never;
5500
+ path?: never;
5501
+ cookie?: never;
5502
+ };
5503
+ requestBody?: never;
5504
+ responses: {
5505
+ /** @description Success */
5506
+ 200: {
5507
+ headers: {
5508
+ [name: string]: unknown;
5509
+ };
5510
+ content: {
5511
+ "application/json": {
5512
+ /** @enum {boolean} */
5513
+ disabled: true;
5514
+ };
5515
+ };
5516
+ };
5517
+ /** @description Unauthorized — authentication required or invalid */
5518
+ 401: {
5519
+ headers: {
5520
+ [name: string]: unknown;
5521
+ };
5522
+ content: {
5523
+ "application/json": {
5524
+ /**
5525
+ * @description HTTP status code
5526
+ * @example 400
5527
+ */
5528
+ statusCode?: number;
5529
+ /**
5530
+ * @description Short error label
5531
+ * @example Bad Request
5532
+ */
5533
+ error?: string;
5534
+ /**
5535
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5536
+ * @example Validation failed
5537
+ */
5538
+ message: string | string[];
5539
+ };
5540
+ };
5541
+ };
5542
+ };
5543
+ };
5544
+ options?: never;
5545
+ head?: never;
5546
+ patch?: never;
5547
+ trace?: never;
5548
+ };
5549
+ "/v1/account/mfa/recovery-codes/regenerate": {
5550
+ parameters: {
5551
+ query?: never;
5552
+ header?: never;
5553
+ path?: never;
5554
+ cookie?: never;
5555
+ };
5556
+ get?: never;
5557
+ put?: never;
5558
+ /**
5559
+ * Generate a fresh set of recovery codes
5560
+ * @description Invalidates the prior set and issues 10 new codes. Future versions will require step-up auth.
5561
+ */
5562
+ post: {
5563
+ parameters: {
5564
+ query?: never;
5565
+ header?: never;
5566
+ path?: never;
5567
+ cookie?: never;
5568
+ };
5569
+ requestBody?: never;
5570
+ responses: {
5571
+ /** @description Success */
5572
+ 200: {
5573
+ headers: {
5574
+ [name: string]: unknown;
5575
+ };
5576
+ content: {
5577
+ "application/json": {
5578
+ /** @description Ten single-use recovery codes. Shown ONCE and never returned again — the user must store them now. Each code is consumed atomically when used in place of a TOTP code at MFA challenge time. */
5579
+ recoveryCodes: string[];
5580
+ };
5581
+ };
5582
+ };
5583
+ /** @description Bad Request — validation failed */
5584
+ 400: {
5585
+ headers: {
5586
+ [name: string]: unknown;
5587
+ };
5588
+ content: {
5589
+ "application/json": {
5590
+ /**
5591
+ * @description HTTP status code
5592
+ * @example 400
5593
+ */
5594
+ statusCode?: number;
5595
+ /**
5596
+ * @description Short error label
5597
+ * @example Bad Request
5598
+ */
5599
+ error?: string;
5600
+ /**
5601
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5602
+ * @example Validation failed
5603
+ */
5604
+ message: string | string[];
5605
+ };
5606
+ };
5607
+ };
5608
+ /** @description Unauthorized — authentication required or invalid */
5609
+ 401: {
5610
+ headers: {
5611
+ [name: string]: unknown;
5612
+ };
5613
+ content: {
5614
+ "application/json": {
5615
+ /**
5616
+ * @description HTTP status code
5617
+ * @example 400
5618
+ */
5619
+ statusCode?: number;
5620
+ /**
5621
+ * @description Short error label
5622
+ * @example Bad Request
5623
+ */
5624
+ error?: string;
5625
+ /**
5626
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5627
+ * @example Validation failed
5628
+ */
5629
+ message: string | string[];
5630
+ };
5631
+ };
5632
+ };
5633
+ };
5634
+ };
5635
+ delete?: never;
5636
+ options?: never;
5637
+ head?: never;
5638
+ patch?: never;
5639
+ trace?: never;
5640
+ };
5641
+ "/health/live": {
5642
+ parameters: {
5643
+ query?: never;
5644
+ header?: never;
5645
+ path?: never;
5646
+ cookie?: never;
5647
+ };
5648
+ /**
5649
+ * Liveness probe
5650
+ * @description Returns 200/`{status:"ok"}` whenever the process is running. Used by Kubernetes to decide whether to restart the pod.
5651
+ */
5652
+ get: {
5653
+ parameters: {
5654
+ query?: never;
5655
+ header?: never;
5656
+ path?: never;
5657
+ cookie?: never;
5658
+ };
5659
+ requestBody?: never;
5660
+ responses: {
5661
+ /** @description Success */
5662
+ 200: {
5663
+ headers: {
5664
+ [name: string]: unknown;
5665
+ };
5666
+ content: {
5667
+ "application/json": {
5668
+ /** @enum {string} */
5669
+ status: "ok";
5670
+ };
5671
+ };
5672
+ };
5673
+ };
5674
+ };
5675
+ put?: never;
5676
+ post?: never;
5677
+ delete?: never;
5678
+ options?: never;
5679
+ head?: never;
5680
+ patch?: never;
5681
+ trace?: never;
5682
+ };
5683
+ "/health/ready": {
5684
+ parameters: {
5685
+ query?: never;
5686
+ header?: never;
5687
+ path?: never;
5688
+ cookie?: never;
5689
+ };
5690
+ /**
5691
+ * Readiness probe
5692
+ * @description Returns 200/`{status:"ok"}` once a trivial `SELECT 1` succeeds against PostgreSQL. 503 if the DB is unreachable.
5693
+ */
5694
+ get: {
5695
+ parameters: {
5696
+ query?: never;
5697
+ header?: never;
5698
+ path?: never;
5699
+ cookie?: never;
5700
+ };
5701
+ requestBody?: never;
5702
+ responses: {
5703
+ /** @description Success */
5704
+ 200: {
5705
+ headers: {
5706
+ [name: string]: unknown;
5707
+ };
5708
+ content: {
5709
+ "application/json": {
5710
+ /** @enum {string} */
5711
+ status: "ok";
5712
+ };
5713
+ };
5714
+ };
5715
+ /** @description Service Unavailable */
5716
+ 503: {
5717
+ headers: {
5718
+ [name: string]: unknown;
5719
+ };
5720
+ content: {
5721
+ "application/json": {
5722
+ /**
5723
+ * @description HTTP status code
5724
+ * @example 400
5725
+ */
5726
+ statusCode?: number;
5727
+ /**
5728
+ * @description Short error label
5729
+ * @example Bad Request
5730
+ */
5731
+ error?: string;
5732
+ /**
5733
+ * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
5734
+ * @example Validation failed
5735
+ */
5736
+ message: string | string[];
5737
+ };
5738
+ };
5739
+ };
5740
+ };
5741
+ };
5742
+ put?: never;
5743
+ post?: never;
5744
+ delete?: never;
5745
+ options?: never;
5746
+ head?: never;
5747
+ patch?: never;
5748
+ trace?: never;
5749
+ };
5750
+ }
5751
+
5752
+ /**
5753
+ * This file was auto-generated by openapi-typescript.
5754
+ * Do not make direct changes to the file.
5755
+ */
5756
+ interface paths {
5757
+ "/v5/contracts/deploy": {
5758
+ parameters: {
5759
+ query?: never;
5760
+ header?: never;
5761
+ path?: never;
5762
+ cookie?: never;
5763
+ };
5764
+ get?: never;
5765
+ put?: never;
5766
+ /**
5767
+ * Deploy a WitnessRegistry v5 contract (Admin)
5768
+ * @description Deploy a v5 contract with owner key + initial signing key. V5 adds optional drand IBE time-lock per witness (see /v5/contracts/{addr}/witnesses/propose).
5769
+ */
5770
+ post: {
5771
+ parameters: {
5772
+ query?: never;
5773
+ header?: never;
5774
+ path?: never;
5775
+ cookie?: never;
5776
+ };
5777
+ requestBody?: {
5778
+ content: {
5779
+ "application/json": {
5780
+ contractId: string;
5781
+ /**
5782
+ * Ed25519PublicKey
5783
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
5784
+ */
5785
+ ownerPublicKey: string;
5786
+ /**
5787
+ * Ed25519PublicKey
5788
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
5789
+ */
5790
+ initialSigningPublicKey: string;
5791
+ strictSeries: boolean;
5792
+ metadata?: {
5793
+ [key: string]: unknown;
5794
+ };
5795
+ };
5796
+ };
5797
+ };
5798
+ responses: {
5799
+ /** @description Success */
5800
+ 200: {
5801
+ headers: {
5802
+ [name: string]: unknown;
5803
+ };
5804
+ content: {
5805
+ "application/json": {
5806
+ /**
5807
+ * @description Ethereum address (0x + 40 hex characters)
5808
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
5809
+ */
5810
+ contractAddress: string;
5811
+ /**
5812
+ * @description Ethereum address (0x + 40 hex characters)
5813
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
5814
+ */
5815
+ walletAddress: string;
5816
+ /**
5817
+ * @description Ethereum transaction hash (0x + 64 hex characters)
5818
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
5819
+ */
5820
+ transactionHash: string;
5821
+ blockNumber: number;
5822
+ contractVersion: string;
5823
+ };
5824
+ };
5825
+ };
5826
+ /** @description Bad Request - Validation failed */
5827
+ 400: {
5828
+ headers: {
5829
+ [name: string]: unknown;
5830
+ };
5831
+ content: {
5832
+ "application/json": {
5833
+ /**
5834
+ * @description Error message
5835
+ * @example Validation failed
5836
+ */
5837
+ error: string;
5838
+ /**
5839
+ * @description Machine-readable error code
5840
+ * @example VALIDATION_FAILED
5841
+ */
5842
+ code?: string;
5843
+ /** @description Field-level validation errors */
5844
+ details?: {
5845
+ [key: string]: string[];
5846
+ };
5847
+ };
5848
+ };
5849
+ };
5850
+ /** @description Unauthorized - Authentication required */
5851
+ 401: {
5852
+ headers: {
5853
+ [name: string]: unknown;
5854
+ };
5855
+ content: {
5856
+ "application/json": {
5857
+ /**
5858
+ * @description Error message
5859
+ * @example Validation failed
5860
+ */
5861
+ error: string;
5862
+ /**
5863
+ * @description Machine-readable error code
5864
+ * @example VALIDATION_FAILED
5865
+ */
5866
+ code?: string;
5867
+ /** @description Field-level validation errors */
5868
+ details?: {
5869
+ [key: string]: string[];
5870
+ };
5871
+ };
5872
+ };
5873
+ };
5874
+ /** @description Internal Server Error */
5875
+ 500: {
5876
+ headers: {
5877
+ [name: string]: unknown;
5878
+ };
5879
+ content: {
5880
+ "application/json": {
5881
+ /**
5882
+ * @description Error message
5883
+ * @example Validation failed
5884
+ */
5885
+ error: string;
5886
+ /**
5887
+ * @description Machine-readable error code
5888
+ * @example VALIDATION_FAILED
5889
+ */
5890
+ code?: string;
5891
+ /** @description Field-level validation errors */
5892
+ details?: {
5893
+ [key: string]: string[];
5894
+ };
5895
+ };
5896
+ };
5897
+ };
5898
+ };
5899
+ };
5900
+ delete?: never;
5901
+ options?: never;
5902
+ head?: never;
5903
+ patch?: never;
5904
+ trace?: never;
5905
+ };
5906
+ "/v5/contracts/{contractAddress}/info": {
5907
+ parameters: {
5908
+ query?: never;
5909
+ header?: never;
5910
+ path?: never;
5911
+ cookie?: never;
5912
+ };
5913
+ /**
5914
+ * Get v5 contract metadata + active signing keys
5915
+ * @description Returns the contract record from chain-api storage: owner key, signing keys (with addedAt/revokedAt block timestamps), strictSeries flag, current pause state, owner nonce, and deployment block. This endpoint reads chain-api storage, not the chain directly — it returns 404 if the contract was deployed outside chain-api.
5916
+ */
5917
+ get: {
5918
+ parameters: {
5919
+ query?: never;
5920
+ header?: never;
5921
+ path: {
5922
+ /** @description Ethereum address (0x + 40 hex characters) */
5923
+ contractAddress: string;
5924
+ };
5925
+ cookie?: never;
5926
+ };
5927
+ requestBody?: never;
5928
+ responses: {
5929
+ /** @description Success */
5930
+ 200: {
5931
+ headers: {
5932
+ [name: string]: unknown;
5933
+ };
5934
+ content: {
5935
+ "application/json": {
5936
+ /**
5937
+ * @description Ethereum address (0x + 40 hex characters)
5938
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
5939
+ */
5940
+ contractAddress: string;
5941
+ contractId: string;
5942
+ contractVersion: string;
5943
+ /**
5944
+ * @description Ethereum address (0x + 40 hex characters)
5945
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
5946
+ */
5947
+ walletAddress: string;
5948
+ /**
5949
+ * Ed25519PublicKey
5950
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
5951
+ */
5952
+ ownerKey: string;
5953
+ strictSeries: boolean;
5954
+ paused: boolean;
5955
+ ownerNonce: number;
5956
+ signingKeys: {
5957
+ /**
5958
+ * Ed25519PublicKey
5959
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
5960
+ */
5961
+ publicKey: string;
5962
+ /** @description block.timestamp at which the signing key was added */
5963
+ addedAt: number;
5964
+ /** @description 0 if active, else block.timestamp at revocation */
5965
+ revokedAt: number;
5966
+ }[];
5967
+ deploymentBlockNumber: number;
5968
+ isActive: boolean;
5969
+ };
5970
+ };
5971
+ };
5972
+ /** @description Not Found */
5973
+ 404: {
5974
+ headers: {
5975
+ [name: string]: unknown;
5976
+ };
5977
+ content: {
5978
+ "application/json": {
5979
+ /**
5980
+ * @description Error message
5981
+ * @example Validation failed
5982
+ */
5983
+ error: string;
5984
+ /**
5985
+ * @description Machine-readable error code
5986
+ * @example VALIDATION_FAILED
5987
+ */
5988
+ code?: string;
5989
+ /** @description Field-level validation errors */
5990
+ details?: {
5991
+ [key: string]: string[];
5992
+ };
5993
+ };
5994
+ };
5995
+ };
5996
+ /** @description Internal Server Error */
5997
+ 500: {
5998
+ headers: {
5999
+ [name: string]: unknown;
6000
+ };
6001
+ content: {
6002
+ "application/json": {
6003
+ /**
6004
+ * @description Error message
6005
+ * @example Validation failed
6006
+ */
6007
+ error: string;
6008
+ /**
6009
+ * @description Machine-readable error code
6010
+ * @example VALIDATION_FAILED
6011
+ */
6012
+ code?: string;
6013
+ /** @description Field-level validation errors */
6014
+ details?: {
6015
+ [key: string]: string[];
6016
+ };
6017
+ };
6018
+ };
6019
+ };
6020
+ };
6021
+ };
6022
+ put?: never;
6023
+ post?: never;
6024
+ delete?: never;
6025
+ options?: never;
6026
+ head?: never;
6027
+ patch?: never;
6028
+ trace?: never;
6029
+ };
6030
+ "/v5/contracts/{contractAddress}/verify": {
6031
+ parameters: {
6032
+ query?: never;
6033
+ header?: never;
6034
+ path?: never;
6035
+ cookie?: never;
6036
+ };
6037
+ /**
6038
+ * Check whether an address has deployed contract bytecode
6039
+ * @description Lightweight existence check: returns `exists: true` if `eth_getCode` returns non-empty bytecode at the address. Does NOT verify the contract is a WitnessRegistry V5 — that requires `/info`.
6040
+ */
6041
+ get: {
6042
+ parameters: {
6043
+ query?: never;
6044
+ header?: never;
6045
+ path: {
6046
+ /** @description Ethereum address (0x + 40 hex characters) */
6047
+ contractAddress: string;
6048
+ };
6049
+ cookie?: never;
6050
+ };
6051
+ requestBody?: never;
6052
+ responses: {
6053
+ /** @description Success */
6054
+ 200: {
6055
+ headers: {
6056
+ [name: string]: unknown;
6057
+ };
6058
+ content: {
6059
+ "application/json": {
6060
+ /**
6061
+ * @description Ethereum address (0x + 40 hex characters)
6062
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
6063
+ */
6064
+ contractAddress: string;
6065
+ /** @description true if the address has deployed bytecode on the chain (any contract). Does NOT verify that the bytecode is a WitnessRegistry V5 — use /info for that. */
6066
+ exists: boolean;
6067
+ };
6068
+ };
6069
+ };
6070
+ /** @description Internal Server Error */
6071
+ 500: {
6072
+ headers: {
6073
+ [name: string]: unknown;
6074
+ };
6075
+ content: {
6076
+ "application/json": {
6077
+ /**
6078
+ * @description Error message
6079
+ * @example Validation failed
6080
+ */
6081
+ error: string;
6082
+ /**
6083
+ * @description Machine-readable error code
6084
+ * @example VALIDATION_FAILED
6085
+ */
6086
+ code?: string;
6087
+ /** @description Field-level validation errors */
6088
+ details?: {
6089
+ [key: string]: string[];
6090
+ };
6091
+ };
6092
+ };
6093
+ };
6094
+ };
6095
+ };
6096
+ put?: never;
6097
+ post?: never;
6098
+ delete?: never;
6099
+ options?: never;
6100
+ head?: never;
6101
+ patch?: never;
6102
+ trace?: never;
6103
+ };
6104
+ "/v5/contracts/{contractAddress}/witnesses/propose": {
6105
+ parameters: {
6106
+ query?: never;
6107
+ header?: never;
6108
+ path?: never;
6109
+ cookie?: never;
6110
+ };
6111
+ get?: never;
6112
+ put?: never;
6113
+ /**
6114
+ * Propose a v5 witness
6115
+ * @description Propose a v5 witness, optionally with a drand IBE time-lock pair (drandRound + tlockCiphertext). Returns intentId + canonical intent payload to sign. Each required signer calls /sign before /finalize. The witnessId is unknown until /finalize completes.
6116
+ */
6117
+ post: {
6118
+ parameters: {
6119
+ query?: never;
6120
+ header?: never;
6121
+ path: {
6122
+ /** @description Ethereum address (0x + 40 hex characters) */
6123
+ contractAddress: string;
6124
+ };
6125
+ cookie?: never;
6126
+ };
6127
+ requestBody?: {
6128
+ content: {
6129
+ "application/json": {
6130
+ /**
6131
+ * DataIdV5
6132
+ * @description SHA256 hash of the witnessed data (64 hex chars)
6133
+ */
6134
+ dataId: string;
6135
+ requiredSigners: string[];
6136
+ /**
6137
+ * UserTimestamp
6138
+ * @description User-asserted event time as ISO 8601 UTC second-precision. Optional; when omitted, the witness has no user timestamp.
6139
+ * @example 2026-05-19T08:14:04Z
6140
+ */
6141
+ userTimestamp?: string;
6142
+ /**
6143
+ * WitnessIdV5
6144
+ * @description 32-byte contract-derived witness identifier (hex, no 0x prefix)
6145
+ */
6146
+ previousWitnessId?: string;
6147
+ metadataCommitment?: string;
6148
+ revealAfter?: number;
6149
+ /**
6150
+ * DrandRound
6151
+ * @description drand quicknet round number (uint64). Must be strictly in the future, and ≥60s away in wall-clock terms.
6152
+ * @example 19000000
6153
+ */
6154
+ drandRound?: number;
6155
+ /**
6156
+ * TlockCiphertext
6157
+ * @description AGE-armored tlock ciphertext, hex-encoded UTF-8. Output of tlock-js `timelockEncrypt`. Max 4096 bytes (8192 hex chars).
6158
+ */
6159
+ tlockCiphertext?: string;
6160
+ /**
6161
+ * Format: uri
6162
+ * @description Valid URL
6163
+ * @example https://example.com/path
6164
+ */
6165
+ callbackUrl?: string;
6166
+ };
6167
+ };
6168
+ };
6169
+ responses: {
6170
+ /** @description Success */
6171
+ 200: {
6172
+ headers: {
6173
+ [name: string]: unknown;
6174
+ };
6175
+ content: {
6176
+ "application/json": {
6177
+ /**
6178
+ * IntentId
6179
+ * Format: uuid
6180
+ * @description UUID issued by chain-api at /propose time. Used to correlate /sign and /finalize calls. Distinct from the witnessId, which is only known once the contract mines the createWitness tx.
6181
+ */
6182
+ intentId: string;
6183
+ witnessNonce: string;
6184
+ /** @description Canonical intent JSON to Ed25519-sign. JSON.stringify({dataId, userTimestamp, nonce, previousWitnessId, requiredSigners, drandRound, tlockCiphertextHash}). drandRound is 0 and tlockCiphertextHash is "0".repeat(64) when no time-lock. */
6185
+ payloadToSign: string;
6186
+ expiresInSeconds: number;
6187
+ requiredSigners: string[];
6188
+ };
6189
+ };
6190
+ };
6191
+ /** @description Bad Request - Validation failed */
6192
+ 400: {
6193
+ headers: {
6194
+ [name: string]: unknown;
6195
+ };
6196
+ content: {
6197
+ "application/json": {
6198
+ /**
6199
+ * @description Error message
6200
+ * @example Validation failed
6201
+ */
6202
+ error: string;
6203
+ /**
6204
+ * @description Machine-readable error code
6205
+ * @example VALIDATION_FAILED
6206
+ */
6207
+ code?: string;
6208
+ /** @description Field-level validation errors */
6209
+ details?: {
6210
+ [key: string]: string[];
6211
+ };
6212
+ };
6213
+ };
6214
+ };
6215
+ /** @description Not Found */
6216
+ 404: {
6217
+ headers: {
6218
+ [name: string]: unknown;
6219
+ };
6220
+ content: {
6221
+ "application/json": {
6222
+ /**
6223
+ * @description Error message
6224
+ * @example Validation failed
6225
+ */
6226
+ error: string;
6227
+ /**
6228
+ * @description Machine-readable error code
6229
+ * @example VALIDATION_FAILED
6230
+ */
6231
+ code?: string;
6232
+ /** @description Field-level validation errors */
6233
+ details?: {
6234
+ [key: string]: string[];
6235
+ };
6236
+ };
6237
+ };
6238
+ };
6239
+ /** @description Conflict */
6240
+ 409: {
6241
+ headers: {
6242
+ [name: string]: unknown;
6243
+ };
6244
+ content: {
6245
+ "application/json": {
6246
+ /**
6247
+ * @description Error message
6248
+ * @example Validation failed
6249
+ */
6250
+ error: string;
6251
+ /**
6252
+ * @description Machine-readable error code
6253
+ * @example VALIDATION_FAILED
6254
+ */
6255
+ code?: string;
6256
+ /** @description Field-level validation errors */
6257
+ details?: {
6258
+ [key: string]: string[];
6259
+ };
6260
+ };
6261
+ };
6262
+ };
6263
+ /** @description Internal Server Error */
6264
+ 500: {
6265
+ headers: {
6266
+ [name: string]: unknown;
6267
+ };
6268
+ content: {
6269
+ "application/json": {
6270
+ /**
6271
+ * @description Error message
6272
+ * @example Validation failed
6273
+ */
6274
+ error: string;
6275
+ /**
6276
+ * @description Machine-readable error code
6277
+ * @example VALIDATION_FAILED
6278
+ */
6279
+ code?: string;
6280
+ /** @description Field-level validation errors */
6281
+ details?: {
6282
+ [key: string]: string[];
6283
+ };
6284
+ };
6285
+ };
6286
+ };
6287
+ };
6288
+ };
6289
+ delete?: never;
6290
+ options?: never;
6291
+ head?: never;
6292
+ patch?: never;
6293
+ trace?: never;
6294
+ };
6295
+ "/v5/contracts/{contractAddress}/witnesses/{intentId}/sign": {
6296
+ parameters: {
6297
+ query?: never;
6298
+ header?: never;
6299
+ path?: never;
6300
+ cookie?: never;
6301
+ };
6302
+ get?: never;
6303
+ put?: never;
6304
+ /**
6305
+ * Submit a signature for a pending v5 witness
6306
+ * @description Each required signer calls this with their pubkey + Ed25519 signature over the canonical intent JSON returned from /propose.
6307
+ */
6308
+ post: {
6309
+ parameters: {
6310
+ query?: never;
6311
+ header?: never;
6312
+ path: {
6313
+ /** @description Ethereum address (0x + 40 hex characters) */
6314
+ contractAddress: string;
6315
+ /** @description UUID issued by chain-api at /propose time. Used to correlate /sign and /finalize calls. Distinct from the witnessId, which is only known once the contract mines the createWitness tx. */
6316
+ intentId: string;
6317
+ };
6318
+ cookie?: never;
6319
+ };
6320
+ requestBody?: {
6321
+ content: {
6322
+ "application/json": {
6323
+ /**
6324
+ * Ed25519PublicKey
6325
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
6326
+ */
6327
+ signerPubKey: string;
6328
+ /**
6329
+ * Ed25519Signature
6330
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
6331
+ */
6332
+ signature: string;
6333
+ };
6334
+ };
6335
+ };
6336
+ responses: {
6337
+ /** @description Success */
6338
+ 200: {
6339
+ headers: {
6340
+ [name: string]: unknown;
6341
+ };
6342
+ content: {
6343
+ "application/json": {
6344
+ signaturesCollected: number;
6345
+ signaturesRequired: number;
6346
+ ready: boolean;
6347
+ };
6348
+ };
6349
+ };
6350
+ /** @description Bad Request - Validation failed */
6351
+ 400: {
6352
+ headers: {
6353
+ [name: string]: unknown;
6354
+ };
6355
+ content: {
6356
+ "application/json": {
6357
+ /**
6358
+ * @description Error message
6359
+ * @example Validation failed
6360
+ */
6361
+ error: string;
6362
+ /**
6363
+ * @description Machine-readable error code
6364
+ * @example VALIDATION_FAILED
6365
+ */
6366
+ code?: string;
6367
+ /** @description Field-level validation errors */
6368
+ details?: {
6369
+ [key: string]: string[];
6370
+ };
6371
+ };
6372
+ };
6373
+ };
6374
+ /** @description Unauthorized - Authentication required */
6375
+ 401: {
6376
+ headers: {
6377
+ [name: string]: unknown;
6378
+ };
6379
+ content: {
6380
+ "application/json": {
6381
+ /**
6382
+ * @description Error message
6383
+ * @example Validation failed
6384
+ */
6385
+ error: string;
6386
+ /**
6387
+ * @description Machine-readable error code
6388
+ * @example VALIDATION_FAILED
6389
+ */
6390
+ code?: string;
6391
+ /** @description Field-level validation errors */
6392
+ details?: {
6393
+ [key: string]: string[];
6394
+ };
6395
+ };
6396
+ };
6397
+ };
6398
+ /** @description Conflict */
6399
+ 409: {
6400
+ headers: {
6401
+ [name: string]: unknown;
6402
+ };
6403
+ content: {
6404
+ "application/json": {
6405
+ /**
6406
+ * @description Error message
6407
+ * @example Validation failed
6408
+ */
6409
+ error: string;
6410
+ /**
6411
+ * @description Machine-readable error code
6412
+ * @example VALIDATION_FAILED
6413
+ */
6414
+ code?: string;
6415
+ /** @description Field-level validation errors */
6416
+ details?: {
6417
+ [key: string]: string[];
6418
+ };
6419
+ };
6420
+ };
6421
+ };
6422
+ /** @description Response */
6423
+ 410: {
6424
+ headers: {
6425
+ [name: string]: unknown;
6426
+ };
6427
+ content: {
6428
+ "application/json": {
6429
+ /**
6430
+ * @description Error message
6431
+ * @example Validation failed
6432
+ */
6433
+ error: string;
6434
+ /**
6435
+ * @description Machine-readable error code
6436
+ * @example VALIDATION_FAILED
6437
+ */
6438
+ code?: string;
6439
+ /** @description Field-level validation errors */
6440
+ details?: {
6441
+ [key: string]: string[];
6442
+ };
6443
+ };
6444
+ };
6445
+ };
6446
+ /** @description Internal Server Error */
6447
+ 500: {
6448
+ headers: {
6449
+ [name: string]: unknown;
6450
+ };
6451
+ content: {
6452
+ "application/json": {
6453
+ /**
6454
+ * @description Error message
6455
+ * @example Validation failed
6456
+ */
6457
+ error: string;
6458
+ /**
6459
+ * @description Machine-readable error code
6460
+ * @example VALIDATION_FAILED
6461
+ */
6462
+ code?: string;
6463
+ /** @description Field-level validation errors */
6464
+ details?: {
6465
+ [key: string]: string[];
6466
+ };
6467
+ };
6468
+ };
6469
+ };
6470
+ };
6471
+ };
6472
+ delete?: never;
6473
+ options?: never;
6474
+ head?: never;
6475
+ patch?: never;
6476
+ trace?: never;
6477
+ };
6478
+ "/v5/contracts/{contractAddress}/witnesses/{intentId}/finalize": {
6479
+ parameters: {
6480
+ query?: never;
6481
+ header?: never;
6482
+ path?: never;
6483
+ cookie?: never;
6484
+ };
6485
+ get?: never;
6486
+ put?: never;
6487
+ /**
6488
+ * Finalize a v5 witness (broadcast + wait for receipt)
6489
+ * @description Broadcasts createWitness and blocks until the tx is mined so the contract-derived witnessId can be returned. Typical latency: 10–15s on Witnium (10s QBFT block period).
6490
+ */
6491
+ post: {
6492
+ parameters: {
6493
+ query?: never;
6494
+ header?: never;
6495
+ path: {
6496
+ /** @description Ethereum address (0x + 40 hex characters) */
6497
+ contractAddress: string;
6498
+ /** @description UUID issued by chain-api at /propose time. Used to correlate /sign and /finalize calls. Distinct from the witnessId, which is only known once the contract mines the createWitness tx. */
6499
+ intentId: string;
6500
+ };
6501
+ cookie?: never;
6502
+ };
6503
+ requestBody?: never;
6504
+ responses: {
6505
+ /** @description Success */
6506
+ 200: {
6507
+ headers: {
6508
+ [name: string]: unknown;
6509
+ };
6510
+ content: {
6511
+ "application/json": {
6512
+ /**
6513
+ * IntentId
6514
+ * Format: uuid
6515
+ * @description UUID issued by chain-api at /propose time. Used to correlate /sign and /finalize calls. Distinct from the witnessId, which is only known once the contract mines the createWitness tx.
6516
+ */
6517
+ intentId: string;
6518
+ /**
6519
+ * WitnessIdV5
6520
+ * @description 32-byte contract-derived witness identifier (hex, no 0x prefix)
6521
+ */
6522
+ witnessId: string;
6523
+ /**
6524
+ * @description Ethereum transaction hash (0x + 64 hex characters)
6525
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
6526
+ */
6527
+ transactionHash: string;
6528
+ blockNumber: number;
6529
+ /** @description block.timestamp at the block that included the createWitness tx — this is the value the contract used as chainTimestamp when deriving the witnessId. */
6530
+ chainTimestamp: number;
6531
+ /** @description drand round encoded in the witness (0 when not time-locked). */
6532
+ drandRound: number;
6533
+ status: string;
6534
+ };
6535
+ };
6536
+ };
6537
+ /** @description Conflict */
6538
+ 409: {
6539
+ headers: {
6540
+ [name: string]: unknown;
6541
+ };
6542
+ content: {
6543
+ "application/json": {
6544
+ /**
6545
+ * @description Error message
6546
+ * @example Validation failed
6547
+ */
6548
+ error: string;
6549
+ /**
6550
+ * @description Machine-readable error code
6551
+ * @example VALIDATION_FAILED
6552
+ */
6553
+ code?: string;
6554
+ /** @description Field-level validation errors */
6555
+ details?: {
6556
+ [key: string]: string[];
6557
+ };
6558
+ };
6559
+ };
6560
+ };
6561
+ /** @description Response */
6562
+ 410: {
6563
+ headers: {
6564
+ [name: string]: unknown;
6565
+ };
6566
+ content: {
6567
+ "application/json": {
6568
+ /**
6569
+ * @description Error message
6570
+ * @example Validation failed
6571
+ */
6572
+ error: string;
6573
+ /**
6574
+ * @description Machine-readable error code
6575
+ * @example VALIDATION_FAILED
6576
+ */
6577
+ code?: string;
6578
+ /** @description Field-level validation errors */
6579
+ details?: {
6580
+ [key: string]: string[];
6581
+ };
6582
+ };
6583
+ };
6584
+ };
6585
+ /** @description Internal Server Error */
6586
+ 500: {
6587
+ headers: {
6588
+ [name: string]: unknown;
6589
+ };
6590
+ content: {
6591
+ "application/json": {
6592
+ /**
6593
+ * @description Error message
6594
+ * @example Validation failed
6595
+ */
6596
+ error: string;
6597
+ /**
6598
+ * @description Machine-readable error code
6599
+ * @example VALIDATION_FAILED
6600
+ */
6601
+ code?: string;
6602
+ /** @description Field-level validation errors */
6603
+ details?: {
6604
+ [key: string]: string[];
6605
+ };
6606
+ };
6607
+ };
6608
+ };
6609
+ };
6610
+ };
6611
+ delete?: never;
6612
+ options?: never;
6613
+ head?: never;
6614
+ patch?: never;
6615
+ trace?: never;
6616
+ };
6617
+ "/v5/contracts/{contractAddress}/witnesses/{witnessId}/revoke": {
6618
+ parameters: {
6619
+ query?: never;
6620
+ header?: never;
6621
+ path?: never;
6622
+ cookie?: never;
6623
+ };
6624
+ get?: never;
6625
+ put?: never;
6626
+ /** Revoke a v5 witness (tombstone) */
6627
+ post: {
6628
+ parameters: {
6629
+ query?: never;
6630
+ header?: never;
6631
+ path: {
6632
+ /** @description Ethereum address (0x + 40 hex characters) */
6633
+ contractAddress: string;
6634
+ /** @description 32-byte contract-derived witness identifier (hex, no 0x prefix) */
6635
+ witnessId: string;
6636
+ };
6637
+ cookie?: never;
6638
+ };
6639
+ requestBody?: {
6640
+ content: {
6641
+ "application/json": {
6642
+ reasonHash: string;
6643
+ /**
6644
+ * Ed25519PublicKey
6645
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
6646
+ */
6647
+ revokerPubKey: string;
6648
+ /**
6649
+ * Ed25519Signature
6650
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
6651
+ */
6652
+ revokerSignature: string;
6653
+ };
6654
+ };
6655
+ };
6656
+ responses: {
6657
+ /** @description Success */
6658
+ 200: {
6659
+ headers: {
6660
+ [name: string]: unknown;
6661
+ };
6662
+ content: {
6663
+ "application/json": {
6664
+ /**
6665
+ * @description Ethereum transaction hash (0x + 64 hex characters)
6666
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
6667
+ */
6668
+ transactionHash: string;
6669
+ };
6670
+ };
6671
+ };
6672
+ /** @description Bad Request - Validation failed */
6673
+ 400: {
6674
+ headers: {
6675
+ [name: string]: unknown;
6676
+ };
6677
+ content: {
6678
+ "application/json": {
6679
+ /**
6680
+ * @description Error message
6681
+ * @example Validation failed
6682
+ */
6683
+ error: string;
6684
+ /**
6685
+ * @description Machine-readable error code
6686
+ * @example VALIDATION_FAILED
6687
+ */
6688
+ code?: string;
6689
+ /** @description Field-level validation errors */
6690
+ details?: {
6691
+ [key: string]: string[];
6692
+ };
6693
+ };
6694
+ };
6695
+ };
6696
+ /** @description Unauthorized - Authentication required */
6697
+ 401: {
6698
+ headers: {
6699
+ [name: string]: unknown;
6700
+ };
6701
+ content: {
6702
+ "application/json": {
6703
+ /**
6704
+ * @description Error message
6705
+ * @example Validation failed
6706
+ */
6707
+ error: string;
6708
+ /**
6709
+ * @description Machine-readable error code
6710
+ * @example VALIDATION_FAILED
6711
+ */
6712
+ code?: string;
6713
+ /** @description Field-level validation errors */
6714
+ details?: {
6715
+ [key: string]: string[];
6716
+ };
6717
+ };
6718
+ };
6719
+ };
6720
+ /** @description Conflict */
6721
+ 409: {
6722
+ headers: {
6723
+ [name: string]: unknown;
6724
+ };
6725
+ content: {
6726
+ "application/json": {
6727
+ /**
6728
+ * @description Error message
6729
+ * @example Validation failed
6730
+ */
6731
+ error: string;
6732
+ /**
6733
+ * @description Machine-readable error code
6734
+ * @example VALIDATION_FAILED
6735
+ */
6736
+ code?: string;
6737
+ /** @description Field-level validation errors */
6738
+ details?: {
6739
+ [key: string]: string[];
6740
+ };
6741
+ };
6742
+ };
6743
+ };
6744
+ /** @description Internal Server Error */
6745
+ 500: {
6746
+ headers: {
6747
+ [name: string]: unknown;
6748
+ };
6749
+ content: {
6750
+ "application/json": {
6751
+ /**
6752
+ * @description Error message
6753
+ * @example Validation failed
6754
+ */
6755
+ error: string;
6756
+ /**
6757
+ * @description Machine-readable error code
6758
+ * @example VALIDATION_FAILED
6759
+ */
6760
+ code?: string;
6761
+ /** @description Field-level validation errors */
6762
+ details?: {
6763
+ [key: string]: string[];
6764
+ };
6765
+ };
6766
+ };
6767
+ };
6768
+ };
6769
+ };
6770
+ delete?: never;
6771
+ options?: never;
6772
+ head?: never;
6773
+ patch?: never;
6774
+ trace?: never;
6775
+ };
6776
+ "/v5/contracts/{contractAddress}/keys": {
6777
+ parameters: {
6778
+ query?: never;
6779
+ header?: never;
6780
+ path?: never;
6781
+ cookie?: never;
6782
+ };
6783
+ get?: never;
6784
+ put?: never;
6785
+ /**
6786
+ * Add a signing key (owner-signed)
6787
+ * @description Add a new Ed25519 signing key to the contract. Payload is owner-signed; the bytes signed are the canonical JSON `{op:1, contract, nonce, newKey}` (UTF-8, no whitespace). The Admin bearer token authenticates the caller (typically the accounts service forwarding the owner-signed payload). Owner-op `op` codes (numeric, match on-chain): 1=addSigningKey, 2=revokeSigningKey, 3=pause, 4=unpause.
6788
+ */
6789
+ post: {
6790
+ parameters: {
6791
+ query?: never;
6792
+ header?: never;
6793
+ path: {
6794
+ /** @description Ethereum address (0x + 40 hex characters) */
6795
+ contractAddress: string;
6796
+ };
6797
+ cookie?: never;
6798
+ };
6799
+ requestBody?: {
6800
+ content: {
6801
+ "application/json": {
6802
+ /**
6803
+ * Ed25519PublicKey
6804
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
6805
+ */
6806
+ newKey: string;
6807
+ /** @description Monotonic owner nonce. Read the current value from /v5/contracts/{addr}/info as `ownerNonce`, then use `ownerNonce + 1` here. */
6808
+ ownerNonce: number;
6809
+ /**
6810
+ * Ed25519Signature
6811
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
6812
+ */
6813
+ ownerSignature: string;
6814
+ };
6815
+ };
6816
+ };
6817
+ responses: {
6818
+ /** @description Success */
6819
+ 200: {
6820
+ headers: {
6821
+ [name: string]: unknown;
6822
+ };
6823
+ content: {
6824
+ "application/json": {
6825
+ /**
6826
+ * @description Ethereum transaction hash (0x + 64 hex characters)
6827
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
6828
+ */
6829
+ transactionHash: string;
6830
+ };
6831
+ };
6832
+ };
6833
+ /** @description Bad Request - Validation failed */
6834
+ 400: {
6835
+ headers: {
6836
+ [name: string]: unknown;
6837
+ };
6838
+ content: {
6839
+ "application/json": {
6840
+ /**
6841
+ * @description Error message
6842
+ * @example Validation failed
6843
+ */
6844
+ error: string;
6845
+ /**
6846
+ * @description Machine-readable error code
6847
+ * @example VALIDATION_FAILED
6848
+ */
6849
+ code?: string;
6850
+ /** @description Field-level validation errors */
6851
+ details?: {
6852
+ [key: string]: string[];
6853
+ };
6854
+ };
6855
+ };
6856
+ };
6857
+ /** @description Unauthorized - Authentication required */
6858
+ 401: {
6859
+ headers: {
6860
+ [name: string]: unknown;
6861
+ };
6862
+ content: {
6863
+ "application/json": {
6864
+ /**
6865
+ * @description Error message
6866
+ * @example Validation failed
6867
+ */
6868
+ error: string;
6869
+ /**
6870
+ * @description Machine-readable error code
6871
+ * @example VALIDATION_FAILED
6872
+ */
6873
+ code?: string;
6874
+ /** @description Field-level validation errors */
6875
+ details?: {
6876
+ [key: string]: string[];
6877
+ };
6878
+ };
6879
+ };
6880
+ };
6881
+ /** @description Conflict */
6882
+ 409: {
6883
+ headers: {
6884
+ [name: string]: unknown;
6885
+ };
6886
+ content: {
6887
+ "application/json": {
6888
+ /**
6889
+ * @description Error message
6890
+ * @example Validation failed
6891
+ */
6892
+ error: string;
6893
+ /**
6894
+ * @description Machine-readable error code
6895
+ * @example VALIDATION_FAILED
6896
+ */
6897
+ code?: string;
6898
+ /** @description Field-level validation errors */
6899
+ details?: {
6900
+ [key: string]: string[];
6901
+ };
6902
+ };
6903
+ };
6904
+ };
6905
+ /** @description Internal Server Error */
6906
+ 500: {
6907
+ headers: {
6908
+ [name: string]: unknown;
6909
+ };
6910
+ content: {
6911
+ "application/json": {
6912
+ /**
6913
+ * @description Error message
6914
+ * @example Validation failed
6915
+ */
6916
+ error: string;
6917
+ /**
6918
+ * @description Machine-readable error code
6919
+ * @example VALIDATION_FAILED
6920
+ */
6921
+ code?: string;
6922
+ /** @description Field-level validation errors */
6923
+ details?: {
6924
+ [key: string]: string[];
6925
+ };
6926
+ };
6927
+ };
6928
+ };
6929
+ };
6930
+ };
6931
+ delete?: never;
6932
+ options?: never;
6933
+ head?: never;
6934
+ patch?: never;
6935
+ trace?: never;
6936
+ };
6937
+ "/v5/contracts/{contractAddress}/keys/revoke": {
6938
+ parameters: {
6939
+ query?: never;
6940
+ header?: never;
6941
+ path?: never;
6942
+ cookie?: never;
6943
+ };
6944
+ get?: never;
6945
+ put?: never;
6946
+ /**
6947
+ * Revoke a signing key (owner-signed)
6948
+ * @description Revoke an existing Ed25519 signing key. Once revoked, the key cannot create new witnesses but previously-created witnesses are unaffected. The bytes signed are the canonical JSON `{op:2, contract, nonce, key}` (UTF-8, no whitespace). Owner-op `op` codes (numeric, match on-chain): 1=addSigningKey, 2=revokeSigningKey, 3=pause, 4=unpause.
6949
+ */
6950
+ post: {
6951
+ parameters: {
6952
+ query?: never;
6953
+ header?: never;
6954
+ path: {
6955
+ /** @description Ethereum address (0x + 40 hex characters) */
6956
+ contractAddress: string;
6957
+ };
6958
+ cookie?: never;
6959
+ };
6960
+ requestBody?: {
6961
+ content: {
6962
+ "application/json": {
6963
+ /**
6964
+ * Ed25519PublicKey
6965
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
6966
+ */
6967
+ keyToRevoke: string;
6968
+ ownerNonce: number;
6969
+ /**
6970
+ * Ed25519Signature
6971
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
6972
+ */
6973
+ ownerSignature: string;
6974
+ };
6975
+ };
6976
+ };
6977
+ responses: {
6978
+ /** @description Success */
6979
+ 200: {
6980
+ headers: {
6981
+ [name: string]: unknown;
6982
+ };
6983
+ content: {
6984
+ "application/json": {
6985
+ /**
6986
+ * @description Ethereum transaction hash (0x + 64 hex characters)
6987
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
6988
+ */
6989
+ transactionHash: string;
6990
+ };
6991
+ };
6992
+ };
6993
+ /** @description Bad Request - Validation failed */
6994
+ 400: {
6995
+ headers: {
6996
+ [name: string]: unknown;
6997
+ };
6998
+ content: {
6999
+ "application/json": {
7000
+ /**
7001
+ * @description Error message
7002
+ * @example Validation failed
7003
+ */
7004
+ error: string;
7005
+ /**
7006
+ * @description Machine-readable error code
7007
+ * @example VALIDATION_FAILED
7008
+ */
7009
+ code?: string;
7010
+ /** @description Field-level validation errors */
7011
+ details?: {
7012
+ [key: string]: string[];
7013
+ };
7014
+ };
7015
+ };
7016
+ };
7017
+ /** @description Unauthorized - Authentication required */
7018
+ 401: {
7019
+ headers: {
7020
+ [name: string]: unknown;
7021
+ };
7022
+ content: {
7023
+ "application/json": {
7024
+ /**
7025
+ * @description Error message
7026
+ * @example Validation failed
7027
+ */
7028
+ error: string;
7029
+ /**
7030
+ * @description Machine-readable error code
7031
+ * @example VALIDATION_FAILED
7032
+ */
7033
+ code?: string;
7034
+ /** @description Field-level validation errors */
7035
+ details?: {
7036
+ [key: string]: string[];
7037
+ };
7038
+ };
7039
+ };
7040
+ };
7041
+ /** @description Conflict */
7042
+ 409: {
7043
+ headers: {
7044
+ [name: string]: unknown;
7045
+ };
7046
+ content: {
7047
+ "application/json": {
7048
+ /**
7049
+ * @description Error message
7050
+ * @example Validation failed
7051
+ */
7052
+ error: string;
7053
+ /**
7054
+ * @description Machine-readable error code
7055
+ * @example VALIDATION_FAILED
7056
+ */
7057
+ code?: string;
7058
+ /** @description Field-level validation errors */
7059
+ details?: {
7060
+ [key: string]: string[];
7061
+ };
7062
+ };
7063
+ };
7064
+ };
7065
+ /** @description Internal Server Error */
7066
+ 500: {
7067
+ headers: {
7068
+ [name: string]: unknown;
7069
+ };
7070
+ content: {
7071
+ "application/json": {
7072
+ /**
7073
+ * @description Error message
7074
+ * @example Validation failed
7075
+ */
7076
+ error: string;
7077
+ /**
7078
+ * @description Machine-readable error code
7079
+ * @example VALIDATION_FAILED
7080
+ */
7081
+ code?: string;
7082
+ /** @description Field-level validation errors */
7083
+ details?: {
7084
+ [key: string]: string[];
7085
+ };
7086
+ };
7087
+ };
7088
+ };
7089
+ };
7090
+ };
7091
+ delete?: never;
7092
+ options?: never;
7093
+ head?: never;
7094
+ patch?: never;
7095
+ trace?: never;
7096
+ };
7097
+ "/v5/contracts/{contractAddress}/pause": {
7098
+ parameters: {
7099
+ query?: never;
7100
+ header?: never;
7101
+ path?: never;
7102
+ cookie?: never;
7103
+ };
7104
+ get?: never;
7105
+ put?: never;
7106
+ /**
7107
+ * Pause a contract (owner-signed)
7108
+ * @description Pause witness creation on the contract. While paused, /propose/sign/finalize reject. Reads continue to work. Pair with /unpause to resume. The bytes signed are the canonical JSON `{op:3, contract, nonce}` (UTF-8, no whitespace). Owner-op `op` codes (numeric, match on-chain): 1=addSigningKey, 2=revokeSigningKey, 3=pause, 4=unpause.
7109
+ */
7110
+ post: {
7111
+ parameters: {
7112
+ query?: never;
7113
+ header?: never;
7114
+ path: {
7115
+ /** @description Ethereum address (0x + 40 hex characters) */
7116
+ contractAddress: string;
7117
+ };
7118
+ cookie?: never;
7119
+ };
7120
+ requestBody?: {
7121
+ content: {
7122
+ "application/json": {
7123
+ ownerNonce: number;
7124
+ /**
7125
+ * Ed25519Signature
7126
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
7127
+ */
7128
+ ownerSignature: string;
7129
+ };
7130
+ };
7131
+ };
7132
+ responses: {
7133
+ /** @description Success */
7134
+ 200: {
7135
+ headers: {
7136
+ [name: string]: unknown;
7137
+ };
7138
+ content: {
7139
+ "application/json": {
7140
+ /**
7141
+ * @description Ethereum transaction hash (0x + 64 hex characters)
7142
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
7143
+ */
7144
+ transactionHash: string;
7145
+ };
7146
+ };
7147
+ };
7148
+ /** @description Bad Request - Validation failed */
7149
+ 400: {
7150
+ headers: {
7151
+ [name: string]: unknown;
7152
+ };
7153
+ content: {
7154
+ "application/json": {
7155
+ /**
7156
+ * @description Error message
7157
+ * @example Validation failed
7158
+ */
7159
+ error: string;
7160
+ /**
7161
+ * @description Machine-readable error code
7162
+ * @example VALIDATION_FAILED
7163
+ */
7164
+ code?: string;
7165
+ /** @description Field-level validation errors */
7166
+ details?: {
7167
+ [key: string]: string[];
7168
+ };
7169
+ };
7170
+ };
7171
+ };
7172
+ /** @description Unauthorized - Authentication required */
7173
+ 401: {
7174
+ headers: {
7175
+ [name: string]: unknown;
7176
+ };
7177
+ content: {
7178
+ "application/json": {
7179
+ /**
7180
+ * @description Error message
7181
+ * @example Validation failed
7182
+ */
7183
+ error: string;
7184
+ /**
7185
+ * @description Machine-readable error code
7186
+ * @example VALIDATION_FAILED
7187
+ */
7188
+ code?: string;
7189
+ /** @description Field-level validation errors */
7190
+ details?: {
7191
+ [key: string]: string[];
7192
+ };
7193
+ };
7194
+ };
7195
+ };
7196
+ /** @description Conflict */
7197
+ 409: {
7198
+ headers: {
7199
+ [name: string]: unknown;
7200
+ };
7201
+ content: {
7202
+ "application/json": {
7203
+ /**
7204
+ * @description Error message
7205
+ * @example Validation failed
7206
+ */
7207
+ error: string;
7208
+ /**
7209
+ * @description Machine-readable error code
7210
+ * @example VALIDATION_FAILED
7211
+ */
7212
+ code?: string;
7213
+ /** @description Field-level validation errors */
7214
+ details?: {
7215
+ [key: string]: string[];
7216
+ };
7217
+ };
7218
+ };
7219
+ };
7220
+ /** @description Internal Server Error */
7221
+ 500: {
7222
+ headers: {
7223
+ [name: string]: unknown;
7224
+ };
7225
+ content: {
7226
+ "application/json": {
7227
+ /**
7228
+ * @description Error message
7229
+ * @example Validation failed
7230
+ */
7231
+ error: string;
7232
+ /**
7233
+ * @description Machine-readable error code
7234
+ * @example VALIDATION_FAILED
7235
+ */
7236
+ code?: string;
7237
+ /** @description Field-level validation errors */
7238
+ details?: {
7239
+ [key: string]: string[];
7240
+ };
7241
+ };
7242
+ };
7243
+ };
7244
+ };
7245
+ };
7246
+ delete?: never;
7247
+ options?: never;
7248
+ head?: never;
7249
+ patch?: never;
7250
+ trace?: never;
7251
+ };
7252
+ "/v5/contracts/{contractAddress}/unpause": {
7253
+ parameters: {
7254
+ query?: never;
7255
+ header?: never;
7256
+ path?: never;
7257
+ cookie?: never;
7258
+ };
7259
+ get?: never;
7260
+ put?: never;
7261
+ /**
7262
+ * Unpause a contract (owner-signed)
7263
+ * @description Inverse of /pause. The bytes signed are the canonical JSON `{op:4, contract, nonce}` (UTF-8, no whitespace). Owner-op `op` codes (numeric, match on-chain): 1=addSigningKey, 2=revokeSigningKey, 3=pause, 4=unpause.
7264
+ */
7265
+ post: {
7266
+ parameters: {
7267
+ query?: never;
7268
+ header?: never;
7269
+ path: {
7270
+ /** @description Ethereum address (0x + 40 hex characters) */
7271
+ contractAddress: string;
7272
+ };
7273
+ cookie?: never;
7274
+ };
7275
+ requestBody?: {
7276
+ content: {
7277
+ "application/json": {
7278
+ ownerNonce: number;
7279
+ /**
7280
+ * Ed25519Signature
7281
+ * @description 64-byte Ed25519 signature (hex, no 0x prefix)
7282
+ */
7283
+ ownerSignature: string;
7284
+ };
7285
+ };
7286
+ };
7287
+ responses: {
7288
+ /** @description Success */
7289
+ 200: {
7290
+ headers: {
7291
+ [name: string]: unknown;
7292
+ };
7293
+ content: {
7294
+ "application/json": {
7295
+ /**
7296
+ * @description Ethereum transaction hash (0x + 64 hex characters)
7297
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
7298
+ */
7299
+ transactionHash: string;
7300
+ };
7301
+ };
7302
+ };
7303
+ /** @description Bad Request - Validation failed */
7304
+ 400: {
7305
+ headers: {
7306
+ [name: string]: unknown;
7307
+ };
7308
+ content: {
7309
+ "application/json": {
7310
+ /**
7311
+ * @description Error message
7312
+ * @example Validation failed
7313
+ */
7314
+ error: string;
7315
+ /**
7316
+ * @description Machine-readable error code
7317
+ * @example VALIDATION_FAILED
7318
+ */
7319
+ code?: string;
7320
+ /** @description Field-level validation errors */
7321
+ details?: {
7322
+ [key: string]: string[];
7323
+ };
7324
+ };
7325
+ };
7326
+ };
7327
+ /** @description Unauthorized - Authentication required */
7328
+ 401: {
7329
+ headers: {
7330
+ [name: string]: unknown;
7331
+ };
7332
+ content: {
7333
+ "application/json": {
7334
+ /**
7335
+ * @description Error message
7336
+ * @example Validation failed
7337
+ */
7338
+ error: string;
7339
+ /**
7340
+ * @description Machine-readable error code
7341
+ * @example VALIDATION_FAILED
7342
+ */
7343
+ code?: string;
7344
+ /** @description Field-level validation errors */
7345
+ details?: {
7346
+ [key: string]: string[];
7347
+ };
7348
+ };
7349
+ };
7350
+ };
7351
+ /** @description Conflict */
7352
+ 409: {
7353
+ headers: {
7354
+ [name: string]: unknown;
7355
+ };
7356
+ content: {
7357
+ "application/json": {
7358
+ /**
7359
+ * @description Error message
7360
+ * @example Validation failed
7361
+ */
7362
+ error: string;
7363
+ /**
7364
+ * @description Machine-readable error code
7365
+ * @example VALIDATION_FAILED
7366
+ */
7367
+ code?: string;
7368
+ /** @description Field-level validation errors */
7369
+ details?: {
7370
+ [key: string]: string[];
7371
+ };
7372
+ };
7373
+ };
7374
+ };
7375
+ /** @description Internal Server Error */
7376
+ 500: {
7377
+ headers: {
7378
+ [name: string]: unknown;
7379
+ };
7380
+ content: {
7381
+ "application/json": {
7382
+ /**
7383
+ * @description Error message
7384
+ * @example Validation failed
7385
+ */
7386
+ error: string;
7387
+ /**
7388
+ * @description Machine-readable error code
7389
+ * @example VALIDATION_FAILED
7390
+ */
7391
+ code?: string;
7392
+ /** @description Field-level validation errors */
7393
+ details?: {
7394
+ [key: string]: string[];
7395
+ };
7396
+ };
7397
+ };
7398
+ };
7399
+ };
7400
+ };
7401
+ delete?: never;
7402
+ options?: never;
7403
+ head?: never;
7404
+ patch?: never;
7405
+ trace?: never;
7406
+ };
7407
+ "/v5/contracts/{contractAddress}/witnesses": {
7408
+ parameters: {
7409
+ query?: never;
7410
+ header?: never;
7411
+ path?: never;
7412
+ cookie?: never;
7413
+ };
7414
+ /**
7415
+ * List v5 witnesses (optionally filtered by dataId)
7416
+ * @description Scans the WitnessCreated event log from contract deployment to head. The v5 event adds drandRound — non-zero means the witness carries a drand IBE ciphertext decryptable at that round. Query the full witness via /get for the ciphertext bytes.
7417
+ */
7418
+ get: {
7419
+ parameters: {
7420
+ query?: {
7421
+ dataId?: string;
7422
+ limit?: number;
7423
+ offset?: number | null;
7424
+ };
7425
+ header?: never;
7426
+ path: {
7427
+ /** @description Ethereum address (0x + 40 hex characters) */
7428
+ contractAddress: string;
7429
+ };
7430
+ cookie?: never;
7431
+ };
7432
+ requestBody?: never;
7433
+ responses: {
7434
+ /** @description Success */
7435
+ 200: {
7436
+ headers: {
7437
+ [name: string]: unknown;
7438
+ };
7439
+ content: {
7440
+ "application/json": {
7441
+ witnesses: {
7442
+ /**
7443
+ * WitnessIdV5
7444
+ * @description 32-byte contract-derived witness identifier (hex, no 0x prefix)
7445
+ */
7446
+ witnessId: string;
7447
+ dataId: string;
7448
+ timestamp: number;
7449
+ blockNumber: number;
7450
+ previousWitnessId: string | null;
7451
+ signerCount: number;
7452
+ timeLocked: boolean;
7453
+ hasUserTimestamp: boolean;
7454
+ drandRound: number;
7455
+ }[];
7456
+ hasMore: boolean;
7457
+ totalReturned: number;
7458
+ };
7459
+ };
7460
+ };
7461
+ /** @description Not Found */
7462
+ 404: {
7463
+ headers: {
7464
+ [name: string]: unknown;
7465
+ };
7466
+ content: {
7467
+ "application/json": {
7468
+ /**
7469
+ * @description Error message
7470
+ * @example Validation failed
7471
+ */
7472
+ error: string;
7473
+ /**
7474
+ * @description Machine-readable error code
7475
+ * @example VALIDATION_FAILED
7476
+ */
7477
+ code?: string;
7478
+ /** @description Field-level validation errors */
7479
+ details?: {
7480
+ [key: string]: string[];
7481
+ };
7482
+ };
7483
+ };
7484
+ };
7485
+ /** @description Internal Server Error */
7486
+ 500: {
7487
+ headers: {
7488
+ [name: string]: unknown;
7489
+ };
7490
+ content: {
7491
+ "application/json": {
7492
+ /**
7493
+ * @description Error message
7494
+ * @example Validation failed
7495
+ */
7496
+ error: string;
7497
+ /**
7498
+ * @description Machine-readable error code
7499
+ * @example VALIDATION_FAILED
7500
+ */
7501
+ code?: string;
7502
+ /** @description Field-level validation errors */
7503
+ details?: {
7504
+ [key: string]: string[];
7505
+ };
7506
+ };
7507
+ };
7508
+ };
7509
+ };
7510
+ };
7511
+ put?: never;
7512
+ post?: never;
7513
+ delete?: never;
7514
+ options?: never;
7515
+ head?: never;
7516
+ patch?: never;
7517
+ trace?: never;
7518
+ };
7519
+ "/v5/contracts/{contractAddress}/witnesses/{witnessId}": {
7520
+ parameters: {
7521
+ query?: never;
7522
+ header?: never;
7523
+ path?: never;
7524
+ cookie?: never;
7525
+ };
7526
+ /**
7527
+ * Get a single v5 witness by ID
7528
+ * @description Returns the full on-chain witness record. For time-locked witnesses (drandRound != 0), the `tlockCiphertext` is returned as hex-encoded AGE-armored bytes; decrypt it via MCP `reveal_witness` after the drand round publishes.
7529
+ */
7530
+ get: {
7531
+ parameters: {
7532
+ query?: never;
7533
+ header?: never;
7534
+ path: {
7535
+ /** @description Ethereum address (0x + 40 hex characters) */
7536
+ contractAddress: string;
7537
+ /** @description 32-byte contract-derived witness identifier (hex, no 0x prefix) */
7538
+ witnessId: string;
7539
+ };
7540
+ cookie?: never;
7541
+ };
7542
+ requestBody?: never;
7543
+ responses: {
7544
+ /** @description Success */
7545
+ 200: {
7546
+ headers: {
7547
+ [name: string]: unknown;
7548
+ };
7549
+ content: {
7550
+ "application/json": {
7551
+ /**
7552
+ * WitnessIdV5
7553
+ * @description 32-byte contract-derived witness identifier (hex, no 0x prefix)
7554
+ */
7555
+ witnessId: string;
7556
+ /** @description SHA256 of the witnessed data, as 64 hex chars. */
7557
+ dataId: string;
7558
+ /** @description block.timestamp at the block that created the witness */
7559
+ timestamp: number;
7560
+ blockNumber: number;
7561
+ /** @description Witness ID this witness chains from, or null. Used by strictSeries contracts to enforce a single linear chain. */
7562
+ previousWitnessId: string | null;
7563
+ /** @description Per-witness nonce (64 hex chars). Generated by chain-api at /propose time. */
7564
+ nonce: string;
7565
+ /** @description 32-byte commitment to off-chain metadata, or "0".repeat(64) if none. */
7566
+ metadataCommitment: string;
7567
+ /** @description Legacy time-lock unix timestamp from V3/V4 — left for shape compatibility. For real time-lock use `drandRound` + `tlockCiphertext` instead. */
7568
+ revealAfter: number;
7569
+ /** @description User-asserted event time as ISO 8601 UTC second-precision, or "" if none was supplied at propose time. */
7570
+ userTimestamp: string;
7571
+ /** @description 0 if active, else block.timestamp at revocation. */
7572
+ revokedAt: number;
7573
+ /** @description 32-byte hash of the revocation reason, or "0".repeat(64) if never revoked. */
7574
+ revokedReason: string;
7575
+ /** @description true if `revealAfter` is set and still in the future. Sealed witnesses redact `userTimestamp` to "". Not related to drand time-lock. */
7576
+ sealed: boolean;
7577
+ exists: boolean;
7578
+ /** @description drand quicknet round at which `tlockCiphertext` becomes decryptable. 0 means the witness is not drand-time-locked. */
7579
+ drandRound: number;
7580
+ /** @description AGE-armored ciphertext, hex-encoded UTF-8. Empty string when the witness is not drand-time-locked. Decrypt via MCP `reveal_witness` after `drandRound` has published. */
7581
+ tlockCiphertext: string;
7582
+ signers: {
7583
+ /**
7584
+ * Ed25519PublicKey
7585
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
7586
+ */
7587
+ pubKey: string;
7588
+ /** @description R component of the Ed25519 signature, 32 hex chars. */
7589
+ sigR: string;
7590
+ /** @description S component of the Ed25519 signature, 32 hex chars. */
7591
+ sigS: string;
7592
+ }[];
7593
+ };
7594
+ };
7595
+ };
7596
+ /** @description Not Found */
7597
+ 404: {
7598
+ headers: {
7599
+ [name: string]: unknown;
7600
+ };
7601
+ content: {
7602
+ "application/json": {
7603
+ /**
7604
+ * @description Error message
7605
+ * @example Validation failed
7606
+ */
7607
+ error: string;
7608
+ /**
7609
+ * @description Machine-readable error code
7610
+ * @example VALIDATION_FAILED
7611
+ */
7612
+ code?: string;
7613
+ /** @description Field-level validation errors */
7614
+ details?: {
7615
+ [key: string]: string[];
7616
+ };
7617
+ };
7618
+ };
7619
+ };
7620
+ /** @description Internal Server Error */
7621
+ 500: {
7622
+ headers: {
7623
+ [name: string]: unknown;
7624
+ };
7625
+ content: {
7626
+ "application/json": {
7627
+ /**
7628
+ * @description Error message
7629
+ * @example Validation failed
7630
+ */
7631
+ error: string;
7632
+ /**
7633
+ * @description Machine-readable error code
7634
+ * @example VALIDATION_FAILED
7635
+ */
7636
+ code?: string;
7637
+ /** @description Field-level validation errors */
7638
+ details?: {
7639
+ [key: string]: string[];
7640
+ };
7641
+ };
7642
+ };
7643
+ };
7644
+ };
7645
+ };
7646
+ put?: never;
7647
+ post?: never;
7648
+ delete?: never;
7649
+ options?: never;
7650
+ head?: never;
7651
+ patch?: never;
7652
+ trace?: never;
7653
+ };
7654
+ "/v5/transactions/{txHash}": {
7655
+ parameters: {
7656
+ query?: never;
7657
+ header?: never;
7658
+ path?: never;
7659
+ cookie?: never;
7660
+ };
7661
+ /**
7662
+ * Get transaction status
7663
+ * @description Lightweight mempool + chain lookup for a tx hash. Use this to poll a tx after /finalize or any owner op until it confirms.
7664
+ */
7665
+ get: {
7666
+ parameters: {
7667
+ query?: never;
7668
+ header?: never;
7669
+ path: {
7670
+ /** @description Ethereum transaction hash (0x + 64 hex characters) */
7671
+ txHash: string;
7672
+ };
7673
+ cookie?: never;
7674
+ };
7675
+ requestBody?: never;
7676
+ responses: {
7677
+ /** @description Success */
7678
+ 200: {
7679
+ headers: {
7680
+ [name: string]: unknown;
7681
+ };
7682
+ content: {
7683
+ "application/json": {
7684
+ /**
7685
+ * @description Ethereum transaction hash (0x + 64 hex characters)
7686
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
7687
+ */
7688
+ transactionHash: string;
7689
+ /** @description Block number if mined, null if still pending in mempool. */
7690
+ blockNumber: number | null;
7691
+ /**
7692
+ * @description `confirmed` once mined into a block; `pending` if in mempool but not mined; `not-found` if no node has seen it.
7693
+ * @enum {string}
7694
+ */
7695
+ status: "pending" | "confirmed" | "not-found";
7696
+ };
7697
+ };
7698
+ };
7699
+ /** @description Internal Server Error */
7700
+ 500: {
7701
+ headers: {
7702
+ [name: string]: unknown;
7703
+ };
7704
+ content: {
7705
+ "application/json": {
7706
+ /**
7707
+ * @description Error message
7708
+ * @example Validation failed
7709
+ */
7710
+ error: string;
7711
+ /**
7712
+ * @description Machine-readable error code
7713
+ * @example VALIDATION_FAILED
7714
+ */
7715
+ code?: string;
7716
+ /** @description Field-level validation errors */
7717
+ details?: {
7718
+ [key: string]: string[];
7719
+ };
7720
+ };
7721
+ };
7722
+ };
7723
+ };
7724
+ };
7725
+ put?: never;
7726
+ post?: never;
7727
+ delete?: never;
7728
+ options?: never;
7729
+ head?: never;
7730
+ patch?: never;
7731
+ trace?: never;
7732
+ };
7733
+ "/v5/contracts/{contractAddress}/transactions/{txHash}": {
7734
+ parameters: {
7735
+ query?: never;
7736
+ header?: never;
7737
+ path?: never;
7738
+ cookie?: never;
7739
+ };
7740
+ /**
7741
+ * Get full transaction details
7742
+ * @description Returns receipt-level detail: block + timestamp + gas + sender/recipient. `contractAddress` is contextual (not used in the lookup) — included so consumers can scope tx lookups to a contract namespace.
7743
+ */
7744
+ get: {
7745
+ parameters: {
7746
+ query?: never;
7747
+ header?: never;
7748
+ path: {
7749
+ /** @description Ethereum address (0x + 40 hex characters) */
7750
+ contractAddress: string;
7751
+ /** @description Ethereum transaction hash (0x + 64 hex characters) */
7752
+ txHash: string;
7753
+ };
7754
+ cookie?: never;
7755
+ };
7756
+ requestBody?: never;
7757
+ responses: {
7758
+ /** @description Success */
7759
+ 200: {
7760
+ headers: {
7761
+ [name: string]: unknown;
7762
+ };
7763
+ content: {
7764
+ "application/json": {
7765
+ /**
7766
+ * @description Ethereum transaction hash (0x + 64 hex characters)
7767
+ * @example 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
7768
+ */
7769
+ transactionHash: string;
7770
+ blockNumber: number;
7771
+ /** @description 0x-prefixed 32-byte block hash that included the tx. */
7772
+ blockHash: string;
7773
+ /** @description block.timestamp (unix seconds) of the including block. */
7774
+ blockTimestamp: number;
7775
+ transactionIndex: number;
7776
+ /** @description Decimal string (wei units of gas units), big-int-safe. */
7777
+ gasUsed: string;
7778
+ /** @description Decimal string (wei per gas unit), big-int-safe. */
7779
+ effectiveGasPrice: string;
7780
+ /**
7781
+ * @description Ethereum address (0x + 40 hex characters)
7782
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
7783
+ */
7784
+ from: string;
7785
+ /**
7786
+ * @description Ethereum address (0x + 40 hex characters)
7787
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
7788
+ */
7789
+ to: string;
7790
+ } | null;
7791
+ };
7792
+ };
7793
+ /** @description Internal Server Error */
7794
+ 500: {
7795
+ headers: {
7796
+ [name: string]: unknown;
7797
+ };
7798
+ content: {
7799
+ "application/json": {
7800
+ /**
7801
+ * @description Error message
7802
+ * @example Validation failed
7803
+ */
7804
+ error: string;
7805
+ /**
7806
+ * @description Machine-readable error code
7807
+ * @example VALIDATION_FAILED
7808
+ */
7809
+ code?: string;
7810
+ /** @description Field-level validation errors */
7811
+ details?: {
7812
+ [key: string]: string[];
7813
+ };
7814
+ };
7815
+ };
7816
+ };
7817
+ };
7818
+ };
7819
+ put?: never;
7820
+ post?: never;
7821
+ delete?: never;
7822
+ options?: never;
7823
+ head?: never;
7824
+ patch?: never;
7825
+ trace?: never;
7826
+ };
7827
+ "/v5/wallets/{address}/balance": {
7828
+ parameters: {
7829
+ query?: never;
7830
+ header?: never;
7831
+ path?: never;
7832
+ cookie?: never;
7833
+ };
7834
+ /**
7835
+ * Get the native-token balance of an address
7836
+ * @description Returns the address balance in both ETH-formatted and wei representations. Useful for checking that a per-contract wallet has gas to fund subsequent createWitness txs.
7837
+ */
7838
+ get: {
7839
+ parameters: {
7840
+ query?: never;
7841
+ header?: never;
7842
+ path: {
7843
+ /** @description Ethereum address (0x + 40 hex characters) */
7844
+ address: string;
7845
+ };
7846
+ cookie?: never;
7847
+ };
7848
+ requestBody?: never;
7849
+ responses: {
7850
+ /** @description Success */
7851
+ 200: {
7852
+ headers: {
7853
+ [name: string]: unknown;
7854
+ };
7855
+ content: {
7856
+ "application/json": {
7857
+ /**
7858
+ * @description Ethereum address (0x + 40 hex characters)
7859
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
7860
+ */
7861
+ address: string;
7862
+ /**
7863
+ * @description Balance formatted as ETH (decimal string, 18-decimal place).
7864
+ * @example 1.234567890123456789
7865
+ */
7866
+ balanceEth: string;
7867
+ /**
7868
+ * @description Balance in wei (big-int as decimal string).
7869
+ * @example 1234567890123456789
7870
+ */
7871
+ balanceWei: string;
7872
+ };
7873
+ };
7874
+ };
7875
+ /** @description Internal Server Error */
7876
+ 500: {
7877
+ headers: {
7878
+ [name: string]: unknown;
7879
+ };
7880
+ content: {
7881
+ "application/json": {
7882
+ /**
7883
+ * @description Error message
7884
+ * @example Validation failed
7885
+ */
7886
+ error: string;
7887
+ /**
7888
+ * @description Machine-readable error code
7889
+ * @example VALIDATION_FAILED
7890
+ */
7891
+ code?: string;
7892
+ /** @description Field-level validation errors */
7893
+ details?: {
7894
+ [key: string]: string[];
7895
+ };
7896
+ };
7897
+ };
7898
+ };
7899
+ };
7900
+ };
7901
+ put?: never;
7902
+ post?: never;
7903
+ delete?: never;
7904
+ options?: never;
7905
+ head?: never;
7906
+ patch?: never;
7907
+ trace?: never;
7908
+ };
7909
+ "/v5/dashboard/witnesses": {
7910
+ parameters: {
7911
+ query?: never;
7912
+ header?: never;
7913
+ path?: never;
7914
+ cookie?: never;
7915
+ };
7916
+ /**
7917
+ * List the authenticated user's witnesses, filtered (newest-first)
7918
+ * @description Returns paginated witness headers for the contract resolved from the OAuth
7919
+ * JWT `contract` claim. Filters are applied during the event scan:
7920
+ *
7921
+ * - `from` / `to`: unix-second range over `block.timestamp`
7922
+ * - `timeLock`: structural filter on whether the witness carries a drandRound
7923
+ *
7924
+ * Response shape is identical to GET /v5/contracts/{addr}/witnesses; the
7925
+ * scan is always newest-first.
7926
+ */
7927
+ get: {
7928
+ parameters: {
7929
+ query?: {
7930
+ /** @description Filter to witnesses with block.timestamp >= this unix-second value. */
7931
+ from?: number;
7932
+ /** @description Filter to witnesses with block.timestamp <= this unix-second value. */
7933
+ to?: number;
7934
+ /** @description Filter by drand IBE time-lock state. "locked" = witness has a drandRound, "none" = no time-lock, "any" = no filter (default). */
7935
+ timeLock?: "locked" | "none" | "any";
7936
+ /** @description Page size, 1-200, default 50. */
7937
+ limit?: number;
7938
+ /** @description Offset into the filtered set, default 0. */
7939
+ offset?: number | null;
7940
+ };
7941
+ header?: never;
7942
+ path?: never;
7943
+ cookie?: never;
7944
+ };
7945
+ requestBody?: never;
7946
+ responses: {
7947
+ /** @description Success */
7948
+ 200: {
7949
+ headers: {
7950
+ [name: string]: unknown;
7951
+ };
7952
+ content: {
7953
+ "application/json": {
7954
+ witnesses: {
7955
+ /**
7956
+ * WitnessIdV5
7957
+ * @description 32-byte contract-derived witness identifier (hex, no 0x prefix)
7958
+ */
7959
+ witnessId: string;
7960
+ dataId: string;
7961
+ timestamp: number;
7962
+ blockNumber: number;
7963
+ previousWitnessId: string | null;
7964
+ signerCount: number;
7965
+ timeLocked: boolean;
7966
+ hasUserTimestamp: boolean;
7967
+ drandRound: number;
7968
+ }[];
7969
+ hasMore: boolean;
7970
+ totalReturned: number;
7971
+ };
7972
+ };
7973
+ };
7974
+ /** @description Unauthorized - Authentication required */
7975
+ 401: {
7976
+ headers: {
7977
+ [name: string]: unknown;
7978
+ };
7979
+ content: {
7980
+ "application/json": {
7981
+ /**
7982
+ * @description Error message
7983
+ * @example Validation failed
7984
+ */
7985
+ error: string;
7986
+ /**
7987
+ * @description Machine-readable error code
7988
+ * @example VALIDATION_FAILED
7989
+ */
7990
+ code?: string;
7991
+ /** @description Field-level validation errors */
7992
+ details?: {
7993
+ [key: string]: string[];
7994
+ };
7995
+ };
7996
+ };
7997
+ };
7998
+ /** @description Not Found */
7999
+ 404: {
8000
+ headers: {
8001
+ [name: string]: unknown;
8002
+ };
8003
+ content: {
8004
+ "application/json": {
8005
+ /**
8006
+ * @description Error message
8007
+ * @example Validation failed
8008
+ */
8009
+ error: string;
8010
+ /**
8011
+ * @description Machine-readable error code
8012
+ * @example VALIDATION_FAILED
8013
+ */
8014
+ code?: string;
8015
+ /** @description Field-level validation errors */
8016
+ details?: {
8017
+ [key: string]: string[];
8018
+ };
8019
+ };
8020
+ };
8021
+ };
8022
+ /** @description Internal Server Error */
8023
+ 500: {
8024
+ headers: {
8025
+ [name: string]: unknown;
8026
+ };
8027
+ content: {
8028
+ "application/json": {
8029
+ /**
8030
+ * @description Error message
8031
+ * @example Validation failed
8032
+ */
8033
+ error: string;
8034
+ /**
8035
+ * @description Machine-readable error code
8036
+ * @example VALIDATION_FAILED
8037
+ */
8038
+ code?: string;
8039
+ /** @description Field-level validation errors */
8040
+ details?: {
8041
+ [key: string]: string[];
8042
+ };
8043
+ };
8044
+ };
8045
+ };
8046
+ };
8047
+ };
8048
+ put?: never;
8049
+ post?: never;
8050
+ delete?: never;
8051
+ options?: never;
8052
+ head?: never;
8053
+ patch?: never;
8054
+ trace?: never;
8055
+ };
8056
+ "/v5/dashboard/contract": {
8057
+ parameters: {
8058
+ query?: never;
8059
+ header?: never;
8060
+ path?: never;
8061
+ cookie?: never;
8062
+ };
8063
+ /**
8064
+ * Get the authenticated user's contract info
8065
+ * @description Returns the contract record for the contract resolved from the OAuth JWT
8066
+ * `contract` claim — same shape as GET /v5/contracts/{addr}/info, but with
8067
+ * no address in the URL: identity is taken from the bearer token.
8068
+ */
8069
+ get: {
8070
+ parameters: {
8071
+ query?: never;
8072
+ header?: never;
8073
+ path?: never;
8074
+ cookie?: never;
8075
+ };
8076
+ requestBody?: never;
8077
+ responses: {
8078
+ /** @description Success */
8079
+ 200: {
8080
+ headers: {
8081
+ [name: string]: unknown;
8082
+ };
8083
+ content: {
8084
+ "application/json": {
8085
+ /**
8086
+ * @description Ethereum address (0x + 40 hex characters)
8087
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8088
+ */
8089
+ contractAddress: string;
8090
+ contractId: string;
8091
+ contractVersion: string;
8092
+ /**
8093
+ * @description Ethereum address (0x + 40 hex characters)
8094
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8095
+ */
8096
+ walletAddress: string;
8097
+ /**
8098
+ * Ed25519PublicKey
8099
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
8100
+ */
8101
+ ownerKey: string;
8102
+ strictSeries: boolean;
8103
+ paused: boolean;
8104
+ ownerNonce: number;
8105
+ signingKeys: {
8106
+ /**
8107
+ * Ed25519PublicKey
8108
+ * @description 32-byte Ed25519 public key (hex, no 0x prefix)
8109
+ */
8110
+ publicKey: string;
8111
+ /** @description block.timestamp at which the signing key was added */
8112
+ addedAt: number;
8113
+ /** @description 0 if active, else block.timestamp at revocation */
8114
+ revokedAt: number;
8115
+ }[];
8116
+ deploymentBlockNumber: number;
8117
+ isActive: boolean;
8118
+ };
8119
+ };
8120
+ };
8121
+ /** @description Unauthorized - Authentication required */
8122
+ 401: {
8123
+ headers: {
8124
+ [name: string]: unknown;
8125
+ };
8126
+ content: {
8127
+ "application/json": {
8128
+ /**
8129
+ * @description Error message
8130
+ * @example Validation failed
8131
+ */
8132
+ error: string;
8133
+ /**
8134
+ * @description Machine-readable error code
8135
+ * @example VALIDATION_FAILED
8136
+ */
8137
+ code?: string;
8138
+ /** @description Field-level validation errors */
8139
+ details?: {
8140
+ [key: string]: string[];
8141
+ };
8142
+ };
8143
+ };
8144
+ };
8145
+ /** @description Not Found */
8146
+ 404: {
8147
+ headers: {
8148
+ [name: string]: unknown;
8149
+ };
8150
+ content: {
8151
+ "application/json": {
8152
+ /**
8153
+ * @description Error message
8154
+ * @example Validation failed
8155
+ */
8156
+ error: string;
8157
+ /**
8158
+ * @description Machine-readable error code
8159
+ * @example VALIDATION_FAILED
8160
+ */
8161
+ code?: string;
8162
+ /** @description Field-level validation errors */
8163
+ details?: {
8164
+ [key: string]: string[];
8165
+ };
8166
+ };
8167
+ };
8168
+ };
8169
+ /** @description Internal Server Error */
8170
+ 500: {
8171
+ headers: {
8172
+ [name: string]: unknown;
8173
+ };
8174
+ content: {
8175
+ "application/json": {
8176
+ /**
8177
+ * @description Error message
8178
+ * @example Validation failed
8179
+ */
8180
+ error: string;
8181
+ /**
8182
+ * @description Machine-readable error code
8183
+ * @example VALIDATION_FAILED
8184
+ */
8185
+ code?: string;
8186
+ /** @description Field-level validation errors */
8187
+ details?: {
8188
+ [key: string]: string[];
8189
+ };
8190
+ };
8191
+ };
8192
+ };
8193
+ };
8194
+ };
8195
+ put?: never;
8196
+ post?: never;
8197
+ delete?: never;
8198
+ options?: never;
8199
+ head?: never;
8200
+ patch?: never;
8201
+ trace?: never;
8202
+ };
8203
+ "/admin/validators/propose": {
8204
+ parameters: {
8205
+ query?: never;
8206
+ header?: never;
8207
+ path?: never;
8208
+ cookie?: never;
8209
+ };
8210
+ get?: never;
8211
+ put?: never;
8212
+ /**
8213
+ * Propose adding or removing a validator
8214
+ * @description Submit a vote to add or remove a validator from the network.
8215
+ */
8216
+ post: {
8217
+ parameters: {
8218
+ query?: never;
8219
+ header?: never;
8220
+ path?: never;
8221
+ cookie?: never;
8222
+ };
8223
+ requestBody?: {
8224
+ content: {
8225
+ "application/json": {
8226
+ /**
8227
+ * @description Ethereum address (0x + 40 hex characters)
8228
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8229
+ */
8230
+ validatorAddress: string;
8231
+ /** @description true = vote to add, false = vote to remove */
8232
+ add: boolean;
8233
+ };
8234
+ };
8235
+ };
8236
+ responses: {
8237
+ /** @description Success */
8238
+ 200: {
8239
+ headers: {
8240
+ [name: string]: unknown;
8241
+ };
8242
+ content: {
8243
+ "application/json": {
8244
+ /** @enum {boolean} */
8245
+ success: true;
8246
+ /**
8247
+ * @description Ethereum address (0x + 40 hex characters)
8248
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8249
+ */
8250
+ validatorAddress: string;
8251
+ add: boolean;
8252
+ message: string;
8253
+ };
8254
+ };
8255
+ };
8256
+ /** @description Bad Request - Validation failed */
8257
+ 400: {
8258
+ headers: {
8259
+ [name: string]: unknown;
8260
+ };
8261
+ content: {
8262
+ "application/json": {
8263
+ /**
8264
+ * @description Error message
8265
+ * @example Validation failed
8266
+ */
8267
+ error: string;
8268
+ /**
8269
+ * @description Machine-readable error code
8270
+ * @example VALIDATION_FAILED
8271
+ */
8272
+ code?: string;
8273
+ /** @description Field-level validation errors */
8274
+ details?: {
8275
+ [key: string]: string[];
8276
+ };
8277
+ };
8278
+ };
8279
+ };
8280
+ /** @description Internal Server Error */
8281
+ 500: {
8282
+ headers: {
8283
+ [name: string]: unknown;
8284
+ };
8285
+ content: {
8286
+ "application/json": {
8287
+ /**
8288
+ * @description Error message
8289
+ * @example Validation failed
8290
+ */
8291
+ error: string;
8292
+ /**
8293
+ * @description Machine-readable error code
8294
+ * @example VALIDATION_FAILED
8295
+ */
8296
+ code?: string;
8297
+ /** @description Field-level validation errors */
8298
+ details?: {
8299
+ [key: string]: string[];
8300
+ };
8301
+ };
8302
+ };
8303
+ };
8304
+ };
8305
+ };
8306
+ delete?: never;
8307
+ options?: never;
8308
+ head?: never;
8309
+ patch?: never;
8310
+ trace?: never;
8311
+ };
8312
+ "/admin/validators/vote/{address}": {
8313
+ parameters: {
8314
+ query?: never;
8315
+ header?: never;
8316
+ path?: never;
8317
+ cookie?: never;
8318
+ };
8319
+ get?: never;
8320
+ put?: never;
8321
+ post?: never;
8322
+ /**
8323
+ * Discard a vote for a validator
8324
+ * @description Remove a vote for adding or removing a validator.
8325
+ */
8326
+ delete: {
8327
+ parameters: {
8328
+ query?: never;
8329
+ header?: never;
8330
+ path: {
8331
+ /** @description Ethereum address (0x + 40 hex characters) */
8332
+ address: string;
8333
+ };
8334
+ cookie?: never;
8335
+ };
8336
+ requestBody?: never;
8337
+ responses: {
8338
+ /** @description Success */
8339
+ 200: {
8340
+ headers: {
8341
+ [name: string]: unknown;
8342
+ };
8343
+ content: {
8344
+ "application/json": {
8345
+ /** @enum {boolean} */
8346
+ success: true;
8347
+ message: string;
8348
+ };
8349
+ };
8350
+ };
8351
+ /** @description Bad Request - Validation failed */
8352
+ 400: {
8353
+ headers: {
8354
+ [name: string]: unknown;
8355
+ };
8356
+ content: {
8357
+ "application/json": {
8358
+ /**
8359
+ * @description Error message
8360
+ * @example Validation failed
8361
+ */
8362
+ error: string;
8363
+ /**
8364
+ * @description Machine-readable error code
8365
+ * @example VALIDATION_FAILED
8366
+ */
8367
+ code?: string;
8368
+ /** @description Field-level validation errors */
8369
+ details?: {
8370
+ [key: string]: string[];
8371
+ };
8372
+ };
8373
+ };
8374
+ };
8375
+ /** @description Not Found */
8376
+ 404: {
8377
+ headers: {
8378
+ [name: string]: unknown;
8379
+ };
8380
+ content: {
8381
+ "application/json": {
8382
+ /**
8383
+ * @description Error message
8384
+ * @example Validation failed
8385
+ */
8386
+ error: string;
8387
+ /**
8388
+ * @description Machine-readable error code
8389
+ * @example VALIDATION_FAILED
8390
+ */
8391
+ code?: string;
8392
+ /** @description Field-level validation errors */
8393
+ details?: {
8394
+ [key: string]: string[];
8395
+ };
8396
+ };
8397
+ };
8398
+ };
8399
+ /** @description Internal Server Error */
8400
+ 500: {
8401
+ headers: {
8402
+ [name: string]: unknown;
8403
+ };
8404
+ content: {
8405
+ "application/json": {
8406
+ /**
8407
+ * @description Error message
8408
+ * @example Validation failed
8409
+ */
8410
+ error: string;
8411
+ /**
8412
+ * @description Machine-readable error code
8413
+ * @example VALIDATION_FAILED
8414
+ */
8415
+ code?: string;
8416
+ /** @description Field-level validation errors */
8417
+ details?: {
8418
+ [key: string]: string[];
8419
+ };
8420
+ };
8421
+ };
8422
+ };
8423
+ };
8424
+ };
8425
+ options?: never;
8426
+ head?: never;
8427
+ patch?: never;
8428
+ trace?: never;
8429
+ };
8430
+ "/admin/validators": {
8431
+ parameters: {
8432
+ query?: never;
8433
+ header?: never;
8434
+ path?: never;
8435
+ cookie?: never;
8436
+ };
8437
+ /**
8438
+ * Get list of validators
8439
+ * @description Get the current list of validators in the network.
8440
+ */
8441
+ get: {
8442
+ parameters: {
8443
+ query?: never;
8444
+ header?: never;
8445
+ path?: never;
8446
+ cookie?: never;
8447
+ };
8448
+ requestBody?: never;
8449
+ responses: {
8450
+ /** @description Success */
8451
+ 200: {
8452
+ headers: {
8453
+ [name: string]: unknown;
8454
+ };
8455
+ content: {
8456
+ "application/json": {
8457
+ validators: {
8458
+ /**
8459
+ * @description Ethereum address (0x + 40 hex characters)
8460
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8461
+ */
8462
+ address: string;
8463
+ added: boolean;
8464
+ }[];
8465
+ };
8466
+ };
8467
+ };
8468
+ /** @description Internal Server Error */
8469
+ 500: {
8470
+ headers: {
8471
+ [name: string]: unknown;
8472
+ };
8473
+ content: {
8474
+ "application/json": {
8475
+ /**
8476
+ * @description Error message
8477
+ * @example Validation failed
8478
+ */
8479
+ error: string;
8480
+ /**
8481
+ * @description Machine-readable error code
8482
+ * @example VALIDATION_FAILED
8483
+ */
8484
+ code?: string;
8485
+ /** @description Field-level validation errors */
8486
+ details?: {
8487
+ [key: string]: string[];
8488
+ };
8489
+ };
8490
+ };
8491
+ };
8492
+ };
8493
+ };
8494
+ put?: never;
8495
+ post?: never;
8496
+ delete?: never;
8497
+ options?: never;
8498
+ head?: never;
8499
+ patch?: never;
8500
+ trace?: never;
8501
+ };
8502
+ "/admin/validators/pending": {
8503
+ parameters: {
8504
+ query?: never;
8505
+ header?: never;
8506
+ path?: never;
8507
+ cookie?: never;
8508
+ };
8509
+ /**
8510
+ * Get list of pending validators
8511
+ * @description Get validators that have votes but are not yet added/removed.
8512
+ */
8513
+ get: {
8514
+ parameters: {
8515
+ query?: never;
8516
+ header?: never;
8517
+ path?: never;
8518
+ cookie?: never;
8519
+ };
8520
+ requestBody?: never;
8521
+ responses: {
8522
+ /** @description Success */
8523
+ 200: {
8524
+ headers: {
8525
+ [name: string]: unknown;
8526
+ };
8527
+ content: {
8528
+ "application/json": {
8529
+ pending: {
8530
+ /**
8531
+ * @description Ethereum address (0x + 40 hex characters)
8532
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8533
+ */
8534
+ address: string;
8535
+ addVotes: number;
8536
+ removeVotes: number;
8537
+ }[];
8538
+ };
8539
+ };
8540
+ };
8541
+ /** @description Internal Server Error */
8542
+ 500: {
8543
+ headers: {
8544
+ [name: string]: unknown;
8545
+ };
8546
+ content: {
8547
+ "application/json": {
8548
+ /**
8549
+ * @description Error message
8550
+ * @example Validation failed
8551
+ */
8552
+ error: string;
8553
+ /**
8554
+ * @description Machine-readable error code
8555
+ * @example VALIDATION_FAILED
8556
+ */
8557
+ code?: string;
8558
+ /** @description Field-level validation errors */
8559
+ details?: {
8560
+ [key: string]: string[];
8561
+ };
8562
+ };
8563
+ };
8564
+ };
8565
+ };
8566
+ };
8567
+ put?: never;
8568
+ post?: never;
8569
+ delete?: never;
8570
+ options?: never;
8571
+ head?: never;
8572
+ patch?: never;
8573
+ trace?: never;
8574
+ };
8575
+ "/admin/network/status": {
8576
+ parameters: {
8577
+ query?: never;
8578
+ header?: never;
8579
+ path?: never;
8580
+ cookie?: never;
8581
+ };
8582
+ /**
8583
+ * Get network status
8584
+ * @description Get the current status of the blockchain network.
8585
+ */
8586
+ get: {
8587
+ parameters: {
8588
+ query?: never;
8589
+ header?: never;
8590
+ path?: never;
8591
+ cookie?: never;
8592
+ };
8593
+ requestBody?: never;
8594
+ responses: {
8595
+ /** @description Success */
8596
+ 200: {
8597
+ headers: {
8598
+ [name: string]: unknown;
8599
+ };
8600
+ content: {
8601
+ "application/json": {
8602
+ chainId: number;
8603
+ blockNumber: number;
8604
+ validatorCount: number;
8605
+ };
8606
+ };
8607
+ };
8608
+ /** @description Internal Server Error */
8609
+ 500: {
8610
+ headers: {
8611
+ [name: string]: unknown;
8612
+ };
8613
+ content: {
8614
+ "application/json": {
8615
+ /**
8616
+ * @description Error message
8617
+ * @example Validation failed
8618
+ */
8619
+ error: string;
8620
+ /**
8621
+ * @description Machine-readable error code
8622
+ * @example VALIDATION_FAILED
8623
+ */
8624
+ code?: string;
8625
+ /** @description Field-level validation errors */
8626
+ details?: {
8627
+ [key: string]: string[];
8628
+ };
8629
+ };
8630
+ };
8631
+ };
8632
+ };
8633
+ };
8634
+ put?: never;
8635
+ post?: never;
8636
+ delete?: never;
8637
+ options?: never;
8638
+ head?: never;
8639
+ patch?: never;
8640
+ trace?: never;
8641
+ };
8642
+ "/admin/network/peers": {
8643
+ parameters: {
8644
+ query?: never;
8645
+ header?: never;
8646
+ path?: never;
8647
+ cookie?: never;
8648
+ };
8649
+ /**
8650
+ * Get network peers
8651
+ * @description Get the list of connected network peers.
8652
+ */
8653
+ get: {
8654
+ parameters: {
8655
+ query?: never;
8656
+ header?: never;
8657
+ path?: never;
8658
+ cookie?: never;
8659
+ };
8660
+ requestBody?: never;
8661
+ responses: {
8662
+ /** @description Success */
8663
+ 200: {
8664
+ headers: {
8665
+ [name: string]: unknown;
8666
+ };
8667
+ content: {
8668
+ "application/json": {
8669
+ peers: {
8670
+ id: string;
8671
+ name?: string;
8672
+ enode: string;
8673
+ /** @enum {string} */
8674
+ status: "connected" | "disconnected";
8675
+ }[];
8676
+ };
8677
+ };
8678
+ };
8679
+ /** @description Internal Server Error */
8680
+ 500: {
8681
+ headers: {
8682
+ [name: string]: unknown;
8683
+ };
8684
+ content: {
8685
+ "application/json": {
8686
+ /**
8687
+ * @description Error message
8688
+ * @example Validation failed
8689
+ */
8690
+ error: string;
8691
+ /**
8692
+ * @description Machine-readable error code
8693
+ * @example VALIDATION_FAILED
8694
+ */
8695
+ code?: string;
8696
+ /** @description Field-level validation errors */
8697
+ details?: {
8698
+ [key: string]: string[];
8699
+ };
8700
+ };
8701
+ };
8702
+ };
8703
+ };
8704
+ };
8705
+ put?: never;
8706
+ /**
8707
+ * Add a network peer
8708
+ * @description Add a peer to the network.
8709
+ */
8710
+ post: {
8711
+ parameters: {
8712
+ query?: never;
8713
+ header?: never;
8714
+ path?: never;
8715
+ cookie?: never;
8716
+ };
8717
+ requestBody?: {
8718
+ content: {
8719
+ "application/json": {
8720
+ enode: string;
8721
+ };
8722
+ };
8723
+ };
8724
+ responses: {
8725
+ /** @description Success */
8726
+ 200: {
8727
+ headers: {
8728
+ [name: string]: unknown;
8729
+ };
8730
+ content: {
8731
+ "application/json": {
8732
+ /** @enum {boolean} */
8733
+ success: true;
8734
+ message: string;
8735
+ };
8736
+ };
8737
+ };
8738
+ /** @description Bad Request - Validation failed */
8739
+ 400: {
8740
+ headers: {
8741
+ [name: string]: unknown;
8742
+ };
8743
+ content: {
8744
+ "application/json": {
8745
+ /**
8746
+ * @description Error message
8747
+ * @example Validation failed
8748
+ */
8749
+ error: string;
8750
+ /**
8751
+ * @description Machine-readable error code
8752
+ * @example VALIDATION_FAILED
8753
+ */
8754
+ code?: string;
8755
+ /** @description Field-level validation errors */
8756
+ details?: {
8757
+ [key: string]: string[];
8758
+ };
8759
+ };
8760
+ };
8761
+ };
8762
+ /** @description Internal Server Error */
8763
+ 500: {
8764
+ headers: {
8765
+ [name: string]: unknown;
8766
+ };
8767
+ content: {
8768
+ "application/json": {
8769
+ /**
8770
+ * @description Error message
8771
+ * @example Validation failed
8772
+ */
8773
+ error: string;
8774
+ /**
8775
+ * @description Machine-readable error code
8776
+ * @example VALIDATION_FAILED
8777
+ */
8778
+ code?: string;
8779
+ /** @description Field-level validation errors */
8780
+ details?: {
8781
+ [key: string]: string[];
8782
+ };
8783
+ };
8784
+ };
8785
+ };
8786
+ };
8787
+ };
8788
+ /**
8789
+ * Remove a network peer
8790
+ * @description Remove a peer from the network.
8791
+ */
8792
+ delete: {
8793
+ parameters: {
8794
+ query?: never;
8795
+ header?: never;
8796
+ path?: never;
8797
+ cookie?: never;
8798
+ };
8799
+ requestBody?: {
8800
+ content: {
8801
+ "application/json": {
8802
+ enode: string;
8803
+ };
8804
+ };
8805
+ };
8806
+ responses: {
8807
+ /** @description Success */
8808
+ 200: {
8809
+ headers: {
8810
+ [name: string]: unknown;
8811
+ };
8812
+ content: {
8813
+ "application/json": {
8814
+ /** @enum {boolean} */
8815
+ success: true;
8816
+ message: string;
8817
+ };
8818
+ };
8819
+ };
8820
+ /** @description Bad Request - Validation failed */
8821
+ 400: {
8822
+ headers: {
8823
+ [name: string]: unknown;
8824
+ };
8825
+ content: {
8826
+ "application/json": {
8827
+ /**
8828
+ * @description Error message
8829
+ * @example Validation failed
8830
+ */
8831
+ error: string;
8832
+ /**
8833
+ * @description Machine-readable error code
8834
+ * @example VALIDATION_FAILED
8835
+ */
8836
+ code?: string;
8837
+ /** @description Field-level validation errors */
8838
+ details?: {
8839
+ [key: string]: string[];
8840
+ };
8841
+ };
8842
+ };
8843
+ };
8844
+ /** @description Internal Server Error */
8845
+ 500: {
8846
+ headers: {
8847
+ [name: string]: unknown;
8848
+ };
8849
+ content: {
8850
+ "application/json": {
8851
+ /**
8852
+ * @description Error message
8853
+ * @example Validation failed
8854
+ */
8855
+ error: string;
8856
+ /**
8857
+ * @description Machine-readable error code
8858
+ * @example VALIDATION_FAILED
8859
+ */
8860
+ code?: string;
8861
+ /** @description Field-level validation errors */
8862
+ details?: {
8863
+ [key: string]: string[];
8864
+ };
8865
+ };
8866
+ };
8867
+ };
8868
+ };
8869
+ };
8870
+ options?: never;
8871
+ head?: never;
8872
+ patch?: never;
8873
+ trace?: never;
8874
+ };
8875
+ "/admin/utils/pubkey-to-address": {
8876
+ parameters: {
8877
+ query?: never;
8878
+ header?: never;
8879
+ path?: never;
8880
+ cookie?: never;
8881
+ };
8882
+ get?: never;
8883
+ put?: never;
8884
+ /**
8885
+ * Convert public key to Ethereum address
8886
+ * @description Utility endpoint to convert a public key to an Ethereum address.
8887
+ */
8888
+ post: {
8889
+ parameters: {
8890
+ query?: never;
8891
+ header?: never;
8892
+ path?: never;
8893
+ cookie?: never;
8894
+ };
8895
+ requestBody?: {
8896
+ content: {
8897
+ "application/json": {
8898
+ pubkey: string;
8899
+ };
8900
+ };
8901
+ };
8902
+ responses: {
8903
+ /** @description Success */
8904
+ 200: {
8905
+ headers: {
8906
+ [name: string]: unknown;
8907
+ };
8908
+ content: {
8909
+ "application/json": {
8910
+ /**
8911
+ * @description Ethereum address (0x + 40 hex characters)
8912
+ * @example 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
8913
+ */
8914
+ address: string;
8915
+ pubkey: string;
8916
+ };
8917
+ };
8918
+ };
8919
+ /** @description Bad Request - Validation failed */
8920
+ 400: {
8921
+ headers: {
8922
+ [name: string]: unknown;
8923
+ };
8924
+ content: {
8925
+ "application/json": {
8926
+ /**
8927
+ * @description Error message
8928
+ * @example Validation failed
8929
+ */
8930
+ error: string;
8931
+ /**
8932
+ * @description Machine-readable error code
8933
+ * @example VALIDATION_FAILED
8934
+ */
8935
+ code?: string;
8936
+ /** @description Field-level validation errors */
8937
+ details?: {
8938
+ [key: string]: string[];
8939
+ };
8940
+ };
8941
+ };
8942
+ };
8943
+ /** @description Internal Server Error */
8944
+ 500: {
8945
+ headers: {
8946
+ [name: string]: unknown;
8947
+ };
8948
+ content: {
8949
+ "application/json": {
8950
+ /**
8951
+ * @description Error message
8952
+ * @example Validation failed
8953
+ */
8954
+ error: string;
8955
+ /**
8956
+ * @description Machine-readable error code
8957
+ * @example VALIDATION_FAILED
8958
+ */
8959
+ code?: string;
8960
+ /** @description Field-level validation errors */
8961
+ details?: {
8962
+ [key: string]: string[];
8963
+ };
8964
+ };
8965
+ };
8966
+ };
8967
+ };
8968
+ };
8969
+ delete?: never;
8970
+ options?: never;
8971
+ head?: never;
8972
+ patch?: never;
8973
+ trace?: never;
8974
+ };
8975
+ "/health/live": {
8976
+ parameters: {
8977
+ query?: never;
8978
+ header?: never;
8979
+ path?: never;
8980
+ cookie?: never;
8981
+ };
8982
+ /**
8983
+ * Liveness probe
8984
+ * @description Kubernetes liveness probe. Fails if queue connection lost for > 1 minute.
8985
+ */
8986
+ get: {
8987
+ parameters: {
8988
+ query?: never;
8989
+ header?: never;
8990
+ path?: never;
8991
+ cookie?: never;
8992
+ };
8993
+ requestBody?: never;
8994
+ responses: {
8995
+ /** @description Success */
8996
+ 200: {
8997
+ headers: {
8998
+ [name: string]: unknown;
8999
+ };
9000
+ content: {
9001
+ "application/json": {
9002
+ /** @enum {string} */
9003
+ status: "healthy";
9004
+ /**
9005
+ * QueueStatus
9006
+ * @description Queue health status
9007
+ */
9008
+ queue: {
9009
+ healthy: boolean;
9010
+ timeSinceLastPingMs: number;
9011
+ /** Format: date-time */
9012
+ lastPing?: string;
9013
+ };
9014
+ };
9015
+ };
9016
+ };
9017
+ /** @description Service Unavailable */
9018
+ 503: {
9019
+ headers: {
9020
+ [name: string]: unknown;
9021
+ };
9022
+ content: {
9023
+ "application/json": {
9024
+ /**
9025
+ * @description Error message
9026
+ * @example Validation failed
9027
+ */
9028
+ error: string;
9029
+ /**
9030
+ * @description Machine-readable error code
9031
+ * @example VALIDATION_FAILED
9032
+ */
9033
+ code?: string;
9034
+ /** @description Field-level validation errors */
9035
+ details?: {
9036
+ [key: string]: string[];
9037
+ };
9038
+ };
9039
+ };
9040
+ };
9041
+ };
9042
+ };
9043
+ put?: never;
9044
+ post?: never;
9045
+ delete?: never;
9046
+ options?: never;
9047
+ head?: never;
9048
+ patch?: never;
9049
+ trace?: never;
9050
+ };
9051
+ "/health/ready": {
9052
+ parameters: {
9053
+ query?: never;
9054
+ header?: never;
9055
+ path?: never;
9056
+ cookie?: never;
9057
+ };
9058
+ /**
9059
+ * Readiness probe
9060
+ * @description Kubernetes readiness probe. Fails if queue or blockchain is unhealthy.
9061
+ */
9062
+ get: {
9063
+ parameters: {
9064
+ query?: never;
9065
+ header?: never;
9066
+ path?: never;
9067
+ cookie?: never;
9068
+ };
9069
+ requestBody?: never;
9070
+ responses: {
9071
+ /** @description Success */
9072
+ 200: {
9073
+ headers: {
9074
+ [name: string]: unknown;
9075
+ };
9076
+ content: {
9077
+ "application/json": {
9078
+ /** @enum {string} */
9079
+ status: "ready";
9080
+ /**
9081
+ * QueueStatus
9082
+ * @description Queue health status
9083
+ */
9084
+ queue: {
9085
+ healthy: boolean;
9086
+ timeSinceLastPingMs: number;
9087
+ /** Format: date-time */
9088
+ lastPing?: string;
9089
+ };
9090
+ /**
9091
+ * BlockchainStatus
9092
+ * @description Blockchain connection status
9093
+ */
9094
+ blockchain: {
9095
+ connected: boolean;
9096
+ chainId?: number;
9097
+ blockNumber?: number;
9098
+ };
9099
+ };
9100
+ };
9101
+ };
9102
+ /** @description Service Unavailable */
9103
+ 503: {
9104
+ headers: {
9105
+ [name: string]: unknown;
9106
+ };
9107
+ content: {
9108
+ "application/json": {
9109
+ /**
9110
+ * @description Error message
9111
+ * @example Validation failed
9112
+ */
9113
+ error: string;
9114
+ /**
9115
+ * @description Machine-readable error code
9116
+ * @example VALIDATION_FAILED
9117
+ */
9118
+ code?: string;
9119
+ /** @description Field-level validation errors */
9120
+ details?: {
9121
+ [key: string]: string[];
9122
+ };
9123
+ };
9124
+ };
9125
+ };
9126
+ };
9127
+ };
9128
+ put?: never;
9129
+ post?: never;
9130
+ delete?: never;
9131
+ options?: never;
9132
+ head?: never;
9133
+ patch?: never;
9134
+ trace?: never;
9135
+ };
9136
+ "/health": {
9137
+ parameters: {
9138
+ query?: never;
9139
+ header?: never;
9140
+ path?: never;
9141
+ cookie?: never;
9142
+ };
9143
+ /**
9144
+ * Detailed health check
9145
+ * @description Get detailed health status for debugging. Not used for K8s probes.
9146
+ */
9147
+ get: {
9148
+ parameters: {
9149
+ query?: never;
9150
+ header?: never;
9151
+ path?: never;
9152
+ cookie?: never;
9153
+ };
9154
+ requestBody?: never;
9155
+ responses: {
9156
+ /** @description Success */
9157
+ 200: {
9158
+ headers: {
9159
+ [name: string]: unknown;
9160
+ };
9161
+ content: {
9162
+ "application/json": {
9163
+ /** @enum {string} */
9164
+ status: "healthy" | "degraded";
9165
+ /** Format: date-time */
9166
+ timestamp: string;
9167
+ /**
9168
+ * QueueStatus
9169
+ * @description Queue health status
9170
+ */
9171
+ queue: {
9172
+ healthy: boolean;
9173
+ timeSinceLastPingMs: number;
9174
+ /** Format: date-time */
9175
+ lastPing?: string;
9176
+ };
9177
+ /**
9178
+ * BlockchainStatus
9179
+ * @description Blockchain connection status
9180
+ */
9181
+ blockchain: {
9182
+ connected: boolean;
9183
+ chainId?: number;
9184
+ blockNumber?: number;
9185
+ };
9186
+ /**
9187
+ * RedisStatus
9188
+ * @description Redis connection status
9189
+ */
9190
+ redis?: {
9191
+ connected: boolean;
9192
+ };
9193
+ };
9194
+ };
9195
+ };
9196
+ /** @description Service Unavailable */
9197
+ 503: {
9198
+ headers: {
9199
+ [name: string]: unknown;
9200
+ };
9201
+ content: {
9202
+ "application/json": {
9203
+ /**
9204
+ * @description Error message
9205
+ * @example Validation failed
9206
+ */
9207
+ error: string;
9208
+ /**
9209
+ * @description Machine-readable error code
9210
+ * @example VALIDATION_FAILED
9211
+ */
9212
+ code?: string;
9213
+ /** @description Field-level validation errors */
9214
+ details?: {
9215
+ [key: string]: string[];
9216
+ };
9217
+ };
9218
+ };
9219
+ };
9220
+ };
9221
+ };
9222
+ put?: never;
9223
+ post?: never;
9224
+ delete?: never;
9225
+ options?: never;
9226
+ head?: never;
9227
+ patch?: never;
9228
+ trace?: never;
9229
+ };
9230
+ }
9231
+
9232
+ /**
9233
+ * Type shortcuts over the openapi-typescript-generated `paths` interfaces of
9234
+ * both services.
9235
+ *
9236
+ * Patterns mirror chain-sdk-v5/src/types.ts: each request/response shape is
9237
+ * `Req<path, method>` / `Res<path, method, status>` for accounts, and
9238
+ * `ChainReq<...>` / `ChainRes<...>` for chain-api. Callers see named,
9239
+ * ergonomic types without losing the single-source-of-truth guarantee — the
9240
+ * types are derived from the generated openapi types, not hand-rolled.
9241
+ */
9242
+
9243
+ type JsonBody<T> = T extends {
9244
+ content: {
9245
+ 'application/json': infer B;
9246
+ };
5235
9247
  } ? B : never;
5236
- type Req<P extends keyof paths, M extends keyof paths[P]> = JsonBody<Extract<paths[P][M], {
9248
+ type Req<P extends keyof paths$1, M extends keyof paths$1[P]> = JsonBody<Extract<paths$1[P][M], {
5237
9249
  requestBody?: unknown;
5238
9250
  }>['requestBody']>;
5239
- type Res<P extends keyof paths, M extends keyof paths[P], S extends number = 200> = paths[P][M] extends {
9251
+ type Res<P extends keyof paths$1, M extends keyof paths$1[P], S extends number = 200> = paths$1[P][M] extends {
9252
+ responses: {
9253
+ [K in S]: infer R;
9254
+ };
9255
+ } ? JsonBody<R> : never;
9256
+ type ChainRes<P extends keyof paths, M extends keyof paths[P], S extends number = 200> = paths[P][M] extends {
5240
9257
  responses: {
5241
9258
  [K in S]: infer R;
5242
9259
  };
@@ -5258,6 +9275,8 @@ type PublicOrgResponse = Res<'/v1/orgs/me', 'get'>;
5258
9275
  type CreateUserRequest = Req<'/v1/orgs/me/users', 'post'>;
5259
9276
  type CreateUserResponse = Res<'/v1/orgs/me/users', 'post'>;
5260
9277
  type ListUsersResponse = Res<'/v1/orgs/me/users', 'get'>;
9278
+ type CreateOrgRequest = Req<'/v1/orgs', 'post'>;
9279
+ type CreateOrgResponse = Res<'/v1/orgs', 'post'>;
5261
9280
  type CreateOrganizationRequest = Req<'/v1/admin/organizations', 'post'>;
5262
9281
  type CreateOrganizationResponse = Res<'/v1/admin/organizations', 'post'>;
5263
9282
  type SetAccountTypeRequest = Req<'/v1/admin/organizations/{id}/account-type', 'patch'>;
@@ -5276,11 +9295,11 @@ type SignRequest = Req<'/v1/sign', 'post'>;
5276
9295
  type SignResponse = Res<'/v1/sign', 'post'>;
5277
9296
  type ProvisionContractRequest = Req<'/v1/contracts/provision', 'post'>;
5278
9297
  type ProvisionContractResponse = Res<'/v1/contracts/provision', 'post'>;
5279
- type AddSigningKeyRequest = Req<'/v1/keys', 'post'>;
9298
+ type AddSigningKeyRequest$1 = Req<'/v1/keys', 'post'>;
5280
9299
  type AddSigningKeyResponse = Res<'/v1/keys', 'post'>;
5281
- type RevokeSigningKeyRequest = Req<'/v1/keys/revoke', 'post'>;
9300
+ type RevokeSigningKeyRequest$1 = Req<'/v1/keys/revoke', 'post'>;
5282
9301
  type RevokeSigningKeyResponse = Res<'/v1/keys/revoke', 'post'>;
5283
- type PauseRequest = Req<'/v1/contracts/pause', 'post'>;
9302
+ type PauseRequest$1 = Req<'/v1/contracts/pause', 'post'>;
5284
9303
  type PauseResponse = Res<'/v1/contracts/pause', 'post'>;
5285
9304
  type UnpauseRequest = Req<'/v1/contracts/unpause', 'post'>;
5286
9305
  type UnpauseResponse = Res<'/v1/contracts/unpause', 'post'>;
@@ -5301,19 +9320,36 @@ type RevokeWitnessV5Request = Req<'/v5/contracts/{contractAddress}/witnesses/{wi
5301
9320
  type RevokeWitnessV5Response = Res<'/v5/contracts/{contractAddress}/witnesses/{witnessId}/revoke', 'post'>;
5302
9321
  type AccountResponse = Res<'/v1/account', 'get'>;
5303
9322
  type LedgerResponse = Res<'/v1/account/ledger', 'get'>;
9323
+ type TotpEnrollResponse = Res<'/v1/account/mfa/totp/enroll', 'post'>;
9324
+ type TotpConfirmRequest = Req<'/v1/account/mfa/totp/confirm', 'post'>;
9325
+ type TotpConfirmResponse = Res<'/v1/account/mfa/totp/confirm', 'post'>;
9326
+ type TotpDisableResponse = Res<'/v1/account/mfa/totp', 'delete'>;
9327
+ type RecoveryCodesRegenerateResponse = Res<'/v1/account/mfa/recovery-codes/regenerate', 'post'>;
5304
9328
  type ListOauthSessionsResponse = Res<'/v1/oauth/sessions', 'get'>;
5305
9329
  type HealthLiveResponse = Res<'/health/live', 'get'>;
5306
9330
  type HealthReadyResponse = Res<'/health/ready', 'get'>;
9331
+ type ContractInfoResponse = ChainRes<'/v5/contracts/{contractAddress}/info', 'get'>;
9332
+ type VerifyContractResponse = ChainRes<'/v5/contracts/{contractAddress}/verify', 'get'>;
9333
+ type ListWitnessesResponse = ChainRes<'/v5/contracts/{contractAddress}/witnesses', 'get'>;
9334
+ type GetChainWitnessResponse = ChainRes<'/v5/contracts/{contractAddress}/witnesses/{witnessId}', 'get'>;
9335
+ type GetContractTransactionResponse = ChainRes<'/v5/contracts/{contractAddress}/transactions/{txHash}', 'get'>;
9336
+ type GetTransactionResponse = ChainRes<'/v5/transactions/{txHash}', 'get'>;
9337
+ type GetWalletBalanceResponse = ChainRes<'/v5/wallets/{address}/balance', 'get'>;
9338
+ type DashboardContractResponse = ChainRes<'/v5/dashboard/contract', 'get'>;
9339
+ type DashboardWitnessesResponse = ChainRes<'/v5/dashboard/witnesses', 'get'>;
5307
9340
 
5308
9341
  /**
5309
- * WitniumchainClient — typed HTTP client for the WitniumChain accounts API.
9342
+ * WitniumchainClient — typed HTTP client for the WitniumChain API surface.
9343
+ *
9344
+ * Covers both accounts (identity / billing / OAuth / delegated keys / witness
9345
+ * writes via the metered v5 proxy) and chain-api read surfaces (contract
9346
+ * info / witness lookup / wallet balance / dashboards). Three convenience
9347
+ * clients layer on top — `WitniumchainClient` (end-user),
9348
+ * `WitniumchainOrgClient` (org admin), `WitniumchainAdminClient` (sysadmin) —
9349
+ * with helpers for signup, subscriptions, and delegated-key provisioning.
5310
9350
  *
5311
- * This is the v1 "shell" client: one low-level method per OpenAPI route.
5312
- * Thread 4 (per docs/PLAN-PHASE-C-HARDEN-SURFACES.md) will layer three
5313
- * higher-level clients on top — `WitniumchainClient` (end-user),
5314
- * `WitniumchainOrgClient` (org admin), `WitniumchainAdminClient`
5315
- * (sysadmin) — with ergonomic helpers for signup, subscriptions,
5316
- * delegated-key provisioning, Stripe Connect onboarding, etc.
9351
+ * Stripe surface is intentionally Checkout + Customer Portal ONLY. Witnium is
9352
+ * not a marketplace, so there is no Stripe Connect onboarding.
5317
9353
  *
5318
9354
  * Auth model — five distinct credentials, each used by a known subset of
5319
9355
  * routes. Configure whichever you'll actually use; methods that need a
@@ -5328,10 +9364,11 @@ type HealthReadyResponse = Res<'/health/ready', 'get'>;
5328
9364
  * does the canonical-message construction; you supply
5329
9365
  * only the public key + signing callback.
5330
9366
  *
5331
- * Every request/response type is derived from the published OpenAPI spec.
5332
- * A CI drift test in the accounts repo asserts the spec matches what the
5333
- * deployed server serves; another asserts the regenerated SDK types match
5334
- * the committed `src/generated/openapi.ts`.
9367
+ * Every request/response type is derived from the published OpenAPI specs of
9368
+ * both accounts and chain-api. A CI drift test in each repo asserts the spec
9369
+ * matches what the deployed server serves; another asserts the regenerated
9370
+ * SDK types match the committed `src/generated/accounts.ts` and
9371
+ * `src/generated/chain.ts`.
5335
9372
  */
5336
9373
 
5337
9374
  interface SignedRequestSigner {
@@ -5403,12 +9440,48 @@ interface ProvisionDelegatedKeyResult {
5403
9440
  blockNumber?: number;
5404
9441
  }
5405
9442
  interface WitniumchainClientConfig {
5406
- /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */
9443
+ /** Accounts base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */
5407
9444
  baseUrl: string;
9445
+ /**
9446
+ * Chain-api base URL, e.g. `https://api.witniumchain.com`. Required only if you
9447
+ * call chain-api read methods (`getWitness`, `getContractInfo`, etc.). Methods
9448
+ * that need it will throw a clear `WitniumchainApiError` at call time if
9449
+ * unconfigured. Same `accessToken` is reused — accounts mints OAuth tokens with
9450
+ * `aud=https://api.witniumchain.com`, so they're valid against both services.
9451
+ */
9452
+ chainBaseUrl?: string;
5408
9453
  /** Session cookie value (the `wac_session` cookie's body, not the full header). */
5409
9454
  sessionCookie?: string;
5410
- /** OAuth 2.1 access token (Bearer JWT). */
9455
+ /**
9456
+ * OAuth 2.1 access token (Bearer JWT). The SDK treats this as in-memory
9457
+ * mutable state — {@link WitniumchainClient.completeOAuthLogin} and
9458
+ * {@link WitniumchainClient.refreshAccessToken} both update it; reads of
9459
+ * `BearerJWT`-authed routes pick up the latest value. Pass an initial value
9460
+ * if you already have one (e.g. server-side rendering); leave it unset and
9461
+ * let `completeOAuthLogin` populate it from the OAuth flow.
9462
+ */
5411
9463
  accessToken?: string;
9464
+ /**
9465
+ * OAuth client id of the registered application using this SDK. Required if
9466
+ * you call {@link WitniumchainClient.beginOAuthLogin} OR
9467
+ * {@link WitniumchainClient.refreshAccessToken}. Methods that need it will
9468
+ * throw a clear `WitniumchainApiError` at call time when unconfigured.
9469
+ *
9470
+ * Registered via the org-admin OAuth-clients UI (Thread G of Phase AUTH).
9471
+ */
9472
+ oauthClientId?: string;
9473
+ /**
9474
+ * Storage adapter for the PKCE verifier between authorize redirect and
9475
+ * token exchange. Defaults to a `globalThis.sessionStorage` wrapper —
9476
+ * suitable for browser SPAs. Tests inject a Map-backed mock; non-browser
9477
+ * callers (Node SSR, native apps with their own storage) supply their own.
9478
+ *
9479
+ * sessionStorage is the chosen default because it's tab-scoped (resilient
9480
+ * to cross-tab interference) and cleared on tab close (no stale verifier
9481
+ * persistence). It is NOT localStorage — that would survive tab close and
9482
+ * is reachable from any same-origin script, weakening the XSS posture.
9483
+ */
9484
+ verifierStorage?: PkceVerifierStorage;
5412
9485
  /** Organisation API key (`wcorg_live_…`). */
5413
9486
  orgApiKey?: string;
5414
9487
  /** System-admin token (`Authorization: Bearer <ADMIN_TOKEN>`). */
@@ -5420,11 +9493,72 @@ interface WitniumchainClientConfig {
5420
9493
  /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */
5421
9494
  fetch?: typeof fetch;
5422
9495
  }
9496
+ /**
9497
+ * Arguments to {@link WitniumchainClient.beginOAuthLogin}. The OAuth client id
9498
+ * is sourced from `WitniumchainClientConfig.oauthClientId` at construction —
9499
+ * not repeated here — so the same client can drive multiple authorize calls
9500
+ * (e.g. retry on user cancellation) without rethreading the id every time.
9501
+ */
9502
+ interface BeginOAuthLoginArgs {
9503
+ /**
9504
+ * Where the authorization server should redirect after the user authenticates.
9505
+ * Must exactly match one of the redirect URIs registered for the OAuth client.
9506
+ * Stored alongside the PKCE verifier so {@link WitniumchainClient.completeOAuthLogin}
9507
+ * can rebuild the canonical token-exchange request without the caller having
9508
+ * to thread the same URI through twice.
9509
+ */
9510
+ redirectUri: string;
9511
+ /**
9512
+ * OAuth scopes to request. Default: `['openid', 'profile', 'email']` — the
9513
+ * standard OIDC sign-in trio. Pass a wider list if the caller's tokens need
9514
+ * additional scopes (e.g. `witnesses:write`); the authorization server
9515
+ * filters out scopes the user isn't allowed to grant.
9516
+ */
9517
+ scope?: readonly string[];
9518
+ /**
9519
+ * Custom OAuth `state` value. Default: a freshly-generated 32-byte URL-safe
9520
+ * random. Passing a custom value is useful when the caller needs to round-
9521
+ * trip application-level context through the redirect (e.g. "which page was
9522
+ * the user on before login"); the value is otherwise treated as opaque.
9523
+ */
9524
+ state?: string;
9525
+ /**
9526
+ * Standard OIDC `prompt` parameter. `'login'` forces the AS to re-prompt for
9527
+ * credentials even if the user has a live session; `'none'` asks for silent
9528
+ * SSO (returns `login_required` if not possible). Default: unset.
9529
+ */
9530
+ prompt?: 'login' | 'none';
9531
+ }
9532
+ interface BeginOAuthLoginResult {
9533
+ /** URL to redirect the user to. The caller does `window.location.assign(...)`. */
9534
+ authorizationUrl: string;
9535
+ /**
9536
+ * The state value bound to this login attempt. Same as the `state` passed
9537
+ * in (if any) or a freshly generated one. {@link WitniumchainClient.completeOAuthLogin}
9538
+ * validates that the state in the callback URL matches a value it issued.
9539
+ */
9540
+ state: string;
9541
+ }
9542
+ interface OAuthTokenSnapshot {
9543
+ /** OAuth Bearer access token. */
9544
+ accessToken: string;
9545
+ /** Unix seconds at which the access token expires. */
9546
+ expiresAt: number;
9547
+ }
5423
9548
  declare class WitniumchainClient {
5424
9549
  private readonly baseUrl;
9550
+ private readonly chainBaseUrl;
5425
9551
  private readonly cfg;
5426
9552
  private readonly timeout;
5427
9553
  private readonly fetchImpl;
9554
+ private accessToken;
9555
+ private refreshToken;
9556
+ private hasRefreshCookie;
9557
+ private readonly oauthClientId;
9558
+ private pendingLogins;
9559
+ private readonly verifierStorage;
9560
+ private discoveryCache;
9561
+ private refreshInFlight;
5428
9562
  /** Subscriptions / billing helpers. See {@link Subscriptions}. */
5429
9563
  readonly subscriptions: Subscriptions;
5430
9564
  /** Delegated-key namespace including the one-call {@link DelegatedKeys.provision} flow. */
@@ -5433,6 +9567,8 @@ declare class WitniumchainClient {
5433
9567
  readonly keys: SigningKeys;
5434
9568
  /** OAuth session management. Accessed as `client.oauth.sessions.*`. */
5435
9569
  readonly oauth: OauthNamespace;
9570
+ /** MFA self-management. Accessed as `client.mfa.totp.*` and `client.mfa.recoveryCodes.*`. */
9571
+ readonly mfa: MfaNamespace;
5436
9572
  constructor(config: WitniumchainClientConfig);
5437
9573
  /**
5438
9574
  * Convenience alias for {@link getAccount} — returns the authenticated
@@ -5440,6 +9576,17 @@ declare class WitniumchainClient {
5440
9576
  */
5441
9577
  me(): Promise<AccountResponse>;
5442
9578
  signup(body: SignupRequest): Promise<SignupResponse>;
9579
+ /**
9580
+ * Self-serve org creation (Phase RBAC Thread D). One public call that
9581
+ * creates the admin user, the org, the org-admin membership, and deploys
9582
+ * the contract with the caller's client-generated `ownerPublicKey` +
9583
+ * `initialSigningPublicKey`. Witnium never sees the private bytes.
9584
+ *
9585
+ * Returns `{ orgId, userId, contractAddress, contractVersion,
9586
+ * emailVerifyToken }`. The verify token is also emailed; it's echoed here
9587
+ * for UIs that prefer to render the verify link themselves.
9588
+ */
9589
+ createOrg(body: CreateOrgRequest): Promise<CreateOrgResponse>;
5443
9590
  verifyEmail(token: string): Promise<VerifyEmailResponse>;
5444
9591
  login(body: LoginRequest): Promise<LoginResponse>;
5445
9592
  logout(): Promise<LogoutResponse>;
@@ -5464,9 +9611,9 @@ declare class WitniumchainClient {
5464
9611
  revokeDelegatedKey(id: string): Promise<RevokeDelegatedKeyResponse>;
5465
9612
  sign(body: SignRequest, requestId?: string): Promise<SignResponse>;
5466
9613
  provisionContract(body: ProvisionContractRequest): Promise<ProvisionContractResponse>;
5467
- addSigningKey(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse>;
5468
- revokeSigningKey(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse>;
5469
- pauseContract(body: PauseRequest): Promise<PauseResponse>;
9614
+ addSigningKey(body: AddSigningKeyRequest$1): Promise<AddSigningKeyResponse>;
9615
+ revokeSigningKey(body: RevokeSigningKeyRequest$1): Promise<RevokeSigningKeyResponse>;
9616
+ pauseContract(body: PauseRequest$1): Promise<PauseResponse>;
5470
9617
  unpauseContract(body: UnpauseRequest): Promise<UnpauseResponse>;
5471
9618
  proposeWitness(contractAddress: string, body: ProposeWitnessRequest, idempotencyKey?: string): Promise<ProposeWitnessResponse>;
5472
9619
  signWitness(contractAddress: string, witnessId: string, body: SignWitnessRequest): Promise<SignWitnessResponse>;
@@ -5479,13 +9626,141 @@ declare class WitniumchainClient {
5479
9626
  revokeWitnessV5(contractAddress: string, witnessId: string, body: RevokeWitnessV5Request, idempotencyKey?: string): Promise<RevokeWitnessV5Response>;
5480
9627
  getAccount(): Promise<AccountResponse>;
5481
9628
  getLedger(): Promise<LedgerResponse>;
9629
+ enrollTotp(): Promise<TotpEnrollResponse>;
9630
+ confirmTotp(body: TotpConfirmRequest): Promise<TotpConfirmResponse>;
9631
+ disableTotp(): Promise<TotpDisableResponse>;
9632
+ regenerateRecoveryCodes(): Promise<RecoveryCodesRegenerateResponse>;
5482
9633
  listOauthSessions(): Promise<ListOauthSessionsResponse>;
5483
9634
  revokeOauthSession(jti: string): Promise<void>;
5484
9635
  revokeAllOauthSessions(): Promise<void>;
5485
9636
  healthLive(): Promise<HealthLiveResponse>;
5486
9637
  healthReady(): Promise<HealthReadyResponse>;
9638
+ getContractInfo(contractAddress: string): Promise<ContractInfoResponse>;
9639
+ getContractVerification(contractAddress: string): Promise<VerifyContractResponse>;
9640
+ listWitnessesV5(contractAddress: string, params?: {
9641
+ dataId?: string;
9642
+ limit?: number;
9643
+ offset?: number;
9644
+ }): Promise<ListWitnessesResponse>;
9645
+ getWitnessV5(contractAddress: string, witnessId: string): Promise<GetChainWitnessResponse>;
9646
+ getContractTransaction(contractAddress: string, txHash: string): Promise<GetContractTransactionResponse>;
9647
+ getTransaction(txHash: string): Promise<GetTransactionResponse>;
9648
+ getWalletBalance(address: string): Promise<GetWalletBalanceResponse>;
9649
+ getDashboardContract(): Promise<DashboardContractResponse>;
9650
+ getDashboardWitnesses(params?: {
9651
+ from?: number;
9652
+ to?: number;
9653
+ timeLock?: 'locked' | 'none';
9654
+ limit?: number;
9655
+ offset?: number;
9656
+ }): Promise<DashboardWitnessesResponse>;
9657
+ /**
9658
+ * Build the authorization-server URL for the start of an OAuth login flow.
9659
+ *
9660
+ * Generates a fresh PKCE verifier + challenge, stashes the verifier in the
9661
+ * configured {@link PkceVerifierStorage} under the `state` key, and returns
9662
+ * the URL the caller should redirect the user to. Side-effects:
9663
+ *
9664
+ * - sessionStorage gets a PKCE entry under `witniumchain.pkce.<state>`.
9665
+ * - The client instance remembers the `redirectUri` for this `state`
9666
+ * so {@link completeOAuthLogin} can rebuild the matching token request
9667
+ * without the caller threading the URI through twice.
9668
+ *
9669
+ * The caller is responsible for the redirect itself
9670
+ * (`window.location.assign(result.authorizationUrl)`); the SDK doesn't
9671
+ * touch `window` directly so SSR + non-browser callers are not broken.
9672
+ */
9673
+ beginOAuthLogin(args: BeginOAuthLoginArgs): Promise<BeginOAuthLoginResult>;
9674
+ /**
9675
+ * Exchange an authorization-code callback for an access token.
9676
+ *
9677
+ * Reads `code` and `state` from the callback URL, validates the state
9678
+ * against a stored verifier, exchanges the code at the token endpoint,
9679
+ * and stores the access token (and refresh token) in the client's
9680
+ * in-memory state. Returns the access token + its expiry for callers
9681
+ * who want to display the session or schedule a proactive refresh.
9682
+ *
9683
+ * Throws (without consuming the verifier) when the callback URL is
9684
+ * missing `code` or `state`, or when the state has no matching verifier
9685
+ * — the latter happens when the user opens an old/forged callback URL,
9686
+ * or when sessionStorage was cleared between authorize and callback.
9687
+ *
9688
+ * The caller is responsible for stripping `code` and `state` from the
9689
+ * browser URL afterwards (`window.history.replaceState`) so a refresh
9690
+ * doesn't re-trigger the exchange against an already-consumed code.
9691
+ */
9692
+ completeOAuthLogin(callbackUrl: string | URL): Promise<OAuthTokenSnapshot>;
9693
+ /**
9694
+ * Refresh the access token. Sends `grant_type=refresh_token` to the token
9695
+ * endpoint with the in-memory refresh token, and updates `accessToken`
9696
+ * (and the rotated refresh token) on success.
9697
+ *
9698
+ * Concurrent callers — including the 401-retry interceptor inside `req()`
9699
+ * fanning out N parallel calls — share a single in-flight refresh promise:
9700
+ * refresh tokens rotate on use, so issuing two concurrent refreshes would
9701
+ * race and one would 401 with `invalid_grant`.
9702
+ *
9703
+ * Throws `WitniumchainApiError` if the refresh token is missing (the SDK
9704
+ * was constructed without one and `completeOAuthLogin` was never called)
9705
+ * or if the AS rejects the refresh (token revoked / expired). On rejection
9706
+ * the in-memory tokens are cleared so subsequent BearerJWT calls fail fast
9707
+ * instead of retrying with a now-invalid token.
9708
+ */
9709
+ refreshAccessToken(): Promise<OAuthTokenSnapshot>;
9710
+ /**
9711
+ * End the OAuth session.
9712
+ *
9713
+ * Clears the in-memory access + refresh tokens. Best-effort revocation of
9714
+ * the server-side session would require a server endpoint that accepts a
9715
+ * Bearer-token-authenticated DELETE (today's `/v1/oauth/sessions` requires
9716
+ * the first-party `wac_session` cookie, see oauth-sessions.controller.ts).
9717
+ * That endpoint will arrive with Phase AUTH Thread E; until then,
9718
+ * `signOut` clears local state only and the access token's natural TTL
9719
+ * (currently 60 min) bounds residual risk if the refresh token is also
9720
+ * dropped — which it is, here.
9721
+ */
9722
+ signOut(): void;
9723
+ private verifierStorageOrDefault;
9724
+ private fetchDiscovery;
9725
+ private postTokenEndpoint;
9726
+ private persistTokenResponse;
9727
+ private refreshAccessTokenInternal;
5487
9728
  private req;
5488
- private buildUrl;
9729
+ /**
9730
+ * Decide whether a non-2xx response on a `BearerJWT` route should trigger
9731
+ * a refresh + single retry. Returns false (no retry) when:
9732
+ *
9733
+ * - this call IS the retry — never recurse,
9734
+ * - the auth mode isn't BearerJWT — refresh only helps Bearer tokens,
9735
+ * - the status isn't 401 — refresh doesn't unstick 403/404/500/etc,
9736
+ * - we don't have a refresh token in memory — nothing to refresh with,
9737
+ * - the response body doesn't look like an expired-token signal.
9738
+ *
9739
+ * On a positive answer, the method ALSO performs the refresh in-line:
9740
+ * the caller just gets back `true` and replays the original request,
9741
+ * which picks up the freshly-rotated `accessToken` via `applyAuth`.
9742
+ * Refresh failures are swallowed here (the caller falls through to the
9743
+ * regular error path); `refreshAccessTokenInternal` already cleared the
9744
+ * in-memory tokens so the retry won't have anything to send.
9745
+ */
9746
+ private shouldRefreshAndRetry;
9747
+ /**
9748
+ * Same decision as `shouldRefreshAndRetry` but for the JSON-parsed path,
9749
+ * where we have the body. Adds one extra gate: only retry when the parsed
9750
+ * body looks like a "token expired" signal (`error: 'token_expired'` per
9751
+ * the AUTH plan, or `error: 'invalid_token'` per RFC 6750 §3.1). A 401
9752
+ * with any other `error` label is a real authn/authz failure that refresh
9753
+ * won't fix — surface it instead of burning a refresh token.
9754
+ */
9755
+ private shouldRefreshAndRetryParsed;
9756
+ /**
9757
+ * Resolve which base URL to call. Default is accounts (`baseUrl`). When a
9758
+ * method opts into 'chain', `chainBaseUrl` must be configured — throw at call
9759
+ * time with a clear message rather than fall back silently to accounts (no
9760
+ * defaults: a wrong base URL is a real bug and would mask itself as a 404).
9761
+ */
9762
+ private resolveBaseUrl;
9763
+ private buildPathWithQuery;
5489
9764
  private applyAuth;
5490
9765
  private parseApiError;
5491
9766
  private toApiError;
@@ -5561,8 +9836,8 @@ declare class SigningKeys {
5561
9836
  * WitniumchainClient.getAccount} and returns the `signingKeys` slice.
5562
9837
  */
5563
9838
  list(): Promise<AccountResponse['signingKeys']>;
5564
- add(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse>;
5565
- revoke(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse>;
9839
+ add(body: AddSigningKeyRequest$1): Promise<AddSigningKeyResponse>;
9840
+ revoke(body: RevokeSigningKeyRequest$1): Promise<RevokeSigningKeyResponse>;
5566
9841
  }
5567
9842
  /** `client.oauth.sessions.*` — list and revoke active OAuth sessions. */
5568
9843
  declare class OauthNamespace {
@@ -5576,6 +9851,48 @@ declare class OauthSessions {
5576
9851
  revoke(jti: string): Promise<void>;
5577
9852
  revokeAll(): Promise<void>;
5578
9853
  }
9854
+ /**
9855
+ * `client.mfa.*` — TOTP and recovery-code self-management for the
9856
+ * authenticated user. The split into `mfa.totp.*` and `mfa.recoveryCodes.*`
9857
+ * mirrors the server-side controller structure and matches the AUTH plan's
9858
+ * D8 SDK surface (`client.mfa.totp.enroll/confirm/disable` +
9859
+ * `client.mfa.recoveryCodes.regenerate`).
9860
+ */
9861
+ declare class MfaNamespace {
9862
+ readonly totp: MfaTotp;
9863
+ readonly recoveryCodes: MfaRecoveryCodes;
9864
+ constructor(client: WitniumchainClient);
9865
+ }
9866
+ declare class MfaTotp {
9867
+ private readonly client;
9868
+ constructor(client: WitniumchainClient);
9869
+ /**
9870
+ * Start enrolment. Returns the secret + otpauth URL — render the URL as a
9871
+ * QR code in your dashboard (any QR library will do; the SDK doesn't bundle
9872
+ * one). The enrolment is NOT yet a usable second factor: call
9873
+ * {@link confirm} with the first 6-digit code from the authenticator app
9874
+ * to activate it AND receive the recovery codes.
9875
+ */
9876
+ enroll(): Promise<TotpEnrollResponse>;
9877
+ /**
9878
+ * Confirm enrolment with the first user-supplied code. Returns the 10
9879
+ * single-use recovery codes — show them to the user ONCE; the server never
9880
+ * returns them again. Throws `WitniumchainApiError` with status 400 when
9881
+ * the code is invalid or the enrolment is already confirmed.
9882
+ */
9883
+ confirm(code: string): Promise<TotpConfirmResponse>;
9884
+ /** Disable TOTP, wiping both the secret and all recovery codes. */
9885
+ disable(): Promise<TotpDisableResponse>;
9886
+ }
9887
+ declare class MfaRecoveryCodes {
9888
+ private readonly client;
9889
+ constructor(client: WitniumchainClient);
9890
+ /**
9891
+ * Issue a fresh set of 10 recovery codes, invalidating the prior ones.
9892
+ * Same as `confirm` — codes are returned ONCE and never readable again.
9893
+ */
9894
+ regenerate(): Promise<RecoveryCodesRegenerateResponse>;
9895
+ }
5579
9896
 
5580
9897
  interface WitniumchainAdminClientConfig {
5581
9898
  /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */
@@ -5621,6 +9938,66 @@ declare class WitniumchainAdminClient {
5621
9938
  adjustCredits(orgId: string, delta: number, note?: string): Promise<AdjustCreditsResponse>;
5622
9939
  }
5623
9940
 
9941
+ type Body<T> = T extends {
9942
+ content: {
9943
+ 'application/json': infer J;
9944
+ };
9945
+ } ? J : never;
9946
+ type Resp<T> = T extends {
9947
+ content: {
9948
+ 'application/json': infer J;
9949
+ };
9950
+ } ? J : never;
9951
+ type DeployContractRequest = Body<NonNullable<paths['/v5/contracts/deploy']['post']['requestBody']>>;
9952
+ type DeployContractResponse = Resp<paths['/v5/contracts/deploy']['post']['responses']['200']>;
9953
+ type AddSigningKeyRequest = Body<NonNullable<paths['/v5/contracts/{contractAddress}/keys']['post']['requestBody']>>;
9954
+ type OwnerOpResponse = Resp<paths['/v5/contracts/{contractAddress}/keys']['post']['responses']['200']>;
9955
+ type RevokeSigningKeyRequest = {
9956
+ keyToRevoke: string;
9957
+ ownerNonce: number;
9958
+ ownerSignature: string;
9959
+ };
9960
+ type PauseRequest = {
9961
+ ownerNonce: number;
9962
+ ownerSignature: string;
9963
+ };
9964
+ interface WitniumchainChainAdminClientConfig {
9965
+ /** chain-api base URL, e.g. https://api.witniumchain.com. Trailing slash optional. */
9966
+ baseUrl: string;
9967
+ /**
9968
+ * Static bearer token (legacy `BEARER_TOKEN`). Mutually exclusive with
9969
+ * `adminTokenProvider`. Phase RBAC checkpoint 3 retires this in favour of
9970
+ * the provider.
9971
+ */
9972
+ adminToken?: string;
9973
+ /**
9974
+ * Async function that yields a fresh accounts-minted service-principal JWT
9975
+ * with `aud=https://api.witniumchain.com/admin` + `role=org-admin` on each
9976
+ * call. Implementations typically cache against the token's `exp`. Returned
9977
+ * tokens MUST satisfy chain-api's DashboardJwtGuard.
9978
+ */
9979
+ adminTokenProvider?: () => Promise<string>;
9980
+ /** Per-request timeout in milliseconds. Default 30000. */
9981
+ timeout?: number;
9982
+ /** Alternate fetch implementation, e.g. for tests. Default globalThis.fetch. */
9983
+ fetch?: typeof fetch;
9984
+ }
9985
+ declare class WitniumchainChainAdminClient {
9986
+ private readonly baseUrl;
9987
+ private readonly adminToken;
9988
+ private readonly adminTokenProvider;
9989
+ private readonly timeout;
9990
+ private readonly fetchImpl;
9991
+ constructor(config: WitniumchainChainAdminClientConfig);
9992
+ deployContract(body: DeployContractRequest): Promise<DeployContractResponse>;
9993
+ addSigningKey(contractAddress: string, body: AddSigningKeyRequest): Promise<OwnerOpResponse>;
9994
+ revokeSigningKey(contractAddress: string, body: RevokeSigningKeyRequest): Promise<OwnerOpResponse>;
9995
+ pauseContract(contractAddress: string, body: PauseRequest): Promise<OwnerOpResponse>;
9996
+ unpauseContract(contractAddress: string, body: PauseRequest): Promise<OwnerOpResponse>;
9997
+ private resolveToken;
9998
+ private req;
9999
+ }
10000
+
5624
10001
  /**
5625
10002
  * WitniumchainOrgClient — org-admin facade over the accounts API.
5626
10003
  *
@@ -5693,4 +10070,4 @@ declare class WitniumchainApiError extends Error {
5693
10070
  });
5694
10071
  }
5695
10072
 
5696
- export { type AccountResponse, type AccountType, type AddSigningKeyRequest, type AddSigningKeyResponse, type AdjustCreditsRequest, type AdjustCreditsResponse, type CheckoutRequest, type CheckoutResponse, type CreateOrganizationRequest, type CreateOrganizationResponse, type CreateUserRequest, type CreateUserResponse, DelegatedKeys, type FinalizeWitnessResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetWitnessResponse, type HealthLiveResponse, type HealthReadyResponse, type LedgerResponse, type ListDelegatedKeysResponse, type ListOauthSessionsResponse, type ListUsersResponse, type LoginRequest, type LoginResponse, type LogoutResponse, OauthNamespace, OauthSessions, OrgUsers, type OwnerSigner, type PauseRequest, type PauseResponse, type PortalResponse, type PrepareDelegatedKeyRequest, type PreparedDelegatedKeyResponse, type ProposeWitnessRequest, type ProposeWitnessResponse, type ProvisionContractRequest, type ProvisionContractResponse, type ProvisionDelegatedKeyArgs, type ProvisionDelegatedKeyResult, type PublicOrgResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDelegatedKeyResponse, type RevokeSigningKeyRequest, type RevokeSigningKeyResponse, type RevokeWitnessRequest, type RevokeWitnessResponse, type RotateApiKeyResponse, type SetAccountTypeRequest, type SetAccountTypeResponse, type SignRequest, type SignResponse, type SignWitnessRequest, type SignWitnessResponse, type SignedRequestSigner, SigningKeys, type SignupRequest, type SignupResponse, type SubmitDelegatedKeyRequest, type SubmitDelegatedKeyResponse, Subscriptions, type UnpauseRequest, type UnpauseResponse, type VerifyEmailResponse, type VerifyOrganizationResponse, WitniumchainAdminClient, type WitniumchainAdminClientConfig, WitniumchainApiError, WitniumchainClient, type WitniumchainClientConfig, WitniumchainOrgClient, type WitniumchainOrgClientConfig, type paths };
10073
+ export { type AccountResponse, type AccountType, type paths$1 as AccountsPaths, type AddSigningKeyRequest$1 as AddSigningKeyRequest, type AddSigningKeyResponse, type AdjustCreditsRequest, type AdjustCreditsResponse, type BeginOAuthLoginArgs, type BeginOAuthLoginResult, type paths as ChainPaths, type CheckoutRequest, type CheckoutResponse, type CreateOrgRequest, type CreateOrgResponse, type CreateOrganizationRequest, type CreateOrganizationResponse, type CreateUserRequest, type CreateUserResponse, DelegatedKeys, type FinalizeWitnessResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetWitnessResponse, type HealthLiveResponse, type HealthReadyResponse, type LedgerResponse, type ListDelegatedKeysResponse, type ListOauthSessionsResponse, type ListUsersResponse, type LoginRequest, type LoginResponse, type LogoutResponse, MfaNamespace, MfaRecoveryCodes, MfaTotp, type OAuthTokenSnapshot, OauthNamespace, OauthSessions, OrgUsers, type OwnerSigner, type PauseRequest$1 as PauseRequest, type PauseResponse, type PkceVerifierStorage, type PortalResponse, type PrepareDelegatedKeyRequest, type PreparedDelegatedKeyResponse, type ProposeWitnessRequest, type ProposeWitnessResponse, type ProvisionContractRequest, type ProvisionContractResponse, type ProvisionDelegatedKeyArgs, type ProvisionDelegatedKeyResult, type PublicOrgResponse, type RecoveryCodesRegenerateResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDelegatedKeyResponse, type RevokeSigningKeyRequest$1 as RevokeSigningKeyRequest, type RevokeSigningKeyResponse, type RevokeWitnessRequest, type RevokeWitnessResponse, type RotateApiKeyResponse, type SetAccountTypeRequest, type SetAccountTypeResponse, type SignRequest, type SignResponse, type SignWitnessRequest, type SignWitnessResponse, type SignedRequestSigner, SigningKeys, type SignupRequest, type SignupResponse, type SubmitDelegatedKeyRequest, type SubmitDelegatedKeyResponse, Subscriptions, type TotpConfirmRequest, type TotpConfirmResponse, type TotpDisableResponse, type TotpEnrollResponse, type UnpauseRequest, type UnpauseResponse, type VerifyEmailResponse, type VerifyOrganizationResponse, WitniumchainAdminClient, type WitniumchainAdminClientConfig, WitniumchainApiError, WitniumchainChainAdminClient, type WitniumchainChainAdminClientConfig, WitniumchainClient, type WitniumchainClientConfig, WitniumchainOrgClient, type WitniumchainOrgClientConfig, defaultVerifierStorage };