@nextera.one/axis-server-sdk 0.1.0 → 0.2.0

package/dist/core/index.d.mts

@@ -0,0 +1,85 @@
+import * as z from 'zod';
+
+declare const AxisFrameZ: z.ZodObject<{
+    flags: z.ZodNumber;
+    headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
+    body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
+    sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
+}, z.z.core.$strip>;
+type AxisFrame = z.infer<typeof AxisFrameZ>;
+declare function encodeFrame(frame: AxisFrame): Uint8Array;
+declare function decodeFrame(buf: Uint8Array): AxisFrame;
+declare function getSignTarget(frame: AxisFrame): Uint8Array;
+
+declare const AXIS_MAGIC: Uint8Array<ArrayBuffer>;
+declare const AXIS_VERSION = 1;
+declare const MAX_HDR_LEN = 2048;
+declare const MAX_BODY_LEN = 65536;
+declare const MAX_SIG_LEN = 128;
+declare const MAX_FRAME_LEN: number;
+declare const FLAG_BODY_TLV = 1;
+declare const FLAG_CHAIN_REQ = 2;
+declare const FLAG_HAS_WITNESS = 4;
+declare const TLV_PID = 1;
+declare const TLV_TS = 2;
+declare const TLV_INTENT = 3;
+declare const TLV_ACTOR_ID = 4;
+declare const TLV_PROOF_TYPE = 5;
+declare const TLV_PROOF_REF = 6;
+declare const TLV_NONCE = 7;
+declare const TLV_AUD = 8;
+declare const TLV_NODE = 9;
+declare const TLV_TRACE_ID = 10;
+declare const TLV_KID = 11;
+declare const TLV_RID = 15;
+declare const TLV_OK = 16;
+declare const TLV_EFFECT = 17;
+declare const TLV_ERROR_CODE = 18;
+declare const TLV_ERROR_MSG = 19;
+declare const TLV_PREV_HASH = 20;
+declare const TLV_RECEIPT_HASH = 21;
+declare const TLV_NODE_KID = 30;
+declare const TLV_NODE_CERT_HASH = 34;
+declare const TLV_LOOM_PRESENCE_ID = 91;
+declare const TLV_LOOM_WRIT = 92;
+declare const TLV_LOOM_THREAD_HASH = 93;
+declare const PROOF_CAPSULE = 1;
+declare const PROOF_JWT = 2;
+declare const PROOF_MTLS = 3;
+declare const PROOF_LOOM = 4;
+declare const ERR_INVALID_PACKET = "INVALID_PACKET";
+declare const ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
+declare const ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
+declare const ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
+
+declare function encodeVarint(value: number): Uint8Array;
+declare function decodeVarint(buf: Uint8Array, offset?: number): {
+    value: number;
+    length: number;
+};
+declare function varintLength(value: number): number;
+
+interface TLV {
+    type: number;
+    value: Uint8Array;
+}
+declare function encodeTLVs(tlvs: TLV[]): Uint8Array;
+declare function decodeTLVsList(buf: Uint8Array, maxItems?: number): TLV[];
+declare function decodeTLVs(buf: Uint8Array): Map<number, Uint8Array>;
+declare function decodeObject(bytes: Uint8Array, depth?: number, limits?: {
+    maxDepth: number;
+    maxItems: number;
+}): Map<number, any>;
+declare function decodeArray(bytes: Uint8Array, itemType: number, maxItems?: number): Uint8Array[];
+
+declare function computeSignaturePayload(frame: AxisFrame): Buffer;
+declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
+declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
+declare function generateEd25519KeyPair(): {
+    privateKey: Buffer;
+    publicKey: Buffer;
+};
+declare function sha256(data: Buffer | Uint8Array): Buffer;
+declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
+
+export { AXIS_MAGIC, AXIS_VERSION, type AxisFrame, AxisFrameZ, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, type TLV, TLV_ACTOR_ID, TLV_AUD, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_RECEIPT_HASH, TLV_RID, TLV_TRACE_ID, TLV_TS, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature };

package/dist/core/index.d.ts

@@ -0,0 +1,85 @@
+import * as z from 'zod';
+
+declare const AxisFrameZ: z.ZodObject<{
+    flags: z.ZodNumber;
+    headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
+    body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
+    sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
+}, z.z.core.$strip>;
+type AxisFrame = z.infer<typeof AxisFrameZ>;
+declare function encodeFrame(frame: AxisFrame): Uint8Array;
+declare function decodeFrame(buf: Uint8Array): AxisFrame;
+declare function getSignTarget(frame: AxisFrame): Uint8Array;
+
+declare const AXIS_MAGIC: Uint8Array<ArrayBuffer>;
+declare const AXIS_VERSION = 1;
+declare const MAX_HDR_LEN = 2048;
+declare const MAX_BODY_LEN = 65536;
+declare const MAX_SIG_LEN = 128;
+declare const MAX_FRAME_LEN: number;
+declare const FLAG_BODY_TLV = 1;
+declare const FLAG_CHAIN_REQ = 2;
+declare const FLAG_HAS_WITNESS = 4;
+declare const TLV_PID = 1;
+declare const TLV_TS = 2;
+declare const TLV_INTENT = 3;
+declare const TLV_ACTOR_ID = 4;
+declare const TLV_PROOF_TYPE = 5;
+declare const TLV_PROOF_REF = 6;
+declare const TLV_NONCE = 7;
+declare const TLV_AUD = 8;
+declare const TLV_NODE = 9;
+declare const TLV_TRACE_ID = 10;
+declare const TLV_KID = 11;
+declare const TLV_RID = 15;
+declare const TLV_OK = 16;
+declare const TLV_EFFECT = 17;
+declare const TLV_ERROR_CODE = 18;
+declare const TLV_ERROR_MSG = 19;
+declare const TLV_PREV_HASH = 20;
+declare const TLV_RECEIPT_HASH = 21;
+declare const TLV_NODE_KID = 30;
+declare const TLV_NODE_CERT_HASH = 34;
+declare const TLV_LOOM_PRESENCE_ID = 91;
+declare const TLV_LOOM_WRIT = 92;
+declare const TLV_LOOM_THREAD_HASH = 93;
+declare const PROOF_CAPSULE = 1;
+declare const PROOF_JWT = 2;
+declare const PROOF_MTLS = 3;
+declare const PROOF_LOOM = 4;
+declare const ERR_INVALID_PACKET = "INVALID_PACKET";
+declare const ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
+declare const ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
+declare const ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
+
+declare function encodeVarint(value: number): Uint8Array;
+declare function decodeVarint(buf: Uint8Array, offset?: number): {
+    value: number;
+    length: number;
+};
+declare function varintLength(value: number): number;
+
+interface TLV {
+    type: number;
+    value: Uint8Array;
+}
+declare function encodeTLVs(tlvs: TLV[]): Uint8Array;
+declare function decodeTLVsList(buf: Uint8Array, maxItems?: number): TLV[];
+declare function decodeTLVs(buf: Uint8Array): Map<number, Uint8Array>;
+declare function decodeObject(bytes: Uint8Array, depth?: number, limits?: {
+    maxDepth: number;
+    maxItems: number;
+}): Map<number, any>;
+declare function decodeArray(bytes: Uint8Array, itemType: number, maxItems?: number): Uint8Array[];
+
+declare function computeSignaturePayload(frame: AxisFrame): Buffer;
+declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
+declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
+declare function generateEd25519KeyPair(): {
+    privateKey: Buffer;
+    publicKey: Buffer;
+};
+declare function sha256(data: Buffer | Uint8Array): Buffer;
+declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
+
+export { AXIS_MAGIC, AXIS_VERSION, type AxisFrame, AxisFrameZ, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, type TLV, TLV_ACTOR_ID, TLV_AUD, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_RECEIPT_HASH, TLV_RID, TLV_TRACE_ID, TLV_TS, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature };

package/dist/core/index.js

@@ -0,0 +1,543 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  AXIS_MAGIC: () => AXIS_MAGIC,
+  AXIS_VERSION: () => AXIS_VERSION,
+  AxisFrameZ: () => AxisFrameZ,
+  ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET: () => ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED: () => ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV: () => FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ: () => FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS: () => FLAG_HAS_WITNESS,
+  MAX_BODY_LEN: () => MAX_BODY_LEN,
+  MAX_FRAME_LEN: () => MAX_FRAME_LEN,
+  MAX_HDR_LEN: () => MAX_HDR_LEN,
+  MAX_SIG_LEN: () => MAX_SIG_LEN,
+  PROOF_CAPSULE: () => PROOF_CAPSULE,
+  PROOF_JWT: () => PROOF_JWT,
+  PROOF_LOOM: () => PROOF_LOOM,
+  PROOF_MTLS: () => PROOF_MTLS,
+  TLV_ACTOR_ID: () => TLV_ACTOR_ID,
+  TLV_AUD: () => TLV_AUD,
+  TLV_EFFECT: () => TLV_EFFECT,
+  TLV_ERROR_CODE: () => TLV_ERROR_CODE,
+  TLV_ERROR_MSG: () => TLV_ERROR_MSG,
+  TLV_INTENT: () => TLV_INTENT,
+  TLV_KID: () => TLV_KID,
+  TLV_LOOM_PRESENCE_ID: () => TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH: () => TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT: () => TLV_LOOM_WRIT,
+  TLV_NODE: () => TLV_NODE,
+  TLV_NODE_CERT_HASH: () => TLV_NODE_CERT_HASH,
+  TLV_NODE_KID: () => TLV_NODE_KID,
+  TLV_NONCE: () => TLV_NONCE,
+  TLV_OK: () => TLV_OK,
+  TLV_PID: () => TLV_PID,
+  TLV_PREV_HASH: () => TLV_PREV_HASH,
+  TLV_PROOF_REF: () => TLV_PROOF_REF,
+  TLV_PROOF_TYPE: () => TLV_PROOF_TYPE,
+  TLV_RECEIPT_HASH: () => TLV_RECEIPT_HASH,
+  TLV_RID: () => TLV_RID,
+  TLV_TRACE_ID: () => TLV_TRACE_ID,
+  TLV_TS: () => TLV_TS,
+  computeReceiptHash: () => computeReceiptHash,
+  computeSignaturePayload: () => computeSignaturePayload,
+  decodeArray: () => decodeArray,
+  decodeFrame: () => decodeFrame,
+  decodeObject: () => decodeObject,
+  decodeTLVs: () => decodeTLVs,
+  decodeTLVsList: () => decodeTLVsList,
+  decodeVarint: () => decodeVarint,
+  encodeFrame: () => encodeFrame,
+  encodeTLVs: () => encodeTLVs,
+  encodeVarint: () => encodeVarint,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getSignTarget: () => getSignTarget,
+  sha256: () => sha256,
+  signFrame: () => signFrame,
+  varintLength: () => varintLength,
+  verifyFrameSignature: () => verifyFrameSignature
+});
+module.exports = __toCommonJS(core_exports);
+
+// src/core/constants.ts
+var AXIS_MAGIC = new Uint8Array([65, 88, 73, 83, 49]);
+var AXIS_VERSION = 1;
+var MAX_HDR_LEN = 2048;
+var MAX_BODY_LEN = 65536;
+var MAX_SIG_LEN = 128;
+var MAX_FRAME_LEN = 70 * 1024;
+var FLAG_BODY_TLV = 1;
+var FLAG_CHAIN_REQ = 2;
+var FLAG_HAS_WITNESS = 4;
+var TLV_PID = 1;
+var TLV_TS = 2;
+var TLV_INTENT = 3;
+var TLV_ACTOR_ID = 4;
+var TLV_PROOF_TYPE = 5;
+var TLV_PROOF_REF = 6;
+var TLV_NONCE = 7;
+var TLV_AUD = 8;
+var TLV_NODE = 9;
+var TLV_TRACE_ID = 10;
+var TLV_KID = 11;
+var TLV_RID = 15;
+var TLV_OK = 16;
+var TLV_EFFECT = 17;
+var TLV_ERROR_CODE = 18;
+var TLV_ERROR_MSG = 19;
+var TLV_PREV_HASH = 20;
+var TLV_RECEIPT_HASH = 21;
+var TLV_NODE_KID = 30;
+var TLV_NODE_CERT_HASH = 34;
+var TLV_LOOM_PRESENCE_ID = 91;
+var TLV_LOOM_WRIT = 92;
+var TLV_LOOM_THREAD_HASH = 93;
+var PROOF_CAPSULE = 1;
+var PROOF_JWT = 2;
+var PROOF_MTLS = 3;
+var PROOF_LOOM = 4;
+var ERR_INVALID_PACKET = "INVALID_PACKET";
+var ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
+var ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
+var ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
+
+// src/core/varint.ts
+function encodeVarint(value) {
+  if (value < 0) throw new Error("Varint must be unsigned");
+  const bytes = [];
+  while (true) {
+    const byte = value & 127;
+    value >>>= 7;
+    if (value === 0) {
+      bytes.push(byte);
+      break;
+    }
+    bytes.push(byte | 128);
+  }
+  return new Uint8Array(bytes);
+}
+function decodeVarint(buf, offset = 0) {
+  let value = 0;
+  let shift = 0;
+  let length = 0;
+  while (true) {
+    if (offset + length >= buf.length) {
+      throw new Error("Varint decode out of bounds");
+    }
+    const byte = buf[offset + length];
+    value += (byte & 127) * Math.pow(2, shift);
+    length++;
+    shift += 7;
+    if ((byte & 128) === 0) {
+      break;
+    }
+    if (length > 8) throw new Error("Varint too large");
+  }
+  return { value, length };
+}
+function varintLength(value) {
+  if (value < 0) throw new Error("Varint must be unsigned");
+  let len = 0;
+  do {
+    value >>>= 7;
+    len++;
+  } while (value !== 0);
+  return len;
+}
+
+// src/core/tlv.ts
+function encodeTLVs(tlvs) {
+  const sorted = [...tlvs].sort((a, b) => a.type - b.type);
+  for (let i = 0; i < sorted.length - 1; i++) {
+    if (sorted[i].type === sorted[i + 1].type) {
+      throw new Error(`Duplicate TLV type: ${sorted[i].type}`);
+    }
+  }
+  let totalSize = 0;
+  for (const t of sorted) {
+    totalSize += varintLength(t.type);
+    totalSize += varintLength(t.value.length);
+    totalSize += t.value.length;
+  }
+  const buf = new Uint8Array(totalSize);
+  let offset = 0;
+  for (const t of sorted) {
+    const typeBytes = encodeVarint(t.type);
+    buf.set(typeBytes, offset);
+    offset += typeBytes.length;
+    const lenBytes = encodeVarint(t.value.length);
+    buf.set(lenBytes, offset);
+    offset += lenBytes.length;
+    buf.set(t.value, offset);
+    offset += t.value.length;
+  }
+  return buf;
+}
+function decodeTLVsList(buf, maxItems = 1024) {
+  const list = [];
+  let offset = 0;
+  while (offset < buf.length) {
+    if (list.length >= maxItems) throw new Error("TLV_LIMIT");
+    const { value: type, length: typeLen } = decodeVarint(buf, offset);
+    offset += typeLen;
+    const { value: len, length: lenLen } = decodeVarint(buf, offset);
+    offset += lenLen;
+    if (offset + len > buf.length) {
+      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
+    }
+    const value = buf.slice(offset, offset + len);
+    list.push({ type, value });
+    offset += len;
+  }
+  return list;
+}
+function decodeTLVs(buf) {
+  const map2 = /* @__PURE__ */ new Map();
+  let offset = 0;
+  let lastType = -1;
+  while (offset < buf.length) {
+    const { value: type, length: typeLen } = decodeVarint(buf, offset);
+    offset += typeLen;
+    if (type <= lastType) {
+      throw new Error(
+        `TLV violation: Unsorted or duplicate type ${type} after ${lastType}`
+      );
+    }
+    lastType = type;
+    const { value: len, length: lenLen } = decodeVarint(buf, offset);
+    offset += lenLen;
+    if (offset + len > buf.length) {
+      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
+    }
+    const value = buf.slice(offset, offset + len);
+    map2.set(type, value);
+    offset += len;
+  }
+  return map2;
+}
+function decodeObject(bytes, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
+  if (depth > limits.maxDepth) {
+    throw new Error("OBJECT_DEPTH_EXCEEDED");
+  }
+  const map2 = decodeTLVs(bytes);
+  return map2;
+}
+function decodeArray(bytes, itemType, maxItems = 256) {
+  const list = decodeTLVsList(bytes, maxItems);
+  const items = [];
+  for (const tlv of list) {
+    if (tlv.type !== itemType) {
+      throw new Error(`INVALID_ARRAY_ITEM:${tlv.type}`);
+    }
+    items.push(tlv.value);
+  }
+  return items;
+}
+
+// src/core/axis-bin.ts
+var z = __toESM(require("zod"));
+var AxisFrameZ = z.object({
+  /** Flag bits for protocol control (e.g., encryption, compression) */
+  flags: z.number().int().nonnegative(),
+  /** A map of TLV headers where key=Tag and value=BinaryData */
+  headers: z.map(
+    z.number(),
+    z.custom((v) => v instanceof Uint8Array)
+  ),
+  /** The main payload of the frame */
+  body: z.custom((v) => v instanceof Uint8Array),
+  /** The cryptographic signature covering the frame (except the signature itself) */
+  sig: z.custom((v) => v instanceof Uint8Array)
+});
+function encodeFrame(frame) {
+  const hdrBytes = encodeTLVs(
+    Array.from(frame.headers.entries()).map(([t, v]) => ({
+      type: t,
+      value: v
+    }))
+  );
+  if (hdrBytes.length > MAX_HDR_LEN) throw new Error("Header too large");
+  if (frame.body.length > MAX_BODY_LEN) throw new Error("Body too large");
+  if (frame.sig.length > MAX_SIG_LEN) throw new Error("Signature too large");
+  const hdrLenBytes = encodeVarint(hdrBytes.length);
+  const bodyLenBytes = encodeVarint(frame.body.length);
+  const sigLenBytes = encodeVarint(frame.sig.length);
+  const totalLen = 5 + // Magic (AXIS1)
+  1 + // Version
+  1 + // Flags
+  hdrLenBytes.length + bodyLenBytes.length + sigLenBytes.length + hdrBytes.length + frame.body.length + frame.sig.length;
+  if (totalLen > MAX_FRAME_LEN) throw new Error("Total frame too large");
+  const buf = new Uint8Array(totalLen);
+  let offset = 0;
+  buf.set(AXIS_MAGIC, offset);
+  offset += 5;
+  buf[offset++] = AXIS_VERSION;
+  buf[offset++] = frame.flags;
+  buf.set(hdrLenBytes, offset);
+  offset += hdrLenBytes.length;
+  buf.set(bodyLenBytes, offset);
+  offset += bodyLenBytes.length;
+  buf.set(sigLenBytes, offset);
+  offset += sigLenBytes.length;
+  buf.set(hdrBytes, offset);
+  offset += hdrBytes.length;
+  buf.set(frame.body, offset);
+  offset += frame.body.length;
+  buf.set(frame.sig, offset);
+  offset += frame.sig.length;
+  return buf;
+}
+function decodeFrame(buf) {
+  let offset = 0;
+  if (offset + 5 > buf.length) throw new Error("Packet too short");
+  for (let i = 0; i < 5; i++) {
+    if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error("Invalid Magic");
+  }
+  offset += 5;
+  const ver = buf[offset++];
+  if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);
+  const flags = buf[offset++];
+  const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);
+  offset += hlLen;
+  if (hdrLen > MAX_HDR_LEN) throw new Error("Header limit exceeded");
+  const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);
+  offset += blLen;
+  if (bodyLen > MAX_BODY_LEN) throw new Error("Body limit exceeded");
+  const { value: sigLen, length: slLen } = decodeVarint(buf, offset);
+  offset += slLen;
+  if (sigLen > MAX_SIG_LEN) throw new Error("Signature limit exceeded");
+  if (offset + hdrLen + bodyLen + sigLen > buf.length) {
+    throw new Error("Frame truncated");
+  }
+  const hdrBytes = buf.slice(offset, offset + hdrLen);
+  offset += hdrLen;
+  const bodyBytes = buf.slice(offset, offset + bodyLen);
+  offset += bodyLen;
+  const sigBytes = buf.slice(offset, offset + sigLen);
+  offset += sigLen;
+  const headers = decodeTLVs(hdrBytes);
+  return {
+    flags,
+    headers,
+    body: bodyBytes,
+    sig: sigBytes
+  };
+}
+function getSignTarget(frame) {
+  return encodeFrame({
+    ...frame,
+    sig: new Uint8Array(0)
+  });
+}
+
+// src/core/signature.ts
+var crypto = __toESM(require("crypto"));
+function computeSignaturePayload(frame) {
+  const frameWithoutSig = {
+    ...frame,
+    sig: new Uint8Array(0)
+  };
+  const encoded = encodeFrame(frameWithoutSig);
+  return Buffer.from(encoded);
+}
+function signFrame(frame, privateKey) {
+  const payload = computeSignaturePayload(frame);
+  let keyObject;
+  if (privateKey.length === 32) {
+    const pkcs8Prefix = Buffer.from([
+      48,
+      46,
+      2,
+      1,
+      0,
+      48,
+      5,
+      6,
+      3,
+      43,
+      101,
+      112,
+      4,
+      34,
+      4,
+      32
+    ]);
+    const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);
+    keyObject = crypto.createPrivateKey({
+      key: pkcs8Key,
+      format: "der",
+      type: "pkcs8"
+    });
+  } else {
+    keyObject = crypto.createPrivateKey({
+      key: privateKey,
+      format: "der",
+      type: "pkcs8"
+    });
+  }
+  const signature = crypto.sign(null, payload, keyObject);
+  if (signature.length !== 64) {
+    throw new Error("Ed25519 signature must be 64 bytes");
+  }
+  return signature;
+}
+function verifyFrameSignature(frame, publicKey) {
+  if (frame.sig.length === 0) {
+    return false;
+  }
+  if (frame.sig.length !== 64) {
+    throw new Error("Ed25519 signature must be 64 bytes");
+  }
+  const payload = computeSignaturePayload(frame);
+  try {
+    let keyObject;
+    if (publicKey.length === 32) {
+      const spkiPrefix = Buffer.from([
+        48,
+        42,
+        48,
+        5,
+        6,
+        3,
+        43,
+        101,
+        112,
+        3,
+        33,
+        0
+      ]);
+      const spkiKey = Buffer.concat([spkiPrefix, publicKey]);
+      keyObject = crypto.createPublicKey({
+        key: spkiKey,
+        format: "der",
+        type: "spki"
+      });
+    } else {
+      keyObject = crypto.createPublicKey({
+        key: publicKey,
+        format: "der",
+        type: "spki"
+      });
+    }
+    const valid = crypto.verify(
+      null,
+      payload,
+      keyObject,
+      Buffer.from(frame.sig)
+    );
+    return valid;
+  } catch (error) {
+    return false;
+  }
+}
+function generateEd25519KeyPair() {
+  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+  return {
+    privateKey: privateKey.export({ type: "pkcs8", format: "der" }),
+    publicKey: publicKey.export({ type: "spki", format: "der" })
+  };
+}
+function sha256(data) {
+  return crypto.createHash("sha256").update(data).digest();
+}
+function computeReceiptHash(receiptBytes, prevHash) {
+  const hasher = crypto.createHash("sha256");
+  hasher.update(receiptBytes);
+  if (prevHash && prevHash.length > 0) {
+    hasher.update(prevHash);
+  }
+  return hasher.digest();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AXIS_MAGIC,
+  AXIS_VERSION,
+  AxisFrameZ,
+  ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS,
+  MAX_BODY_LEN,
+  MAX_FRAME_LEN,
+  MAX_HDR_LEN,
+  MAX_SIG_LEN,
+  PROOF_CAPSULE,
+  PROOF_JWT,
+  PROOF_LOOM,
+  PROOF_MTLS,
+  TLV_ACTOR_ID,
+  TLV_AUD,
+  TLV_EFFECT,
+  TLV_ERROR_CODE,
+  TLV_ERROR_MSG,
+  TLV_INTENT,
+  TLV_KID,
+  TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT,
+  TLV_NODE,
+  TLV_NODE_CERT_HASH,
+  TLV_NODE_KID,
+  TLV_NONCE,
+  TLV_OK,
+  TLV_PID,
+  TLV_PREV_HASH,
+  TLV_PROOF_REF,
+  TLV_PROOF_TYPE,
+  TLV_RECEIPT_HASH,
+  TLV_RID,
+  TLV_TRACE_ID,
+  TLV_TS,
+  computeReceiptHash,
+  computeSignaturePayload,
+  decodeArray,
+  decodeFrame,
+  decodeObject,
+  decodeTLVs,
+  decodeTLVsList,
+  decodeVarint,
+  encodeFrame,
+  encodeTLVs,
+  encodeVarint,
+  generateEd25519KeyPair,
+  getSignTarget,
+  sha256,
+  signFrame,
+  varintLength,
+  verifyFrameSignature
+});
+//# sourceMappingURL=index.js.map