npm - @nextera.one/axis-server-sdk - Versions diffs - 0.9.1 → 0.9.3 - Mend

@nextera.one/axis-server-sdk 0.9.1 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js CHANGED Viewed

@@ -43,14 +43,19 @@ __export(index_exports, {
   AXIS_OPCODES: () => AXIS_OPCODES,
   AXIS_VERSION: () => AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
+  AuthLevel: () => AuthLevel,
   AxisFrameZ: () => AxisFrameZ,
   AxisPacketTags: () => T,
   BodyProfile: () => BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
+  CapsuleStatus: () => CapsuleStatus,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
   Decision: () => Decision,
+  DeviceStatus: () => DeviceStatus,
+  DeviceTrustLevel: () => DeviceTrustLevel,
+  DeviceType: () => DeviceType,
   ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET: () => ERR_INVALID_PACKET,
@@ -69,6 +74,7 @@ __export(index_exports, {
   Intent: () => Intent,
   IntentRouter: () => IntentRouter,
   IntentSensitivity: () => IntentSensitivity,
+  LoginChallengeStatus: () => LoginChallengeStatus,
   MAX_BODY_LEN: () => MAX_BODY_LEN,
   MAX_FRAME_LEN: () => MAX_FRAME_LEN,
   MAX_HDR_LEN: () => MAX_HDR_LEN,
@@ -83,6 +89,10 @@ __export(index_exports, {
   NCERT_PUB: () => NCERT_PUB,
   NCERT_SCOPE: () => NCERT_SCOPE,
   NCERT_SIG: () => NCERT_SIG,
+  NESTFLOW_INTENTS: () => NESTFLOW_INTENTS,
+  NESTFLOW_INTENT_SET: () => NESTFLOW_INTENT_SET,
+  NESTFLOW_POLICY_MAP: () => NESTFLOW_POLICY_MAP,
+  NestFlowCapsuleType: () => NestFlowCapsuleType,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => PROOF_CAPSULE,
   PROOF_JWT: () => PROOF_JWT,
@@ -97,6 +107,7 @@ __export(index_exports, {
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions: () => SensorDecisions,
+  SessionStatus: () => SessionStatus,
   TLV_ACTOR_ID: () => TLV_ACTOR_ID,
   TLV_AUD: () => TLV_AUD,
   TLV_BODY_ARR: () => TLV_BODY_ARR,
@@ -128,6 +139,9 @@ __export(index_exports, {
   TLV_TRACE_ID: () => TLV_TRACE_ID,
   TLV_TS: () => TLV_TS,
   TLV_UPLOAD_ID: () => TLV_UPLOAD_ID,
+  TickAuthChallengeStatus: () => TickAuthChallengeStatus,
+  TrustLinkStatus: () => TrustLinkStatus,
+  TrustLinkType: () => TrustLinkType,
   axis1SigningBytes: () => axis1SigningBytes,
   b64urlDecode: () => b64urlDecode,
   b64urlDecodeString: () => b64urlDecodeString,
@@ -141,6 +155,14 @@ __export(index_exports, {
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  checkBrowserProof: () => checkBrowserProof,
+  checkCapsule: () => checkCapsule,
+  checkDeviceTrust: () => checkDeviceTrust,
+  checkIntentPolicy: () => checkIntentPolicy,
+  checkLoginChallenge: () => checkLoginChallenge,
+  checkReplayProtection: () => checkReplayProtection,
+  checkSession: () => checkSession,
+  checkTickAuth: () => checkTickAuth,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
@@ -157,10 +179,17 @@ __export(index_exports, {
   encodeTLVs: () => encodeTLVs,
   encodeVarint: () => encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getRequiredAuthLevel: () => getRequiredAuthLevel,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
   isAdminOpcode: () => isAdminOpcode,
+  isCapsuleTerminal: () => isCapsuleTerminal,
+  isDeviceTerminal: () => isDeviceTerminal,
   isKnownOpcode: () => isKnownOpcode,
+  isLoginChallengeTerminal: () => isLoginChallengeTerminal,
+  isNestFlowIntent: () => isNestFlowIntent,
+  isSessionTerminal: () => isSessionTerminal,
+  isTickAuthTerminal: () => isTickAuthTerminal,
   isTimestampValid: () => isTimestampValid,
   nonce16: () => nonce16,
   normalizeSensorDecision: () => normalizeSensorDecision,
@@ -171,6 +200,7 @@ __export(index_exports, {
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
   parseScope: () => parseScope,
   resolveTimeout: () => resolveTimeout,
+  satisfiesAuthLevel: () => satisfiesAuthLevel,
   sensitivityName: () => sensitivityName,
   sha256: () => sha256,
   signFrame: () => signFrame,
@@ -180,7 +210,13 @@ __export(index_exports, {
   unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
   utf8: () => utf8,
+  validateCapsuleTransition: () => validateCapsuleTransition,
+  validateDeviceTransition: () => validateDeviceTransition,
   validateFrameShape: () => validateFrameShape,
+  validateLoginChallengeTransition: () => validateLoginChallengeTransition,
+  validateSessionTransition: () => validateSessionTransition,
+  validateTickAuthTransition: () => validateTickAuthTransition,
+  validateTrustLinkTransition: () => validateTrustLinkTransition,
   varintLength: () => varintLength,
   varintU: () => varintU,
   verifyFrameSignature: () => verifyFrameSignature
@@ -1536,10 +1572,10 @@ function tlv(type, value) {
   ]);
 }
 function buildTLVs(items, opts) {
-  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const allow2 = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
   const sorted = [...items].sort((a, b) => a.type - b.type);
   for (let i = 1; i < sorted.length; i++) {
-    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
+    if (sorted[i].type === sorted[i - 1].type && !allow2.has(sorted[i].type)) {
       throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
     }
   }
@@ -2109,6 +2145,20 @@ var INTENT_REQUIREMENTS = {
   "passport.revoke": ["write", "witness"],
   "stream.publish": ["write"],
   "stream.subscribe": ["read"],
+  // NestFlow intents
+  "auth.web.login.*": ["execute"],
+  "tickauth.challenge.*": ["execute"],
+  "capsule.issue.*": ["write", "execute"],
+  "session.*": ["execute"],
+  "device.list": ["read"],
+  "device.rename": ["write"],
+  "device.trust.*": ["write", "execute"],
+  "device.revoke": ["write", "execute"],
+  "identity.*": ["admin", "execute"],
+  "primary.device.*": ["admin", "execute"],
+  "secret.rotate": ["admin"],
+  "org.security.*": ["admin"],
+  "production.execution.*": ["admin", "execute"],
   "admin.*": ["admin"]
 };
@@ -2130,13 +2180,29 @@ var AXIS_OPCODES = /* @__PURE__ */ new Set([
   "INTENT.EXEC",
   "ACTOR.KEY.ROTATE",
   "ACTOR.KEY.REVOKE",
-  "ISSUER.KEY.ROTATE"
+  "ISSUER.KEY.ROTATE",
+  // NestFlow opcodes
+  "AUTH.WEB.LOGIN",
+  "AUTH.WEB.SCAN",
+  "TICKAUTH.CREATE",
+  "TICKAUTH.FULFILL",
+  "TICKAUTH.REJECT",
+  "SESSION.ACTIVATE",
+  "SESSION.REFRESH",
+  "SESSION.LOGOUT",
+  "DEVICE.TRUST",
+  "DEVICE.PROMOTE",
+  "DEVICE.REVOKE",
+  "DEVICE.LIST",
+  "DEVICE.RENAME",
+  "IDENTITY.RECOVERY",
+  "IDENTITY.LOCK"
 ]);
 function isKnownOpcode(op) {
   return AXIS_OPCODES.has(op);
 }
 function isAdminOpcode(op) {
-  return op.startsWith("ACTOR.KEY.") || op.startsWith("ISSUER.KEY.");
+  return op.startsWith("ACTOR.KEY.") || op.startsWith("ISSUER.KEY.") || op.startsWith("IDENTITY.");
 }
 // src/core/receipt.ts
@@ -2186,7 +2252,42 @@ var INTENT_SENSITIVITY_MAP = {
   // Admin intents
   "admin.create_capsule": 4 /* CRITICAL */,
   "admin.revoke_capsule": 4 /* CRITICAL */,
-  "admin.issue_node_cert": 4 /* CRITICAL */
+  "admin.issue_node_cert": 4 /* CRITICAL */,
+  // NestFlow: Auth
+  "auth.web.login.request": 2 /* MEDIUM */,
+  "auth.web.login.scan": 3 /* HIGH */,
+  // NestFlow: TickAuth
+  "tickauth.challenge.create": 2 /* MEDIUM */,
+  "tickauth.challenge.fulfill": 3 /* HIGH */,
+  "tickauth.challenge.reject": 2 /* MEDIUM */,
+  // NestFlow: Capsule issuance
+  "capsule.issue.login": 3 /* HIGH */,
+  "capsule.issue.device_registration": 3 /* HIGH */,
+  "capsule.issue.step_up": 3 /* HIGH */,
+  "capsule.issue.recovery": 4 /* CRITICAL */,
+  // NestFlow: Session
+  "session.activate": 3 /* HIGH */,
+  "session.refresh": 2 /* MEDIUM */,
+  "session.logout": 1 /* LOW */,
+  // NestFlow: Device trust
+  "device.trust.request": 3 /* HIGH */,
+  "device.trust.promote": 4 /* CRITICAL */,
+  "device.revoke": 4 /* CRITICAL */,
+  "device.list": 1 /* LOW */,
+  "device.rename": 1 /* LOW */,
+  // NestFlow: Protected operations
+  "flow.publish": 2 /* MEDIUM */,
+  "flow.delete": 3 /* HIGH */,
+  "node.delete": 4 /* CRITICAL */,
+  "secret.rotate": 4 /* CRITICAL */,
+  "org.security.update": 4 /* CRITICAL */,
+  "production.execution.approve": 4 /* CRITICAL */,
+  // NestFlow: Recovery
+  "identity.recovery.start": 4 /* CRITICAL */,
+  "identity.recovery.complete": 4 /* CRITICAL */,
+  "primary.device.rotate": 4 /* CRITICAL */,
+  "identity.lock": 4 /* CRITICAL */,
+  "identity.unlock": 4 /* CRITICAL */
 };
 function classifyIntent(intent) {
   if (INTENT_SENSITIVITY_MAP[intent]) {
@@ -2284,6 +2385,425 @@ function isTimestampValid(ts, skewSeconds = 120) {
   const diff = Math.abs(now - ts);
   return diff <= skewSeconds;
 }
+// src/nestflow/types.ts
+var DeviceType = /* @__PURE__ */ ((DeviceType2) => {
+  DeviceType2["MOBILE"] = "mobile";
+  DeviceType2["BROWSER"] = "browser";
+  DeviceType2["CLI"] = "cli";
+  DeviceType2["SERVICE"] = "service";
+  return DeviceType2;
+})(DeviceType || {});
+var DeviceTrustLevel = /* @__PURE__ */ ((DeviceTrustLevel2) => {
+  DeviceTrustLevel2["PRIMARY"] = "primary";
+  DeviceTrustLevel2["TRUSTED"] = "trusted";
+  DeviceTrustLevel2["EPHEMERAL"] = "ephemeral";
+  return DeviceTrustLevel2;
+})(DeviceTrustLevel || {});
+var DeviceStatus = /* @__PURE__ */ ((DeviceStatus2) => {
+  DeviceStatus2["ACTIVE"] = "active";
+  DeviceStatus2["REVOKED"] = "revoked";
+  DeviceStatus2["SUSPENDED"] = "suspended";
+  return DeviceStatus2;
+})(DeviceStatus || {});
+var LoginChallengeStatus = /* @__PURE__ */ ((LoginChallengeStatus3) => {
+  LoginChallengeStatus3["PENDING"] = "pending";
+  LoginChallengeStatus3["SCANNED"] = "scanned";
+  LoginChallengeStatus3["APPROVED"] = "approved";
+  LoginChallengeStatus3["REJECTED"] = "rejected";
+  LoginChallengeStatus3["EXPIRED"] = "expired";
+  return LoginChallengeStatus3;
+})(LoginChallengeStatus || {});
+var TickAuthChallengeStatus = /* @__PURE__ */ ((TickAuthChallengeStatus2) => {
+  TickAuthChallengeStatus2["PENDING"] = "pending";
+  TickAuthChallengeStatus2["FULFILLED"] = "fulfilled";
+  TickAuthChallengeStatus2["REJECTED"] = "rejected";
+  TickAuthChallengeStatus2["EXPIRED"] = "expired";
+  return TickAuthChallengeStatus2;
+})(TickAuthChallengeStatus || {});
+var NestFlowCapsuleType = /* @__PURE__ */ ((NestFlowCapsuleType2) => {
+  NestFlowCapsuleType2["LOGIN"] = "login";
+  NestFlowCapsuleType2["DEVICE_REGISTRATION"] = "device_registration";
+  NestFlowCapsuleType2["STEP_UP"] = "step_up";
+  NestFlowCapsuleType2["RECOVERY"] = "recovery";
+  return NestFlowCapsuleType2;
+})(NestFlowCapsuleType || {});
+var CapsuleStatus = /* @__PURE__ */ ((CapsuleStatus2) => {
+  CapsuleStatus2["ACTIVE"] = "active";
+  CapsuleStatus2["CONSUMED"] = "consumed";
+  CapsuleStatus2["REVOKED"] = "revoked";
+  CapsuleStatus2["EXPIRED"] = "expired";
+  return CapsuleStatus2;
+})(CapsuleStatus || {});
+var SessionStatus = /* @__PURE__ */ ((SessionStatus2) => {
+  SessionStatus2["ACTIVE"] = "active";
+  SessionStatus2["EXPIRED"] = "expired";
+  SessionStatus2["REVOKED"] = "revoked";
+  return SessionStatus2;
+})(SessionStatus || {});
+var TrustLinkType = /* @__PURE__ */ ((TrustLinkType2) => {
+  TrustLinkType2["LOGIN"] = "login";
+  TrustLinkType2["PROMOTION"] = "promotion";
+  TrustLinkType2["RECOVERY"] = "recovery";
+  return TrustLinkType2;
+})(TrustLinkType || {});
+var TrustLinkStatus = /* @__PURE__ */ ((TrustLinkStatus2) => {
+  TrustLinkStatus2["ACTIVE"] = "active";
+  TrustLinkStatus2["REVOKED"] = "revoked";
+  return TrustLinkStatus2;
+})(TrustLinkStatus || {});
+var AuthLevel = /* @__PURE__ */ ((AuthLevel2) => {
+  AuthLevel2["SESSION"] = "session";
+  AuthLevel2["SESSION_BROWSER"] = "session_browser";
+  AuthLevel2["STEP_UP"] = "step_up";
+  AuthLevel2["PRIMARY_DEVICE"] = "primary_device";
+  return AuthLevel2;
+})(AuthLevel || {});
+// src/nestflow/intents.ts
+var NESTFLOW_INTENTS = {
+  // Auth
+  AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request",
+  AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan",
+  // TickAuth
+  TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create",
+  TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill",
+  TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject",
+  // Capsule
+  CAPSULE_ISSUE_LOGIN: "capsule.issue.login",
+  CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration",
+  CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up",
+  CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery",
+  // Session
+  SESSION_ACTIVATE: "session.activate",
+  SESSION_REFRESH: "session.refresh",
+  SESSION_LOGOUT: "session.logout",
+  // Device Trust
+  DEVICE_TRUST_REQUEST: "device.trust.request",
+  DEVICE_TRUST_PROMOTE: "device.trust.promote",
+  DEVICE_REVOKE: "device.revoke",
+  DEVICE_LIST: "device.list",
+  DEVICE_RENAME: "device.rename",
+  // Protected Operations
+  FLOW_PUBLISH: "flow.publish",
+  FLOW_DELETE: "flow.delete",
+  NODE_DELETE: "node.delete",
+  SECRET_ROTATE: "secret.rotate",
+  ORG_SECURITY_UPDATE: "org.security.update",
+  PRODUCTION_EXECUTION_APPROVE: "production.execution.approve",
+  // Recovery
+  IDENTITY_RECOVERY_START: "identity.recovery.start",
+  IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete",
+  PRIMARY_DEVICE_ROTATE: "primary.device.rotate",
+  IDENTITY_LOCK: "identity.lock",
+  IDENTITY_UNLOCK: "identity.unlock"
+};
+var NESTFLOW_INTENT_SET = new Set(
+  Object.values(NESTFLOW_INTENTS)
+);
+function isNestFlowIntent(intent) {
+  return NESTFLOW_INTENT_SET.has(intent);
+}
+// src/nestflow/policy-map.ts
+var NESTFLOW_POLICY_MAP = {
+  // Auth — unauthenticated initiator (session issued after)
+  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_REQUEST]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_SCAN]: "primary_device" /* PRIMARY_DEVICE */,
+  // TickAuth — primary device handles challenges
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_CREATE]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_FULFILL]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_REJECT]: "primary_device" /* PRIMARY_DEVICE */,
+  // Capsule issuance — varies per type
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_LOGIN]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_DEVICE_REGISTRATION]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_STEP_UP]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.CAPSULE_ISSUE_RECOVERY]: "primary_device" /* PRIMARY_DEVICE */,
+  // Session management
+  [NESTFLOW_INTENTS.SESSION_ACTIVATE]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.SESSION_REFRESH]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.SESSION_LOGOUT]: "session" /* SESSION */,
+  // Device trust management
+  [NESTFLOW_INTENTS.DEVICE_TRUST_REQUEST]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.DEVICE_TRUST_PROMOTE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.DEVICE_REVOKE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.DEVICE_LIST]: "session" /* SESSION */,
+  [NESTFLOW_INTENTS.DEVICE_RENAME]: "session_browser" /* SESSION_BROWSER */,
+  // Protected operations — require step-up auth
+  [NESTFLOW_INTENTS.FLOW_PUBLISH]: "session_browser" /* SESSION_BROWSER */,
+  [NESTFLOW_INTENTS.FLOW_DELETE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.NODE_DELETE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.SECRET_ROTATE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.ORG_SECURITY_UPDATE]: "step_up" /* STEP_UP */,
+  [NESTFLOW_INTENTS.PRODUCTION_EXECUTION_APPROVE]: "step_up" /* STEP_UP */,
+  // Recovery — highest privilege
+  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_START]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_COMPLETE]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.PRIMARY_DEVICE_ROTATE]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_LOCK]: "primary_device" /* PRIMARY_DEVICE */,
+  [NESTFLOW_INTENTS.IDENTITY_UNLOCK]: "primary_device" /* PRIMARY_DEVICE */
+};
+function getRequiredAuthLevel(intent) {
+  return NESTFLOW_POLICY_MAP[intent];
+}
+var AUTH_LEVEL_ORDER = [
+  "session" /* SESSION */,
+  "session_browser" /* SESSION_BROWSER */,
+  "step_up" /* STEP_UP */,
+  "primary_device" /* PRIMARY_DEVICE */
+];
+function satisfiesAuthLevel(provided, required) {
+  const providedIdx = AUTH_LEVEL_ORDER.indexOf(provided);
+  const requiredIdx = AUTH_LEVEL_ORDER.indexOf(required);
+  return providedIdx >= requiredIdx;
+}
+// src/nestflow/guards.ts
+var allow = () => ({ allowed: true });
+var deny = (reason) => ({ allowed: false, reason });
+function checkIntentPolicy(intent, currentAuthLevel) {
+  const required = getRequiredAuthLevel(intent);
+  if (!required) {
+    return allow();
+  }
+  if (satisfiesAuthLevel(currentAuthLevel, required)) {
+    return allow();
+  }
+  return {
+    allowed: false,
+    reason: `Intent '${intent}' requires auth level '${required}', got '${currentAuthLevel}'`,
+    step_up_intent: required === "step_up" /* STEP_UP */ ? intent : void 0
+  };
+}
+function checkSession(session) {
+  if (!session) {
+    return deny("No session found");
+  }
+  if (session.status !== "active" /* ACTIVE */) {
+    return deny(`Session status is '${session.status}', expected 'active'`);
+  }
+  if (new Date(session.expires_at).getTime() < Date.now()) {
+    return deny("Session has expired");
+  }
+  return allow();
+}
+function checkBrowserProof(proof, expectedNonce) {
+  if (!proof) {
+    return deny("Browser proof-of-possession required but not provided");
+  }
+  if (!proof.server_nonce || !proof.signature || !proof.signature_algorithm) {
+    return deny("Browser proof is missing required fields");
+  }
+  if (proof.server_nonce !== expectedNonce) {
+    return deny("Browser proof nonce does not match expected server nonce");
+  }
+  return allow();
+}
+var TRUST_ORDER = [
+  "ephemeral" /* EPHEMERAL */,
+  "trusted" /* TRUSTED */,
+  "primary" /* PRIMARY */
+];
+function checkDeviceTrust(device, minimumTrust) {
+  if (!device) {
+    return deny("Device not found");
+  }
+  if (device.status !== "active" /* ACTIVE */) {
+    return deny(`Device status is '${device.status}', expected 'active'`);
+  }
+  const deviceIdx = TRUST_ORDER.indexOf(device.trust_level);
+  const requiredIdx = TRUST_ORDER.indexOf(minimumTrust);
+  if (deviceIdx < requiredIdx) {
+    return deny(
+      `Device trust level '${device.trust_level}' does not meet minimum '${minimumTrust}'`
+    );
+  }
+  return allow();
+}
+function checkCapsule(capsule, intent, requestingDeviceUid) {
+  if (!capsule) {
+    return deny("Capsule not found");
+  }
+  if (capsule.status !== "active" /* ACTIVE */) {
+    return deny(`Capsule status is '${capsule.status}', expected 'active'`);
+  }
+  if (new Date(capsule.expires_at).getTime() < Date.now()) {
+    return deny("Capsule has expired");
+  }
+  const intentAllowed = capsule.intents.some((pattern) => {
+    if (pattern === "*") return true;
+    if (pattern === intent) return true;
+    if (pattern.endsWith(".*")) {
+      return intent.startsWith(pattern.slice(0, -1));
+    }
+    return false;
+  });
+  if (!intentAllowed) {
+    return deny(`Capsule does not authorize intent '${intent}'`);
+  }
+  if (capsule.device_uid && requestingDeviceUid && capsule.device_uid !== requestingDeviceUid) {
+    return deny("Capsule is bound to a different device");
+  }
+  return allow();
+}
+function checkLoginChallenge(challenge, expectedStatus) {
+  if (!challenge) {
+    return deny("Login challenge not found");
+  }
+  if (new Date(challenge.expires_at).getTime() < Date.now()) {
+    return deny("Login challenge has expired");
+  }
+  if (challenge.status !== expectedStatus) {
+    return deny(
+      `Login challenge status is '${challenge.status}', expected '${expectedStatus}'`
+    );
+  }
+  return allow();
+}
+function checkTickAuth(challenge) {
+  if (!challenge) {
+    return deny("TickAuth challenge not found");
+  }
+  if (challenge.status !== "pending" /* PENDING */) {
+    return deny(
+      `TickAuth challenge status is '${challenge.status}', expected 'pending'`
+    );
+  }
+  const now = Date.now();
+  const start = new Date(challenge.tick_window.start).getTime();
+  const end = new Date(challenge.tick_window.end).getTime();
+  if (now < start || now > end) {
+    return deny("TickAuth challenge is outside its tick window");
+  }
+  return allow();
+}
+async function checkReplayProtection(nonce, store, windowMs = 5 * 60 * 1e3) {
+  if (!nonce) {
+    return deny("Nonce is required for replay protection");
+  }
+  const seen = await store.has(nonce);
+  if (seen) {
+    return deny("Nonce has already been used (replay detected)");
+  }
+  await store.add(nonce, new Date(Date.now() + windowMs));
+  return allow();
+}
+// src/nestflow/invariants.ts
+var LOGIN_CHALLENGE_TRANSITIONS = {
+  ["pending" /* PENDING */]: [
+    "scanned" /* SCANNED */,
+    "expired" /* EXPIRED */
+  ],
+  ["scanned" /* SCANNED */]: [
+    "approved" /* APPROVED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ],
+  ["approved" /* APPROVED */]: [],
+  ["rejected" /* REJECTED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var TICKAUTH_TRANSITIONS = {
+  ["pending" /* PENDING */]: [
+    "fulfilled" /* FULFILLED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ],
+  ["fulfilled" /* FULFILLED */]: [],
+  ["rejected" /* REJECTED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var CAPSULE_TRANSITIONS = {
+  ["active" /* ACTIVE */]: [
+    "consumed" /* CONSUMED */,
+    "revoked" /* REVOKED */,
+    "expired" /* EXPIRED */
+  ],
+  ["consumed" /* CONSUMED */]: [],
+  ["revoked" /* REVOKED */]: [],
+  ["expired" /* EXPIRED */]: []
+};
+var SESSION_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["expired" /* EXPIRED */, "revoked" /* REVOKED */],
+  ["expired" /* EXPIRED */]: [],
+  ["revoked" /* REVOKED */]: []
+};
+var DEVICE_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["suspended" /* SUSPENDED */, "revoked" /* REVOKED */],
+  ["suspended" /* SUSPENDED */]: ["active" /* ACTIVE */, "revoked" /* REVOKED */],
+  ["revoked" /* REVOKED */]: []
+};
+var TRUST_LINK_TRANSITIONS = {
+  ["active" /* ACTIVE */]: ["revoked" /* REVOKED */],
+  ["revoked" /* REVOKED */]: []
+};
+function checkTransition(entity, transitions, from, to) {
+  const allowed = transitions[from];
+  if (!allowed) {
+    return {
+      valid: false,
+      reason: `${entity}: unknown current state '${from}'`
+    };
+  }
+  if (!allowed.includes(to)) {
+    return {
+      valid: false,
+      reason: `${entity}: invalid transition '${from}' \u2192 '${to}'. Allowed: [${allowed.join(", ")}]`
+    };
+  }
+  return { valid: true };
+}
+function validateLoginChallengeTransition(from, to) {
+  return checkTransition(
+    "LoginChallenge",
+    LOGIN_CHALLENGE_TRANSITIONS,
+    from,
+    to
+  );
+}
+function validateTickAuthTransition(from, to) {
+  return checkTransition("TickAuthChallenge", TICKAUTH_TRANSITIONS, from, to);
+}
+function validateCapsuleTransition(from, to) {
+  return checkTransition("Capsule", CAPSULE_TRANSITIONS, from, to);
+}
+function validateSessionTransition(from, to) {
+  return checkTransition("Session", SESSION_TRANSITIONS, from, to);
+}
+function validateDeviceTransition(from, to) {
+  return checkTransition("Device", DEVICE_TRANSITIONS, from, to);
+}
+function validateTrustLinkTransition(from, to) {
+  return checkTransition("TrustLink", TRUST_LINK_TRANSITIONS, from, to);
+}
+function isLoginChallengeTerminal(status) {
+  return [
+    "approved" /* APPROVED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isTickAuthTerminal(status) {
+  return [
+    "fulfilled" /* FULFILLED */,
+    "rejected" /* REJECTED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isCapsuleTerminal(status) {
+  return [
+    "consumed" /* CONSUMED */,
+    "revoked" /* REVOKED */,
+    "expired" /* EXPIRED */
+  ].includes(status);
+}
+function isSessionTerminal(status) {
+  return ["expired" /* EXPIRED */, "revoked" /* REVOKED */].includes(status);
+}
+function isDeviceTerminal(status) {
+  return status === "revoked" /* REVOKED */;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
@@ -2292,14 +2812,19 @@ function isTimestampValid(ts, skewSeconds = 120) {
   AXIS_OPCODES,
   AXIS_VERSION,
   Ats1Codec,
+  AuthLevel,
   AxisFrameZ,
   AxisPacketTags,
   BodyProfile,
   CAPABILITIES,
+  CapsuleStatus,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
+  DeviceStatus,
+  DeviceTrustLevel,
+  DeviceType,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2318,6 +2843,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
   Intent,
   IntentRouter,
   IntentSensitivity,
+  LoginChallengeStatus,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2332,6 +2858,10 @@ function isTimestampValid(ts, skewSeconds = 120) {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
+  NESTFLOW_INTENTS,
+  NESTFLOW_INTENT_SET,
+  NESTFLOW_POLICY_MAP,
+  NestFlowCapsuleType,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -2346,6 +2876,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
+  SessionStatus,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,
@@ -2377,6 +2908,9 @@ function isTimestampValid(ts, skewSeconds = 120) {
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
+  TickAuthChallengeStatus,
+  TrustLinkStatus,
+  TrustLinkType,
   axis1SigningBytes,
   b64urlDecode,
   b64urlDecodeString,
@@ -2390,6 +2924,14 @@ function isTimestampValid(ts, skewSeconds = 120) {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  checkBrowserProof,
+  checkCapsule,
+  checkDeviceTrust,
+  checkIntentPolicy,
+  checkLoginChallenge,
+  checkReplayProtection,
+  checkSession,
+  checkTickAuth,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -2406,10 +2948,17 @@ function isTimestampValid(ts, skewSeconds = 120) {
   encodeTLVs,
   encodeVarint,
   generateEd25519KeyPair,
+  getRequiredAuthLevel,
   getSignTarget,
   hasScope,
   isAdminOpcode,
+  isCapsuleTerminal,
+  isDeviceTerminal,
   isKnownOpcode,
+  isLoginChallengeTerminal,
+  isNestFlowIntent,
+  isSessionTerminal,
+  isTickAuthTerminal,
   isTimestampValid,
   nonce16,
   normalizeSensorDecision,
@@ -2420,6 +2969,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
   packPasskeyRegisterOptionsReq,
   parseScope,
   resolveTimeout,
+  satisfiesAuthLevel,
   sensitivityName,
   sha256,
   signFrame,
@@ -2429,7 +2979,13 @@ function isTimestampValid(ts, skewSeconds = 120) {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
+  validateCapsuleTransition,
+  validateDeviceTransition,
   validateFrameShape,
+  validateLoginChallengeTransition,
+  validateSessionTransition,
+  validateTickAuthTransition,
+  validateTrustLinkTransition,
   varintLength,
   varintU,
   verifyFrameSignature