@witnium-tech/witniumchain 0.5.0 → 0.6.1

package/FRONTEND-INTEGRATION.md

@@ -0,0 +1,297 @@
+# WitniumChain — Frontend Integration Guide
+
+Audience: the team building the WitniumChain dashboard frontend. This is the
+contract between the backend (accounts + chain-api) and your UI. It covers the
+end-to-end user flows, where keys live, the recovery-file format, and the
+known sharp edges discovered during backend validation.
+
+The SDK that backs all of this is **`@witnium-tech/witniumchain`** (npm). Every
+flow below has a typed method on it.
+
+---
+
+## 1. The custody model — read this first
+
+Two ed25519 keys are generated **client-side** at signup and never leave the
+user's device in plaintext:
+
+| Key | Controls | Used for |
+|---|---|---|
+| **Owner key** | The contract's signing-key set (add/revoke), pause/unpause | Authorizing changes. Never signs witnesses. |
+| **Signing key** | — | Signing witnesses day-to-day |
+
+Witnium only ever receives the **public** halves. The backend enforces
+`ownerPublicKey !== initialSigningPublicKey`.
+
+**Your job on the frontend:** generate these keys, store them encrypted, let
+the user export/import them, and produce owner-key signatures when the backend
+asks for them (the MCP-CUSTODY ceremony, §6). You are the custody surface. If
+you lose the keys with no recovery file, the account's contract is
+unrecoverable — there is no server-side escrow by design.
+
+### Recommended storage (production)
+
+The throwaway test frontend stored keys as plain hex in `localStorage`. **Do
+not ship that.** The intended production design:
+
+- Wrap the two private keys with a key derived from a **WebAuthn PRF** assertion
+  (passkey). The user authenticates with their passkey to decrypt.
+- Issue **recovery codes** at signup (one-time display) as the fallback when no
+  passkey is available (new device, lost authenticator).
+- Persist the wrapped blob in IndexedDB.
+
+The backend does not need to know how you wrap the keys — it only sees public
+keys + signatures. But see §7 for the **same-origin requirement**, which is a
+hard constraint on where this storage lives.
+
+---
+
+## 2. Install
+
+```bash
+npm install @witnium-tech/witniumchain
+```
+
+```ts
+import { WitniumchainClient } from '@witnium-tech/witniumchain';
+
+const client = new WitniumchainClient({
+  baseUrl: 'https://auth.witniumchain.com',       // accounts
+  chainBaseUrl: 'https://api.witniumchain.com',   // chain-api (read methods)
+});
+```
+
+Generate keys with any ed25519 lib. The backend + SDK speak 64-hex-char
+public keys (no `0x`). Example with `@noble/ed25519`:
+
+```ts
+import * as ed from '@noble/ed25519';
+const priv = ed.utils.randomPrivateKey();
+const pub = await ed.getPublicKeyAsync(priv);   // hex-encode both halves
+```
+
+---
+
+## 3. Signup → org → contract (one call)
+
+`createOrg` is the self-serve path. It creates the admin user, the
+organization, the org-admin membership, **and deploys the contract** with the
+client-generated keys — all in one request.
+
+```ts
+const result = await client.createOrg({
+  orgName: 'Acme Inc.',
+  adminEmail: 'you@example.com',
+  adminPassword: '≥12 chars',
+  ownerPublicKey: ownerPubHex,
+  initialSigningPublicKey: signingPubHex,
+});
+// → { orgId, userId, contractAddress, contractVersion, emailVerifyToken }
+```
+
+Persist the two private keys + `contractAddress` locally (wrapped, per §1) and
+prompt a recovery-file download (§5) before doing anything else.
+
+`emailVerifyToken` is also emailed to the admin. It's echoed in the response so
+you can render a "click to verify" link inline if you prefer. **The email is
+the login gate, not the contract-deploy gate** — the contract is already live
+when this returns.
+
+---
+
+## 4. Auth flows
+
+### Email verify
+
+```ts
+await client.verifyEmail(token);   // GET /v1/auth/verify?token=…
+```
+
+> ⚠️ This is a **GET**, not POST. (Caught in testing — easy to get wrong.)
+
+### Password login
+
+```ts
+await client.login({ email, password });   // sets wac_session cookie
+```
+
+In a browser the `wac_session` cookie is set automatically (the SDK uses
+`credentials: 'include'`). Server-side callers must capture + replay the cookie.
+
+### Magic-link sign-in
+
+`beginOAuthLogin` / passwordless paths exist; see the SDK's `OauthNamespace`
+and the accounts OpenAPI for `/v1/auth/magic/*`.
+
+### MFA (TOTP)
+
+```ts
+const { secret, otpauthUrl } = await client.mfa.totp.enroll();   // render QR from otpauthUrl
+const { recoveryCodes } = await client.mfa.totp.confirm({ code }); // show ONCE
+```
+
+### OAuth 2.1 + PKCE (for when your dashboard is itself an OAuth client)
+
+```ts
+const { authorizationUrl } = await client.beginOAuthLogin({ … });
+// …redirect, then on callback:
+await client.completeOAuthLogin({ … });   // PKCE verifier from sessionStorage
+```
+
+Access token held in memory; refresh token delivered as an HttpOnly
+`wac_refresh` cookie scoped to `/token` (JS never touches it). The SDK does
+transparent single-flight refresh on 401.
+
+---
+
+## 5. Recovery-file format
+
+The throwaway frontend used this shape. **Treat it as a starting point** —
+production should wrap `record` with WebAuthn/recovery-code encryption rather
+than storing cleartext keys.
+
+```json
+{
+  "version": 1,
+  "type": "witnium-recovery",
+  "created": "<ISO 8601>",
+  "record": {
+    "email": "you@example.com",
+    "orgId": "<uuid>",
+    "userId": "<uuid>",
+    "contractAddress": "0x… (lowercase)",
+    "contractVersion": "5.0.0",
+    "ownerPublicKey": "<64 hex>",
+    "ownerPrivateKey": "<64 hex — ENCRYPT THIS>",
+    "signingPublicKey": "<64 hex>",
+    "signingPrivateKey": "<64 hex — ENCRYPT THIS>"
+  }
+}
+```
+
+Import = restore `record` into local storage. The owner private key must be
+retrievable for the MCP-CUSTODY ceremony (§6).
+
+---
+
+## 6. MCP-CUSTODY consent ceremony
+
+When a user connects an AI agent (claude.ai's MCP connector, or a self-hosted
+one) the backend runs a ceremony at OAuth-consent time that mints a **fresh
+ephemeral signing key per connection** and asks the user to sign two owner-key
+operations:
+
+1. `addSigningKey(<ephemeral key>)` — registers it on the contract (submitted now)
+2. `revokeSigningKey(<same key>)` — pre-signed, stored, fired automatically on disconnect
+
+**What the frontend must provide:** the page that collects these two
+signatures is currently *server-rendered by accounts* at
+`/interaction/:uid/sign-keys`. It runs inline JS that reads the owner key from
+`localStorage['witnium.ownerPrivateKey:<contractAddress>']`, signs both
+messages, and form-POSTs them back.
+
+You have two choices:
+
+- **Let accounts render it** (current behavior). Then your only job is to make
+  sure the owner key is in `localStorage` under that exact key, **on the
+  accounts origin** (see §7).
+- **Render it yourself** and POST the two signatures to
+  `/interaction/:uid/sign-keys` (`addOwnerSignature`, `revokeOwnerSignature`,
+  `revokeNonce`). Gives you full UX control. The signed message formats are:
+  - add: `{"op":1,"contract":"<addr>","nonce":<ownerNonce+1>,"newKey":"<pub>"}`
+  - revoke: `{"op":2,"contract":"<addr>","nonce":<ownerNonce+2>,"key":"<pub>"}`
+  (canonical JSON, signed as UTF-8 bytes with the owner key)
+
+**Dev cross-origin shortcut (pre-launch):** the accounts-rendered sign-keys
+page now also accepts a **recovery-file upload** (the §5 JSON). So while you're
+building on a different origin (e.g. Lovable), the user can export their
+recovery file from your app and upload it on the accounts sign-keys page — the
+page extracts the owner key for the matching contract. This sidesteps the
+same-origin localStorage limitation (§7) without any postMessage plumbing. It's
+a dev convenience, not the production answer; production should solve §7
+properly.
+
+To get refresh tokens (required for the agent to stay connected + for the
+disconnect-on-revoke cascade), the OAuth client **must request
+`prompt=consent`** and include `offline_access` in scope. Without
+`prompt=consent` the AS silently drops `offline_access` and no refresh token is
+issued — this is standard OIDC, not a bug.
+
+---
+
+## 7. Same-origin requirement (architectural — needs a decision)
+
+**The dashboard that stores keys and the accounts OIDC interaction pages must
+share an origin**, because `localStorage` is origin-scoped. Discovered in
+testing: keys saved on `test-frontend.witniumchain.com` were invisible to the
+sign-keys page rendered at `auth.witniumchain.com` → the ceremony couldn't find
+the owner key.
+
+Pick one:
+
+- **(Recommended) Serve the dashboard from `auth.witniumchain.com`** (a path,
+  or accounts serving the SPA). Owner key in localStorage is naturally visible
+  to the OIDC interaction pages. Simplest, no cross-origin plumbing.
+- **Cross-origin with `postMessage`** — dashboard on its own domain passes the
+  owner-key signature to the accounts interaction page via a `postMessage`
+  handshake. More moving parts; partially erodes the "keys never leave your
+  page" story. Only do this if a separate dashboard domain is a hard
+  requirement.
+
+This decision blocks the key-storage implementation, so settle it early.
+
+---
+
+## 7b. Dev workflow — reset + re-run
+
+Testing signup repeatedly piles up users/orgs/contracts. A **pre-launch-only**
+self-serve reset is available:
+
+```ts
+// Authenticated with the wac_session cookie (must be logged in).
+await fetch('https://auth.witniumchain.com/v1/account', {
+  method: 'DELETE',
+  credentials: 'include',
+});
+// → { deleted: true, userId, organizationId, vaultKeysPurged, notice }
+```
+
+Deletes the caller's user + org + contracts + delegated keys (Vault keys
+destroyed too), so you can sign up fresh. The on-chain contract is orphaned
+(immutable — fine). Returns **403** unless `WITNIUM_PRE_LAUNCH=true` on the
+server (it is, on the current dev deploy). This endpoint will be removed before
+customer onboarding; don't build product UI on it — it's purely a dev-loop tool.
+(Alternatively: just sign up with a fresh email each time, no cleanup needed.)
+
+---
+
+## 8. Known limitations / sharp edges
+
+| Issue | Impact | Status |
+|---|---|---|
+| **Pre-signed revoke nonce drift** | If a user opens several agent connections in a row without disconnecting, older connections' on-chain `revokeSigningKey` fails when finally fired (the pre-signed sig is bound to a stale ownerNonce). The Vault key is still destroyed — Witnium genuinely loses signing ability — but the on-chain key stays listed as active. | Known. On-chain cleanup is best-effort under serial grants. Mitigation TBD (revoke-then-add atomic, or periodic re-sign). |
+| **`prompt=consent` required for refresh tokens** | Omitting it silently drops `offline_access`. | Working as designed (OIDC). Document in your OAuth client. |
+| **Email verify is GET** | POST returns "Cannot POST". | Working as designed. |
+| **Same-origin localStorage** | §7. | Architectural decision required. |
+
+---
+
+## 9. API reference
+
+- **accounts OpenAPI**: `https://auth.witniumchain.com/openapi.json` (or the
+  committed `specs/accounts.openapi.json` in the SDK repo)
+- **chain-api OpenAPI**: `specs/chain-api.openapi.json` in the SDK repo
+- Every SDK method's request/response type is derived from these specs via
+  `openapi-typescript`, so they stay in lockstep. Re-export aliases (e.g.
+  `CreateOrgRequest`, `SignupResponse`) are in `src/types.ts`.
+
+## 10. SDK clients at a glance
+
+| Client | For | Auth |
+|---|---|---|
+| `WitniumchainClient` | end-users (signup, login, OAuth, MFA, delegated keys, witness reads) | session cookie / access token |
+| `WitniumchainOrgClient` | org admins managing members | org API key |
+| `WitniumchainAdminClient` | sysadmin org lifecycle | admin token |
+| `WitniumchainChainAdminClient` | **service-to-service only** — not for frontend use | admin token / service-principal JWT |
+
+The frontend lives almost entirely in `WitniumchainClient`.

package/dist/index.d.mts

@@ -915,6 +915,139 @@ interface paths$1 {
         patch?: never;
         trace?: never;
     };
+    "/v1/orgs": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Create an organisation with client-generated keys
+         * @description Phase RBAC Thread D — explicit org creation. The caller generates the owner key and the initial signing key client-side; Witnium never holds the private bytes. The response includes the freshly-deployed contract address and a one-time email-verify token.
+         */
+        post: {
+            parameters: {
+                query?: never;
+                header?: never;
+                path?: never;
+                cookie?: never;
+            };
+            requestBody?: {
+                content: {
+                    "application/json": {
+                        /** @description Display name of the organisation. */
+                        orgName: string;
+                        /**
+                         * Format: email
+                         * @description Email of the founding org-admin. Receives the email-verify link.
+                         * @example user@example.com
+                         */
+                        adminEmail: string;
+                        /** @description Password for the founding org-admin. argon2id-hashed server-side. Minimum 12 chars; callers are expected to gate via a strength meter. */
+                        adminPassword: string;
+                        /**
+                         * @description Client-generated Ed25519 public key that controls signing-key add/revoke on the new contract. Witnium never sees the private bytes (non-custodial).
+                         * @example 4cdde7a3e3a1d8a48d2b9eaf2bcbe2db1d57d3e1a8d6c20e0a86c0f9c4b6cf2e
+                         */
+                        ownerPublicKey: string;
+                        /**
+                         * @description First signing key registered on the contract. Often the same identity as the org-admin's browser-held key (Mode 1) but may also be the public half of a separately-registered Vault-Transit delegated key (Mode 3).
+                         * @example 4cdde7a3e3a1d8a48d2b9eaf2bcbe2db1d57d3e1a8d6c20e0a86c0f9c4b6cf2e
+                         */
+                        initialSigningPublicKey: string;
+                        /** @description Captcha proof. Not yet wired (no captcha provider configured); reserved for when one is added. Public endpoint without it relies on downstream billing/credit-ledger gates against abuse. */
+                        captchaToken?: string;
+                    };
+                };
+            };
+            responses: {
+                /** @description Success */
+                200: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content: {
+                        "application/json": {
+                            /**
+                             * @description UUID v4
+                             * @example 550e8400-e29b-41d4-a716-446655440000
+                             */
+                            orgId: string;
+                            /**
+                             * @description UUID v4
+                             * @example 550e8400-e29b-41d4-a716-446655440000
+                             */
+                            userId: string;
+                            /** @description Address of the freshly-deployed contract. */
+                            contractAddress: string;
+                            /** @description Semantic on-chain Solidity version (e.g. "5.0.0"). */
+                            contractVersion: string;
+                            /** @description Email-verify token. Already sent to adminEmail; echoed here for flows that prefer to surface a "click this link" in their own UI. */
+                            emailVerifyToken: string;
+                        };
+                    };
+                };
+                /** @description Bad Request — validation failed */
+                400: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content: {
+                        "application/json": {
+                            /**
+                             * @description HTTP status code
+                             * @example 400
+                             */
+                            statusCode?: number;
+                            /**
+                             * @description Short error label
+                             * @example Bad Request
+                             */
+                            error?: string;
+                            /**
+                             * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
+                             * @example Validation failed
+                             */
+                            message: string | string[];
+                        };
+                    };
+                };
+                /** @description Conflict */
+                409: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content: {
+                        "application/json": {
+                            /**
+                             * @description HTTP status code
+                             * @example 400
+                             */
+                            statusCode?: number;
+                            /**
+                             * @description Short error label
+                             * @example Bad Request
+                             */
+                            error?: string;
+                            /**
+                             * @description Human-readable error message. Validation errors from `ZodError.flatten()` may be returned as an array.
+                             * @example Validation failed
+                             */
+                            message: string | string[];
+                        };
+                    };
+                };
+            };
+        };
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/v1/orgs/me": {
         parameters: {
             query?: never;
@@ -9142,6 +9275,8 @@ type PublicOrgResponse = Res<'/v1/orgs/me', 'get'>;
 type CreateUserRequest = Req<'/v1/orgs/me/users', 'post'>;
 type CreateUserResponse = Res<'/v1/orgs/me/users', 'post'>;
 type ListUsersResponse = Res<'/v1/orgs/me/users', 'get'>;
+type CreateOrgRequest = Req<'/v1/orgs', 'post'>;
+type CreateOrgResponse = Res<'/v1/orgs', 'post'>;
 type CreateOrganizationRequest = Req<'/v1/admin/organizations', 'post'>;
 type CreateOrganizationResponse = Res<'/v1/admin/organizations', 'post'>;
 type SetAccountTypeRequest = Req<'/v1/admin/organizations/{id}/account-type', 'patch'>;
@@ -9160,11 +9295,11 @@ type SignRequest = Req<'/v1/sign', 'post'>;
 type SignResponse = Res<'/v1/sign', 'post'>;
 type ProvisionContractRequest = Req<'/v1/contracts/provision', 'post'>;
 type ProvisionContractResponse = Res<'/v1/contracts/provision', 'post'>;
-type AddSigningKeyRequest = Req<'/v1/keys', 'post'>;
+type AddSigningKeyRequest$1 = Req<'/v1/keys', 'post'>;
 type AddSigningKeyResponse = Res<'/v1/keys', 'post'>;
-type RevokeSigningKeyRequest = Req<'/v1/keys/revoke', 'post'>;
+type RevokeSigningKeyRequest$1 = Req<'/v1/keys/revoke', 'post'>;
 type RevokeSigningKeyResponse = Res<'/v1/keys/revoke', 'post'>;
-type PauseRequest = Req<'/v1/contracts/pause', 'post'>;
+type PauseRequest$1 = Req<'/v1/contracts/pause', 'post'>;
 type PauseResponse = Res<'/v1/contracts/pause', 'post'>;
 type UnpauseRequest = Req<'/v1/contracts/unpause', 'post'>;
 type UnpauseResponse = Res<'/v1/contracts/unpause', 'post'>;
@@ -9441,6 +9576,17 @@ declare class WitniumchainClient {
      */
     me(): Promise<AccountResponse>;
     signup(body: SignupRequest): Promise<SignupResponse>;
+    /**
+     * Self-serve org creation (Phase RBAC Thread D). One public call that
+     * creates the admin user, the org, the org-admin membership, and deploys
+     * the contract with the caller's client-generated `ownerPublicKey` +
+     * `initialSigningPublicKey`. Witnium never sees the private bytes.
+     *
+     * Returns `{ orgId, userId, contractAddress, contractVersion,
+     * emailVerifyToken }`. The verify token is also emailed; it's echoed here
+     * for UIs that prefer to render the verify link themselves.
+     */
+    createOrg(body: CreateOrgRequest): Promise<CreateOrgResponse>;
     verifyEmail(token: string): Promise<VerifyEmailResponse>;
     login(body: LoginRequest): Promise<LoginResponse>;
     logout(): Promise<LogoutResponse>;
@@ -9465,9 +9611,9 @@ declare class WitniumchainClient {
     revokeDelegatedKey(id: string): Promise<RevokeDelegatedKeyResponse>;
     sign(body: SignRequest, requestId?: string): Promise<SignResponse>;
     provisionContract(body: ProvisionContractRequest): Promise<ProvisionContractResponse>;
-    addSigningKey(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse>;
-    revokeSigningKey(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse>;
-    pauseContract(body: PauseRequest): Promise<PauseResponse>;
+    addSigningKey(body: AddSigningKeyRequest$1): Promise<AddSigningKeyResponse>;
+    revokeSigningKey(body: RevokeSigningKeyRequest$1): Promise<RevokeSigningKeyResponse>;
+    pauseContract(body: PauseRequest$1): Promise<PauseResponse>;
     unpauseContract(body: UnpauseRequest): Promise<UnpauseResponse>;
     proposeWitness(contractAddress: string, body: ProposeWitnessRequest, idempotencyKey?: string): Promise<ProposeWitnessResponse>;
     signWitness(contractAddress: string, witnessId: string, body: SignWitnessRequest): Promise<SignWitnessResponse>;
@@ -9690,8 +9836,8 @@ declare class SigningKeys {
      * WitniumchainClient.getAccount} and returns the `signingKeys` slice.
      */
     list(): Promise<AccountResponse['signingKeys']>;
-    add(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse>;
-    revoke(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse>;
+    add(body: AddSigningKeyRequest$1): Promise<AddSigningKeyResponse>;
+    revoke(body: RevokeSigningKeyRequest$1): Promise<RevokeSigningKeyResponse>;
 }
 /** `client.oauth.sessions.*` — list and revoke active OAuth sessions. */
 declare class OauthNamespace {
@@ -9792,6 +9938,66 @@ declare class WitniumchainAdminClient {
     adjustCredits(orgId: string, delta: number, note?: string): Promise<AdjustCreditsResponse>;
 }
 
+type Body<T> = T extends {
+    content: {
+        'application/json': infer J;
+    };
+} ? J : never;
+type Resp<T> = T extends {
+    content: {
+        'application/json': infer J;
+    };
+} ? J : never;
+type DeployContractRequest = Body<NonNullable<paths['/v5/contracts/deploy']['post']['requestBody']>>;
+type DeployContractResponse = Resp<paths['/v5/contracts/deploy']['post']['responses']['200']>;
+type AddSigningKeyRequest = Body<NonNullable<paths['/v5/contracts/{contractAddress}/keys']['post']['requestBody']>>;
+type OwnerOpResponse = Resp<paths['/v5/contracts/{contractAddress}/keys']['post']['responses']['200']>;
+type RevokeSigningKeyRequest = {
+    keyToRevoke: string;
+    ownerNonce: number;
+    ownerSignature: string;
+};
+type PauseRequest = {
+    ownerNonce: number;
+    ownerSignature: string;
+};
+interface WitniumchainChainAdminClientConfig {
+    /** chain-api base URL, e.g. https://api.witniumchain.com. Trailing slash optional. */
+    baseUrl: string;
+    /**
+     * Static bearer token (legacy `BEARER_TOKEN`). Mutually exclusive with
+     * `adminTokenProvider`. Phase RBAC checkpoint 3 retires this in favour of
+     * the provider.
+     */
+    adminToken?: string;
+    /**
+     * Async function that yields a fresh accounts-minted service-principal JWT
+     * with `aud=https://api.witniumchain.com/admin` + `role=org-admin` on each
+     * call. Implementations typically cache against the token's `exp`. Returned
+     * tokens MUST satisfy chain-api's DashboardJwtGuard.
+     */
+    adminTokenProvider?: () => Promise<string>;
+    /** Per-request timeout in milliseconds. Default 30000. */
+    timeout?: number;
+    /** Alternate fetch implementation, e.g. for tests. Default globalThis.fetch. */
+    fetch?: typeof fetch;
+}
+declare class WitniumchainChainAdminClient {
+    private readonly baseUrl;
+    private readonly adminToken;
+    private readonly adminTokenProvider;
+    private readonly timeout;
+    private readonly fetchImpl;
+    constructor(config: WitniumchainChainAdminClientConfig);
+    deployContract(body: DeployContractRequest): Promise<DeployContractResponse>;
+    addSigningKey(contractAddress: string, body: AddSigningKeyRequest): Promise<OwnerOpResponse>;
+    revokeSigningKey(contractAddress: string, body: RevokeSigningKeyRequest): Promise<OwnerOpResponse>;
+    pauseContract(contractAddress: string, body: PauseRequest): Promise<OwnerOpResponse>;
+    unpauseContract(contractAddress: string, body: PauseRequest): Promise<OwnerOpResponse>;
+    private resolveToken;
+    private req;
+}
+
 /**
  * WitniumchainOrgClient — org-admin facade over the accounts API.
  *
@@ -9864,4 +10070,4 @@ declare class WitniumchainApiError extends Error {
     });
 }
 
-export { type AccountResponse, type AccountType, type paths$1 as AccountsPaths, type AddSigningKeyRequest, type AddSigningKeyResponse, type AdjustCreditsRequest, type AdjustCreditsResponse, type BeginOAuthLoginArgs, type BeginOAuthLoginResult, type paths as ChainPaths, type CheckoutRequest, type CheckoutResponse, type CreateOrganizationRequest, type CreateOrganizationResponse, type CreateUserRequest, type CreateUserResponse, DelegatedKeys, type FinalizeWitnessResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetWitnessResponse, type HealthLiveResponse, type HealthReadyResponse, type LedgerResponse, type ListDelegatedKeysResponse, type ListOauthSessionsResponse, type ListUsersResponse, type LoginRequest, type LoginResponse, type LogoutResponse, MfaNamespace, MfaRecoveryCodes, MfaTotp, type OAuthTokenSnapshot, OauthNamespace, OauthSessions, OrgUsers, type OwnerSigner, type PauseRequest, type PauseResponse, type PkceVerifierStorage, type PortalResponse, type PrepareDelegatedKeyRequest, type PreparedDelegatedKeyResponse, type ProposeWitnessRequest, type ProposeWitnessResponse, type ProvisionContractRequest, type ProvisionContractResponse, type ProvisionDelegatedKeyArgs, type ProvisionDelegatedKeyResult, type PublicOrgResponse, type RecoveryCodesRegenerateResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDelegatedKeyResponse, type RevokeSigningKeyRequest, type RevokeSigningKeyResponse, type RevokeWitnessRequest, type RevokeWitnessResponse, type RotateApiKeyResponse, type SetAccountTypeRequest, type SetAccountTypeResponse, type SignRequest, type SignResponse, type SignWitnessRequest, type SignWitnessResponse, type SignedRequestSigner, SigningKeys, type SignupRequest, type SignupResponse, type SubmitDelegatedKeyRequest, type SubmitDelegatedKeyResponse, Subscriptions, type TotpConfirmRequest, type TotpConfirmResponse, type TotpDisableResponse, type TotpEnrollResponse, type UnpauseRequest, type UnpauseResponse, type VerifyEmailResponse, type VerifyOrganizationResponse, WitniumchainAdminClient, type WitniumchainAdminClientConfig, WitniumchainApiError, WitniumchainClient, type WitniumchainClientConfig, WitniumchainOrgClient, type WitniumchainOrgClientConfig, defaultVerifierStorage };
+export { type AccountResponse, type AccountType, type paths$1 as AccountsPaths, type AddSigningKeyRequest$1 as AddSigningKeyRequest, type AddSigningKeyResponse, type AdjustCreditsRequest, type AdjustCreditsResponse, type BeginOAuthLoginArgs, type BeginOAuthLoginResult, type paths as ChainPaths, type CheckoutRequest, type CheckoutResponse, type CreateOrgRequest, type CreateOrgResponse, type CreateOrganizationRequest, type CreateOrganizationResponse, type CreateUserRequest, type CreateUserResponse, DelegatedKeys, type FinalizeWitnessResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetWitnessResponse, type HealthLiveResponse, type HealthReadyResponse, type LedgerResponse, type ListDelegatedKeysResponse, type ListOauthSessionsResponse, type ListUsersResponse, type LoginRequest, type LoginResponse, type LogoutResponse, MfaNamespace, MfaRecoveryCodes, MfaTotp, type OAuthTokenSnapshot, OauthNamespace, OauthSessions, OrgUsers, type OwnerSigner, type PauseRequest$1 as PauseRequest, type PauseResponse, type PkceVerifierStorage, type PortalResponse, type PrepareDelegatedKeyRequest, type PreparedDelegatedKeyResponse, type ProposeWitnessRequest, type ProposeWitnessResponse, type ProvisionContractRequest, type ProvisionContractResponse, type ProvisionDelegatedKeyArgs, type ProvisionDelegatedKeyResult, type PublicOrgResponse, type RecoveryCodesRegenerateResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDelegatedKeyResponse, type RevokeSigningKeyRequest$1 as RevokeSigningKeyRequest, type RevokeSigningKeyResponse, type RevokeWitnessRequest, type RevokeWitnessResponse, type RotateApiKeyResponse, type SetAccountTypeRequest, type SetAccountTypeResponse, type SignRequest, type SignResponse, type SignWitnessRequest, type SignWitnessResponse, type SignedRequestSigner, SigningKeys, type SignupRequest, type SignupResponse, type SubmitDelegatedKeyRequest, type SubmitDelegatedKeyResponse, Subscriptions, type TotpConfirmRequest, type TotpConfirmResponse, type TotpDisableResponse, type TotpEnrollResponse, type UnpauseRequest, type UnpauseResponse, type VerifyEmailResponse, type VerifyOrganizationResponse, WitniumchainAdminClient, type WitniumchainAdminClientConfig, WitniumchainApiError, WitniumchainChainAdminClient, type WitniumchainChainAdminClientConfig, WitniumchainClient, type WitniumchainClientConfig, WitniumchainOrgClient, type WitniumchainOrgClientConfig, defaultVerifierStorage };