feat: add owner_type and enforce protection for platform-owned versions (ACC-29)

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 106
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/keycard%2Fkeycard-api-03f7de343b8ffa831ef87a5c388a5ae56dec933807487c3fdf3d0748214d347e.yml
-openapi_spec_hash: 125d9774561f361cbb4c83e143706895
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/keycard%2Fkeycard-api-ff839635f0b0cd1d66e886c2c67387c078bf0eb5599376c45af77fd1c7b161fa.yml
+openapi_spec_hash: c8b5fdab443323fe491f196a855b4f1d
 config_hash: 8fdc6a9c1185417459f79052b1222ff0

src/keycardai_api/types/zones/__init__.py

@@ -19,7 +19,6 @@
 from .public_key import PublicKey as PublicKey
 from .user_agent import UserAgent as UserAgent
 from .application import Application as Application
-from .attestation import Attestation as Attestation
 from .base_fields import BaseFields as BaseFields
 from .zone_member import ZoneMember as ZoneMember
 from .metadata_param import MetadataParam as MetadataParam
@@ -44,6 +43,7 @@
 from .secret_create_params import SecretCreateParams as SecretCreateParams
 from .secret_list_response import SecretListResponse as SecretListResponse
 from .secret_update_params import SecretUpdateParams as SecretUpdateParams
+from .attestation_statement import AttestationStatement as AttestationStatement
 from .metadata_update_param import MetadataUpdateParam as MetadataUpdateParam
 from .session_list_response import SessionListResponse as SessionListResponse
 from .session_update_params import SessionUpdateParams as SessionUpdateParams

src/keycardai_api/types/zones/attestation.py

@@ -0,0 +1,51 @@
+# File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+from datetime import datetime
+from typing_extensions import Literal
+
+from ..._models import BaseModel
+
+__all__ = ["AttestationStatement"]
+
+
+class AttestationStatement(BaseModel):
+    """Decoded content of an Attestation JWS payload.
+
+    Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.
+    """
+
+    attested_at: datetime
+
+    attested_by: str
+
+    key_id: str
+    """Key ID of the signing key used to produce the attestation signature.
+
+    Matches the "kid" in the JWS protected header.
+    """
+
+    manifest_sha: str
+    """SHA-256 of the policy set version manifest.
+
+    Verifiers MUST check this matches the policy_set_version.manifest_sha to detect
+    attestation/version mismatches.
+    """
+
+    policy_set_id: str
+
+    policy_set_version: int
+
+    status: Literal["created", "re_signed"]
+    """Event that produced this attestation.
+
+    "created" is the initial attestation at version creation; "re_signed" is a
+    re-attestation after key rotation (same content, new signature).
+    """
+
+    type: Literal["policy_set_attestation"]
+    """Statement type discriminator"""
+
+    v: Literal[1]
+    """Statement schema version"""
+
+    zone_id: str

src/keycardai_api/types/zones/attestation_statement.py

@@ -2,6 +2,7 @@
 
 from typing import Optional
 from datetime import datetime
+from typing_extensions import Literal
 
 from ...._models import BaseModel
 
@@ -15,6 +16,13 @@ class PolicyVersion(BaseModel):
 
     created_by: str
 
+    owner_type: Literal["platform", "customer"]
+    """Who manages this policy version:
+
+    - `"platform"` — managed by the Keycard platform (system policy versions).
+    - `"customer"` — managed by the tenant (custom policy versions).
+    """
+
     policy_id: str
 
     schema_version: str

src/keycardai_api/types/zones/policies/policy_version.py

@@ -2,10 +2,11 @@
 
 from typing import Optional
 from datetime import datetime
+from typing_extensions import Literal
 
 from ...._models import BaseModel
-from ..attestation import Attestation
 from ..policy_set_manifest import PolicySetManifest
+from ..attestation_statement import AttestationStatement
 
 __all__ = ["PolicySetVersion"]
 
@@ -22,6 +23,13 @@ class PolicySetVersion(BaseModel):
     manifest_sha: str
     """Hex-encoded SHA-256 of the canonicalized manifest"""
 
+    owner_type: Literal["platform", "customer"]
+    """Who manages this policy set version:
+
+    - `"platform"` — managed by the Keycard platform (system policy set versions).
+    - `"customer"` — managed by the tenant (custom policy set versions).
+    """
+
     policy_set_id: str
 
     schema_version: str
@@ -39,12 +47,10 @@ class PolicySetVersion(BaseModel):
 
     archived_by: Optional[str] = None
 
-    attestation: Optional[Attestation] = None
-    """JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation.
+    attestation: Optional[AttestationStatement] = None
+    """Decoded content of an Attestation JWS payload.
 
-    The protected header carries the signing algorithm and key identifier; the
-    payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785
-    (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with
-    RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header
-    — no envelope changes required.
+    Describes the exact policy set version composition at attestation time. This
+    schema defines what consumers see after base64url-decoding the
+    Attestation.payload field.
     """