@nextera.one/axis-server-sdk 0.5.0 → 0.7.0

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { AxisFrame } from './core/index.mjs';
-export { AXIS_MAGIC, AXIS_VERSION, AxisBinaryFrame, AxisFrameZ, TLV as AxisTlvType, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature } from './core/index.mjs';
+export { AXIS_MAGIC, AXIS_VERSION, AxisBinaryFrame, AxisFrameZ, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature } from './core/index.mjs';
 import { OnModuleInit } from '@nestjs/common';
 import 'zod';
 
@@ -683,4 +683,60 @@ interface AxisCrudHandler extends AxisHandlerInit {
     remove(body: Uint8Array, headers?: Map<number, Uint8Array>): Promise<Uint8Array>;
 }
 
-export { ATS1_HDR, ATS1_SCHEMA, type ActorKeyRecord, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisResponse, type AxisSensor, type AxisSensorInit, type AxisSig, type CapsuleBatchBody, type CapsuleBatchResult, type CapsuleIssueBody, type CapsuleIssueResult, type CapsuleMode, type CapsuleRecord, type CapsuleRevokeBody, type CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_ROUTES_KEY, Intent, type IntentExecBody, type IntentOptions, type IntentRoute, IntentRouter, type IssuerKeyRecord, type KeyStatus, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type TickWindow, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildTLVs, bytes, canonicalJson, canonicalJsonExcluding, decodeAxis1Frame, encVarint, encodeAxis1Frame, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, varintU };
+declare function hasScope(scopes: string[], required: string): boolean;
+declare function parseScope(scope: string): {
+    resource: string;
+    id: string;
+} | null;
+declare function canAccessResource(scopes: string[], resourceType: string, resourceId: string): boolean;
+
+declare const CAPABILITIES: {
+    readonly read: "read";
+    readonly write: "write";
+    readonly execute: "execute";
+    readonly admin: "admin";
+    readonly sign: "sign";
+    readonly witness: "witness";
+};
+type Capability = keyof typeof CAPABILITIES;
+declare const PROOF_CAPABILITIES: Record<number, Capability[]>;
+declare const INTENT_REQUIREMENTS: Record<string, Capability[]>;
+
+declare function validateFrameShape(frame: any): boolean;
+declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
+
+declare const AXIS_OPCODES: Set<string>;
+declare function isKnownOpcode(op: string): boolean;
+declare function isAdminOpcode(op: string): boolean;
+
+type ReceiptEffect = 'ALLOW' | 'DENY' | 'ERROR';
+declare function buildReceiptHash(prevHash: Buffer | null, pid: Buffer, actorId: string, intent: string, effect: ReceiptEffect, ts: bigint): Buffer;
+
+declare enum IntentSensitivity {
+    LOW = 1,
+    MEDIUM = 2,
+    HIGH = 3,
+    CRITICAL = 4
+}
+declare const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity>;
+declare function classifyIntent(intent: string): IntentSensitivity;
+declare function sensitivityName(level: IntentSensitivity): string;
+
+declare const INTENT_TIMEOUTS: Record<string, number>;
+declare const DEFAULT_TIMEOUT = 10000;
+declare function resolveTimeout(intent: string): number;
+
+interface IntentDefinition {
+    intent: string;
+    description: string;
+    sensitivity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    requiredProof: string[];
+    contract: {
+        maxDbWrites: number;
+        maxTimeMs: number;
+    };
+    examples?: string[];
+    deprecated?: boolean;
+}
+
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, type ActorKeyRecord, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisResponse, type AxisSensor, type AxisSensorInit, type AxisSig, CAPABILITIES, type Capability, type CapsuleBatchBody, type CapsuleBatchResult, type CapsuleIssueBody, type CapsuleIssueResult, type CapsuleMode, type CapsuleRecord, type CapsuleRevokeBody, type CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentExecBody, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type IssuerKeyRecord, type KeyStatus, PROOF_CAPABILITIES, type ReceiptEffect, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type TickWindow, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, hasScope, isAdminOpcode, isKnownOpcode, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateFrameShape, varintU };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import { AxisFrame } from './core/index.js';
-export { AXIS_MAGIC, AXIS_VERSION, AxisBinaryFrame, AxisFrameZ, TLV as AxisTlvType, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature } from './core/index.js';
+export { AXIS_MAGIC, AXIS_VERSION, AxisBinaryFrame, AxisFrameZ, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature } from './core/index.js';
 import { OnModuleInit } from '@nestjs/common';
 import 'zod';
 
@@ -683,4 +683,60 @@ interface AxisCrudHandler extends AxisHandlerInit {
     remove(body: Uint8Array, headers?: Map<number, Uint8Array>): Promise<Uint8Array>;
 }
 
-export { ATS1_HDR, ATS1_SCHEMA, type ActorKeyRecord, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisResponse, type AxisSensor, type AxisSensorInit, type AxisSig, type CapsuleBatchBody, type CapsuleBatchResult, type CapsuleIssueBody, type CapsuleIssueResult, type CapsuleMode, type CapsuleRecord, type CapsuleRevokeBody, type CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_ROUTES_KEY, Intent, type IntentExecBody, type IntentOptions, type IntentRoute, IntentRouter, type IssuerKeyRecord, type KeyStatus, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type TickWindow, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildTLVs, bytes, canonicalJson, canonicalJsonExcluding, decodeAxis1Frame, encVarint, encodeAxis1Frame, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, varintU };
+declare function hasScope(scopes: string[], required: string): boolean;
+declare function parseScope(scope: string): {
+    resource: string;
+    id: string;
+} | null;
+declare function canAccessResource(scopes: string[], resourceType: string, resourceId: string): boolean;
+
+declare const CAPABILITIES: {
+    readonly read: "read";
+    readonly write: "write";
+    readonly execute: "execute";
+    readonly admin: "admin";
+    readonly sign: "sign";
+    readonly witness: "witness";
+};
+type Capability = keyof typeof CAPABILITIES;
+declare const PROOF_CAPABILITIES: Record<number, Capability[]>;
+declare const INTENT_REQUIREMENTS: Record<string, Capability[]>;
+
+declare function validateFrameShape(frame: any): boolean;
+declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
+
+declare const AXIS_OPCODES: Set<string>;
+declare function isKnownOpcode(op: string): boolean;
+declare function isAdminOpcode(op: string): boolean;
+
+type ReceiptEffect = 'ALLOW' | 'DENY' | 'ERROR';
+declare function buildReceiptHash(prevHash: Buffer | null, pid: Buffer, actorId: string, intent: string, effect: ReceiptEffect, ts: bigint): Buffer;
+
+declare enum IntentSensitivity {
+    LOW = 1,
+    MEDIUM = 2,
+    HIGH = 3,
+    CRITICAL = 4
+}
+declare const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity>;
+declare function classifyIntent(intent: string): IntentSensitivity;
+declare function sensitivityName(level: IntentSensitivity): string;
+
+declare const INTENT_TIMEOUTS: Record<string, number>;
+declare const DEFAULT_TIMEOUT = 10000;
+declare function resolveTimeout(intent: string): number;
+
+interface IntentDefinition {
+    intent: string;
+    description: string;
+    sensitivity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    requiredProof: string[];
+    contract: {
+        maxDbWrites: number;
+        maxTimeMs: number;
+    };
+    examples?: string[];
+    deprecated?: boolean;
+}
+
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, type ActorKeyRecord, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisResponse, type AxisSensor, type AxisSensorInit, type AxisSig, CAPABILITIES, type Capability, type CapsuleBatchBody, type CapsuleBatchResult, type CapsuleIssueBody, type CapsuleIssueResult, type CapsuleMode, type CapsuleRecord, type CapsuleRevokeBody, type CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentExecBody, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type IssuerKeyRecord, type KeyStatus, PROOF_CAPABILITIES, type ReceiptEffect, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type TickWindow, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, hasScope, isAdminOpcode, isKnownOpcode, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateFrameShape, varintU };

package/dist/index.js

@@ -40,12 +40,16 @@ __export(index_exports, {
   ATS1_HDR: () => ATS1_HDR,
   ATS1_SCHEMA: () => ATS1_SCHEMA,
   AXIS_MAGIC: () => AXIS_MAGIC,
+  AXIS_OPCODES: () => AXIS_OPCODES,
   AXIS_VERSION: () => AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
   AxisFrameZ: () => AxisFrameZ,
   AxisPacketTags: () => T,
+  BodyProfile: () => BodyProfile,
+  CAPABILITIES: () => CAPABILITIES,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
+  DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
   Decision: () => Decision,
   ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
@@ -58,17 +62,35 @@ __export(index_exports, {
   FLAG_HAS_WITNESS: () => FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
   Handler: () => Handler,
+  INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
   INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
+  INTENT_SENSITIVITY_MAP: () => INTENT_SENSITIVITY_MAP,
+  INTENT_TIMEOUTS: () => INTENT_TIMEOUTS,
   Intent: () => Intent,
   IntentRouter: () => IntentRouter,
+  IntentSensitivity: () => IntentSensitivity,
   MAX_BODY_LEN: () => MAX_BODY_LEN,
   MAX_FRAME_LEN: () => MAX_FRAME_LEN,
   MAX_HDR_LEN: () => MAX_HDR_LEN,
   MAX_SIG_LEN: () => MAX_SIG_LEN,
+  NCERT_ALG: () => NCERT_ALG,
+  NCERT_EXP: () => NCERT_EXP,
+  NCERT_ISSUER_KID: () => NCERT_ISSUER_KID,
+  NCERT_KID: () => NCERT_KID,
+  NCERT_NBF: () => NCERT_NBF,
+  NCERT_NODE_ID: () => NCERT_NODE_ID,
+  NCERT_PAYLOAD: () => NCERT_PAYLOAD,
+  NCERT_PUB: () => NCERT_PUB,
+  NCERT_SCOPE: () => NCERT_SCOPE,
+  NCERT_SIG: () => NCERT_SIG,
+  PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => PROOF_CAPSULE,
   PROOF_JWT: () => PROOF_JWT,
   PROOF_LOOM: () => PROOF_LOOM,
   PROOF_MTLS: () => PROOF_MTLS,
+  PROOF_NONE: () => PROOF_NONE,
+  PROOF_WITNESS: () => PROOF_WITNESS,
+  ProofType: () => ProofType,
   Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
@@ -76,6 +98,8 @@ __export(index_exports, {
   SensorDecisions: () => SensorDecisions,
   TLV_ACTOR_ID: () => TLV_ACTOR_ID,
   TLV_AUD: () => TLV_AUD,
+  TLV_BODY_ARR: () => TLV_BODY_ARR,
+  TLV_BODY_OBJ: () => TLV_BODY_OBJ,
   TLV_CAPSULE: () => TLV_CAPSULE,
   TLV_EFFECT: () => TLV_EFFECT,
   TLV_ERROR_CODE: () => TLV_ERROR_CODE,
@@ -110,10 +134,13 @@ __export(index_exports, {
   b64urlEncodeString: () => b64urlEncodeString,
   buildAts1Hdr: () => buildAts1Hdr,
   buildPacket: () => buildPacket,
+  buildReceiptHash: () => buildReceiptHash,
   buildTLVs: () => buildTLVs,
   bytes: () => bytes,
+  canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
   decodeArray: () => decodeArray,
@@ -130,6 +157,10 @@ __export(index_exports, {
   encodeVarint: () => encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
+  hasScope: () => hasScope,
+  isAdminOpcode: () => isAdminOpcode,
+  isKnownOpcode: () => isKnownOpcode,
+  isTimestampValid: () => isTimestampValid,
   nonce16: () => nonce16,
   normalizeSensorDecision: () => normalizeSensorDecision,
   packPasskeyLoginOptionsReq: () => packPasskeyLoginOptionsReq,
@@ -137,6 +168,9 @@ __export(index_exports, {
   packPasskeyLoginVerifyReq: () => packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes: () => packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
+  parseScope: () => parseScope,
+  resolveTimeout: () => resolveTimeout,
+  sensitivityName: () => sensitivityName,
   sha256: () => sha256,
   signFrame: () => signFrame,
   tlv: () => tlv,
@@ -145,6 +179,7 @@ __export(index_exports, {
   unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
   utf8: () => utf8,
+  validateFrameShape: () => validateFrameShape,
   varintLength: () => varintLength,
   varintU: () => varintU,
   verifyFrameSignature: () => verifyFrameSignature
@@ -378,10 +413,40 @@ var TLV_INDEX = 71;
 var TLV_OFFSET = 72;
 var TLV_SHA256_CHUNK = 73;
 var TLV_CAPSULE = 90;
+var TLV_BODY_OBJ = 254;
+var TLV_BODY_ARR = 255;
+var NCERT_NODE_ID = 1;
+var NCERT_KID = 2;
+var NCERT_ALG = 3;
+var NCERT_PUB = 4;
+var NCERT_NBF = 5;
+var NCERT_EXP = 6;
+var NCERT_SCOPE = 7;
+var NCERT_ISSUER_KID = 8;
+var NCERT_PAYLOAD = 50;
+var NCERT_SIG = 51;
+var PROOF_NONE = 0;
 var PROOF_CAPSULE = 1;
 var PROOF_JWT = 2;
 var PROOF_MTLS = 3;
 var PROOF_LOOM = 4;
+var PROOF_WITNESS = 5;
+var ProofType = /* @__PURE__ */ ((ProofType2) => {
+  ProofType2[ProofType2["NONE"] = 0] = "NONE";
+  ProofType2[ProofType2["CAPSULE"] = 1] = "CAPSULE";
+  ProofType2[ProofType2["JWT"] = 2] = "JWT";
+  ProofType2[ProofType2["MTLS"] = 3] = "MTLS";
+  ProofType2[ProofType2["LOOM"] = 4] = "LOOM";
+  ProofType2[ProofType2["WITNESS"] = 5] = "WITNESS";
+  return ProofType2;
+})(ProofType || {});
+var BodyProfile = /* @__PURE__ */ ((BodyProfile2) => {
+  BodyProfile2[BodyProfile2["RAW"] = 0] = "RAW";
+  BodyProfile2[BodyProfile2["TLV_MAP"] = 1] = "TLV_MAP";
+  BodyProfile2[BodyProfile2["OBJ"] = 2] = "OBJ";
+  BodyProfile2[BodyProfile2["ARR"] = 3] = "ARR";
+  return BodyProfile2;
+})(BodyProfile || {});
 var ERR_INVALID_PACKET = "INVALID_PACKET";
 var ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
 var ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
@@ -1985,17 +2050,244 @@ var SensorDecisions = {
     };
   }
 };
+
+// src/security/scopes.ts
+function hasScope(scopes, required) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    return false;
+  }
+  if (scopes.includes(required)) {
+    return true;
+  }
+  const [resource, id] = required.split(":");
+  if (resource && id) {
+    const wildcard = `${resource}:*`;
+    if (scopes.includes(wildcard)) {
+      return true;
+    }
+  }
+  return false;
+}
+function parseScope(scope) {
+  const parts = scope.split(":");
+  if (parts.length !== 2) return null;
+  return { resource: parts[0], id: parts[1] };
+}
+function canAccessResource(scopes, resourceType, resourceId) {
+  const required = `${resourceType}:${resourceId}`;
+  return hasScope(scopes, required);
+}
+
+// src/security/capabilities.ts
+var CAPABILITIES = {
+  read: "read",
+  write: "write",
+  execute: "execute",
+  admin: "admin",
+  sign: "sign",
+  witness: "witness"
+};
+var PROOF_CAPABILITIES = {
+  [PROOF_NONE]: [],
+  [PROOF_CAPSULE]: ["read", "write", "execute"],
+  [PROOF_JWT]: ["read"],
+  [PROOF_MTLS]: ["read", "write", "admin"],
+  [PROOF_LOOM]: ["read", "write", "execute"],
+  [PROOF_WITNESS]: ["read", "write", "execute", "witness"]
+};
+var INTENT_REQUIREMENTS = {
+  "public.*": [],
+  "schema.*": [],
+  "catalog.*": [],
+  "health.*": [],
+  "system.*": [],
+  "file.upload": ["write"],
+  "file.download": ["read"],
+  "file.delete": ["write", "admin"],
+  "passport.issue": ["write", "execute"],
+  "passport.revoke": ["write", "witness"],
+  "stream.publish": ["write"],
+  "stream.subscribe": ["read"],
+  "admin.*": ["admin"]
+};
+
+// src/core/frame-validator.ts
+function validateFrameShape(frame) {
+  if (!frame || typeof frame !== "object") {
+    return false;
+  }
+  if (frame.v !== 1) {
+    return false;
+  }
+  const requiredStrings = ["pid", "nonce", "actorId", "opcode"];
+  for (const key of requiredStrings) {
+    if (typeof frame[key] !== "string" || frame[key].length < 6) {
+      return false;
+    }
+  }
+  if (typeof frame.ts !== "number" || !Number.isFinite(frame.ts)) {
+    return false;
+  }
+  if (frame.aud !== void 0 && (typeof frame.aud !== "string" || frame.aud.length === 0)) {
+    return false;
+  }
+  if (!frame.sig || typeof frame.sig !== "object") {
+    return false;
+  }
+  if (frame.sig.alg !== "EdDSA") {
+    return false;
+  }
+  if (typeof frame.sig.kid !== "string" || frame.sig.kid.length < 8) {
+    return false;
+  }
+  if (typeof frame.sig.value !== "string" || frame.sig.value.length < 32) {
+    return false;
+  }
+  if (typeof frame.body !== "object" || frame.body === null) {
+    return false;
+  }
+  return true;
+}
+function isTimestampValid(ts, skewSeconds = 120) {
+  const now = Math.floor(Date.now() / 1e3);
+  const diff = Math.abs(now - ts);
+  return diff <= skewSeconds;
+}
+
+// src/core/opcodes.ts
+var AXIS_OPCODES = /* @__PURE__ */ new Set([
+  "CAPSULE.ISSUE",
+  "CAPSULE.BATCH",
+  "CAPSULE.REVOKE",
+  "INTENT.EXEC",
+  "ACTOR.KEY.ROTATE",
+  "ACTOR.KEY.REVOKE",
+  "ISSUER.KEY.ROTATE"
+]);
+function isKnownOpcode(op) {
+  return AXIS_OPCODES.has(op);
+}
+function isAdminOpcode(op) {
+  return op.startsWith("ACTOR.KEY.") || op.startsWith("ISSUER.KEY.");
+}
+
+// src/core/receipt.ts
+var import_crypto3 = require("crypto");
+function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
+  const h = (0, import_crypto3.createHash)("sha256");
+  if (prevHash) h.update(prevHash);
+  h.update(pid);
+  h.update(Buffer.from(actorId, "utf8"));
+  h.update(Buffer.from(intent, "utf8"));
+  h.update(Buffer.from(effect, "utf8"));
+  h.update(Buffer.from(ts.toString(), "utf8"));
+  return h.digest();
+}
+
+// src/core/intent-sensitivity.ts
+var IntentSensitivity = /* @__PURE__ */ ((IntentSensitivity2) => {
+  IntentSensitivity2[IntentSensitivity2["LOW"] = 1] = "LOW";
+  IntentSensitivity2[IntentSensitivity2["MEDIUM"] = 2] = "MEDIUM";
+  IntentSensitivity2[IntentSensitivity2["HIGH"] = 3] = "HIGH";
+  IntentSensitivity2[IntentSensitivity2["CRITICAL"] = 4] = "CRITICAL";
+  return IntentSensitivity2;
+})(IntentSensitivity || {});
+var INTENT_SENSITIVITY_MAP = {
+  // System intents
+  "system.ping": 1 /* LOW */,
+  // Catalog intents
+  "catalog.list": 1 /* LOW */,
+  "catalog.search": 1 /* LOW */,
+  "catalog.intent.describe": 1 /* LOW */,
+  "catalog.intent.complete": 1 /* LOW */,
+  // Stream intents
+  "stream.publish": 2 /* MEDIUM */,
+  "stream.read": 2 /* MEDIUM */,
+  "stream.subscribe": 2 /* MEDIUM */,
+  // File intents
+  "file.init": 2 /* MEDIUM */,
+  "file.chunk": 2 /* MEDIUM */,
+  "file.finalize": 2 /* MEDIUM */,
+  "file.status": 1 /* LOW */,
+  // Passport intents
+  "passport.issue": 3 /* HIGH */,
+  "passport.verify": 2 /* MEDIUM */,
+  "passport.revoke": 4 /* CRITICAL */,
+  // Mail intents
+  "mail.send": 3 /* HIGH */,
+  // Admin intents
+  "admin.create_capsule": 4 /* CRITICAL */,
+  "admin.revoke_capsule": 4 /* CRITICAL */,
+  "admin.issue_node_cert": 4 /* CRITICAL */
+};
+function classifyIntent(intent) {
+  if (INTENT_SENSITIVITY_MAP[intent]) {
+    return INTENT_SENSITIVITY_MAP[intent];
+  }
+  const realm = intent.split(".")[0];
+  const wildcardKey = `${realm}.*`;
+  if (INTENT_SENSITIVITY_MAP[wildcardKey]) {
+    return INTENT_SENSITIVITY_MAP[wildcardKey];
+  }
+  return 2 /* MEDIUM */;
+}
+function sensitivityName(level) {
+  switch (level) {
+    case 1 /* LOW */:
+      return "LOW";
+    case 2 /* MEDIUM */:
+      return "MEDIUM";
+    case 3 /* HIGH */:
+      return "HIGH";
+    case 4 /* CRITICAL */:
+      return "CRITICAL";
+  }
+}
+
+// src/core/timeouts.ts
+var INTENT_TIMEOUTS = {
+  "public.*": 5e3,
+  "schema.*": 5e3,
+  "catalog.*": 5e3,
+  "health.*": 2e3,
+  "file.upload": 6e4,
+  "file.download": 6e4,
+  "file.chunk": 3e4,
+  "file.finalize": 3e4,
+  "stream.*": 3e4,
+  "passport.*": 15e3,
+  "admin.*": 3e4
+};
+var DEFAULT_TIMEOUT = 1e4;
+function resolveTimeout(intent) {
+  if (INTENT_TIMEOUTS[intent]) {
+    return INTENT_TIMEOUTS[intent];
+  }
+  for (const [pattern, timeout] of Object.entries(INTENT_TIMEOUTS)) {
+    if (pattern.endsWith(".*")) {
+      const prefix = pattern.slice(0, -1);
+      if (intent.startsWith(prefix)) {
+        return timeout;
+      }
+    }
+  }
+  return DEFAULT_TIMEOUT;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
   ATS1_SCHEMA,
   AXIS_MAGIC,
+  AXIS_OPCODES,
   AXIS_VERSION,
   Ats1Codec,
   AxisFrameZ,
   AxisPacketTags,
+  BodyProfile,
+  CAPABILITIES,
   ContractViolationError,
   DEFAULT_CONTRACTS,
+  DEFAULT_TIMEOUT,
   Decision,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
@@ -2008,17 +2300,35 @@ var SensorDecisions = {
   FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY,
   Handler,
+  INTENT_REQUIREMENTS,
   INTENT_ROUTES_KEY,
+  INTENT_SENSITIVITY_MAP,
+  INTENT_TIMEOUTS,
   Intent,
   IntentRouter,
+  IntentSensitivity,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
   MAX_SIG_LEN,
+  NCERT_ALG,
+  NCERT_EXP,
+  NCERT_ISSUER_KID,
+  NCERT_KID,
+  NCERT_NBF,
+  NCERT_NODE_ID,
+  NCERT_PAYLOAD,
+  NCERT_PUB,
+  NCERT_SCOPE,
+  NCERT_SIG,
+  PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
   PROOF_LOOM,
   PROOF_MTLS,
+  PROOF_NONE,
+  PROOF_WITNESS,
+  ProofType,
   Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes,
@@ -2026,6 +2336,8 @@ var SensorDecisions = {
   SensorDecisions,
   TLV_ACTOR_ID,
   TLV_AUD,
+  TLV_BODY_ARR,
+  TLV_BODY_OBJ,
   TLV_CAPSULE,
   TLV_EFFECT,
   TLV_ERROR_CODE,
@@ -2060,10 +2372,13 @@ var SensorDecisions = {
   b64urlEncodeString,
   buildAts1Hdr,
   buildPacket,
+  buildReceiptHash,
   buildTLVs,
   bytes,
+  canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
   decodeArray,
@@ -2080,6 +2395,10 @@ var SensorDecisions = {
   encodeVarint,
   generateEd25519KeyPair,
   getSignTarget,
+  hasScope,
+  isAdminOpcode,
+  isKnownOpcode,
+  isTimestampValid,
   nonce16,
   normalizeSensorDecision,
   packPasskeyLoginOptionsReq,
@@ -2087,6 +2406,9 @@ var SensorDecisions = {
   packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq,
+  parseScope,
+  resolveTimeout,
+  sensitivityName,
   sha256,
   signFrame,
   tlv,
@@ -2095,6 +2417,7 @@ var SensorDecisions = {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
+  validateFrameShape,
   varintLength,
   varintU,
   verifyFrameSignature