@nextera.one/axis-server-sdk 0.9.2 → 1.0.0

package/dist/index.js

@@ -43,19 +43,14 @@ __export(index_exports, {
   AXIS_OPCODES: () => AXIS_OPCODES,
   AXIS_VERSION: () => AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
-  AuthLevel: () => AuthLevel,
   AxisFrameZ: () => AxisFrameZ,
   AxisPacketTags: () => T,
   BodyProfile: () => BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
-  CapsuleStatus: () => CapsuleStatus,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
   Decision: () => Decision,
-  DeviceStatus: () => DeviceStatus,
-  DeviceTrustLevel: () => DeviceTrustLevel,
-  DeviceType: () => DeviceType,
   ERR_BAD_SIGNATURE: () => ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION: () => ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET: () => ERR_INVALID_PACKET,
@@ -74,7 +69,6 @@ __export(index_exports, {
   Intent: () => Intent,
   IntentRouter: () => IntentRouter,
   IntentSensitivity: () => IntentSensitivity,
-  LoginChallengeStatus: () => LoginChallengeStatus,
   MAX_BODY_LEN: () => MAX_BODY_LEN,
   MAX_FRAME_LEN: () => MAX_FRAME_LEN,
   MAX_HDR_LEN: () => MAX_HDR_LEN,
@@ -89,10 +83,6 @@ __export(index_exports, {
   NCERT_PUB: () => NCERT_PUB,
   NCERT_SCOPE: () => NCERT_SCOPE,
   NCERT_SIG: () => NCERT_SIG,
-  NESTFLOW_INTENTS: () => NESTFLOW_INTENTS,
-  NESTFLOW_INTENT_SET: () => NESTFLOW_INTENT_SET,
-  NESTFLOW_POLICY_MAP: () => NESTFLOW_POLICY_MAP,
-  NestFlowCapsuleType: () => NestFlowCapsuleType,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => PROOF_CAPSULE,
   PROOF_JWT: () => PROOF_JWT,
@@ -107,7 +97,6 @@ __export(index_exports, {
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions: () => SensorDecisions,
-  SessionStatus: () => SessionStatus,
   TLV_ACTOR_ID: () => TLV_ACTOR_ID,
   TLV_AUD: () => TLV_AUD,
   TLV_BODY_ARR: () => TLV_BODY_ARR,
@@ -139,9 +128,6 @@ __export(index_exports, {
   TLV_TRACE_ID: () => TLV_TRACE_ID,
   TLV_TS: () => TLV_TS,
   TLV_UPLOAD_ID: () => TLV_UPLOAD_ID,
-  TickAuthChallengeStatus: () => TickAuthChallengeStatus,
-  TrustLinkStatus: () => TrustLinkStatus,
-  TrustLinkType: () => TrustLinkType,
   axis1SigningBytes: () => axis1SigningBytes,
   b64urlDecode: () => b64urlDecode,
   b64urlDecodeString: () => b64urlDecodeString,
@@ -155,14 +141,6 @@ __export(index_exports, {
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
-  checkBrowserProof: () => checkBrowserProof,
-  checkCapsule: () => checkCapsule,
-  checkDeviceTrust: () => checkDeviceTrust,
-  checkIntentPolicy: () => checkIntentPolicy,
-  checkLoginChallenge: () => checkLoginChallenge,
-  checkReplayProtection: () => checkReplayProtection,
-  checkSession: () => checkSession,
-  checkTickAuth: () => checkTickAuth,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
@@ -179,17 +157,10 @@ __export(index_exports, {
   encodeTLVs: () => encodeTLVs,
   encodeVarint: () => encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
-  getRequiredAuthLevel: () => getRequiredAuthLevel,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
   isAdminOpcode: () => isAdminOpcode,
-  isCapsuleTerminal: () => isCapsuleTerminal,
-  isDeviceTerminal: () => isDeviceTerminal,
   isKnownOpcode: () => isKnownOpcode,
-  isLoginChallengeTerminal: () => isLoginChallengeTerminal,
-  isNestFlowIntent: () => isNestFlowIntent,
-  isSessionTerminal: () => isSessionTerminal,
-  isTickAuthTerminal: () => isTickAuthTerminal,
   isTimestampValid: () => isTimestampValid,
   nonce16: () => nonce16,
   normalizeSensorDecision: () => normalizeSensorDecision,
@@ -200,7 +171,6 @@ __export(index_exports, {
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
   parseScope: () => parseScope,
   resolveTimeout: () => resolveTimeout,
-  satisfiesAuthLevel: () => satisfiesAuthLevel,
   sensitivityName: () => sensitivityName,
   sha256: () => sha256,
   signFrame: () => signFrame,
@@ -210,13 +180,7 @@ __export(index_exports, {
   unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
   utf8: () => utf8,
-  validateCapsuleTransition: () => validateCapsuleTransition,
-  validateDeviceTransition: () => validateDeviceTransition,
   validateFrameShape: () => validateFrameShape,
-  validateLoginChallengeTransition: () => validateLoginChallengeTransition,
-  validateSessionTransition: () => validateSessionTransition,
-  validateTickAuthTransition: () => validateTickAuthTransition,
-  validateTrustLinkTransition: () => validateTrustLinkTransition,
   varintLength: () => varintLength,
   varintU: () => varintU,
   verifyFrameSignature: () => verifyFrameSignature
@@ -1572,10 +1536,10 @@ function tlv(type, value) {
   ]);
 }
 function buildTLVs(items, opts) {
-  const allow2 = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
   const sorted = [...items].sort((a, b) => a.type - b.type);
   for (let i = 1; i < sorted.length; i++) {
-    if (sorted[i].type === sorted[i - 1].type && !allow2.has(sorted[i].type)) {
+    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
       throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
     }
   }
@@ -2385,425 +2349,6 @@ function isTimestampValid(ts, skewSeconds = 120) {
   const diff = Math.abs(now - ts);
   return diff <= skewSeconds;
 }
-
-// src/nestflow/types.ts
-var DeviceType = /* @__PURE__ */ ((DeviceType2) => {
-  DeviceType2["MOBILE"] = "mobile";
-  DeviceType2["BROWSER"] = "browser";
-  DeviceType2["CLI"] = "cli";
-  DeviceType2["SERVICE"] = "service";
-  return DeviceType2;
-})(DeviceType || {});
-var DeviceTrustLevel = /* @__PURE__ */ ((DeviceTrustLevel2) => {
-  DeviceTrustLevel2["PRIMARY"] = "primary";
-  DeviceTrustLevel2["TRUSTED"] = "trusted";
-  DeviceTrustLevel2["EPHEMERAL"] = "ephemeral";
-  return DeviceTrustLevel2;
-})(DeviceTrustLevel || {});
-var DeviceStatus = /* @__PURE__ */ ((DeviceStatus2) => {
-  DeviceStatus2["ACTIVE"] = "active";
-  DeviceStatus2["REVOKED"] = "revoked";
-  DeviceStatus2["SUSPENDED"] = "suspended";
-  return DeviceStatus2;
-})(DeviceStatus || {});
-var LoginChallengeStatus = /* @__PURE__ */ ((LoginChallengeStatus3) => {
-  LoginChallengeStatus3["PENDING"] = "pending";
-  LoginChallengeStatus3["SCANNED"] = "scanned";
-  LoginChallengeStatus3["APPROVED"] = "approved";
-  LoginChallengeStatus3["REJECTED"] = "rejected";
-  LoginChallengeStatus3["EXPIRED"] = "expired";
-  return LoginChallengeStatus3;
-})(LoginChallengeStatus || {});
-var TickAuthChallengeStatus = /* @__PURE__ */ ((TickAuthChallengeStatus2) => {
-  TickAuthChallengeStatus2["PENDING"] = "pending";
-  TickAuthChallengeStatus2["FULFILLED"] = "fulfilled";
-  TickAuthChallengeStatus2["REJECTED"] = "rejected";
-  TickAuthChallengeStatus2["EXPIRED"] = "expired";
-  return TickAuthChallengeStatus2;
-})(TickAuthChallengeStatus || {});
-var NestFlowCapsuleType = /* @__PURE__ */ ((NestFlowCapsuleType2) => {
-  NestFlowCapsuleType2["LOGIN"] = "login";
-  NestFlowCapsuleType2["DEVICE_REGISTRATION"] = "device_registration";
-  NestFlowCapsuleType2["STEP_UP"] = "step_up";
-  NestFlowCapsuleType2["RECOVERY"] = "recovery";
-  return NestFlowCapsuleType2;
-})(NestFlowCapsuleType || {});
-var CapsuleStatus = /* @__PURE__ */ ((CapsuleStatus2) => {
-  CapsuleStatus2["ACTIVE"] = "active";
-  CapsuleStatus2["CONSUMED"] = "consumed";
-  CapsuleStatus2["REVOKED"] = "revoked";
-  CapsuleStatus2["EXPIRED"] = "expired";
-  return CapsuleStatus2;
-})(CapsuleStatus || {});
-var SessionStatus = /* @__PURE__ */ ((SessionStatus2) => {
-  SessionStatus2["ACTIVE"] = "active";
-  SessionStatus2["EXPIRED"] = "expired";
-  SessionStatus2["REVOKED"] = "revoked";
-  return SessionStatus2;
-})(SessionStatus || {});
-var TrustLinkType = /* @__PURE__ */ ((TrustLinkType2) => {
-  TrustLinkType2["LOGIN"] = "login";
-  TrustLinkType2["PROMOTION"] = "promotion";
-  TrustLinkType2["RECOVERY"] = "recovery";
-  return TrustLinkType2;
-})(TrustLinkType || {});
-var TrustLinkStatus = /* @__PURE__ */ ((TrustLinkStatus2) => {
-  TrustLinkStatus2["ACTIVE"] = "active";
-  TrustLinkStatus2["REVOKED"] = "revoked";
-  return TrustLinkStatus2;
-})(TrustLinkStatus || {});
-var AuthLevel = /* @__PURE__ */ ((AuthLevel2) => {
-  AuthLevel2["SESSION"] = "session";
-  AuthLevel2["SESSION_BROWSER"] = "session_browser";
-  AuthLevel2["STEP_UP"] = "step_up";
-  AuthLevel2["PRIMARY_DEVICE"] = "primary_device";
-  return AuthLevel2;
-})(AuthLevel || {});
-
-// src/nestflow/intents.ts
-var NESTFLOW_INTENTS = {
-  // Auth
-  AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request",
-  AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan",
-  // TickAuth
-  TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create",
-  TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill",
-  TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject",
-  // Capsule
-  CAPSULE_ISSUE_LOGIN: "capsule.issue.login",
-  CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration",
-  CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up",
-  CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery",
-  // Session
-  SESSION_ACTIVATE: "session.activate",
-  SESSION_REFRESH: "session.refresh",
-  SESSION_LOGOUT: "session.logout",
-  // Device Trust
-  DEVICE_TRUST_REQUEST: "device.trust.request",
-  DEVICE_TRUST_PROMOTE: "device.trust.promote",
-  DEVICE_REVOKE: "device.revoke",
-  DEVICE_LIST: "device.list",
-  DEVICE_RENAME: "device.rename",
-  // Protected Operations
-  FLOW_PUBLISH: "flow.publish",
-  FLOW_DELETE: "flow.delete",
-  NODE_DELETE: "node.delete",
-  SECRET_ROTATE: "secret.rotate",
-  ORG_SECURITY_UPDATE: "org.security.update",
-  PRODUCTION_EXECUTION_APPROVE: "production.execution.approve",
-  // Recovery
-  IDENTITY_RECOVERY_START: "identity.recovery.start",
-  IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete",
-  PRIMARY_DEVICE_ROTATE: "primary.device.rotate",
-  IDENTITY_LOCK: "identity.lock",
-  IDENTITY_UNLOCK: "identity.unlock"
-};
-var NESTFLOW_INTENT_SET = new Set(
-  Object.values(NESTFLOW_INTENTS)
-);
-function isNestFlowIntent(intent) {
-  return NESTFLOW_INTENT_SET.has(intent);
-}
-
-// src/nestflow/policy-map.ts
-var NESTFLOW_POLICY_MAP = {
-  // Auth — unauthenticated initiator (session issued after)
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_REQUEST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_SCAN]: "primary_device" /* PRIMARY_DEVICE */,
-  // TickAuth — primary device handles challenges
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_CREATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_FULFILL]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_REJECT]: "primary_device" /* PRIMARY_DEVICE */,
-  // Capsule issuance — varies per type
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_LOGIN]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_DEVICE_REGISTRATION]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_STEP_UP]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_RECOVERY]: "primary_device" /* PRIMARY_DEVICE */,
-  // Session management
-  [NESTFLOW_INTENTS.SESSION_ACTIVATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.SESSION_REFRESH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.SESSION_LOGOUT]: "session" /* SESSION */,
-  // Device trust management
-  [NESTFLOW_INTENTS.DEVICE_TRUST_REQUEST]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.DEVICE_TRUST_PROMOTE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_REVOKE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_LIST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.DEVICE_RENAME]: "session_browser" /* SESSION_BROWSER */,
-  // Protected operations — require step-up auth
-  [NESTFLOW_INTENTS.FLOW_PUBLISH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.FLOW_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.NODE_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.SECRET_ROTATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.ORG_SECURITY_UPDATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.PRODUCTION_EXECUTION_APPROVE]: "step_up" /* STEP_UP */,
-  // Recovery — highest privilege
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_START]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_COMPLETE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.PRIMARY_DEVICE_ROTATE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_LOCK]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_UNLOCK]: "primary_device" /* PRIMARY_DEVICE */
-};
-function getRequiredAuthLevel(intent) {
-  return NESTFLOW_POLICY_MAP[intent];
-}
-var AUTH_LEVEL_ORDER = [
-  "session" /* SESSION */,
-  "session_browser" /* SESSION_BROWSER */,
-  "step_up" /* STEP_UP */,
-  "primary_device" /* PRIMARY_DEVICE */
-];
-function satisfiesAuthLevel(provided, required) {
-  const providedIdx = AUTH_LEVEL_ORDER.indexOf(provided);
-  const requiredIdx = AUTH_LEVEL_ORDER.indexOf(required);
-  return providedIdx >= requiredIdx;
-}
-
-// src/nestflow/guards.ts
-var allow = () => ({ allowed: true });
-var deny = (reason) => ({ allowed: false, reason });
-function checkIntentPolicy(intent, currentAuthLevel) {
-  const required = getRequiredAuthLevel(intent);
-  if (!required) {
-    return allow();
-  }
-  if (satisfiesAuthLevel(currentAuthLevel, required)) {
-    return allow();
-  }
-  return {
-    allowed: false,
-    reason: `Intent '${intent}' requires auth level '${required}', got '${currentAuthLevel}'`,
-    step_up_intent: required === "step_up" /* STEP_UP */ ? intent : void 0
-  };
-}
-function checkSession(session) {
-  if (!session) {
-    return deny("No session found");
-  }
-  if (session.status !== "active" /* ACTIVE */) {
-    return deny(`Session status is '${session.status}', expected 'active'`);
-  }
-  if (new Date(session.expires_at).getTime() < Date.now()) {
-    return deny("Session has expired");
-  }
-  return allow();
-}
-function checkBrowserProof(proof, expectedNonce) {
-  if (!proof) {
-    return deny("Browser proof-of-possession required but not provided");
-  }
-  if (!proof.server_nonce || !proof.signature || !proof.signature_algorithm) {
-    return deny("Browser proof is missing required fields");
-  }
-  if (proof.server_nonce !== expectedNonce) {
-    return deny("Browser proof nonce does not match expected server nonce");
-  }
-  return allow();
-}
-var TRUST_ORDER = [
-  "ephemeral" /* EPHEMERAL */,
-  "trusted" /* TRUSTED */,
-  "primary" /* PRIMARY */
-];
-function checkDeviceTrust(device, minimumTrust) {
-  if (!device) {
-    return deny("Device not found");
-  }
-  if (device.status !== "active" /* ACTIVE */) {
-    return deny(`Device status is '${device.status}', expected 'active'`);
-  }
-  const deviceIdx = TRUST_ORDER.indexOf(device.trust_level);
-  const requiredIdx = TRUST_ORDER.indexOf(minimumTrust);
-  if (deviceIdx < requiredIdx) {
-    return deny(
-      `Device trust level '${device.trust_level}' does not meet minimum '${minimumTrust}'`
-    );
-  }
-  return allow();
-}
-function checkCapsule(capsule, intent, requestingDeviceUid) {
-  if (!capsule) {
-    return deny("Capsule not found");
-  }
-  if (capsule.status !== "active" /* ACTIVE */) {
-    return deny(`Capsule status is '${capsule.status}', expected 'active'`);
-  }
-  if (new Date(capsule.expires_at).getTime() < Date.now()) {
-    return deny("Capsule has expired");
-  }
-  const intentAllowed = capsule.intents.some((pattern) => {
-    if (pattern === "*") return true;
-    if (pattern === intent) return true;
-    if (pattern.endsWith(".*")) {
-      return intent.startsWith(pattern.slice(0, -1));
-    }
-    return false;
-  });
-  if (!intentAllowed) {
-    return deny(`Capsule does not authorize intent '${intent}'`);
-  }
-  if (capsule.device_uid && requestingDeviceUid && capsule.device_uid !== requestingDeviceUid) {
-    return deny("Capsule is bound to a different device");
-  }
-  return allow();
-}
-function checkLoginChallenge(challenge, expectedStatus) {
-  if (!challenge) {
-    return deny("Login challenge not found");
-  }
-  if (new Date(challenge.expires_at).getTime() < Date.now()) {
-    return deny("Login challenge has expired");
-  }
-  if (challenge.status !== expectedStatus) {
-    return deny(
-      `Login challenge status is '${challenge.status}', expected '${expectedStatus}'`
-    );
-  }
-  return allow();
-}
-function checkTickAuth(challenge) {
-  if (!challenge) {
-    return deny("TickAuth challenge not found");
-  }
-  if (challenge.status !== "pending" /* PENDING */) {
-    return deny(
-      `TickAuth challenge status is '${challenge.status}', expected 'pending'`
-    );
-  }
-  const now = Date.now();
-  const start = new Date(challenge.tick_window.start).getTime();
-  const end = new Date(challenge.tick_window.end).getTime();
-  if (now < start || now > end) {
-    return deny("TickAuth challenge is outside its tick window");
-  }
-  return allow();
-}
-async function checkReplayProtection(nonce, store, windowMs = 5 * 60 * 1e3) {
-  if (!nonce) {
-    return deny("Nonce is required for replay protection");
-  }
-  const seen = await store.has(nonce);
-  if (seen) {
-    return deny("Nonce has already been used (replay detected)");
-  }
-  await store.add(nonce, new Date(Date.now() + windowMs));
-  return allow();
-}
-
-// src/nestflow/invariants.ts
-var LOGIN_CHALLENGE_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "scanned" /* SCANNED */,
-    "expired" /* EXPIRED */
-  ],
-  ["scanned" /* SCANNED */]: [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["approved" /* APPROVED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var TICKAUTH_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["fulfilled" /* FULFILLED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var CAPSULE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ],
-  ["consumed" /* CONSUMED */]: [],
-  ["revoked" /* REVOKED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var SESSION_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["expired" /* EXPIRED */, "revoked" /* REVOKED */],
-  ["expired" /* EXPIRED */]: [],
-  ["revoked" /* REVOKED */]: []
-};
-var DEVICE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["suspended" /* SUSPENDED */, "revoked" /* REVOKED */],
-  ["suspended" /* SUSPENDED */]: ["active" /* ACTIVE */, "revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-var TRUST_LINK_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-function checkTransition(entity, transitions, from, to) {
-  const allowed = transitions[from];
-  if (!allowed) {
-    return {
-      valid: false,
-      reason: `${entity}: unknown current state '${from}'`
-    };
-  }
-  if (!allowed.includes(to)) {
-    return {
-      valid: false,
-      reason: `${entity}: invalid transition '${from}' \u2192 '${to}'. Allowed: [${allowed.join(", ")}]`
-    };
-  }
-  return { valid: true };
-}
-function validateLoginChallengeTransition(from, to) {
-  return checkTransition(
-    "LoginChallenge",
-    LOGIN_CHALLENGE_TRANSITIONS,
-    from,
-    to
-  );
-}
-function validateTickAuthTransition(from, to) {
-  return checkTransition("TickAuthChallenge", TICKAUTH_TRANSITIONS, from, to);
-}
-function validateCapsuleTransition(from, to) {
-  return checkTransition("Capsule", CAPSULE_TRANSITIONS, from, to);
-}
-function validateSessionTransition(from, to) {
-  return checkTransition("Session", SESSION_TRANSITIONS, from, to);
-}
-function validateDeviceTransition(from, to) {
-  return checkTransition("Device", DEVICE_TRANSITIONS, from, to);
-}
-function validateTrustLinkTransition(from, to) {
-  return checkTransition("TrustLink", TRUST_LINK_TRANSITIONS, from, to);
-}
-function isLoginChallengeTerminal(status) {
-  return [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isTickAuthTerminal(status) {
-  return [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isCapsuleTerminal(status) {
-  return [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isSessionTerminal(status) {
-  return ["expired" /* EXPIRED */, "revoked" /* REVOKED */].includes(status);
-}
-function isDeviceTerminal(status) {
-  return status === "revoked" /* REVOKED */;
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
@@ -2812,19 +2357,14 @@ function isDeviceTerminal(status) {
   AXIS_OPCODES,
   AXIS_VERSION,
   Ats1Codec,
-  AuthLevel,
   AxisFrameZ,
   AxisPacketTags,
   BodyProfile,
   CAPABILITIES,
-  CapsuleStatus,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
-  DeviceStatus,
-  DeviceTrustLevel,
-  DeviceType,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2843,7 +2383,6 @@ function isDeviceTerminal(status) {
   Intent,
   IntentRouter,
   IntentSensitivity,
-  LoginChallengeStatus,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2858,10 +2397,6 @@ function isDeviceTerminal(status) {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
-  NESTFLOW_INTENTS,
-  NESTFLOW_INTENT_SET,
-  NESTFLOW_POLICY_MAP,
-  NestFlowCapsuleType,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -2876,7 +2411,6 @@ function isDeviceTerminal(status) {
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
-  SessionStatus,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,
@@ -2908,9 +2442,6 @@ function isDeviceTerminal(status) {
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
-  TickAuthChallengeStatus,
-  TrustLinkStatus,
-  TrustLinkType,
   axis1SigningBytes,
   b64urlDecode,
   b64urlDecodeString,
@@ -2924,14 +2455,6 @@ function isDeviceTerminal(status) {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
-  checkBrowserProof,
-  checkCapsule,
-  checkDeviceTrust,
-  checkIntentPolicy,
-  checkLoginChallenge,
-  checkReplayProtection,
-  checkSession,
-  checkTickAuth,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -2948,17 +2471,10 @@ function isDeviceTerminal(status) {
   encodeTLVs,
   encodeVarint,
   generateEd25519KeyPair,
-  getRequiredAuthLevel,
   getSignTarget,
   hasScope,
   isAdminOpcode,
-  isCapsuleTerminal,
-  isDeviceTerminal,
   isKnownOpcode,
-  isLoginChallengeTerminal,
-  isNestFlowIntent,
-  isSessionTerminal,
-  isTickAuthTerminal,
   isTimestampValid,
   nonce16,
   normalizeSensorDecision,
@@ -2969,7 +2485,6 @@ function isDeviceTerminal(status) {
   packPasskeyRegisterOptionsReq,
   parseScope,
   resolveTimeout,
-  satisfiesAuthLevel,
   sensitivityName,
   sha256,
   signFrame,
@@ -2979,13 +2494,7 @@ function isDeviceTerminal(status) {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
-  validateCapsuleTransition,
-  validateDeviceTransition,
   validateFrameShape,
-  validateLoginChallengeTransition,
-  validateSessionTransition,
-  validateTickAuthTransition,
-  validateTrustLinkTransition,
   varintLength,
   varintU,
   verifyFrameSignature