chore(deps): update vendored OpenAPI specs

specs/authorization/authorization.openapi.yaml

@@ -93,34 +93,36 @@ paths:
         - name: decisionRequests.actions.namespace.metadata.createdAt.seconds
           in: query
           description: |-
-            Represents seconds of UTC time since Unix epoch
-             1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-             9999-12-31T23:59:59Z inclusive.
+            Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+             be between -315576000000 and 315576000000 inclusive (which corresponds to
+             0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
           schema:
             type:
               - integer
               - string
             title: seconds
             format: int64
             description: |-
-              Represents seconds of UTC time since Unix epoch
-               1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-               9999-12-31T23:59:59Z inclusive.
+              Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+               be between -315576000000 and 315576000000 inclusive (which corresponds to
+               0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
         - name: decisionRequests.actions.namespace.metadata.createdAt.nanos
           in: query
           description: |-
-            Non-negative fractions of a second at nanosecond resolution. Negative
-             second values with fractions must still have non-negative nanos values
-             that count forward in time. Must be from 0 to 999,999,999
+            Non-negative fractions of a second at nanosecond resolution. This field is
+             the nanosecond portion of the duration, not an alternative to seconds.
+             Negative second values with fractions must still have non-negative nanos
+             values that count forward in time. Must be between 0 and 999,999,999
              inclusive.
           schema:
             type: integer
             title: nanos
             format: int32
             description: |-
-              Non-negative fractions of a second at nanosecond resolution. Negative
-               second values with fractions must still have non-negative nanos values
-               that count forward in time. Must be from 0 to 999,999,999
+              Non-negative fractions of a second at nanosecond resolution. This field is
+               the nanosecond portion of the duration, not an alternative to seconds.
+               Negative second values with fractions must still have non-negative nanos
+               values that count forward in time. Must be between 0 and 999,999,999
                inclusive.
         - name: decisionRequests.actions.namespace.metadata.labels.key
           in: query
@@ -387,7 +389,6 @@ components:
         Example Request Get Decisions to answer the question -  Do Bob (represented by entity chain ec1)
         and Alice (represented by entity chain ec2) have TRANSMIT authorization for
         2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
-
         {
         "actions": [
         {
@@ -459,13 +460,11 @@ components:
         Example response for a Decision Request -  Do Bob (represented by entity chain ec1)
         and Alice (represented by entity chain ec2) have TRANSMIT authorization for
         2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
-
         Results:
         - bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation
         - bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes
         - alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes
         - alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes
-
         {
         "entityChainId":  "ec1",
         "resourceAttributesId":  "attr-set-1",
@@ -653,9 +652,7 @@ components:
       additionalProperties: false
       description: |-
         Request to get entitlements for one or more entities for an optional attribute scope
-
         Example: Get entitlements for bob and alice (both represented using an email address
-
         {
         "entities": [
         {
@@ -686,7 +683,6 @@ components:
       additionalProperties: false
       description: |-
         Example Response for a request of : Get entitlements for bob and alice (both represented using an email address
-
         {
         "entitlements":  [
         {
@@ -758,7 +754,6 @@ components:
         Example Request Get Decisions by Token to answer the question -  Do Bob and client1 (represented by token tok1)
         and Alice and client2 (represented by token tok2) have TRANSMIT authorization for
         2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
-
         {
         "actions": [
         {

specs/policy/actions/actions.openapi.yaml

@@ -720,6 +720,10 @@ components:
           items:
             $ref: '#/components/schemas/policy.RequestContext'
           title: context
+        namespace:
+          title: namespace
+          description: The source namespace for this trigger, derived from the attribute value and action.
+          $ref: '#/components/schemas/policy.Namespace'
         metadata:
           title: metadata
           $ref: '#/components/schemas/common.Metadata'

specs/policy/attributes/attributes.openapi.yaml

@@ -759,11 +759,9 @@ components:
         - SORT_DIRECTION_DESC
       description: |-
         Sorting direction shared across list APIs.
-         Notes:
-         - When a sort field is provided, UNSPECIFIED is treated as ASC.
-         - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
-           the endpoint's request message defines the default ordering; see the
-           specific List* request docs.
+         When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
+         the endpoint's request message defines the default ordering; see the
+         specific List* request docs.
     policy.SourceType:
       type: string
       title: SourceType
@@ -791,6 +789,40 @@ components:
         - SORT_ATTRIBUTES_TYPE_NAME
         - SORT_ATTRIBUTES_TYPE_CREATED_AT
         - SORT_ATTRIBUTES_TYPE_UPDATED_AT
+    common.IdFqnIdentifier:
+      type: object
+      properties:
+        id:
+          type: string
+          title: id
+          format: uuid
+        fqn:
+          type: string
+          title: fqn
+          minLength: 1
+          format: uri
+      title: IdFqnIdentifier
+      additionalProperties: false
+    common.IdNameIdentifier:
+      type: object
+      properties:
+        id:
+          type: string
+          title: id
+          format: uuid
+        name:
+          type: string
+          title: name
+          maxLength: 253
+          minLength: 1
+          description: |+
+            Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.:
+            ```
+            this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$')
+            ```
+
+      title: IdNameIdentifier
+      additionalProperties: false
     common.Metadata:
       type: object
       properties:
@@ -1263,6 +1295,10 @@ components:
           items:
             $ref: '#/components/schemas/policy.RequestContext'
           title: context
+        namespace:
+          title: namespace
+          description: The source namespace for this trigger, derived from the attribute value and action.
+          $ref: '#/components/schemas/policy.Namespace'
         metadata:
           title: metadata
           $ref: '#/components/schemas/common.Metadata'
@@ -1710,6 +1746,30 @@ components:
       title: AttributeKeyAccessServer
       additionalProperties: false
       description: Deprecated
+    policy.attributes.AttributeValueObligationTriggerRequest:
+      type: object
+      properties:
+        obligationValue:
+          title: obligation_value
+          description: Required. Existing obligation value to associate with the newly created attribute value.
+          $ref: '#/components/schemas/common.IdFqnIdentifier'
+        action:
+          title: action
+          description: Required. Action that, together with the newly created attribute value, triggers the obligation value.
+          $ref: '#/components/schemas/common.IdNameIdentifier'
+        context:
+          title: context
+          description: Optional. Request context for the obligation trigger.
+          $ref: '#/components/schemas/policy.RequestContext'
+        metadata:
+          title: metadata
+          description: Optional. Common metadata for the obligation trigger.
+          $ref: '#/components/schemas/common.MetadataMutable'
+      title: AttributeValueObligationTriggerRequest
+      required:
+        - obligationValue
+        - action
+      additionalProperties: false
     policy.attributes.AttributesSort:
       type: object
       properties:
@@ -1803,6 +1863,14 @@ components:
             this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$')
             ```
 
+        obligationTriggers:
+          type: array
+          items:
+            $ref: '#/components/schemas/policy.attributes.AttributeValueObligationTriggerRequest'
+          title: obligation_triggers
+          description: |-
+            Optional
+             Existing obligation values to trigger for the newly created attribute value.
         metadata:
           title: metadata
           description: |-
@@ -2067,7 +2135,12 @@ components:
             $ref: '#/components/schemas/policy.attributes.AttributesSort'
           title: sort
           maxItems: 1
-          description: 'Optional - CONSTRAINT: max 1 item'
+          description: |-
+            Optional - CONSTRAINT: max 1 item
+             Sort defaults:
+               - direction UNSPECIFIED defaults to DESC for the specified field
+               - field UNSPECIFIED defaults to created_at with the specified direction
+               - both UNSPECIFIED or sort omitted defaults to created_at DESC
       title: ListAttributesRequest
       additionalProperties: false
     policy.attributes.ListAttributesResponse:

specs/policy/kasregistry/key_access_server_registry.openapi.yaml

@@ -582,11 +582,9 @@ components:
         - SORT_DIRECTION_DESC
       description: |-
         Sorting direction shared across list APIs.
-         Notes:
-         - When a sort field is provided, UNSPECIFIED is treated as ASC.
-         - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
-           the endpoint's request message defines the default ordering; see the
-           specific List* request docs.
+         When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
+         the endpoint's request message defines the default ordering; see the
+         specific List* request docs.
     policy.SourceType:
       type: string
       title: SourceType
@@ -1647,8 +1645,10 @@ components:
           maxItems: 1
           description: |-
             Optional - CONSTRAINT: max 1 item
-             Default ordering when omitted or when the first entry's field is UNSPECIFIED:
-             created_at DESC, then id ASC (tie-breaker).
+             Sort defaults:
+               - direction UNSPECIFIED defaults to DESC for the specified field
+               - field UNSPECIFIED defaults to created_at with the specified direction
+               - both UNSPECIFIED or sort omitted defaults to created_at DESC
       title: ListKeyAccessServersRequest
       additionalProperties: false
     policy.kasregistry.ListKeyAccessServersResponse:
@@ -1764,8 +1764,10 @@ components:
           maxItems: 1
           description: |-
             Optional - CONSTRAINT: max 1 item
-             Default ordering when omitted or when the first entry's field is UNSPECIFIED:
-             created_at DESC.
+             Sort defaults:
+               - direction UNSPECIFIED defaults to DESC for the specified field
+               - field UNSPECIFIED defaults to created_at with the specified direction
+               - both UNSPECIFIED or sort omitted defaults to created_at DESC
       title: ListKeysRequest
       additionalProperties: false
       description: List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

specs/policy/namespaces/namespaces.openapi.yaml

@@ -373,11 +373,9 @@ components:
         - SORT_DIRECTION_DESC
       description: |-
         Sorting direction shared across list APIs.
-         Notes:
-         - When a sort field is provided, UNSPECIFIED is treated as ASC.
-         - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
-           the endpoint's request message defines the default ordering; see the
-           specific List* request docs.
+         When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
+         the endpoint's request message defines the default ordering; see the
+         specific List* request docs.
     policy.SourceType:
       type: string
       title: SourceType
@@ -930,7 +928,12 @@ components:
             $ref: '#/components/schemas/policy.namespaces.NamespacesSort'
           title: sort
           maxItems: 1
-          description: Optional
+          description: |-
+            Optional - CONSTRAINT: max 1 item
+             Sort defaults:
+               - direction UNSPECIFIED defaults to DESC for the specified field
+               - field UNSPECIFIED defaults to created_at with the specified direction
+               - both UNSPECIFIED or sort omitted defaults to created_at DESC
       title: ListNamespacesRequest
       additionalProperties: false
     policy.namespaces.ListNamespacesResponse:

specs/policy/objects.openapi.yaml

@@ -639,6 +639,10 @@ components:
           items:
             $ref: '#/components/schemas/policy.RequestContext'
           title: context
+        namespace:
+          title: namespace
+          description: The source namespace for this trigger, derived from the attribute value and action.
+          $ref: '#/components/schemas/policy.Namespace'
         metadata:
           title: metadata
           $ref: '#/components/schemas/common.Metadata'
@@ -770,6 +774,9 @@ components:
           items:
             $ref: '#/components/schemas/policy.RegisteredResourceValue.ActionAttributeValue'
           title: action_attribute_values
+        fqn:
+          type: string
+          title: fqn
         metadata:
           title: metadata
           description: Common metadata
@@ -976,7 +983,6 @@ components:
         authoritative source such as an IDP (Identity Provider) or User Store.
         Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must
         contain both a selector expression & a resulting value.
-
         The external_selector_value is a specifier to select a value from a flattened
         external representation of an Entity (such as from idP/LDAP), and the
         external_value is the value selected by the external_selector_value on that

specs/policy/obligations/obligations.openapi.yaml

@@ -588,11 +588,9 @@ components:
         - SORT_DIRECTION_DESC
       description: |-
         Sorting direction shared across list APIs.
-         Notes:
-         - When a sort field is provided, UNSPECIFIED is treated as ASC.
-         - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
-           the endpoint's request message defines the default ordering; see the
-           specific List* request docs.
+         When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
+         the endpoint's request message defines the default ordering; see the
+         specific List* request docs.
     policy.SourceType:
       type: string
       title: SourceType
@@ -1127,6 +1125,10 @@ components:
           items:
             $ref: '#/components/schemas/policy.RequestContext'
           title: context
+        namespace:
+          title: namespace
+          description: The source namespace for this trigger, derived from the attribute value and action.
+          $ref: '#/components/schemas/policy.Namespace'
         metadata:
           title: metadata
           $ref: '#/components/schemas/common.Metadata'
@@ -1497,6 +1499,10 @@ components:
         - action
         - attributeValue
       additionalProperties: false
+      description: |-
+        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must
+         be the same. In this way, a trigger can intentionally cross namespace boundaries: associating
+         obligation values of a different namespace than the one that owns the action being taken or the attribute value.
     policy.obligations.AddObligationTriggerResponse:
       type: object
       properties:
@@ -1846,8 +1852,10 @@ components:
           maxItems: 1
           description: |-
             Optional - CONSTRAINT: max 1 item
-             Default ordering when omitted or when the first entry's field is UNSPECIFIED:
-             created_at DESC, then id ASC (tie-breaker).
+             Sort defaults:
+               - direction UNSPECIFIED defaults to DESC for the specified field
+               - field UNSPECIFIED defaults to created_at with the specified direction
+               - both UNSPECIFIED or sort omitted defaults to created_at DESC
       title: ListObligationsRequest
       additionalProperties: false
     policy.obligations.ListObligationsResponse: