@nextera.one/axis-server-sdk 0.8.0 → 0.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/index.d.mts +1 -1
- package/dist/core/index.d.ts +1 -1
- package/dist/index.d.mts +296 -110
- package/dist/index.d.ts +296 -110
- package/dist/index.js +620 -5
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +581 -5
- package/dist/index.mjs.map +1 -1
- package/package.json +6 -6
package/dist/core/index.d.mts
CHANGED
|
@@ -5,7 +5,7 @@ declare const AxisFrameZ: z.ZodObject<{
|
|
|
5
5
|
headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
|
|
6
6
|
body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
|
|
7
7
|
sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
|
|
8
|
-
}, z.
|
|
8
|
+
}, z.core.$strip>;
|
|
9
9
|
type AxisFrame = z.infer<typeof AxisFrameZ>;
|
|
10
10
|
type AxisBinaryFrame = AxisFrame;
|
|
11
11
|
declare function encodeFrame(frame: AxisFrame): Uint8Array;
|
package/dist/core/index.d.ts
CHANGED
|
@@ -5,7 +5,7 @@ declare const AxisFrameZ: z.ZodObject<{
|
|
|
5
5
|
headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
|
|
6
6
|
body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
|
|
7
7
|
sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
|
|
8
|
-
}, z.
|
|
8
|
+
}, z.core.$strip>;
|
|
9
9
|
type AxisFrame = z.infer<typeof AxisFrameZ>;
|
|
10
10
|
type AxisBinaryFrame = AxisFrame;
|
|
11
11
|
declare function encodeFrame(frame: AxisFrame): Uint8Array;
|
package/dist/index.d.mts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { AxisFrame } from './core/index.mjs';
|
|
1
|
+
import { AxisFrame as AxisFrame$1 } from './core/index.mjs';
|
|
2
2
|
export { AXIS_MAGIC, AXIS_VERSION, AxisBinaryFrame, AxisFrameZ, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, computeReceiptHash, computeSignaturePayload, decodeArray, decodeFrame, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeFrame, encodeTLVs, encodeVarint, generateEd25519KeyPair, getSignTarget, sha256, signFrame, varintLength, verifyFrameSignature } from './core/index.mjs';
|
|
3
3
|
import 'zod';
|
|
4
4
|
|
|
@@ -29,7 +29,7 @@ declare class IntentRouter {
|
|
|
29
29
|
private handlers;
|
|
30
30
|
register(intent: string, handler: any): void;
|
|
31
31
|
registerHandler(instance: any): void;
|
|
32
|
-
route(frame: AxisFrame): Promise<AxisEffect>;
|
|
32
|
+
route(frame: AxisFrame$1): Promise<AxisEffect>;
|
|
33
33
|
private recordLatency;
|
|
34
34
|
}
|
|
35
35
|
|
|
@@ -307,12 +307,11 @@ declare function b64urlDecodeString(str: string, encoding?: BufferEncoding): str
|
|
|
307
307
|
declare function canonicalJson(value: any): string;
|
|
308
308
|
declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
|
|
309
309
|
|
|
310
|
-
type AxisAlg = 'EdDSA' | 'ES256' | 'RS256';
|
|
311
|
-
type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
|
|
310
|
+
type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
|
|
312
311
|
type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
|
|
313
312
|
type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
|
|
314
|
-
interface AxisSig {
|
|
315
|
-
alg: AxisAlg;
|
|
313
|
+
interface AxisSig$1 {
|
|
314
|
+
alg: AxisAlg$1;
|
|
316
315
|
kid: string;
|
|
317
316
|
value: string;
|
|
318
317
|
}
|
|
@@ -324,7 +323,7 @@ interface AxisPacket$1<T = any> {
|
|
|
324
323
|
actorId: string;
|
|
325
324
|
opcode: string;
|
|
326
325
|
body: T;
|
|
327
|
-
sig: AxisSig;
|
|
326
|
+
sig: AxisSig$1;
|
|
328
327
|
}
|
|
329
328
|
interface AxisCapsuleConstraints {
|
|
330
329
|
maxAmount?: number;
|
|
@@ -336,7 +335,7 @@ interface AxisCapsuleConstraints {
|
|
|
336
335
|
sessionIdLock?: string;
|
|
337
336
|
nonceRequired?: boolean;
|
|
338
337
|
}
|
|
339
|
-
interface TickWindow {
|
|
338
|
+
interface TickWindow$1 {
|
|
340
339
|
start: number;
|
|
341
340
|
end: number;
|
|
342
341
|
}
|
|
@@ -353,7 +352,7 @@ interface AxisCapsulePayload {
|
|
|
353
352
|
iat: number;
|
|
354
353
|
nbf?: number;
|
|
355
354
|
exp: number;
|
|
356
|
-
tickWindow?: TickWindow;
|
|
355
|
+
tickWindow?: TickWindow$1;
|
|
357
356
|
mode: CapsuleMode;
|
|
358
357
|
maxUses: number;
|
|
359
358
|
nonceSeed?: string;
|
|
@@ -362,41 +361,7 @@ interface AxisCapsulePayload {
|
|
|
362
361
|
constraints?: AxisCapsuleConstraints;
|
|
363
362
|
meta?: Record<string, unknown>;
|
|
364
363
|
}
|
|
365
|
-
interface
|
|
366
|
-
payload: AxisCapsulePayload;
|
|
367
|
-
sig: AxisSig;
|
|
368
|
-
}
|
|
369
|
-
interface CapsuleIssueBody {
|
|
370
|
-
intent: string;
|
|
371
|
-
audience: string;
|
|
372
|
-
scopes: string[];
|
|
373
|
-
subject?: string;
|
|
374
|
-
mode: CapsuleMode;
|
|
375
|
-
maxUses?: number;
|
|
376
|
-
expSeconds?: number;
|
|
377
|
-
constraints?: AxisCapsuleConstraints;
|
|
378
|
-
hints?: {
|
|
379
|
-
ip?: string;
|
|
380
|
-
ua?: string;
|
|
381
|
-
deviceId?: string;
|
|
382
|
-
geo?: string;
|
|
383
|
-
};
|
|
384
|
-
}
|
|
385
|
-
interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
|
|
386
|
-
count: number;
|
|
387
|
-
mode: 'SINGLE_USE';
|
|
388
|
-
}
|
|
389
|
-
interface IntentExecBody {
|
|
390
|
-
intent: string;
|
|
391
|
-
capsule: AxisCapsule;
|
|
392
|
-
execNonce?: string;
|
|
393
|
-
args: Record<string, any>;
|
|
394
|
-
}
|
|
395
|
-
interface CapsuleRevokeBody {
|
|
396
|
-
capsuleId: string;
|
|
397
|
-
reason: string;
|
|
398
|
-
}
|
|
399
|
-
interface AxisResponse<T = any> {
|
|
364
|
+
interface AxisResponse$1<T = any> {
|
|
400
365
|
ok: boolean;
|
|
401
366
|
pid: string;
|
|
402
367
|
decisionId: string;
|
|
@@ -405,71 +370,6 @@ interface AxisResponse<T = any> {
|
|
|
405
370
|
data?: T;
|
|
406
371
|
meta?: Record<string, unknown>;
|
|
407
372
|
}
|
|
408
|
-
interface CapsuleIssueResult {
|
|
409
|
-
capsule: AxisCapsule;
|
|
410
|
-
}
|
|
411
|
-
interface CapsuleBatchResult {
|
|
412
|
-
capsules: AxisCapsule[];
|
|
413
|
-
}
|
|
414
|
-
interface ActorKeyRecord {
|
|
415
|
-
id: Buffer;
|
|
416
|
-
actor_id: string;
|
|
417
|
-
key_id: string;
|
|
418
|
-
algorithm: string;
|
|
419
|
-
public_key: Buffer;
|
|
420
|
-
purpose: string;
|
|
421
|
-
status: KeyStatus;
|
|
422
|
-
is_primary: boolean;
|
|
423
|
-
not_before: Date | null;
|
|
424
|
-
expires_at: Date | null;
|
|
425
|
-
rotated_from_key_id: string | null;
|
|
426
|
-
revoked_at: Date | null;
|
|
427
|
-
revocation_reason: string | null;
|
|
428
|
-
metadata: any;
|
|
429
|
-
created_at: Date;
|
|
430
|
-
updated_at: Date;
|
|
431
|
-
}
|
|
432
|
-
interface IssuerKeyRecord {
|
|
433
|
-
id: Buffer;
|
|
434
|
-
kid: string;
|
|
435
|
-
issuer_id: string;
|
|
436
|
-
alg: string;
|
|
437
|
-
public_key_pem: string;
|
|
438
|
-
status: KeyStatus;
|
|
439
|
-
not_before: Date | null;
|
|
440
|
-
not_after: Date | null;
|
|
441
|
-
fingerprint: string | null;
|
|
442
|
-
metadata: any;
|
|
443
|
-
created_at: Date;
|
|
444
|
-
updated_at: Date;
|
|
445
|
-
}
|
|
446
|
-
interface CapsuleRecord {
|
|
447
|
-
id: Buffer;
|
|
448
|
-
capsule_id: string;
|
|
449
|
-
actor_id: string;
|
|
450
|
-
intent: string;
|
|
451
|
-
audience: string;
|
|
452
|
-
issuer: string;
|
|
453
|
-
subject: string | null;
|
|
454
|
-
status: CapsuleStatus;
|
|
455
|
-
mode: CapsuleMode;
|
|
456
|
-
max_uses: number;
|
|
457
|
-
used_count: number;
|
|
458
|
-
iat: Date;
|
|
459
|
-
nbf: Date | null;
|
|
460
|
-
exp: Date;
|
|
461
|
-
scopes_json: any;
|
|
462
|
-
constraints_json: any;
|
|
463
|
-
policy_refs_json: any;
|
|
464
|
-
risk_score: number | null;
|
|
465
|
-
payload_hash: Buffer;
|
|
466
|
-
sig_alg: string;
|
|
467
|
-
sig_kid: string;
|
|
468
|
-
sig_value: Buffer;
|
|
469
|
-
created_at: Date;
|
|
470
|
-
updated_at: Date;
|
|
471
|
-
last_used_at: Date | null;
|
|
472
|
-
}
|
|
473
373
|
|
|
474
374
|
declare class ContractViolationError extends Error {
|
|
475
375
|
code: string;
|
|
@@ -546,6 +446,26 @@ type AxisPacket = {
|
|
|
546
446
|
};
|
|
547
447
|
declare function buildPacket(hdr: Buffer, body: Buffer, sig: Buffer, flags?: number): AxisPacket;
|
|
548
448
|
|
|
449
|
+
type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
|
|
450
|
+
type AxisSig = AxisSig$1 & {
|
|
451
|
+
alg: AxisAlg;
|
|
452
|
+
};
|
|
453
|
+
interface AxisFrame<T = any> {
|
|
454
|
+
v: 1;
|
|
455
|
+
pid: string;
|
|
456
|
+
nonce: string;
|
|
457
|
+
ts: number;
|
|
458
|
+
actorId: string;
|
|
459
|
+
aud?: string;
|
|
460
|
+
opcode: string;
|
|
461
|
+
headers: Map<number, Uint8Array>;
|
|
462
|
+
body: T;
|
|
463
|
+
sig: AxisSig;
|
|
464
|
+
}
|
|
465
|
+
type AxisResponse<T = any> = AxisResponse$1<T> & {
|
|
466
|
+
policyRefs?: string[];
|
|
467
|
+
riskScore?: number;
|
|
468
|
+
};
|
|
549
469
|
interface AxisObservedContext {
|
|
550
470
|
ip?: string;
|
|
551
471
|
ua?: string;
|
|
@@ -703,6 +623,27 @@ type Capability = keyof typeof CAPABILITIES;
|
|
|
703
623
|
declare const PROOF_CAPABILITIES: Record<number, Capability[]>;
|
|
704
624
|
declare const INTENT_REQUIREMENTS: Record<string, Capability[]>;
|
|
705
625
|
|
|
626
|
+
interface RiskSignal {
|
|
627
|
+
type: string;
|
|
628
|
+
severity: 'low' | 'medium' | 'high' | 'critical';
|
|
629
|
+
value: any;
|
|
630
|
+
message: string;
|
|
631
|
+
}
|
|
632
|
+
declare enum RiskDecision {
|
|
633
|
+
ALLOW = "ALLOW",
|
|
634
|
+
THROTTLE = "THROTTLE",
|
|
635
|
+
STEP_UP = "STEP_UP",
|
|
636
|
+
WITNESS = "WITNESS",
|
|
637
|
+
DENY = "DENY"
|
|
638
|
+
}
|
|
639
|
+
interface RiskEvaluation {
|
|
640
|
+
decision: RiskDecision;
|
|
641
|
+
reason?: string;
|
|
642
|
+
retryAfterMs?: number;
|
|
643
|
+
confidence: number;
|
|
644
|
+
signals: RiskSignal[];
|
|
645
|
+
}
|
|
646
|
+
|
|
706
647
|
declare const AXIS_OPCODES: Set<string>;
|
|
707
648
|
declare function isKnownOpcode(op: string): boolean;
|
|
708
649
|
declare function isAdminOpcode(op: string): boolean;
|
|
@@ -737,4 +678,249 @@ interface IntentDefinition {
|
|
|
737
678
|
deprecated?: boolean;
|
|
738
679
|
}
|
|
739
680
|
|
|
740
|
-
|
|
681
|
+
declare function validateFrameShape(frame: any): boolean;
|
|
682
|
+
declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
|
|
683
|
+
|
|
684
|
+
declare enum DeviceType {
|
|
685
|
+
MOBILE = "mobile",
|
|
686
|
+
BROWSER = "browser",
|
|
687
|
+
CLI = "cli",
|
|
688
|
+
SERVICE = "service"
|
|
689
|
+
}
|
|
690
|
+
declare enum DeviceTrustLevel {
|
|
691
|
+
PRIMARY = "primary",
|
|
692
|
+
TRUSTED = "trusted",
|
|
693
|
+
EPHEMERAL = "ephemeral"
|
|
694
|
+
}
|
|
695
|
+
declare enum DeviceStatus {
|
|
696
|
+
ACTIVE = "active",
|
|
697
|
+
REVOKED = "revoked",
|
|
698
|
+
SUSPENDED = "suspended"
|
|
699
|
+
}
|
|
700
|
+
interface DeviceRecord {
|
|
701
|
+
device_uid: string;
|
|
702
|
+
user_uid: string;
|
|
703
|
+
name: string;
|
|
704
|
+
type: DeviceType;
|
|
705
|
+
trust_level: DeviceTrustLevel;
|
|
706
|
+
status: DeviceStatus;
|
|
707
|
+
public_key: string;
|
|
708
|
+
key_algorithm: string;
|
|
709
|
+
created_at: string;
|
|
710
|
+
last_seen_at?: string;
|
|
711
|
+
revoked_at?: string;
|
|
712
|
+
revoked_reason?: string;
|
|
713
|
+
}
|
|
714
|
+
declare enum LoginChallengeStatus {
|
|
715
|
+
PENDING = "pending",
|
|
716
|
+
SCANNED = "scanned",
|
|
717
|
+
APPROVED = "approved",
|
|
718
|
+
REJECTED = "rejected",
|
|
719
|
+
EXPIRED = "expired"
|
|
720
|
+
}
|
|
721
|
+
interface LoginChallengeRecord {
|
|
722
|
+
challenge_uid: string;
|
|
723
|
+
status: LoginChallengeStatus;
|
|
724
|
+
browser_public_key: string;
|
|
725
|
+
browser_key_algorithm: string;
|
|
726
|
+
browser_label?: string;
|
|
727
|
+
requested_trust: DeviceTrustLevel;
|
|
728
|
+
origin?: string;
|
|
729
|
+
qr_hash: string;
|
|
730
|
+
created_at: string;
|
|
731
|
+
expires_at: string;
|
|
732
|
+
scanned_at?: string;
|
|
733
|
+
scanned_by_device_uid?: string;
|
|
734
|
+
approved_at?: string;
|
|
735
|
+
}
|
|
736
|
+
declare enum TickAuthChallengeStatus {
|
|
737
|
+
PENDING = "pending",
|
|
738
|
+
FULFILLED = "fulfilled",
|
|
739
|
+
REJECTED = "rejected",
|
|
740
|
+
EXPIRED = "expired"
|
|
741
|
+
}
|
|
742
|
+
interface TickWindow {
|
|
743
|
+
start: string;
|
|
744
|
+
end: string;
|
|
745
|
+
}
|
|
746
|
+
interface TickAuthChallengeRecord {
|
|
747
|
+
challenge_uid: string;
|
|
748
|
+
login_challenge_uid?: string;
|
|
749
|
+
status: TickAuthChallengeStatus;
|
|
750
|
+
tick_window: TickWindow;
|
|
751
|
+
purpose: string;
|
|
752
|
+
payload_hash?: string;
|
|
753
|
+
fulfilled_at?: string;
|
|
754
|
+
fulfilled_by_device_uid?: string;
|
|
755
|
+
}
|
|
756
|
+
declare enum NestFlowCapsuleType {
|
|
757
|
+
LOGIN = "login",
|
|
758
|
+
DEVICE_REGISTRATION = "device_registration",
|
|
759
|
+
STEP_UP = "step_up",
|
|
760
|
+
RECOVERY = "recovery"
|
|
761
|
+
}
|
|
762
|
+
declare enum CapsuleStatus {
|
|
763
|
+
ACTIVE = "active",
|
|
764
|
+
CONSUMED = "consumed",
|
|
765
|
+
REVOKED = "revoked",
|
|
766
|
+
EXPIRED = "expired"
|
|
767
|
+
}
|
|
768
|
+
interface NestFlowCapsuleScope {
|
|
769
|
+
type: NestFlowCapsuleType;
|
|
770
|
+
intents: string[];
|
|
771
|
+
device_uid?: string;
|
|
772
|
+
login_challenge_uid?: string;
|
|
773
|
+
}
|
|
774
|
+
declare enum SessionStatus {
|
|
775
|
+
ACTIVE = "active",
|
|
776
|
+
EXPIRED = "expired",
|
|
777
|
+
REVOKED = "revoked"
|
|
778
|
+
}
|
|
779
|
+
interface SessionRecord {
|
|
780
|
+
session_uid: string;
|
|
781
|
+
user_uid: string;
|
|
782
|
+
device_uid: string;
|
|
783
|
+
capsule_uid: string;
|
|
784
|
+
status: SessionStatus;
|
|
785
|
+
issued_at: string;
|
|
786
|
+
expires_at: string;
|
|
787
|
+
last_refreshed_at?: string;
|
|
788
|
+
revoked_at?: string;
|
|
789
|
+
revoked_reason?: string;
|
|
790
|
+
}
|
|
791
|
+
declare enum TrustLinkType {
|
|
792
|
+
LOGIN = "login",
|
|
793
|
+
PROMOTION = "promotion",
|
|
794
|
+
RECOVERY = "recovery"
|
|
795
|
+
}
|
|
796
|
+
declare enum TrustLinkStatus {
|
|
797
|
+
ACTIVE = "active",
|
|
798
|
+
REVOKED = "revoked"
|
|
799
|
+
}
|
|
800
|
+
interface DeviceTrustLinkRecord {
|
|
801
|
+
link_uid: string;
|
|
802
|
+
issuer_device_uid: string;
|
|
803
|
+
target_device_uid: string;
|
|
804
|
+
type: TrustLinkType;
|
|
805
|
+
status: TrustLinkStatus;
|
|
806
|
+
issued_at: string;
|
|
807
|
+
revoked_at?: string;
|
|
808
|
+
}
|
|
809
|
+
declare enum AuthLevel {
|
|
810
|
+
SESSION = "session",
|
|
811
|
+
SESSION_BROWSER = "session_browser",
|
|
812
|
+
STEP_UP = "step_up",
|
|
813
|
+
PRIMARY_DEVICE = "primary_device"
|
|
814
|
+
}
|
|
815
|
+
interface BrowserProof {
|
|
816
|
+
server_nonce: string;
|
|
817
|
+
signature: string;
|
|
818
|
+
signature_algorithm: string;
|
|
819
|
+
}
|
|
820
|
+
|
|
821
|
+
declare const NESTFLOW_INTENTS: {
|
|
822
|
+
readonly AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request";
|
|
823
|
+
readonly AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan";
|
|
824
|
+
readonly TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create";
|
|
825
|
+
readonly TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill";
|
|
826
|
+
readonly TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject";
|
|
827
|
+
readonly CAPSULE_ISSUE_LOGIN: "capsule.issue.login";
|
|
828
|
+
readonly CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration";
|
|
829
|
+
readonly CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up";
|
|
830
|
+
readonly CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery";
|
|
831
|
+
readonly SESSION_ACTIVATE: "session.activate";
|
|
832
|
+
readonly SESSION_REFRESH: "session.refresh";
|
|
833
|
+
readonly SESSION_LOGOUT: "session.logout";
|
|
834
|
+
readonly DEVICE_TRUST_REQUEST: "device.trust.request";
|
|
835
|
+
readonly DEVICE_TRUST_PROMOTE: "device.trust.promote";
|
|
836
|
+
readonly DEVICE_REVOKE: "device.revoke";
|
|
837
|
+
readonly DEVICE_LIST: "device.list";
|
|
838
|
+
readonly DEVICE_RENAME: "device.rename";
|
|
839
|
+
readonly FLOW_PUBLISH: "flow.publish";
|
|
840
|
+
readonly FLOW_DELETE: "flow.delete";
|
|
841
|
+
readonly NODE_DELETE: "node.delete";
|
|
842
|
+
readonly SECRET_ROTATE: "secret.rotate";
|
|
843
|
+
readonly ORG_SECURITY_UPDATE: "org.security.update";
|
|
844
|
+
readonly PRODUCTION_EXECUTION_APPROVE: "production.execution.approve";
|
|
845
|
+
readonly IDENTITY_RECOVERY_START: "identity.recovery.start";
|
|
846
|
+
readonly IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete";
|
|
847
|
+
readonly PRIMARY_DEVICE_ROTATE: "primary.device.rotate";
|
|
848
|
+
readonly IDENTITY_LOCK: "identity.lock";
|
|
849
|
+
readonly IDENTITY_UNLOCK: "identity.unlock";
|
|
850
|
+
};
|
|
851
|
+
type NestFlowIntent = (typeof NESTFLOW_INTENTS)[keyof typeof NESTFLOW_INTENTS];
|
|
852
|
+
declare const NESTFLOW_INTENT_SET: Set<string>;
|
|
853
|
+
declare function isNestFlowIntent(intent: string): boolean;
|
|
854
|
+
|
|
855
|
+
declare const NESTFLOW_POLICY_MAP: Record<string, AuthLevel>;
|
|
856
|
+
declare function getRequiredAuthLevel(intent: string): AuthLevel | undefined;
|
|
857
|
+
declare function satisfiesAuthLevel(provided: AuthLevel, required: AuthLevel): boolean;
|
|
858
|
+
|
|
859
|
+
interface GuardResult {
|
|
860
|
+
allowed: boolean;
|
|
861
|
+
reason?: string;
|
|
862
|
+
step_up_intent?: string;
|
|
863
|
+
}
|
|
864
|
+
declare function checkIntentPolicy(intent: string, currentAuthLevel: AuthLevel): GuardResult;
|
|
865
|
+
interface SessionContext {
|
|
866
|
+
session_uid: string;
|
|
867
|
+
status: SessionStatus;
|
|
868
|
+
expires_at: string;
|
|
869
|
+
device_uid: string;
|
|
870
|
+
user_uid: string;
|
|
871
|
+
}
|
|
872
|
+
declare function checkSession(session: SessionContext | null): GuardResult;
|
|
873
|
+
declare function checkBrowserProof(proof: BrowserProof | null | undefined, expectedNonce: string): GuardResult;
|
|
874
|
+
interface DeviceContext {
|
|
875
|
+
device_uid: string;
|
|
876
|
+
trust_level: DeviceTrustLevel;
|
|
877
|
+
status: DeviceStatus;
|
|
878
|
+
}
|
|
879
|
+
declare function checkDeviceTrust(device: DeviceContext | null, minimumTrust: DeviceTrustLevel): GuardResult;
|
|
880
|
+
interface CapsuleContext {
|
|
881
|
+
capsule_uid: string;
|
|
882
|
+
status: CapsuleStatus;
|
|
883
|
+
type: string;
|
|
884
|
+
intents: string[];
|
|
885
|
+
device_uid?: string;
|
|
886
|
+
expires_at: string;
|
|
887
|
+
}
|
|
888
|
+
declare function checkCapsule(capsule: CapsuleContext | null, intent: string, requestingDeviceUid?: string): GuardResult;
|
|
889
|
+
interface LoginChallengeContext {
|
|
890
|
+
challenge_uid: string;
|
|
891
|
+
status: LoginChallengeStatus;
|
|
892
|
+
expires_at: string;
|
|
893
|
+
}
|
|
894
|
+
declare function checkLoginChallenge(challenge: LoginChallengeContext | null, expectedStatus: LoginChallengeStatus): GuardResult;
|
|
895
|
+
interface TickAuthContext {
|
|
896
|
+
challenge_uid: string;
|
|
897
|
+
status: TickAuthChallengeStatus;
|
|
898
|
+
tick_window: {
|
|
899
|
+
start: string;
|
|
900
|
+
end: string;
|
|
901
|
+
};
|
|
902
|
+
}
|
|
903
|
+
declare function checkTickAuth(challenge: TickAuthContext | null): GuardResult;
|
|
904
|
+
interface NonceStore {
|
|
905
|
+
has(nonce: string): Promise<boolean>;
|
|
906
|
+
add(nonce: string, expiresAt: Date): Promise<void>;
|
|
907
|
+
}
|
|
908
|
+
declare function checkReplayProtection(nonce: string, store: NonceStore, windowMs?: number): Promise<GuardResult>;
|
|
909
|
+
|
|
910
|
+
interface TransitionResult {
|
|
911
|
+
valid: boolean;
|
|
912
|
+
reason?: string;
|
|
913
|
+
}
|
|
914
|
+
declare function validateLoginChallengeTransition(from: LoginChallengeStatus, to: LoginChallengeStatus): TransitionResult;
|
|
915
|
+
declare function validateTickAuthTransition(from: TickAuthChallengeStatus, to: TickAuthChallengeStatus): TransitionResult;
|
|
916
|
+
declare function validateCapsuleTransition(from: CapsuleStatus, to: CapsuleStatus): TransitionResult;
|
|
917
|
+
declare function validateSessionTransition(from: SessionStatus, to: SessionStatus): TransitionResult;
|
|
918
|
+
declare function validateDeviceTransition(from: DeviceStatus, to: DeviceStatus): TransitionResult;
|
|
919
|
+
declare function validateTrustLinkTransition(from: TrustLinkStatus, to: TrustLinkStatus): TransitionResult;
|
|
920
|
+
declare function isLoginChallengeTerminal(status: LoginChallengeStatus): boolean;
|
|
921
|
+
declare function isTickAuthTerminal(status: TickAuthChallengeStatus): boolean;
|
|
922
|
+
declare function isCapsuleTerminal(status: CapsuleStatus): boolean;
|
|
923
|
+
declare function isSessionTerminal(status: SessionStatus): boolean;
|
|
924
|
+
declare function isDeviceTerminal(status: DeviceStatus): boolean;
|
|
925
|
+
|
|
926
|
+
export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, AuthLevel, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, type BrowserProof, CAPABILITIES, type Capability, type CapsuleContext, type CapsuleMode, CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type DeviceContext, type DeviceRecord, DeviceStatus, DeviceTrustLevel, type DeviceTrustLinkRecord, DeviceType, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type GuardResult, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, type LoginChallengeContext, type LoginChallengeRecord, LoginChallengeStatus, NESTFLOW_INTENTS, NESTFLOW_INTENT_SET, NESTFLOW_POLICY_MAP, type NestFlowCapsuleScope, NestFlowCapsuleType, type NestFlowIntent, type NonceStore, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type SessionContext, type SessionRecord, SessionStatus, type TickAuthChallengeRecord, TickAuthChallengeStatus, type TickAuthContext, type TickWindow, type TransitionResult, TrustLinkStatus, TrustLinkType, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, checkBrowserProof, checkCapsule, checkDeviceTrust, checkIntentPolicy, checkLoginChallenge, checkReplayProtection, checkSession, checkTickAuth, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, getRequiredAuthLevel, hasScope, isAdminOpcode, isCapsuleTerminal, isDeviceTerminal, isKnownOpcode, isLoginChallengeTerminal, isNestFlowIntent, isSessionTerminal, isTickAuthTerminal, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, satisfiesAuthLevel, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateCapsuleTransition, validateDeviceTransition, validateFrameShape, validateLoginChallengeTransition, validateSessionTransition, validateTickAuthTransition, validateTrustLinkTransition, varintU };
|