@nextera.one/axis-server-sdk 0.9.1 → 0.9.3

package/dist/core/index.d.mts

@@ -5,7 +5,7 @@ declare const AxisFrameZ: z.ZodObject<{
     headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
     body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
     sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-}, z.z.core.$strip>;
+}, z.core.$strip>;
 type AxisFrame = z.infer<typeof AxisFrameZ>;
 type AxisBinaryFrame = AxisFrame;
 declare function encodeFrame(frame: AxisFrame): Uint8Array;

package/dist/core/index.d.ts

@@ -5,7 +5,7 @@ declare const AxisFrameZ: z.ZodObject<{
     headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
     body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
     sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-}, z.z.core.$strip>;
+}, z.core.$strip>;
 type AxisFrame = z.infer<typeof AxisFrameZ>;
 type AxisBinaryFrame = AxisFrame;
 declare function encodeFrame(frame: AxisFrame): Uint8Array;

package/dist/index.d.mts

@@ -308,7 +308,6 @@ declare function canonicalJson(value: any): string;
 declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
 
 type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
-type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
 type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
 type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
 interface AxisSig$1 {
@@ -336,7 +335,7 @@ interface AxisCapsuleConstraints {
     sessionIdLock?: string;
     nonceRequired?: boolean;
 }
-interface TickWindow {
+interface TickWindow$1 {
     start: number;
     end: number;
 }
@@ -353,7 +352,7 @@ interface AxisCapsulePayload {
     iat: number;
     nbf?: number;
     exp: number;
-    tickWindow?: TickWindow;
+    tickWindow?: TickWindow$1;
     mode: CapsuleMode;
     maxUses: number;
     nonceSeed?: string;
@@ -362,40 +361,6 @@ interface AxisCapsulePayload {
     constraints?: AxisCapsuleConstraints;
     meta?: Record<string, unknown>;
 }
-interface AxisCapsule {
-    payload: AxisCapsulePayload;
-    sig: AxisSig$1;
-}
-interface CapsuleIssueBody {
-    intent: string;
-    audience: string;
-    scopes: string[];
-    subject?: string;
-    mode: CapsuleMode;
-    maxUses?: number;
-    expSeconds?: number;
-    constraints?: AxisCapsuleConstraints;
-    hints?: {
-        ip?: string;
-        ua?: string;
-        deviceId?: string;
-        geo?: string;
-    };
-}
-interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
-    count: number;
-    mode: 'SINGLE_USE';
-}
-interface IntentExecBody {
-    intent: string;
-    capsule: AxisCapsule;
-    execNonce?: string;
-    args: Record<string, any>;
-}
-interface CapsuleRevokeBody {
-    capsuleId: string;
-    reason: string;
-}
 interface AxisResponse$1<T = any> {
     ok: boolean;
     pid: string;
@@ -405,71 +370,6 @@ interface AxisResponse$1<T = any> {
     data?: T;
     meta?: Record<string, unknown>;
 }
-interface CapsuleIssueResult {
-    capsule: AxisCapsule;
-}
-interface CapsuleBatchResult {
-    capsules: AxisCapsule[];
-}
-interface ActorKeyRecord {
-    id: Buffer;
-    actor_id: string;
-    key_id: string;
-    algorithm: string;
-    public_key: Buffer;
-    purpose: string;
-    status: KeyStatus;
-    is_primary: boolean;
-    not_before: Date | null;
-    expires_at: Date | null;
-    rotated_from_key_id: string | null;
-    revoked_at: Date | null;
-    revocation_reason: string | null;
-    metadata: any;
-    created_at: Date;
-    updated_at: Date;
-}
-interface IssuerKeyRecord {
-    id: Buffer;
-    kid: string;
-    issuer_id: string;
-    alg: string;
-    public_key_pem: string;
-    status: KeyStatus;
-    not_before: Date | null;
-    not_after: Date | null;
-    fingerprint: string | null;
-    metadata: any;
-    created_at: Date;
-    updated_at: Date;
-}
-interface CapsuleRecord {
-    id: Buffer;
-    capsule_id: string;
-    actor_id: string;
-    intent: string;
-    audience: string;
-    issuer: string;
-    subject: string | null;
-    status: CapsuleStatus;
-    mode: CapsuleMode;
-    max_uses: number;
-    used_count: number;
-    iat: Date;
-    nbf: Date | null;
-    exp: Date;
-    scopes_json: any;
-    constraints_json: any;
-    policy_refs_json: any;
-    risk_score: number | null;
-    payload_hash: Buffer;
-    sig_alg: string;
-    sig_kid: string;
-    sig_value: Buffer;
-    created_at: Date;
-    updated_at: Date;
-    last_used_at: Date | null;
-}
 
 declare class ContractViolationError extends Error {
     code: string;
@@ -781,4 +681,246 @@ interface IntentDefinition {
 declare function validateFrameShape(frame: any): boolean;
 declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
 
-export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, type ActorKeyRecord, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisResponse$1 as AxisResponse, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, CAPABILITIES, type Capability, type CapsuleBatchBody, type CapsuleBatchResult, type CapsuleIssueBody, type CapsuleIssueResult, type CapsuleMode, type CapsuleRecord, type CapsuleRevokeBody, type CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentExecBody, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type IssuerKeyRecord, type KeyStatus, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type TickWindow, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, hasScope, isAdminOpcode, isKnownOpcode, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateFrameShape, varintU };
+declare enum DeviceType {
+    MOBILE = "mobile",
+    BROWSER = "browser",
+    CLI = "cli",
+    SERVICE = "service"
+}
+declare enum DeviceTrustLevel {
+    PRIMARY = "primary",
+    TRUSTED = "trusted",
+    EPHEMERAL = "ephemeral"
+}
+declare enum DeviceStatus {
+    ACTIVE = "active",
+    REVOKED = "revoked",
+    SUSPENDED = "suspended"
+}
+interface DeviceRecord {
+    device_uid: string;
+    user_uid: string;
+    name: string;
+    type: DeviceType;
+    trust_level: DeviceTrustLevel;
+    status: DeviceStatus;
+    public_key: string;
+    key_algorithm: string;
+    created_at: string;
+    last_seen_at?: string;
+    revoked_at?: string;
+    revoked_reason?: string;
+}
+declare enum LoginChallengeStatus {
+    PENDING = "pending",
+    SCANNED = "scanned",
+    APPROVED = "approved",
+    REJECTED = "rejected",
+    EXPIRED = "expired"
+}
+interface LoginChallengeRecord {
+    challenge_uid: string;
+    status: LoginChallengeStatus;
+    browser_public_key: string;
+    browser_key_algorithm: string;
+    browser_label?: string;
+    requested_trust: DeviceTrustLevel;
+    origin?: string;
+    qr_hash: string;
+    created_at: string;
+    expires_at: string;
+    scanned_at?: string;
+    scanned_by_device_uid?: string;
+    approved_at?: string;
+}
+declare enum TickAuthChallengeStatus {
+    PENDING = "pending",
+    FULFILLED = "fulfilled",
+    REJECTED = "rejected",
+    EXPIRED = "expired"
+}
+interface TickWindow {
+    start: string;
+    end: string;
+}
+interface TickAuthChallengeRecord {
+    challenge_uid: string;
+    login_challenge_uid?: string;
+    status: TickAuthChallengeStatus;
+    tick_window: TickWindow;
+    purpose: string;
+    payload_hash?: string;
+    fulfilled_at?: string;
+    fulfilled_by_device_uid?: string;
+}
+declare enum NestFlowCapsuleType {
+    LOGIN = "login",
+    DEVICE_REGISTRATION = "device_registration",
+    STEP_UP = "step_up",
+    RECOVERY = "recovery"
+}
+declare enum CapsuleStatus {
+    ACTIVE = "active",
+    CONSUMED = "consumed",
+    REVOKED = "revoked",
+    EXPIRED = "expired"
+}
+interface NestFlowCapsuleScope {
+    type: NestFlowCapsuleType;
+    intents: string[];
+    device_uid?: string;
+    login_challenge_uid?: string;
+}
+declare enum SessionStatus {
+    ACTIVE = "active",
+    EXPIRED = "expired",
+    REVOKED = "revoked"
+}
+interface SessionRecord {
+    session_uid: string;
+    user_uid: string;
+    device_uid: string;
+    capsule_uid: string;
+    status: SessionStatus;
+    issued_at: string;
+    expires_at: string;
+    last_refreshed_at?: string;
+    revoked_at?: string;
+    revoked_reason?: string;
+}
+declare enum TrustLinkType {
+    LOGIN = "login",
+    PROMOTION = "promotion",
+    RECOVERY = "recovery"
+}
+declare enum TrustLinkStatus {
+    ACTIVE = "active",
+    REVOKED = "revoked"
+}
+interface DeviceTrustLinkRecord {
+    link_uid: string;
+    issuer_device_uid: string;
+    target_device_uid: string;
+    type: TrustLinkType;
+    status: TrustLinkStatus;
+    issued_at: string;
+    revoked_at?: string;
+}
+declare enum AuthLevel {
+    SESSION = "session",
+    SESSION_BROWSER = "session_browser",
+    STEP_UP = "step_up",
+    PRIMARY_DEVICE = "primary_device"
+}
+interface BrowserProof {
+    server_nonce: string;
+    signature: string;
+    signature_algorithm: string;
+}
+
+declare const NESTFLOW_INTENTS: {
+    readonly AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request";
+    readonly AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan";
+    readonly TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create";
+    readonly TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill";
+    readonly TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject";
+    readonly CAPSULE_ISSUE_LOGIN: "capsule.issue.login";
+    readonly CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration";
+    readonly CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up";
+    readonly CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery";
+    readonly SESSION_ACTIVATE: "session.activate";
+    readonly SESSION_REFRESH: "session.refresh";
+    readonly SESSION_LOGOUT: "session.logout";
+    readonly DEVICE_TRUST_REQUEST: "device.trust.request";
+    readonly DEVICE_TRUST_PROMOTE: "device.trust.promote";
+    readonly DEVICE_REVOKE: "device.revoke";
+    readonly DEVICE_LIST: "device.list";
+    readonly DEVICE_RENAME: "device.rename";
+    readonly FLOW_PUBLISH: "flow.publish";
+    readonly FLOW_DELETE: "flow.delete";
+    readonly NODE_DELETE: "node.delete";
+    readonly SECRET_ROTATE: "secret.rotate";
+    readonly ORG_SECURITY_UPDATE: "org.security.update";
+    readonly PRODUCTION_EXECUTION_APPROVE: "production.execution.approve";
+    readonly IDENTITY_RECOVERY_START: "identity.recovery.start";
+    readonly IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete";
+    readonly PRIMARY_DEVICE_ROTATE: "primary.device.rotate";
+    readonly IDENTITY_LOCK: "identity.lock";
+    readonly IDENTITY_UNLOCK: "identity.unlock";
+};
+type NestFlowIntent = (typeof NESTFLOW_INTENTS)[keyof typeof NESTFLOW_INTENTS];
+declare const NESTFLOW_INTENT_SET: Set<string>;
+declare function isNestFlowIntent(intent: string): boolean;
+
+declare const NESTFLOW_POLICY_MAP: Record<string, AuthLevel>;
+declare function getRequiredAuthLevel(intent: string): AuthLevel | undefined;
+declare function satisfiesAuthLevel(provided: AuthLevel, required: AuthLevel): boolean;
+
+interface GuardResult {
+    allowed: boolean;
+    reason?: string;
+    step_up_intent?: string;
+}
+declare function checkIntentPolicy(intent: string, currentAuthLevel: AuthLevel): GuardResult;
+interface SessionContext {
+    session_uid: string;
+    status: SessionStatus;
+    expires_at: string;
+    device_uid: string;
+    user_uid: string;
+}
+declare function checkSession(session: SessionContext | null): GuardResult;
+declare function checkBrowserProof(proof: BrowserProof | null | undefined, expectedNonce: string): GuardResult;
+interface DeviceContext {
+    device_uid: string;
+    trust_level: DeviceTrustLevel;
+    status: DeviceStatus;
+}
+declare function checkDeviceTrust(device: DeviceContext | null, minimumTrust: DeviceTrustLevel): GuardResult;
+interface CapsuleContext {
+    capsule_uid: string;
+    status: CapsuleStatus;
+    type: string;
+    intents: string[];
+    device_uid?: string;
+    expires_at: string;
+}
+declare function checkCapsule(capsule: CapsuleContext | null, intent: string, requestingDeviceUid?: string): GuardResult;
+interface LoginChallengeContext {
+    challenge_uid: string;
+    status: LoginChallengeStatus;
+    expires_at: string;
+}
+declare function checkLoginChallenge(challenge: LoginChallengeContext | null, expectedStatus: LoginChallengeStatus): GuardResult;
+interface TickAuthContext {
+    challenge_uid: string;
+    status: TickAuthChallengeStatus;
+    tick_window: {
+        start: string;
+        end: string;
+    };
+}
+declare function checkTickAuth(challenge: TickAuthContext | null): GuardResult;
+interface NonceStore {
+    has(nonce: string): Promise<boolean>;
+    add(nonce: string, expiresAt: Date): Promise<void>;
+}
+declare function checkReplayProtection(nonce: string, store: NonceStore, windowMs?: number): Promise<GuardResult>;
+
+interface TransitionResult {
+    valid: boolean;
+    reason?: string;
+}
+declare function validateLoginChallengeTransition(from: LoginChallengeStatus, to: LoginChallengeStatus): TransitionResult;
+declare function validateTickAuthTransition(from: TickAuthChallengeStatus, to: TickAuthChallengeStatus): TransitionResult;
+declare function validateCapsuleTransition(from: CapsuleStatus, to: CapsuleStatus): TransitionResult;
+declare function validateSessionTransition(from: SessionStatus, to: SessionStatus): TransitionResult;
+declare function validateDeviceTransition(from: DeviceStatus, to: DeviceStatus): TransitionResult;
+declare function validateTrustLinkTransition(from: TrustLinkStatus, to: TrustLinkStatus): TransitionResult;
+declare function isLoginChallengeTerminal(status: LoginChallengeStatus): boolean;
+declare function isTickAuthTerminal(status: TickAuthChallengeStatus): boolean;
+declare function isCapsuleTerminal(status: CapsuleStatus): boolean;
+declare function isSessionTerminal(status: SessionStatus): boolean;
+declare function isDeviceTerminal(status: DeviceStatus): boolean;
+
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, AuthLevel, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, type BrowserProof, CAPABILITIES, type Capability, type CapsuleContext, type CapsuleMode, CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type DeviceContext, type DeviceRecord, DeviceStatus, DeviceTrustLevel, type DeviceTrustLinkRecord, DeviceType, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type GuardResult, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, type LoginChallengeContext, type LoginChallengeRecord, LoginChallengeStatus, NESTFLOW_INTENTS, NESTFLOW_INTENT_SET, NESTFLOW_POLICY_MAP, type NestFlowCapsuleScope, NestFlowCapsuleType, type NestFlowIntent, type NonceStore, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type SessionContext, type SessionRecord, SessionStatus, type TickAuthChallengeRecord, TickAuthChallengeStatus, type TickAuthContext, type TickWindow, type TransitionResult, TrustLinkStatus, TrustLinkType, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, checkBrowserProof, checkCapsule, checkDeviceTrust, checkIntentPolicy, checkLoginChallenge, checkReplayProtection, checkSession, checkTickAuth, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, getRequiredAuthLevel, hasScope, isAdminOpcode, isCapsuleTerminal, isDeviceTerminal, isKnownOpcode, isLoginChallengeTerminal, isNestFlowIntent, isSessionTerminal, isTickAuthTerminal, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, satisfiesAuthLevel, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateCapsuleTransition, validateDeviceTransition, validateFrameShape, validateLoginChallengeTransition, validateSessionTransition, validateTickAuthTransition, validateTrustLinkTransition, varintU };