@nextera.one/axis-server-sdk 0.2.0 → 0.4.0

package/dist/index.js

@@ -37,13 +37,22 @@ var __decorateClass = (decorators, target, key, kind) => {
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  ATS1_HDR: () => ATS1_HDR,
+  ATS1_SCHEMA: () => ATS1_SCHEMA,
   AXIS_MAGIC: () => AXIS_MAGIC,
   AXIS_VERSION: () => AXIS_VERSION,
+  Ats1Codec: () => ats1_exports,
   AxisFrameZ: () => AxisFrameZ,
+  AxisPacketTags: () => T,
+  ContractViolationError: () => ContractViolationError,
+  DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
+  Decision: () => Decision,
   ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET: () => ERR_INVALID_PACKET,
   ERR_REPLAY_DETECTED: () => ERR_REPLAY_DETECTED,
+  ExecutionMeter: () => ExecutionMeter,
+  FALLBACK_CONTRACT: () => FALLBACK_CONTRACT,
   FLAG_BODY_TLV: () => FLAG_BODY_TLV,
   FLAG_CHAIN_REQ: () => FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS: () => FLAG_HAS_WITNESS,
@@ -60,6 +69,11 @@ __export(index_exports, {
   PROOF_JWT: () => PROOF_JWT,
   PROOF_LOOM: () => PROOF_LOOM,
   PROOF_MTLS: () => PROOF_MTLS,
+  Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
+  Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
+  Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
+  Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
+  SensorDecisions: () => SensorDecisions,
   TLV_ACTOR_ID: () => TLV_ACTOR_ID,
   TLV_AUD: () => TLV_AUD,
   TLV_EFFECT: () => TLV_EFFECT,
@@ -79,26 +93,55 @@ __export(index_exports, {
   TLV_PREV_HASH: () => TLV_PREV_HASH,
   TLV_PROOF_REF: () => TLV_PROOF_REF,
   TLV_PROOF_TYPE: () => TLV_PROOF_TYPE,
+  TLV_REALM: () => TLV_REALM,
   TLV_RECEIPT_HASH: () => TLV_RECEIPT_HASH,
   TLV_RID: () => TLV_RID,
   TLV_TRACE_ID: () => TLV_TRACE_ID,
   TLV_TS: () => TLV_TS,
+  axis1SigningBytes: () => axis1SigningBytes,
+  b64urlDecode: () => b64urlDecode,
+  b64urlDecodeString: () => b64urlDecodeString,
+  b64urlEncode: () => b64urlEncode,
+  b64urlEncodeString: () => b64urlEncodeString,
+  buildAts1Hdr: () => buildAts1Hdr,
+  buildPacket: () => buildPacket,
+  buildTLVs: () => buildTLVs,
+  bytes: () => bytes,
+  canonicalJson: () => canonicalJson,
+  canonicalJsonExcluding: () => canonicalJsonExcluding,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
   decodeArray: () => decodeArray,
+  decodeAxis1Frame: () => decodeAxis1Frame,
   decodeFrame: () => decodeFrame,
   decodeObject: () => decodeObject,
   decodeTLVs: () => decodeTLVs,
   decodeTLVsList: () => decodeTLVsList,
   decodeVarint: () => decodeVarint,
+  encVarint: () => encVarint,
+  encodeAxis1Frame: () => encodeAxis1Frame,
   encodeFrame: () => encodeFrame,
   encodeTLVs: () => encodeTLVs,
   encodeVarint: () => encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
+  nonce16: () => nonce16,
+  normalizeSensorDecision: () => normalizeSensorDecision,
+  packPasskeyLoginOptionsReq: () => packPasskeyLoginOptionsReq,
+  packPasskeyLoginOptionsRes: () => packPasskeyLoginOptionsRes,
+  packPasskeyLoginVerifyReq: () => packPasskeyLoginVerifyReq,
+  packPasskeyLoginVerifyRes: () => packPasskeyLoginVerifyRes,
+  packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
   sha256: () => sha256,
   signFrame: () => signFrame,
+  tlv: () => tlv,
+  u64be: () => u64be,
+  unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
+  unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
+  unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
+  utf8: () => utf8,
   varintLength: () => varintLength,
+  varintU: () => varintU,
   verifyFrameSignature: () => verifyFrameSignature
 });
 module.exports = __toCommonJS(index_exports);
@@ -309,6 +352,7 @@ var TLV_PROOF_TYPE = 5;
 var TLV_PROOF_REF = 6;
 var TLV_NONCE = 7;
 var TLV_AUD = 8;
+var TLV_REALM = TLV_AUD;
 var TLV_NODE = 9;
 var TLV_TRACE_ID = 10;
 var TLV_KID = 11;
@@ -336,17 +380,17 @@ var ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
 // src/core/varint.ts
 function encodeVarint(value) {
   if (value < 0) throw new Error("Varint must be unsigned");
-  const bytes = [];
+  const bytes2 = [];
   while (true) {
     const byte = value & 127;
     value >>>= 7;
     if (value === 0) {
-      bytes.push(byte);
+      bytes2.push(byte);
       break;
     }
-    bytes.push(byte | 128);
+    bytes2.push(byte | 128);
   }
-  return new Uint8Array(bytes);
+  return new Uint8Array(bytes2);
 }
 function decodeVarint(buf, offset = 0) {
   let value = 0;
@@ -447,25 +491,28 @@ function decodeTLVs(buf) {
   }
   return map2;
 }
-function decodeObject(bytes, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
+function decodeObject(bytes2, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
   if (depth > limits.maxDepth) {
     throw new Error("OBJECT_DEPTH_EXCEEDED");
   }
-  const map2 = decodeTLVs(bytes);
+  const map2 = decodeTLVs(bytes2);
   return map2;
 }
-function decodeArray(bytes, itemType, maxItems = 256) {
-  const list = decodeTLVsList(bytes, maxItems);
+function decodeArray(bytes2, itemType, maxItems = 256) {
+  const list = decodeTLVsList(bytes2, maxItems);
   const items = [];
-  for (const tlv of list) {
-    if (tlv.type !== itemType) {
-      throw new Error(`INVALID_ARRAY_ITEM:${tlv.type}`);
+  for (const tlv2 of list) {
+    if (tlv2.type !== itemType) {
+      throw new Error(`INVALID_ARRAY_ITEM:${tlv2.type}`);
     }
-    items.push(tlv.value);
+    items.push(tlv2.value);
   }
   return items;
 }
 
+// src/core/signature.ts
+var crypto = __toESM(require("crypto"));
+
 // src/core/axis-bin.ts
 var z = __toESM(require("zod"));
 var AxisFrameZ = z.object({
@@ -563,7 +610,6 @@ function getSignTarget(frame) {
 }
 
 // src/core/signature.ts
-var crypto = __toESM(require("crypto"));
 function computeSignaturePayload(frame) {
   const frameWithoutSig = {
     ...frame,
@@ -680,15 +726,1273 @@ function computeReceiptHash(receiptBytes, prevHash) {
   }
   return hasher.digest();
 }
+
+// src/codec/ats1.constants.ts
+var ATS1_HDR = {
+  INTENT_ID: 1,
+  // uvarint
+  ACTOR_KEY_ID: 2,
+  // bytes (key fingerprint / credentialId hash)
+  CAPSULE_ID: 3,
+  // bytes or varint
+  NONCE: 4,
+  // 16 bytes
+  TS_MS: 5,
+  // u64be (8)
+  SCHEMA_ID: 6,
+  // uvarint
+  BODY_HASH: 7,
+  // 32 bytes (sha256)
+  TRACE_ID: 8
+  // 16 bytes
+};
+var ATS1_SCHEMA = {
+  PASSKEY_LOGIN_OPTIONS_REQ: 2001,
+  PASSKEY_LOGIN_OPTIONS_RES: 2002,
+  PASSKEY_LOGIN_VERIFY_REQ: 2011,
+  PASSKEY_LOGIN_VERIFY_RES: 2012,
+  PASSKEY_REGISTER_OPTIONS_REQ: 2021,
+  PASSKEY_REGISTER_OPTIONS_RES: 2022,
+  PASSKEY_REGISTER_VERIFY_REQ: 2031,
+  PASSKEY_REGISTER_VERIFY_RES: 2032
+};
+
+// src/codec/ats1.ts
+var ats1_exports = {};
+__export(ats1_exports, {
+  DEFAULT_LIMITS: () => DEFAULT_LIMITS,
+  HDR_TAGS: () => HDR_TAGS,
+  Schema2001_PasskeyLoginOptionsReq: () => Schema2001_PasskeyLoginOptionsReq,
+  Schema3100_DeviceContext: () => Schema3100_DeviceContext,
+  Schema4001_LoginWithDeviceReq: () => Schema4001_LoginWithDeviceReq,
+  decodeAxisHeaderFromTLVs: () => decodeAxisHeaderFromTLVs,
+  decodeAxisRequestBinary: () => decodeAxisRequestBinary,
+  decodeTLVStream: () => decodeTLVStream,
+  decodeU64BE: () => decodeU64BE,
+  decodeUVarint: () => decodeUVarint,
+  encodeAxisHeaderToTLVs: () => encodeAxisHeaderToTLVs,
+  encodeAxisRequestBinary: () => encodeAxisRequestBinary,
+  encodeTLV: () => encodeTLV,
+  encodeTLVStreamCanonical: () => encodeTLVStreamCanonical,
+  encodeU64BE: () => encodeU64BE,
+  encodeUVarint: () => encodeUVarint,
+  logicalBodyToTLVs: () => logicalBodyToTLVs,
+  sha256: () => sha2562,
+  tlvsToLogicalBody: () => tlvsToLogicalBody,
+  tlvsToMap: () => tlvsToMap,
+  validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
+});
+var import_crypto = require("crypto");
+var DEFAULT_LIMITS = {
+  maxVarintBytes: 10,
+  maxTlvCount: 512,
+  maxValueBytes: 1048576,
+  // 1 MiB
+  maxNestingDepth: 4
+};
+function encodeUVarint(n) {
+  let x = typeof n === "bigint" ? n : BigInt(n);
+  if (x < 0n) throw new Error("encodeUVarint: negative not allowed");
+  const out = [];
+  while (x >= 0x80n) {
+    out.push(Number(x & 0x7fn | 0x80n));
+    x >>= 7n;
+  }
+  out.push(Number(x));
+  return Buffer.from(out);
+}
+function decodeUVarint(buf, offset, limits = DEFAULT_LIMITS) {
+  let x = 0n;
+  let shift = 0n;
+  const start = offset;
+  for (let i = 0; i < limits.maxVarintBytes; i++) {
+    if (offset >= buf.length) throw new Error("decodeUVarint: truncated");
+    const b = buf[offset++];
+    x |= BigInt(b & 127) << shift;
+    if ((b & 128) === 0) {
+      const bytesRead = offset - start;
+      const re = encodeUVarint(x);
+      const original = buf.subarray(start, offset);
+      if (!re.equals(original))
+        throw new Error("decodeUVarint: non-minimal varint");
+      return { value: x, offset, bytesRead };
+    }
+    shift += 7n;
+  }
+  throw new Error("decodeUVarint: too long");
+}
+function encodeU64BE(n) {
+  if (n < 0n) throw new Error("encodeU64BE: negative not allowed");
+  const b = Buffer.alloc(8);
+  b.writeBigUInt64BE(n, 0);
+  return b;
+}
+function decodeU64BE(buf) {
+  if (buf.length !== 8) throw new Error("decodeU64BE: length must be 8");
+  return buf.readBigUInt64BE(0);
+}
+function sha2562(data) {
+  return (0, import_crypto.createHash)("sha256").update(data).digest();
+}
+function encodeTLV(tag, value) {
+  if (!Number.isInteger(tag) || tag <= 0)
+    throw new Error("encodeTLV: tag must be positive int");
+  const t = encodeUVarint(tag);
+  const l = encodeUVarint(value.length);
+  return Buffer.concat([t, l, value]);
+}
+function encodeTLVStreamCanonical(entries) {
+  const sorted = [...entries].sort((a, b) => a.tag - b.tag);
+  const parts = [];
+  for (const e of sorted) parts.push(encodeTLV(e.tag, e.value));
+  return Buffer.concat(parts);
+}
+function decodeTLVStream(stream, limits = DEFAULT_LIMITS) {
+  const out = [];
+  let off = 0;
+  while (off < stream.length) {
+    if (out.length >= limits.maxTlvCount)
+      throw new Error("decodeTLVStream: too many TLVs");
+    const tagRes = decodeUVarint(stream, off, limits);
+    const tag = Number(tagRes.value);
+    off = tagRes.offset;
+    const lenRes = decodeUVarint(stream, off, limits);
+    const len = Number(lenRes.value);
+    off = lenRes.offset;
+    if (len < 0) throw new Error("decodeTLVStream: negative length");
+    if (len > limits.maxValueBytes)
+      throw new Error("decodeTLVStream: value too large");
+    if (off + len > stream.length)
+      throw new Error("decodeTLVStream: truncated value");
+    const value = stream.subarray(off, off + len);
+    off += len;
+    out.push({ tag, value: Buffer.from(value) });
+  }
+  for (let i = 1; i < out.length; i++) {
+    if (out[i].tag < out[i - 1].tag)
+      throw new Error("decodeTLVStream: non-canonical tag order");
+  }
+  return out;
+}
+function tlvsToMap(entries) {
+  const m = /* @__PURE__ */ new Map();
+  for (const e of entries) {
+    const arr = m.get(e.tag) ?? [];
+    arr.push(e.value);
+    m.set(e.tag, arr);
+  }
+  return m;
+}
+function validateTLVsAgainstSchema(schema, tlvs, depth = 0, limits = DEFAULT_LIMITS) {
+  if (depth > Math.min(schema.maxNestingDepth, limits.maxNestingDepth)) {
+    throw new Error("validateTLVsAgainstSchema: nesting depth exceeded");
+  }
+  if (schema.maxBodyBytes && tlvsBytes(tlvs) > schema.maxBodyBytes) {
+    throw new Error("validateTLVsAgainstSchema: body too large");
+  }
+  const byTag = /* @__PURE__ */ new Map();
+  for (const t of tlvs) {
+    if (!byTag.has(t.tag)) byTag.set(t.tag, []);
+    byTag.get(t.tag).push(t);
+  }
+  const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f]));
+  if (schema.strict) {
+    for (const tag of byTag.keys()) {
+      if (!fieldByTag.has(tag))
+        throw new Error(`validateTLVsAgainstSchema: unknown tag ${tag}`);
+    }
+  }
+  for (const f of schema.fields) {
+    const vals = byTag.get(f.tag) ?? [];
+    if (f.required && vals.length === 0)
+      throw new Error(`validateTLVsAgainstSchema: missing ${f.name}`);
+    if (!f.repeated && vals.length > 1) {
+      throw new Error(
+        `validateTLVsAgainstSchema: duplicate tag not allowed for ${f.name}`
+      );
+    }
+    if (typeof f.maxLen === "number") {
+      for (const v of vals) {
+        if (v.value.length > f.maxLen)
+          throw new Error(`validateTLVsAgainstSchema: ${f.name} too long`);
+      }
+    }
+    for (const v of vals) {
+      switch (f.type) {
+        case "u64be":
+          if (v.value.length !== 8)
+            throw new Error(
+              `validateTLVsAgainstSchema: ${f.name} u64be must be 8 bytes`
+            );
+          break;
+        case "nested": {
+          if (!f.nestedSchema)
+            throw new Error(
+              `validateTLVsAgainstSchema: ${f.name} missing nestedSchema`
+            );
+          const nestedTlvs = decodeTLVStream(v.value, limits);
+          validateTLVsAgainstSchema(
+            f.nestedSchema,
+            nestedTlvs,
+            depth + 1,
+            limits
+          );
+          break;
+        }
+        default:
+          break;
+      }
+    }
+  }
+}
+function tlvsBytes(tlvs) {
+  let n = 0;
+  for (const t of tlvs) {
+    n += encodeUVarint(t.tag).length + encodeUVarint(t.value.length).length + t.value.length;
+  }
+  return n;
+}
+function logicalBodyToTLVs(schema, body, limits = DEFAULT_LIMITS) {
+  if (body.schemaId !== schema.schemaId)
+    throw new Error("logicalBodyToTLVs: schemaId mismatch");
+  const fieldsByName = new Map(schema.fields.map((f) => [f.name, f]));
+  const tlvs = [];
+  for (const [name, val] of Object.entries(body.fields ?? {})) {
+    const f = fieldsByName.get(name);
+    if (!f) {
+      if (schema.strict)
+        throw new Error(`logicalBodyToTLVs: unknown field ${name}`);
+      continue;
+    }
+    const pushOne = (v) => {
+      const valueBuf = encodeFieldValue(f, v, limits);
+      if (valueBuf.length > limits.maxValueBytes)
+        throw new Error("logicalBodyToTLVs: value too large");
+      tlvs.push({ tag: f.tag, value: valueBuf });
+    };
+    if (f.repeated) {
+      if (!Array.isArray(val))
+        throw new Error(
+          `logicalBodyToTLVs: repeated field ${name} must be array`
+        );
+      for (const item of val) pushOne(item);
+    } else {
+      pushOne(val);
+    }
+  }
+  validateTLVsAgainstSchema(schema, tlvs, 0, limits);
+  return tlvs;
+}
+function encodeFieldValue(f, val, limits) {
+  switch (f.type) {
+    case "bytes":
+      if (Buffer.isBuffer(val)) return Buffer.from(val);
+      if (val instanceof Uint8Array) return Buffer.from(val);
+      throw new Error(`encodeFieldValue: ${f.name} expects bytes`);
+    case "utf8":
+      if (typeof val !== "string")
+        throw new Error(`encodeFieldValue: ${f.name} expects string`);
+      return Buffer.from(val, "utf8");
+    case "uvarint":
+      if (typeof val !== "number" && typeof val !== "bigint")
+        throw new Error(`encodeFieldValue: ${f.name} expects number/bigint`);
+      return encodeUVarint(val);
+    case "u64be":
+      if (typeof val !== "bigint")
+        throw new Error(`encodeFieldValue: ${f.name} expects bigint`);
+      return encodeU64BE(val);
+    case "nested": {
+      if (!f.nestedSchema)
+        throw new Error(`encodeFieldValue: ${f.name} missing nestedSchema`);
+      const nestedFields = val && typeof val === "object" && "fields" in val ? val.fields : val;
+      if (!nestedFields || typeof nestedFields !== "object")
+        throw new Error(`encodeFieldValue: ${f.name} expects object`);
+      const nestedBody = {
+        schemaId: f.nestedSchema.schemaId,
+        fields: nestedFields
+      };
+      const nestedTlvs = logicalBodyToTLVs(f.nestedSchema, nestedBody, limits);
+      const nestedBytes = encodeTLVStreamCanonical(nestedTlvs);
+      const re = decodeTLVStream(nestedBytes, limits);
+      validateTLVsAgainstSchema(f.nestedSchema, re, 1, limits);
+      return nestedBytes;
+    }
+    default:
+      throw new Error(`encodeFieldValue: unsupported type ${f.type}`);
+  }
+}
+function tlvsToLogicalBody(schema, tlvs, limits = DEFAULT_LIMITS) {
+  validateTLVsAgainstSchema(schema, tlvs, 0, limits);
+  const fields = {};
+  const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f]));
+  for (const t of tlvs) {
+    const f = fieldByTag.get(t.tag);
+    if (!f) {
+      if (schema.strict)
+        throw new Error(`tlvsToLogicalBody: unknown tag ${t.tag}`);
+      continue;
+    }
+    const decoded = decodeFieldValue(f, t.value, limits);
+    if (f.repeated) {
+      if (!Array.isArray(fields[f.name])) fields[f.name] = [];
+      fields[f.name].push(decoded);
+    } else {
+      fields[f.name] = decoded;
+    }
+  }
+  return { schemaId: schema.schemaId, fields };
+}
+function decodeFieldValue(f, value, limits) {
+  switch (f.type) {
+    case "bytes":
+      return Buffer.from(value);
+    case "utf8":
+      return value.toString("utf8");
+    case "uvarint": {
+      const r = decodeUVarint(value, 0, limits);
+      if (r.offset !== value.length)
+        throw new Error(
+          `decodeFieldValue: ${f.name} uvarint has trailing bytes`
+        );
+      const asNum = Number(r.value);
+      return Number.isSafeInteger(asNum) ? asNum : r.value;
+    }
+    case "u64be":
+      return decodeU64BE(value);
+    case "nested": {
+      if (!f.nestedSchema)
+        throw new Error(`decodeFieldValue: ${f.name} missing nestedSchema`);
+      const nestedTlvs = decodeTLVStream(value, limits);
+      const nestedBody = tlvsToLogicalBody(f.nestedSchema, nestedTlvs, limits);
+      return nestedBody.fields;
+    }
+    default:
+      throw new Error(`decodeFieldValue: unsupported type ${f.type}`);
+  }
+}
+var HDR_TAGS = {
+  intent_id: 1,
+  actor_key_id: 2,
+  capsule_id: 3,
+  nonce: 4,
+  ts_ms: 5,
+  schema_id: 6,
+  body_hash: 7,
+  trace_id: 8
+};
+function encodeAxisHeaderToTLVs(hdr) {
+  if (hdr.nonce.byteLength !== 16)
+    throw new Error("encodeAxisHeaderToTLVs: nonce must be 16 bytes");
+  if (hdr.bodyHash.byteLength !== 32)
+    throw new Error("encodeAxisHeaderToTLVs: bodyHash must be 32 bytes");
+  if (hdr.traceId && hdr.traceId.byteLength !== 16)
+    throw new Error("encodeAxisHeaderToTLVs: traceId must be 16 bytes");
+  const tlvs = [
+    { tag: HDR_TAGS.intent_id, value: encodeUVarint(hdr.intentId) },
+    { tag: HDR_TAGS.actor_key_id, value: Buffer.from(hdr.actorKeyId) },
+    { tag: HDR_TAGS.nonce, value: Buffer.from(hdr.nonce) },
+    { tag: HDR_TAGS.ts_ms, value: encodeU64BE(hdr.tsMs) },
+    { tag: HDR_TAGS.schema_id, value: encodeUVarint(hdr.schemaId) },
+    { tag: HDR_TAGS.body_hash, value: Buffer.from(hdr.bodyHash) }
+  ];
+  if (hdr.capsuleId)
+    tlvs.push({ tag: HDR_TAGS.capsule_id, value: Buffer.from(hdr.capsuleId) });
+  if (hdr.traceId)
+    tlvs.push({ tag: HDR_TAGS.trace_id, value: Buffer.from(hdr.traceId) });
+  return tlvs;
+}
+function decodeAxisHeaderFromTLVs(hdrTlvs, limits = DEFAULT_LIMITS) {
+  const m = tlvsToMap(hdrTlvs);
+  const get1 = (tag) => {
+    const arr = m.get(tag);
+    if (!arr || arr.length !== 1)
+      throw new Error(
+        `decodeAxisHeaderFromTLVs: missing/dup header tag ${tag}`
+      );
+    return arr[0];
+  };
+  const getOpt1 = (tag) => {
+    const arr = m.get(tag);
+    if (!arr) return void 0;
+    if (arr.length !== 1)
+      throw new Error(`decodeAxisHeaderFromTLVs: dup header tag ${tag}`);
+    return arr[0];
+  };
+  const intentIdVar = decodeUVarint(get1(HDR_TAGS.intent_id), 0, limits);
+  if (intentIdVar.offset !== get1(HDR_TAGS.intent_id).length)
+    throw new Error("decodeAxisHeaderFromTLVs: intent_id trailing bytes");
+  const schemaIdVar = decodeUVarint(get1(HDR_TAGS.schema_id), 0, limits);
+  if (schemaIdVar.offset !== get1(HDR_TAGS.schema_id).length)
+    throw new Error("decodeAxisHeaderFromTLVs: schema_id trailing bytes");
+  const ts = decodeU64BE(get1(HDR_TAGS.ts_ms));
+  const nonce = get1(HDR_TAGS.nonce);
+  if (nonce.length !== 16)
+    throw new Error("decodeAxisHeaderFromTLVs: nonce must be 16 bytes");
+  const bodyHash = get1(HDR_TAGS.body_hash);
+  if (bodyHash.length !== 32)
+    throw new Error("decodeAxisHeaderFromTLVs: body_hash must be 32 bytes");
+  const trace = getOpt1(HDR_TAGS.trace_id);
+  if (trace && trace.length !== 16)
+    throw new Error("decodeAxisHeaderFromTLVs: trace_id must be 16 bytes");
+  return {
+    intentId: Number(intentIdVar.value),
+    actorKeyId: Buffer.from(get1(HDR_TAGS.actor_key_id)),
+    capsuleId: getOpt1(HDR_TAGS.capsule_id) ? Buffer.from(getOpt1(HDR_TAGS.capsule_id)) : void 0,
+    nonce: Buffer.from(nonce),
+    tsMs: ts,
+    schemaId: Number(schemaIdVar.value),
+    bodyHash: Buffer.from(bodyHash),
+    traceId: trace ? Buffer.from(trace) : void 0
+  };
+}
+function encodeAxisRequestBinary(schema, req, limits = DEFAULT_LIMITS) {
+  const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);
+  const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);
+  const bodyHash = sha2562(bodyBytes);
+  const hdr = {
+    ...req.hdr,
+    schemaId: schema.schemaId,
+    bodyHash
+  };
+  const hdrTlvs = encodeAxisHeaderToTLVs(hdr);
+  const hdrBytes = encodeTLVStreamCanonical(hdrTlvs);
+  return { hdrBytes, bodyBytes, bodyHash };
+}
+function decodeAxisRequestBinary(schema, hdrBytes, bodyBytes, limits = DEFAULT_LIMITS) {
+  const hdrTlvs = decodeTLVStream(hdrBytes, limits);
+  const bodyTlvs = decodeTLVStream(bodyBytes, limits);
+  const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);
+  if (hdr.schemaId !== schema.schemaId)
+    throw new Error("decodeAxisRequestBinary: schemaId mismatch");
+  const bh = sha2562(bodyBytes);
+  if (!Buffer.from(hdr.bodyHash).equals(bh))
+    throw new Error("decodeAxisRequestBinary: body_hash mismatch");
+  const body = tlvsToLogicalBody(schema, bodyTlvs, limits);
+  const sensorInput = {
+    hdrTLVs: tlvsToMap(hdrTlvs),
+    bodyTLVs: tlvsToMap(bodyTlvs),
+    schemaId: hdr.schemaId,
+    intentId: hdr.intentId
+  };
+  return { hdr, body, sensorInput };
+}
+var Schema3100_DeviceContext = {
+  schemaId: 3100,
+  name: "device.context",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "deviceId", type: "bytes", required: true, maxLen: 128 },
+    { tag: 2, name: "os", type: "utf8", required: true, maxLen: 64 },
+    { tag: 3, name: "hw", type: "utf8", required: true, maxLen: 64 }
+  ]
+};
+var Schema2001_PasskeyLoginOptionsReq = {
+  schemaId: 2001,
+  name: "axis.auth.passkey.login.options.req",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "username", type: "utf8", required: true, maxLen: 128 }
+  ]
+};
+var Schema4001_LoginWithDeviceReq = {
+  schemaId: 4001,
+  name: "axis.auth.login.with_device.req",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "username", type: "utf8", required: true, maxLen: 128 },
+    {
+      tag: 2,
+      name: "device",
+      type: "nested",
+      required: true,
+      nestedSchema: Schema3100_DeviceContext
+    }
+  ]
+};
+
+// src/codec/ats1.passkey.schemas.ts
+function buildAts1Hdr(params) {
+  const hdr = {
+    intentId: params.intentId,
+    schemaId: params.schemaId,
+    actorKeyId: params.actorKeyId ?? Buffer.alloc(0),
+    capsuleId: params.capsuleId,
+    nonce: params.nonce ?? require("crypto").randomBytes(16),
+    tsMs: params.tsMs ?? BigInt(Date.now()),
+    bodyHash: params.bodyHash ?? Buffer.alloc(32),
+    traceId: params.traceId
+  };
+  const tlvs = encodeAxisHeaderToTLVs(hdr);
+  return encodeTLVStreamCanonical(tlvs);
+}
+function packPasskeyLoginOptionsReq(params) {
+  const bodyTlvs = logicalBodyToTLVs(
+    Schema2001_PasskeyLoginOptionsReq,
+    {
+      schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,
+      fields: { username: params.username }
+    }
+  );
+  const body = encodeTLVStreamCanonical(bodyTlvs);
+  const bodyHash = sha2562(body);
+  const hdr = buildAts1Hdr({
+    intentId: params.intentId,
+    schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,
+    actorKeyId: params.actorKeyId,
+    capsuleId: params.capsuleId,
+    traceId: params.traceId,
+    bodyHash
+  });
+  return { hdr, body };
+}
+function unpackPasskeyLoginOptionsReq(body) {
+  const tlvs = decodeTLVStream(body);
+  const decoded = tlvsToLogicalBody(
+    Schema2001_PasskeyLoginOptionsReq,
+    tlvs
+  );
+  return { username: decoded.fields.username };
+}
+var Schema2021_PasskeyRegisterOptionsReq = {
+  schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,
+  name: "axis.auth.passkey.register.options.req",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "username", type: "utf8", required: true, maxLen: 128 }
+  ]
+};
+var Schema2011_PasskeyLoginVerifyReq = {
+  schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,
+  name: "axis.auth.passkey.login.verify.req",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "username", type: "utf8", required: true, maxLen: 128 },
+    {
+      tag: 2,
+      name: "credentialId",
+      type: "bytes",
+      required: true,
+      maxLen: 1024
+    },
+    {
+      tag: 3,
+      name: "clientDataJSON",
+      type: "bytes",
+      required: true,
+      maxLen: 4096
+    },
+    {
+      tag: 4,
+      name: "authenticatorData",
+      type: "bytes",
+      required: true,
+      maxLen: 1024
+    },
+    { tag: 5, name: "signature", type: "bytes", required: true, maxLen: 1024 },
+    { tag: 6, name: "userHandle", type: "bytes", required: false, maxLen: 128 }
+  ]
+};
+function packPasskeyRegisterOptionsReq(params) {
+  const bodyTlvs = logicalBodyToTLVs(
+    Schema2021_PasskeyRegisterOptionsReq,
+    {
+      schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,
+      fields: { username: params.username }
+    }
+  );
+  const body = encodeTLVStreamCanonical(bodyTlvs);
+  const bodyHash = sha2562(body);
+  const hdr = buildAts1Hdr({
+    intentId: params.intentId,
+    schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,
+    actorKeyId: params.actorKeyId,
+    traceId: params.traceId,
+    bodyHash
+  });
+  return { hdr, body };
+}
+function unpackPasskeyRegisterOptionsReq(body) {
+  const tlvs = decodeTLVStream(body);
+  const decoded = tlvsToLogicalBody(
+    Schema2021_PasskeyRegisterOptionsReq,
+    tlvs
+  );
+  return { username: decoded.fields.username };
+}
+function packPasskeyLoginVerifyReq(params) {
+  const bodyTlvs = logicalBodyToTLVs(Schema2011_PasskeyLoginVerifyReq, {
+    schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,
+    fields: {
+      username: params.username,
+      credentialId: params.credentialId,
+      clientDataJSON: params.clientDataJSON,
+      authenticatorData: params.authenticatorData,
+      signature: params.signature,
+      userHandle: params.userHandle
+    }
+  });
+  const body = encodeTLVStreamCanonical(bodyTlvs);
+  const bodyHash = sha2562(body);
+  const hdr = buildAts1Hdr({
+    intentId: params.intentId,
+    schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,
+    actorKeyId: params.actorKeyId,
+    traceId: params.traceId,
+    bodyHash
+  });
+  return { hdr, body };
+}
+function unpackPasskeyLoginVerifyReq(body) {
+  const tlvs = decodeTLVStream(body);
+  const decoded = tlvsToLogicalBody(
+    Schema2011_PasskeyLoginVerifyReq,
+    tlvs
+  );
+  const f = decoded.fields;
+  return {
+    username: f.username,
+    credentialId: f.credentialId,
+    clientDataJSON: f.clientDataJSON,
+    authenticatorData: f.authenticatorData,
+    signature: f.signature,
+    userHandle: f.userHandle
+  };
+}
+var Schema2002_PasskeyLoginOptionsRes = {
+  schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,
+  name: "axis.auth.passkey.login.options.res",
+  strict: false,
+  // allow extra fields from WebAuthn library
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "challenge", type: "utf8", required: true },
+    // base64url string
+    { tag: 2, name: "timeout", type: "uvarint", required: false },
+    { tag: 3, name: "rpId", type: "utf8", required: false },
+    { tag: 4, name: "userVerification", type: "utf8", required: false },
+    { tag: 5, name: "allowCredentialsJson", type: "utf8", required: false }
+    // JSON array for simplicity
+  ]
+};
+function packPasskeyLoginOptionsRes(params) {
+  const fields = {
+    challenge: params.challenge
+  };
+  if (params.timeout !== void 0) fields.timeout = params.timeout;
+  if (params.rpId) fields.rpId = params.rpId;
+  if (params.userVerification)
+    fields.userVerification = params.userVerification;
+  if (params.allowCredentials)
+    fields.allowCredentialsJson = JSON.stringify(params.allowCredentials);
+  const bodyTlvs = logicalBodyToTLVs(Schema2002_PasskeyLoginOptionsRes, {
+    schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,
+    fields
+  });
+  return encodeTLVStreamCanonical(bodyTlvs);
+}
+var Schema2012_PasskeyLoginVerifyRes = {
+  schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,
+  name: "axis.auth.passkey.login.verify.res",
+  strict: true,
+  maxNestingDepth: 4,
+  fields: [
+    { tag: 1, name: "actorId", type: "utf8", required: true, maxLen: 256 },
+    { tag: 2, name: "keyId", type: "utf8", required: true, maxLen: 256 },
+    { tag: 3, name: "capsule", type: "bytes", required: true, maxLen: 4096 },
+    { tag: 4, name: "expiresAt", type: "u64be", required: true }
+  ]
+};
+function packPasskeyLoginVerifyRes(params) {
+  const bodyTlvs = logicalBodyToTLVs(Schema2012_PasskeyLoginVerifyRes, {
+    schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,
+    fields: {
+      actorId: params.actorId,
+      keyId: params.keyId,
+      capsule: params.capsule,
+      expiresAt: params.expiresAt
+    }
+  });
+  return encodeTLVStreamCanonical(bodyTlvs);
+}
+
+// src/codec/tlv.encode.ts
+var import_crypto2 = require("crypto");
+function encVarint(x) {
+  if (x < 0n) throw new Error("VARINT_NEG");
+  const out = [];
+  while (x >= 0x80n) {
+    out.push(Number(x & 0x7fn | 0x80n));
+    x >>= 7n;
+  }
+  out.push(Number(x));
+  return Buffer.from(out);
+}
+function varintU(x) {
+  const v = typeof x === "number" ? BigInt(x) : x;
+  return encVarint(v);
+}
+function u64be(x) {
+  if (x < 0n) throw new Error("U64_NEG");
+  const b = Buffer.alloc(8);
+  b.writeBigUInt64BE(x, 0);
+  return b;
+}
+function utf8(s) {
+  return Buffer.from(s, "utf8");
+}
+function bytes(b) {
+  return Buffer.isBuffer(b) ? b : Buffer.from(b);
+}
+function nonce16() {
+  return (0, import_crypto2.randomBytes)(16);
+}
+function tlv(type, value) {
+  if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
+  return Buffer.concat([
+    encVarint(BigInt(type)),
+    encVarint(BigInt(value.length)),
+    value
+  ]);
+}
+function buildTLVs(items, opts) {
+  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const sorted = [...items].sort((a, b) => a.type - b.type);
+  for (let i = 1; i < sorted.length; i++) {
+    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
+      throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
+    }
+  }
+  return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));
+}
+
+// src/codec/axis1.encode.ts
+var MAGIC = Buffer.from("AXIS1", "ascii");
+function encodeAxis1Frame(f) {
+  if (!Buffer.isBuffer(f.hdr) || !Buffer.isBuffer(f.body) || !Buffer.isBuffer(f.sig)) {
+    throw new Error("AXIS1_BAD_BUFFERS");
+  }
+  if (f.ver !== 1) throw new Error("AXIS1_BAD_VER");
+  const hdrLen = encVarint(BigInt(f.hdr.length));
+  const bodyLen = encVarint(BigInt(f.body.length));
+  const sigLen = encVarint(BigInt(f.sig.length));
+  return Buffer.concat([
+    MAGIC,
+    Buffer.from([f.ver & 255]),
+    Buffer.from([f.flags & 255]),
+    hdrLen,
+    bodyLen,
+    sigLen,
+    f.hdr,
+    f.body,
+    f.sig
+  ]);
+}
+
+// src/codec/axis1.signing.ts
+var MAGIC2 = Buffer.from("AXIS1", "ascii");
+function axis1SigningBytes(params) {
+  if (params.ver !== 1) throw new Error("AXIS1_BAD_VER");
+  const hdrLen = encVarint(BigInt(params.hdr.length));
+  const bodyLen = encVarint(BigInt(params.body.length));
+  const sigLenZero = encVarint(0n);
+  return Buffer.concat([
+    MAGIC2,
+    Buffer.from([params.ver & 255]),
+    Buffer.from([params.flags & 255]),
+    hdrLen,
+    bodyLen,
+    sigLenZero,
+    params.hdr,
+    params.body
+  ]);
+}
+
+// src/crypto/b64url.ts
+function b64urlEncode(buf) {
+  return buf.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function b64urlDecode(str) {
+  const pad = str.length % 4 ? "=".repeat(4 - str.length % 4) : "";
+  const base64 = (str + pad).replace(/-/g, "+").replace(/_/g, "/");
+  return Buffer.from(base64, "base64");
+}
+function b64urlEncodeString(str, encoding = "utf8") {
+  return b64urlEncode(Buffer.from(str, encoding));
+}
+function b64urlDecodeString(str, encoding = "utf8") {
+  return b64urlDecode(str).toString(encoding);
+}
+
+// src/crypto/canonical-json.ts
+function sortRec(value) {
+  if (value === null) {
+    return null;
+  }
+  if (value === void 0) {
+    return void 0;
+  }
+  if (Array.isArray(value)) {
+    return value.map(sortRec);
+  }
+  if (typeof value === "object") {
+    const sorted = {};
+    const keys = Object.keys(value).sort();
+    for (const key of keys) {
+      const sortedValue = sortRec(value[key]);
+      if (sortedValue !== void 0) {
+        sorted[key] = sortedValue;
+      }
+    }
+    return sorted;
+  }
+  return value;
+}
+function canonicalJson(value) {
+  return JSON.stringify(sortRec(value));
+}
+function canonicalJsonExcluding(obj, exclude) {
+  const filtered = {};
+  for (const key in obj) {
+    if (!exclude.includes(key) && obj[key] !== void 0) {
+      filtered[key] = obj[key];
+    }
+  }
+  return canonicalJson(filtered);
+}
+
+// src/contract/execution-meter.ts
+var ContractViolationError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "ContractViolationError";
+  }
+};
+var ExecutionMeter = class {
+  // ExecutionContract
+  constructor(contract) {
+    this.dbWrites = 0;
+    this.dbReads = 0;
+    this.externalCalls = 0;
+    this.contract = contract;
+    this.startTime = Date.now();
+  }
+  recordDbWrite() {
+    this.dbWrites++;
+    if (this.dbWrites > this.contract.maxDbWrites) {
+      throw new ContractViolationError(
+        "MAX_DB_WRITES_EXCEEDED",
+        `DB writes exceeded: ${this.dbWrites}/${this.contract.maxDbWrites}`
+      );
+    }
+  }
+  recordDbRead() {
+    this.dbReads++;
+    if (this.contract.maxDbReads && this.dbReads > this.contract.maxDbReads) {
+      throw new ContractViolationError(
+        "MAX_DB_READS_EXCEEDED",
+        `DB reads exceeded: ${this.dbReads}/${this.contract.maxDbReads}`
+      );
+    }
+  }
+  recordExternalCall() {
+    this.externalCalls++;
+    if (this.externalCalls > this.contract.maxExternalCalls) {
+      throw new ContractViolationError(
+        "MAX_EXTERNAL_CALLS_EXCEEDED",
+        `External calls exceeded: ${this.externalCalls}/${this.contract.maxExternalCalls}`
+      );
+    }
+  }
+  checkTime() {
+    const elapsed = Date.now() - this.startTime;
+    if (elapsed > this.contract.maxTimeMs) {
+      throw new ContractViolationError(
+        "MAX_TIME_EXCEEDED",
+        `Execution time exceeded: ${elapsed}ms/${this.contract.maxTimeMs}ms`
+      );
+    }
+  }
+  validateEffect(effect) {
+    if (this.contract.allowedEffects.includes("*")) {
+      return;
+    }
+    if (!this.contract.allowedEffects.includes(effect)) {
+      throw new ContractViolationError(
+        "INVALID_EFFECT",
+        `Effect '${effect}' not allowed. Allowed: ${this.contract.allowedEffects.join(", ")}`
+      );
+    }
+  }
+  getMetrics() {
+    return {
+      dbWrites: this.dbWrites,
+      dbReads: this.dbReads,
+      externalCalls: this.externalCalls,
+      elapsedMs: Date.now() - this.startTime
+    };
+  }
+  getContract() {
+    return this.contract;
+  }
+};
+
+// src/contract/contract.interface.ts
+var DEFAULT_CONTRACTS = {
+  // System intents
+  "system.ping": {
+    maxDbWrites: 0,
+    maxExternalCalls: 0,
+    maxTimeMs: 100,
+    allowedEffects: ["system.pong"]
+  },
+  // Catalog intents
+  "catalog.list": {
+    maxDbWrites: 0,
+    maxExternalCalls: 0,
+    maxTimeMs: 200,
+    allowedEffects: ["catalog.listed"]
+  },
+  "catalog.search": {
+    maxDbWrites: 0,
+    maxExternalCalls: 0,
+    maxTimeMs: 300,
+    allowedEffects: ["catalog.searched"]
+  },
+  // Passport intents
+  "passport.issue": {
+    maxDbWrites: 10,
+    maxExternalCalls: 0,
+    maxTimeMs: 500,
+    allowedEffects: ["passport.issued", "passport.rejected"]
+  },
+  "passport.revoke": {
+    maxDbWrites: 5,
+    maxExternalCalls: 0,
+    maxTimeMs: 300,
+    allowedEffects: ["passport.revoked", "passport.revoke_failed"]
+  },
+  // File intents
+  "file.init": {
+    maxDbWrites: 2,
+    maxExternalCalls: 0,
+    maxTimeMs: 200,
+    allowedEffects: ["file.initialized"]
+  },
+  "file.chunk": {
+    maxDbWrites: 2,
+    maxExternalCalls: 0,
+    maxTimeMs: 1e3,
+    allowedEffects: ["file.chunk.stored"]
+  },
+  "file.finalize": {
+    maxDbWrites: 2,
+    maxExternalCalls: 0,
+    maxTimeMs: 500,
+    allowedEffects: ["file.finalized"]
+  },
+  // Stream intents
+  "stream.publish": {
+    maxDbWrites: 1,
+    maxExternalCalls: 0,
+    maxTimeMs: 200,
+    allowedEffects: ["stream.published"]
+  },
+  "stream.read": {
+    maxDbWrites: 0,
+    maxExternalCalls: 0,
+    maxTimeMs: 300,
+    allowedEffects: ["stream.data"]
+  },
+  // Mail intents
+  "mail.send": {
+    maxDbWrites: 3,
+    maxExternalCalls: 1,
+    // Email service
+    maxTimeMs: 2e3,
+    allowedEffects: ["mail.sent", "mail.failed"]
+  }
+};
+var FALLBACK_CONTRACT = {
+  maxDbWrites: 10,
+  maxExternalCalls: 0,
+  maxTimeMs: 1e3,
+  allowedEffects: ["*"]
+  // Allow any effect
+};
+
+// src/types/tlv.ts
+function decVarint(buf, off) {
+  let shift = 0n;
+  let x = 0n;
+  while (true) {
+    if (off >= buf.length) throw new Error("varint overflow");
+    const b = BigInt(buf[off++]);
+    x |= (b & 0x7fn) << shift;
+    if ((b & 0x80n) === 0n) break;
+    shift += 7n;
+    if (shift > 63n) throw new Error("varint too large");
+  }
+  return { val: x, off };
+}
+function parseTLVs(buf, maxItems = 512) {
+  const out = [];
+  let off = 0;
+  while (off < buf.length) {
+    if (out.length >= maxItems) throw new Error("TLV_TOO_MANY_ITEMS");
+    const t1 = decVarint(buf, off);
+    off = t1.off;
+    const t2 = decVarint(buf, off);
+    off = t2.off;
+    const type = Number(t1.val);
+    const len = Number(t2.val);
+    if (len < 0 || off + len > buf.length) {
+      throw new Error("TLV_LEN_INVALID");
+    }
+    const value = buf.subarray(off, off + len);
+    off += len;
+    out.push({ type, value });
+  }
+  return out;
+}
+function tlvMap(buf) {
+  const m = /* @__PURE__ */ new Map();
+  for (const it of parseTLVs(buf)) {
+    const arr = m.get(it.type) ?? [];
+    arr.push(it.value);
+    m.set(it.type, arr);
+  }
+  return m;
+}
+function asUtf8(b) {
+  if (!b) return void 0;
+  return b.toString("utf8");
+}
+function asBigintVarint(b) {
+  if (!b) return void 0;
+  const { val, off } = decVarint(b, 0);
+  if (off !== b.length) throw new Error("VARINT_TRAILING_BYTES");
+  return val;
+}
+function asBigint64BE(b) {
+  if (!b) return void 0;
+  if (b.length !== 8) throw new Error("Expected 8 bytes for u64");
+  return b.readBigUInt64BE(0);
+}
+
+// src/types/frame.ts
+var MAGIC3 = Buffer.from("AXIS1", "ascii");
+function decodeAxis1Frame(buf) {
+  let off = 0;
+  const magic = buf.subarray(off, off + 5);
+  off += 5;
+  if (magic.length !== 5 || !magic.equals(MAGIC3))
+    throw new Error("AXIS1_BAD_MAGIC");
+  if (off + 2 > buf.length) throw new Error("AXIS1_TRUNCATED");
+  const ver = buf[off++];
+  const flags = buf[off++];
+  const h1 = decVarint(buf, off);
+  off = h1.off;
+  const b1 = decVarint(buf, off);
+  off = b1.off;
+  const s1 = decVarint(buf, off);
+  off = s1.off;
+  const hdrLen = Number(h1.val);
+  const bodyLen = Number(b1.val);
+  const sigLen = Number(s1.val);
+  if (hdrLen < 0 || bodyLen < 0 || sigLen < 0) throw new Error("AXIS1_LEN_NEG");
+  if (off + hdrLen + bodyLen + sigLen > buf.length)
+    throw new Error("AXIS1_TRUNCATED_PAYLOAD");
+  const hdr = buf.subarray(off, off + hdrLen);
+  off += hdrLen;
+  const body = buf.subarray(off, off + bodyLen);
+  off += bodyLen;
+  const sig = buf.subarray(off, off + sigLen);
+  off += sigLen;
+  if (off !== buf.length) throw new Error("AXIS1_TRAILING_BYTES");
+  return { ver, flags, hdr, body, sig, frameSize: buf.length };
+}
+
+// src/types/packet.ts
+var T = {
+  /** The specific intent or action (e.g., 'vault.create') */
+  INTENT: TLV_INTENT,
+  /** Package identifier / ID */
+  PID: TLV_PID,
+  /** Versioning of the intent schema */
+  INTENT_VERSION: 10,
+  // Defaulting to TRACE_ID for now or a new tag if available
+  /** Unique identifier for the requesting actor */
+  ACTOR_ID: TLV_ACTOR_ID,
+  /** Optional Capability Token identifier (16 bytes) */
+  CAPSULE_ID: TLV_PROOF_REF,
+  /** Unique session/request identifier (16 bytes) */
+  NONCE: TLV_NONCE,
+  /** High-precision Unix timestamp in milliseconds */
+  TS_MS: TLV_TS,
+  /** Proof type */
+  PROOF_TYPE: TLV_PROOF_TYPE,
+  /** Standard binary body tag */
+  BODY: 100,
+  /** Standard JSON-encoded body tag */
+  JSON: 200
+};
+function buildPacket(hdr, body, sig, flags = 0) {
+  const hm = tlvMap(hdr);
+  const BODY_IS_TLV = 1;
+  const bm = flags & BODY_IS_TLV ? tlvMap(body) : /* @__PURE__ */ new Map();
+  const intent = asUtf8(hm.get(T.INTENT)?.[0]);
+  const intentVerRaw = hm.get(T.INTENT_VERSION)?.[0];
+  const intentVer = intentVerRaw ? Number(asBigintVarint(intentVerRaw)) : 1;
+  const actorIdRaw = hm.get(T.ACTOR_ID)?.[0];
+  const actorId = actorIdRaw ? actorIdRaw.toString("hex") : void 0;
+  const capsuleId = hm.get(T.CAPSULE_ID)?.[0];
+  const pid = hm.get(T.PID)?.[0] || hm.get(T.NONCE)?.[0];
+  const nonce = hm.get(T.NONCE)?.[0];
+  const tsMs = asBigint64BE(hm.get(T.TS_MS)?.[0]);
+  if (!intent) throw new Error("PACKET_MISSING_INTENT");
+  if (!actorId) throw new Error("PACKET_MISSING_ACTOR_ID");
+  if (!nonce || nonce.length < 16 || nonce.length > 32)
+    throw new Error("PACKET_BAD_NONCE");
+  if (!pid) throw new Error("PACKET_MISSING_PID");
+  if (!tsMs) throw new Error("PACKET_MISSING_TS");
+  return {
+    intent,
+    intentVersion: intentVer,
+    actorId,
+    capsuleId,
+    pid,
+    nonce,
+    tsMs,
+    headersMap: hm,
+    bodyMap: bm,
+    hdrBytes: hdr,
+    bodyBytes: body,
+    sig
+  };
+}
+
+// src/sensor/axis-sensor.ts
+var Decision = /* @__PURE__ */ ((Decision2) => {
+  Decision2["ALLOW"] = "ALLOW";
+  Decision2["DENY"] = "DENY";
+  Decision2["THROTTLE"] = "THROTTLE";
+  Decision2["FLAG"] = "FLAG";
+  return Decision2;
+})(Decision || {});
+function normalizeSensorDecision(sensorDecision) {
+  if ("action" in sensorDecision) {
+    switch (sensorDecision.action) {
+      case "ALLOW":
+        return {
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          meta: sensorDecision.meta
+        };
+      case "DENY":
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [sensorDecision.code, sensorDecision.reason].filter(
+            Boolean
+          ),
+          meta: sensorDecision.meta,
+          retryAfterMs: sensorDecision.retryAfterMs
+        };
+      case "THROTTLE":
+        return {
+          allow: false,
+          riskScore: 50,
+          reasons: ["RATE_LIMIT"],
+          retryAfterMs: sensorDecision.retryAfterMs,
+          meta: sensorDecision.meta
+        };
+      case "FLAG":
+        return {
+          allow: true,
+          riskScore: sensorDecision.scoreDelta,
+          reasons: sensorDecision.reasons,
+          meta: sensorDecision.meta
+        };
+    }
+  }
+  return {
+    allow: sensorDecision.allow,
+    riskScore: sensorDecision.riskScore,
+    reasons: sensorDecision.reasons,
+    tags: sensorDecision.tags,
+    meta: sensorDecision.meta,
+    tighten: sensorDecision.tighten,
+    retryAfterMs: sensorDecision.retryAfterMs
+  };
+}
+var SensorDecisions = {
+  allow(meta, tags) {
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      tags,
+      meta
+    };
+  },
+  deny(code, reason, meta) {
+    return {
+      decision: "DENY" /* DENY */,
+      allow: false,
+      riskScore: 100,
+      code,
+      reasons: [code, reason].filter(Boolean),
+      meta
+    };
+  },
+  throttle(retryAfterMs, meta) {
+    return {
+      decision: "THROTTLE" /* THROTTLE */,
+      allow: false,
+      riskScore: 50,
+      retryAfterMs,
+      code: "RATE_LIMIT",
+      reasons: ["RATE_LIMIT"],
+      meta
+    };
+  },
+  flag(scoreDelta, reasons, meta) {
+    return {
+      decision: "FLAG" /* FLAG */,
+      allow: true,
+      riskScore: scoreDelta,
+      scoreDelta,
+      reasons,
+      meta
+    };
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ATS1_HDR,
+  ATS1_SCHEMA,
   AXIS_MAGIC,
   AXIS_VERSION,
+  Ats1Codec,
   AxisFrameZ,
+  AxisPacketTags,
+  ContractViolationError,
+  DEFAULT_CONTRACTS,
+  Decision,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
   ERR_REPLAY_DETECTED,
+  ExecutionMeter,
+  FALLBACK_CONTRACT,
   FLAG_BODY_TLV,
   FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS,
@@ -705,6 +2009,11 @@ function computeReceiptHash(receiptBytes, prevHash) {
   PROOF_JWT,
   PROOF_LOOM,
   PROOF_MTLS,
+  Schema2002_PasskeyLoginOptionsRes,
+  Schema2011_PasskeyLoginVerifyReq,
+  Schema2012_PasskeyLoginVerifyRes,
+  Schema2021_PasskeyRegisterOptionsReq,
+  SensorDecisions,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_EFFECT,
@@ -724,26 +2033,55 @@ function computeReceiptHash(receiptBytes, prevHash) {
   TLV_PREV_HASH,
   TLV_PROOF_REF,
   TLV_PROOF_TYPE,
+  TLV_REALM,
   TLV_RECEIPT_HASH,
   TLV_RID,
   TLV_TRACE_ID,
   TLV_TS,
+  axis1SigningBytes,
+  b64urlDecode,
+  b64urlDecodeString,
+  b64urlEncode,
+  b64urlEncodeString,
+  buildAts1Hdr,
+  buildPacket,
+  buildTLVs,
+  bytes,
+  canonicalJson,
+  canonicalJsonExcluding,
   computeReceiptHash,
   computeSignaturePayload,
   decodeArray,
+  decodeAxis1Frame,
   decodeFrame,
   decodeObject,
   decodeTLVs,
   decodeTLVsList,
   decodeVarint,
+  encVarint,
+  encodeAxis1Frame,
   encodeFrame,
   encodeTLVs,
   encodeVarint,
   generateEd25519KeyPair,
   getSignTarget,
+  nonce16,
+  normalizeSensorDecision,
+  packPasskeyLoginOptionsReq,
+  packPasskeyLoginOptionsRes,
+  packPasskeyLoginVerifyReq,
+  packPasskeyLoginVerifyRes,
+  packPasskeyRegisterOptionsReq,
   sha256,
   signFrame,
+  tlv,
+  u64be,
+  unpackPasskeyLoginOptionsReq,
+  unpackPasskeyLoginVerifyReq,
+  unpackPasskeyRegisterOptionsReq,
+  utf8,
   varintLength,
+  varintU,
   verifyFrameSignature
 });
 //# sourceMappingURL=index.js.map