@nextera.one/axis-server-sdk 0.8.0 → 0.9.2

package/dist/index.js

@@ -43,14 +43,19 @@ __export(index_exports, {
   AXIS_OPCODES: () => AXIS_OPCODES,
   AXIS_VERSION: () => AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
+  AuthLevel: () => AuthLevel,
   AxisFrameZ: () => AxisFrameZ,
   AxisPacketTags: () => T,
   BodyProfile: () => BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
+  CapsuleStatus: () => CapsuleStatus,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
   Decision: () => Decision,
+  DeviceStatus: () => DeviceStatus,
+  DeviceTrustLevel: () => DeviceTrustLevel,
+  DeviceType: () => DeviceType,
   ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET: () => ERR_INVALID_PACKET,
@@ -69,6 +74,7 @@ __export(index_exports, {
   Intent: () => Intent,
   IntentRouter: () => IntentRouter,
   IntentSensitivity: () => IntentSensitivity,
+  LoginChallengeStatus: () => LoginChallengeStatus,
   MAX_BODY_LEN: () => MAX_BODY_LEN,
   MAX_FRAME_LEN: () => MAX_FRAME_LEN,
   MAX_HDR_LEN: () => MAX_HDR_LEN,
@@ -83,6 +89,10 @@ __export(index_exports, {
   NCERT_PUB: () => NCERT_PUB,
   NCERT_SCOPE: () => NCERT_SCOPE,
   NCERT_SIG: () => NCERT_SIG,
+  NESTFLOW_INTENTS: () => NESTFLOW_INTENTS,
+  NESTFLOW_INTENT_SET: () => NESTFLOW_INTENT_SET,
+  NESTFLOW_POLICY_MAP: () => NESTFLOW_POLICY_MAP,
+  NestFlowCapsuleType: () => NestFlowCapsuleType,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => PROOF_CAPSULE,
   PROOF_JWT: () => PROOF_JWT,
@@ -91,11 +101,13 @@ __export(index_exports, {
   PROOF_NONE: () => PROOF_NONE,
   PROOF_WITNESS: () => PROOF_WITNESS,
   ProofType: () => ProofType,
+  RiskDecision: () => RiskDecision,
   Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions: () => SensorDecisions,
+  SessionStatus: () => SessionStatus,
   TLV_ACTOR_ID: () => TLV_ACTOR_ID,
   TLV_AUD: () => TLV_AUD,
   TLV_BODY_ARR: () => TLV_BODY_ARR,
@@ -127,6 +139,9 @@ __export(index_exports, {
   TLV_TRACE_ID: () => TLV_TRACE_ID,
   TLV_TS: () => TLV_TS,
   TLV_UPLOAD_ID: () => TLV_UPLOAD_ID,
+  TickAuthChallengeStatus: () => TickAuthChallengeStatus,
+  TrustLinkStatus: () => TrustLinkStatus,
+  TrustLinkType: () => TrustLinkType,
   axis1SigningBytes: () => axis1SigningBytes,
   b64urlDecode: () => b64urlDecode,
   b64urlDecodeString: () => b64urlDecodeString,
@@ -140,6 +155,14 @@ __export(index_exports, {
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  checkBrowserProof: () => checkBrowserProof,
+  checkCapsule: () => checkCapsule,
+  checkDeviceTrust: () => checkDeviceTrust,
+  checkIntentPolicy: () => checkIntentPolicy,
+  checkLoginChallenge: () => checkLoginChallenge,
+  checkReplayProtection: () => checkReplayProtection,
+  checkSession: () => checkSession,
+  checkTickAuth: () => checkTickAuth,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
@@ -156,10 +179,18 @@ __export(index_exports, {
   encodeTLVs: () => encodeTLVs,
   encodeVarint: () => encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getRequiredAuthLevel: () => getRequiredAuthLevel,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
   isAdminOpcode: () => isAdminOpcode,
+  isCapsuleTerminal: () => isCapsuleTerminal,
+  isDeviceTerminal: () => isDeviceTerminal,
   isKnownOpcode: () => isKnownOpcode,
+  isLoginChallengeTerminal: () => isLoginChallengeTerminal,
+  isNestFlowIntent: () => isNestFlowIntent,
+  isSessionTerminal: () => isSessionTerminal,
+  isTickAuthTerminal: () => isTickAuthTerminal,
+  isTimestampValid: () => isTimestampValid,
   nonce16: () => nonce16,
   normalizeSensorDecision: () => normalizeSensorDecision,
   packPasskeyLoginOptionsReq: () => packPasskeyLoginOptionsReq,
@@ -169,6 +200,7 @@ __export(index_exports, {
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
   parseScope: () => parseScope,
   resolveTimeout: () => resolveTimeout,
+  satisfiesAuthLevel: () => satisfiesAuthLevel,
   sensitivityName: () => sensitivityName,
   sha256: () => sha256,
   signFrame: () => signFrame,
@@ -178,6 +210,13 @@ __export(index_exports, {
   unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
   utf8: () => utf8,
+  validateCapsuleTransition: () => validateCapsuleTransition,
+  validateDeviceTransition: () => validateDeviceTransition,
+  validateFrameShape: () => validateFrameShape,
+  validateLoginChallengeTransition: () => validateLoginChallengeTransition,
+  validateSessionTransition: () => validateSessionTransition,
+  validateTickAuthTransition: () => validateTickAuthTransition,
+  validateTrustLinkTransition: () => validateTrustLinkTransition,
   varintLength: () => varintLength,
   varintU: () => varintU,
   verifyFrameSignature: () => verifyFrameSignature
@@ -1533,10 +1572,10 @@ function tlv(type, value) {
   ]);
 }
 function buildTLVs(items, opts) {
-  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const allow2 = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
   const sorted = [...items].sort((a, b) => a.type - b.type);
   for (let i = 1; i < sorted.length; i++) {
-    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
+    if (sorted[i].type === sorted[i - 1].type && !allow2.has(sorted[i].type)) {
       throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
     }
   }
@@ -2106,9 +2145,33 @@ var INTENT_REQUIREMENTS = {
   "passport.revoke": ["write", "witness"],
   "stream.publish": ["write"],
   "stream.subscribe": ["read"],
+  // NestFlow intents
+  "auth.web.login.*": ["execute"],
+  "tickauth.challenge.*": ["execute"],
+  "capsule.issue.*": ["write", "execute"],
+  "session.*": ["execute"],
+  "device.list": ["read"],
+  "device.rename": ["write"],
+  "device.trust.*": ["write", "execute"],
+  "device.revoke": ["write", "execute"],
+  "identity.*": ["admin", "execute"],
+  "primary.device.*": ["admin", "execute"],
+  "secret.rotate": ["admin"],
+  "org.security.*": ["admin"],
+  "production.execution.*": ["admin", "execute"],
   "admin.*": ["admin"]
 };
 
+// src/risk/index.ts
+var RiskDecision = /* @__PURE__ */ ((RiskDecision2) => {
+  RiskDecision2["ALLOW"] = "ALLOW";
+  RiskDecision2["THROTTLE"] = "THROTTLE";
+  RiskDecision2["STEP_UP"] = "STEP_UP";
+  RiskDecision2["WITNESS"] = "WITNESS";
+  RiskDecision2["DENY"] = "DENY";
+  return RiskDecision2;
+})(RiskDecision || {});
+
 // src/core/opcodes.ts
 var AXIS_OPCODES = /* @__PURE__ */ new Set([
   "CAPSULE.ISSUE",
@@ -2117,13 +2180,29 @@ var AXIS_OPCODES = /* @__PURE__ */ new Set([
   "INTENT.EXEC",
   "ACTOR.KEY.ROTATE",
   "ACTOR.KEY.REVOKE",
-  "ISSUER.KEY.ROTATE"
+  "ISSUER.KEY.ROTATE",
+  // NestFlow opcodes
+  "AUTH.WEB.LOGIN",
+  "AUTH.WEB.SCAN",
+  "TICKAUTH.CREATE",
+  "TICKAUTH.FULFILL",
+  "TICKAUTH.REJECT",
+  "SESSION.ACTIVATE",
+  "SESSION.REFRESH",
+  "SESSION.LOGOUT",
+  "DEVICE.TRUST",
+  "DEVICE.PROMOTE",
+  "DEVICE.REVOKE",
+  "DEVICE.LIST",
+  "DEVICE.RENAME",
+  "IDENTITY.RECOVERY",
+  "IDENTITY.LOCK"
 ]);
 function isKnownOpcode(op) {
   return AXIS_OPCODES.has(op);
 }
 function isAdminOpcode(op) {
-  return op.startsWith("ACTOR.KEY.") || op.startsWith("ISSUER.KEY.");
+  return op.startsWith("ACTOR.KEY.") || op.startsWith("ISSUER.KEY.") || op.startsWith("IDENTITY.");
 }
 
 // src/core/receipt.ts
@@ -2173,7 +2252,42 @@ var INTENT_SENSITIVITY_MAP = {
   // Admin intents
   "admin.create_capsule": 4 /* CRITICAL */,
   "admin.revoke_capsule": 4 /* CRITICAL */,
-  "admin.issue_node_cert": 4 /* CRITICAL */
+  "admin.issue_node_cert": 4 /* CRITICAL */,
+  // NestFlow: Auth
+  "auth.web.login.request": 2 /* MEDIUM */,
+  "auth.web.login.scan": 3 /* HIGH */,
+  // NestFlow: TickAuth
+  "tickauth.challenge.create": 2 /* MEDIUM */,
+  "tickauth.challenge.fulfill": 3 /* HIGH */,
+  "tickauth.challenge.reject": 2 /* MEDIUM */,
+  // NestFlow: Capsule issuance
+  "capsule.issue.login": 3 /* HIGH */,
+  "capsule.issue.device_registration": 3 /* HIGH */,
+  "capsule.issue.step_up": 3 /* HIGH */,
+  "capsule.issue.recovery": 4 /* CRITICAL */,
+  // NestFlow: Session
+  "session.activate": 3 /* HIGH */,
+  "session.refresh": 2 /* MEDIUM */,
+  "session.logout": 1 /* LOW */,
+  // NestFlow: Device trust
+  "device.trust.request": 3 /* HIGH */,
+  "device.trust.promote": 4 /* CRITICAL */,
+  "device.revoke": 4 /* CRITICAL */,
+  "device.list": 1 /* LOW */,
+  "device.rename": 1 /* LOW */,
+  // NestFlow: Protected operations
+  "flow.publish": 2 /* MEDIUM */,
+  "flow.delete": 3 /* HIGH */,
+  "node.delete": 4 /* CRITICAL */,
+  "secret.rotate": 4 /* CRITICAL */,
+  "org.security.update": 4 /* CRITICAL */,
+  "production.execution.approve": 4 /* CRITICAL */,
+  // NestFlow: Recovery
+  "identity.recovery.start": 4 /* CRITICAL */,
+  "identity.recovery.complete": 4 /* CRITICAL */,
+  "primary.device.rotate": 4 /* CRITICAL */,
+  "identity.lock": 4 /* CRITICAL */,
+  "identity.unlock": 4 /* CRITICAL */
 };
 function classifyIntent(intent) {
   if (INTENT_SENSITIVITY_MAP[intent]) {
@@ -2228,6 +2342,468 @@ function resolveTimeout(intent) {
   }
   return DEFAULT_TIMEOUT;
 }
+
+// src/core/frame-validator.ts
+function validateFrameShape(frame) {
+  if (!frame || typeof frame !== "object") {
+    return false;
+  }
+  if (frame.v !== 1) {
+    return false;
+  }
+  const requiredStrings = ["pid", "nonce", "actorId", "opcode"];
+  for (const key of requiredStrings) {
+    if (typeof frame[key] !== "string" || frame[key].length < 6) {
+      return false;
+    }
+  }
+  if (typeof frame.ts !== "number" || !Number.isFinite(frame.ts)) {
+    return false;
+  }
+  if (frame.aud !== void 0 && (typeof frame.aud !== "string" || frame.aud.length === 0)) {
+    return false;
+  }
+  if (!frame.sig || typeof frame.sig !== "object") {
+    return false;
+  }
+  if (frame.sig.alg !== "EdDSA") {
+    return false;
+  }
+  if (typeof frame.sig.kid !== "string" || frame.sig.kid.length < 8) {
+    return false;
+  }
+  if (typeof frame.sig.value !== "string" || frame.sig.value.length < 32) {
+    return false;
+  }
+  if (typeof frame.body !== "object" || frame.body === null) {
+    return false;
+  }
+  return true;
+}
+function isTimestampValid(ts, skewSeconds = 120) {
+  const now = Math.floor(Date.now() / 1e3);
+  const diff = Math.abs(now - ts);
+  return diff <= skewSeconds;
+}
+
+// src/nestflow/types.ts
+var DeviceType = /* @__PURE__ */ ((DeviceType2) => {
+  DeviceType2["MOBILE"] = "mobile";
+  DeviceType2["BROWSER"] = "browser";
+  DeviceType2["CLI"] = "cli";
+  DeviceType2["SERVICE"] = "service";
+  return DeviceType2;
+})(DeviceType || {});
+var DeviceTrustLevel = /* @__PURE__ */ ((DeviceTrustLevel2) => {
+  DeviceTrustLevel2["PRIMARY"] = "primary";
+  DeviceTrustLevel2["TRUSTED"] = "trusted";
+  DeviceTrustLevel2["EPHEMERAL"] = "ephemeral";
+  return DeviceTrustLevel2;
+})(DeviceTrustLevel || {});
+var DeviceStatus = /* @__PURE__ */ ((DeviceStatus2) => {
+  DeviceStatus2["ACTIVE"] = "active";
+  DeviceStatus2["REVOKED"] = "revoked";
+  DeviceStatus2["SUSPENDED"] = "suspended";
+  return DeviceStatus2;
+})(DeviceStatus || {});
+var LoginChallengeStatus = /* @__PURE__ */ ((LoginChallengeStatus3) => {
+  LoginChallengeStatus3["PENDING"] = "pending";
+  LoginChallengeStatus3["SCANNED"] = "scanned";
+  LoginChallengeStatus3["APPROVED"] = "approved";
+  LoginChallengeStatus3["REJECTED"] = "rejected";
+  LoginChallengeStatus3["EXPIRED"] = "expired";
+  return LoginChallengeStatus3;
+})(LoginChallengeStatus || {});
+var TickAuthChallengeStatus = /* @__PURE__ */ ((TickAuthChallengeStatus2) => {
+  TickAuthChallengeStatus2["PENDING"] = "pending";
+  TickAuthChallengeStatus2["FULFILLED"] = "fulfilled";
+  TickAuthChallengeStatus2["REJECTED"] = "rejected";
+  TickAuthChallengeStatus2["EXPIRED"] = "expired";
+  return TickAuthChallengeStatus2;
+})(TickAuthChallengeStatus || {});
+var NestFlowCapsuleType = /* @__PURE__ */ ((NestFlowCapsuleType2) => {
+  NestFlowCapsuleType2["LOGIN"] = "login";
+  NestFlowCapsuleType2["DEVICE_REGISTRATION"] = "device_registration";
+  NestFlowCapsuleType2["STEP_UP"] = "step_up";
+  NestFlowCapsuleType2["RECOVERY"] = "recovery";
+  return NestFlowCapsuleType2;
+})(NestFlowCapsuleType || {});
+var CapsuleStatus = /* @__PURE__ */ ((CapsuleStatus2) => {
+  CapsuleStatus2["ACTIVE"] = "active";
+  CapsuleStatus2["CONSUMED"] = "consumed";
+  CapsuleStatus2["REVOKED"] = "revoked";
+  CapsuleStatus2["EXPIRED"] = "expired";
+  return CapsuleStatus2;
+})(CapsuleStatus || {});
+var SessionStatus = /* @__PURE__ */ ((SessionStatus2) => {
+  SessionStatus2["ACTIVE"] = "active";
+  SessionStatus2["EXPIRED"] = "expired";
+  SessionStatus2["REVOKED"] = "revoked";
+  return SessionStatus2;
+})(SessionStatus || {});
+var TrustLinkType = /* @__PURE__ */ ((TrustLinkType2) => {
+  TrustLinkType2["LOGIN"] = "login";
+  TrustLinkType2["PROMOTION"] = "promotion";
+  TrustLinkType2["RECOVERY"] = "recovery";
+  return TrustLinkType2;
+})(TrustLinkType || {});
+var TrustLinkStatus = /* @__PURE__ */ ((TrustLinkStatus2) => {
+  TrustLinkStatus2["ACTIVE"] = "active";
+  TrustLinkStatus2["REVOKED"] = "revoked";
+  return TrustLinkStatus2;
+})(TrustLinkStatus || {});
+var AuthLevel = /* @__PURE__ */ ((AuthLevel2) => {
+  AuthLevel2["SESSION"] = "session";
+  AuthLevel2["SESSION_BROWSER"] = "session_browser";
+  AuthLevel2["STEP_UP"] = "step_up";
+  AuthLevel2["PRIMARY_DEVICE"] = "primary_device";
+  return AuthLevel2;
+})(AuthLevel || {});
+
+// src/nestflow/intents.ts
+var NESTFLOW_INTENTS = {
+  // Auth
+  AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request",
+  AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan",
+  // TickAuth
+  TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create",
+  TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill",
+  TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject",
+  // Capsule
+  CAPSULE_ISSUE_LOGIN: "capsule.issue.login",
+  CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration",
+  CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up",
+  CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery",
+  // Session
+  SESSION_ACTIVATE: "session.activate",
+  SESSION_REFRESH: "session.refresh",
+  SESSION_LOGOUT: "session.logout",
+  // Device Trust
+  DEVICE_TRUST_REQUEST: "device.trust.request",
+  DEVICE_TRUST_PROMOTE: "device.trust.promote",
+  DEVICE_REVOKE: "device.revoke",
+  DEVICE_LIST: "device.list",
+  DEVICE_RENAME: "device.rename",
+  // Protected Operations
+  FLOW_PUBLISH: "flow.publish",
+  FLOW_DELETE: "flow.delete",
+  NODE_DELETE: "node.delete",
+  SECRET_ROTATE: "secret.rotate",
+  ORG_SECURITY_UPDATE: "org.security.update",
+  PRODUCTION_EXECUTION_APPROVE: "production.execution.approve",
+  // Recovery
+  IDENTITY_RECOVERY_START: "identity.recovery.start",
+  IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete",
+  PRIMARY_DEVICE_ROTATE: "primary.device.rotate",
+  IDENTITY_LOCK: "identity.lock",
+  IDENTITY_UNLOCK: "identity.unlock"
+};
+var NESTFLOW_INTENT_SET = new Set(
+  Object.values(NESTFLOW_INTENTS)
+);
+function isNestFlowIntent(intent) {
+  return NESTFLOW_INTENT_SET.has(intent);
+}
+
+// src/nestflow/policy-map.ts
+var NESTFLOW_POLICY_MAP = {
+  // Auth — unauthenticated initiator (session issued after)
+  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_REQUEST]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_SCAN]: "primary_device" /* PRIMARY_DEVICE */,
+  // TickAuth — primary device handles challenges
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_CREATE]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_FULFILL]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_REJECT]: "primary_device" /* PRIMARY_DEVICE */,
+  // Capsule issuance — varies per type
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_LOGIN]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_DEVICE_REGISTRATION]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_STEP_UP]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_RECOVERY]: "primary_device" /* PRIMARY_DEVICE */,
+  // Session management
+  [NESTFLOW_INTENTS.SESSION_ACTIVATE]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.SESSION_REFRESH]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.SESSION_LOGOUT]: "session" /* SESSION */,
+  // Device trust management
+  [NESTFLOW_INTENTS.DEVICE_TRUST_REQUEST]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.DEVICE_TRUST_PROMOTE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.DEVICE_REVOKE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.DEVICE_LIST]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.DEVICE_RENAME]: "session_browser" /* SESSION_BROWSER */,
+  // Protected operations — require step-up auth
+  [NESTFLOW_INTENTS.FLOW_PUBLISH]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.FLOW_DELETE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.NODE_DELETE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.SECRET_ROTATE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.ORG_SECURITY_UPDATE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.PRODUCTION_EXECUTION_APPROVE]: "step_up" /* STEP_UP */,
+  // Recovery — highest privilege
+  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_START]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_COMPLETE]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.PRIMARY_DEVICE_ROTATE]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_LOCK]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_UNLOCK]: "primary_device" /* PRIMARY_DEVICE */
+};
+function getRequiredAuthLevel(intent) {
+  return NESTFLOW_POLICY_MAP[intent];
+}
+var AUTH_LEVEL_ORDER = [
+  "session" /* SESSION */,
+  "session_browser" /* SESSION_BROWSER */,
+  "step_up" /* STEP_UP */,
+  "primary_device" /* PRIMARY_DEVICE */
+];
+function satisfiesAuthLevel(provided, required) {
+  const providedIdx = AUTH_LEVEL_ORDER.indexOf(provided);
+  const requiredIdx = AUTH_LEVEL_ORDER.indexOf(required);
+  return providedIdx >= requiredIdx;
+}
+
+// src/nestflow/guards.ts
+var allow = () => ({ allowed: true });
+var deny = (reason) => ({ allowed: false, reason });
+function checkIntentPolicy(intent, currentAuthLevel) {
+  const required = getRequiredAuthLevel(intent);
+  if (!required) {
+    return allow();
+  }
+  if (satisfiesAuthLevel(currentAuthLevel, required)) {
+    return allow();
+  }
+  return {
+    allowed: false,
+    reason: `Intent '${intent}' requires auth level '${required}', got '${currentAuthLevel}'`,
+    step_up_intent: required === "step_up" /* STEP_UP */ ? intent : void 0
+  };
+}
+function checkSession(session) {
+  if (!session) {
+    return deny("No session found");
+  }
+  if (session.status !== "active" /* ACTIVE */) {
+    return deny(`Session status is '${session.status}', expected 'active'`);
+  }
+  if (new Date(session.expires_at).getTime() < Date.now()) {
+    return deny("Session has expired");
+  }
+  return allow();
+}
+function checkBrowserProof(proof, expectedNonce) {
+  if (!proof) {
+    return deny("Browser proof-of-possession required but not provided");
+  }
+  if (!proof.server_nonce || !proof.signature || !proof.signature_algorithm) {
+    return deny("Browser proof is missing required fields");
+  }
+  if (proof.server_nonce !== expectedNonce) {
+    return deny("Browser proof nonce does not match expected server nonce");
+  }
+  return allow();
+}
+var TRUST_ORDER = [
+  "ephemeral" /* EPHEMERAL */,
+  "trusted" /* TRUSTED */,
+  "primary" /* PRIMARY */
+];
+function checkDeviceTrust(device, minimumTrust) {
+  if (!device) {
+    return deny("Device not found");
+  }
+  if (device.status !== "active" /* ACTIVE */) {
+    return deny(`Device status is '${device.status}', expected 'active'`);
+  }
+  const deviceIdx = TRUST_ORDER.indexOf(device.trust_level);
+  const requiredIdx = TRUST_ORDER.indexOf(minimumTrust);
+  if (deviceIdx < requiredIdx) {
+    return deny(
+      `Device trust level '${device.trust_level}' does not meet minimum '${minimumTrust}'`
+    );
+  }
+  return allow();
+}
+function checkCapsule(capsule, intent, requestingDeviceUid) {
+  if (!capsule) {
+    return deny("Capsule not found");
+  }
+  if (capsule.status !== "active" /* ACTIVE */) {
+    return deny(`Capsule status is '${capsule.status}', expected 'active'`);
+  }
+  if (new Date(capsule.expires_at).getTime() < Date.now()) {
+    return deny("Capsule has expired");
+  }
+  const intentAllowed = capsule.intents.some((pattern) => {
+    if (pattern === "*") return true;
+    if (pattern === intent) return true;
+    if (pattern.endsWith(".*")) {
+      return intent.startsWith(pattern.slice(0, -1));
+    }
+    return false;
+  });
+  if (!intentAllowed) {
+    return deny(`Capsule does not authorize intent '${intent}'`);
+  }
+  if (capsule.device_uid && requestingDeviceUid && capsule.device_uid !== requestingDeviceUid) {
+    return deny("Capsule is bound to a different device");
+  }
+  return allow();
+}
+function checkLoginChallenge(challenge, expectedStatus) {
+  if (!challenge) {
+    return deny("Login challenge not found");
+  }
+  if (new Date(challenge.expires_at).getTime() < Date.now()) {
+    return deny("Login challenge has expired");
+  }
+  if (challenge.status !== expectedStatus) {
+    return deny(
+      `Login challenge status is '${challenge.status}', expected '${expectedStatus}'`
+    );
+  }
+  return allow();
+}
+function checkTickAuth(challenge) {
+  if (!challenge) {
+    return deny("TickAuth challenge not found");
+  }
+  if (challenge.status !== "pending" /* PENDING */) {
+    return deny(
+      `TickAuth challenge status is '${challenge.status}', expected 'pending'`
+    );
+  }
+  const now = Date.now();
+  const start = new Date(challenge.tick_window.start).getTime();
+  const end = new Date(challenge.tick_window.end).getTime();
+  if (now < start || now > end) {
+    return deny("TickAuth challenge is outside its tick window");
+  }
+  return allow();
+}
+async function checkReplayProtection(nonce, store, windowMs = 5 * 60 * 1e3) {
+  if (!nonce) {
+    return deny("Nonce is required for replay protection");
+  }
+  const seen = await store.has(nonce);
+  if (seen) {
+    return deny("Nonce has already been used (replay detected)");
+  }
+  await store.add(nonce, new Date(Date.now() + windowMs));
+  return allow();
+}
+
+// src/nestflow/invariants.ts
+var LOGIN_CHALLENGE_TRANSITIONS = {
+  ["pending" /* PENDING */]: [
+    "scanned" /* SCANNED */,
+    "expired" /* EXPIRED */
+  ],
+  ["scanned" /* SCANNED */]: [
+    "approved" /* APPROVED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ],
+  ["approved" /* APPROVED */]: [],
+  ["rejected" /* REJECTED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var TICKAUTH_TRANSITIONS = {
+  ["pending" /* PENDING */]: [
+    "fulfilled" /* FULFILLED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ],
+  ["fulfilled" /* FULFILLED */]: [],
+  ["rejected" /* REJECTED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var CAPSULE_TRANSITIONS = {
+  ["active" /* ACTIVE */]: [
+    "consumed" /* CONSUMED */,
+    "revoked" /* REVOKED */,
+    "expired" /* EXPIRED */
+  ],
+  ["consumed" /* CONSUMED */]: [],
+  ["revoked" /* REVOKED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var SESSION_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["expired" /* EXPIRED */, "revoked" /* REVOKED */],
+  ["expired" /* EXPIRED */]: [],
+  ["revoked" /* REVOKED */]: []
+};
+var DEVICE_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["suspended" /* SUSPENDED */, "revoked" /* REVOKED */],
+  ["suspended" /* SUSPENDED */]: ["active" /* ACTIVE */, "revoked" /* REVOKED */],
+  ["revoked" /* REVOKED */]: []
+};
+var TRUST_LINK_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["revoked" /* REVOKED */],
+  ["revoked" /* REVOKED */]: []
+};
+function checkTransition(entity, transitions, from, to) {
+  const allowed = transitions[from];
+  if (!allowed) {
+    return {
+      valid: false,
+      reason: `${entity}: unknown current state '${from}'`
+    };
+  }
+  if (!allowed.includes(to)) {
+    return {
+      valid: false,
+      reason: `${entity}: invalid transition '${from}' \u2192 '${to}'. Allowed: [${allowed.join(", ")}]`
+    };
+  }
+  return { valid: true };
+}
+function validateLoginChallengeTransition(from, to) {
+  return checkTransition(
+    "LoginChallenge",
+    LOGIN_CHALLENGE_TRANSITIONS,
+    from,
+    to
+  );
+}
+function validateTickAuthTransition(from, to) {
+  return checkTransition("TickAuthChallenge", TICKAUTH_TRANSITIONS, from, to);
+}
+function validateCapsuleTransition(from, to) {
+  return checkTransition("Capsule", CAPSULE_TRANSITIONS, from, to);
+}
+function validateSessionTransition(from, to) {
+  return checkTransition("Session", SESSION_TRANSITIONS, from, to);
+}
+function validateDeviceTransition(from, to) {
+  return checkTransition("Device", DEVICE_TRANSITIONS, from, to);
+}
+function validateTrustLinkTransition(from, to) {
+  return checkTransition("TrustLink", TRUST_LINK_TRANSITIONS, from, to);
+}
+function isLoginChallengeTerminal(status) {
+  return [
+    "approved" /* APPROVED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isTickAuthTerminal(status) {
+  return [
+    "fulfilled" /* FULFILLED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isCapsuleTerminal(status) {
+  return [
+    "consumed" /* CONSUMED */,
+    "revoked" /* REVOKED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isSessionTerminal(status) {
+  return ["expired" /* EXPIRED */, "revoked" /* REVOKED */].includes(status);
+}
+function isDeviceTerminal(status) {
+  return status === "revoked" /* REVOKED */;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
@@ -2236,14 +2812,19 @@ function resolveTimeout(intent) {
   AXIS_OPCODES,
   AXIS_VERSION,
   Ats1Codec,
+  AuthLevel,
   AxisFrameZ,
   AxisPacketTags,
   BodyProfile,
   CAPABILITIES,
+  CapsuleStatus,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
+  DeviceStatus,
+  DeviceTrustLevel,
+  DeviceType,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2262,6 +2843,7 @@ function resolveTimeout(intent) {
   Intent,
   IntentRouter,
   IntentSensitivity,
+  LoginChallengeStatus,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2276,6 +2858,10 @@ function resolveTimeout(intent) {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
+  NESTFLOW_INTENTS,
+  NESTFLOW_INTENT_SET,
+  NESTFLOW_POLICY_MAP,
+  NestFlowCapsuleType,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -2284,11 +2870,13 @@ function resolveTimeout(intent) {
   PROOF_NONE,
   PROOF_WITNESS,
   ProofType,
+  RiskDecision,
   Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
+  SessionStatus,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,
@@ -2320,6 +2908,9 @@ function resolveTimeout(intent) {
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
+  TickAuthChallengeStatus,
+  TrustLinkStatus,
+  TrustLinkType,
   axis1SigningBytes,
   b64urlDecode,
   b64urlDecodeString,
@@ -2333,6 +2924,14 @@ function resolveTimeout(intent) {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  checkBrowserProof,
+  checkCapsule,
+  checkDeviceTrust,
+  checkIntentPolicy,
+  checkLoginChallenge,
+  checkReplayProtection,
+  checkSession,
+  checkTickAuth,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -2349,10 +2948,18 @@ function resolveTimeout(intent) {
   encodeTLVs,
   encodeVarint,
   generateEd25519KeyPair,
+  getRequiredAuthLevel,
   getSignTarget,
   hasScope,
   isAdminOpcode,
+  isCapsuleTerminal,
+  isDeviceTerminal,
   isKnownOpcode,
+  isLoginChallengeTerminal,
+  isNestFlowIntent,
+  isSessionTerminal,
+  isTickAuthTerminal,
+  isTimestampValid,
   nonce16,
   normalizeSensorDecision,
   packPasskeyLoginOptionsReq,
@@ -2362,6 +2969,7 @@ function resolveTimeout(intent) {
   packPasskeyRegisterOptionsReq,
   parseScope,
   resolveTimeout,
+  satisfiesAuthLevel,
   sensitivityName,
   sha256,
   signFrame,
@@ -2371,6 +2979,13 @@ function resolveTimeout(intent) {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
+  validateCapsuleTransition,
+  validateDeviceTransition,
+  validateFrameShape,
+  validateLoginChallengeTransition,
+  validateSessionTransition,
+  validateTickAuthTransition,
+  validateTrustLinkTransition,
   varintLength,
   varintU,
   verifyFrameSignature