@nextera.one/axis-server-sdk 0.9.2 → 1.0.0

package/dist/index.mjs

@@ -1368,10 +1368,10 @@ function tlv(type, value) {
   ]);
 }
 function buildTLVs(items, opts) {
-  const allow2 = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
   const sorted = [...items].sort((a, b) => a.type - b.type);
   for (let i = 1; i < sorted.length; i++) {
-    if (sorted[i].type === sorted[i - 1].type && !allow2.has(sorted[i].type)) {
+    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
       throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
     }
   }
@@ -2181,425 +2181,6 @@ function isTimestampValid(ts, skewSeconds = 120) {
   const diff = Math.abs(now - ts);
   return diff <= skewSeconds;
 }
-
-// src/nestflow/types.ts
-var DeviceType = /* @__PURE__ */ ((DeviceType2) => {
-  DeviceType2["MOBILE"] = "mobile";
-  DeviceType2["BROWSER"] = "browser";
-  DeviceType2["CLI"] = "cli";
-  DeviceType2["SERVICE"] = "service";
-  return DeviceType2;
-})(DeviceType || {});
-var DeviceTrustLevel = /* @__PURE__ */ ((DeviceTrustLevel2) => {
-  DeviceTrustLevel2["PRIMARY"] = "primary";
-  DeviceTrustLevel2["TRUSTED"] = "trusted";
-  DeviceTrustLevel2["EPHEMERAL"] = "ephemeral";
-  return DeviceTrustLevel2;
-})(DeviceTrustLevel || {});
-var DeviceStatus = /* @__PURE__ */ ((DeviceStatus2) => {
-  DeviceStatus2["ACTIVE"] = "active";
-  DeviceStatus2["REVOKED"] = "revoked";
-  DeviceStatus2["SUSPENDED"] = "suspended";
-  return DeviceStatus2;
-})(DeviceStatus || {});
-var LoginChallengeStatus = /* @__PURE__ */ ((LoginChallengeStatus3) => {
-  LoginChallengeStatus3["PENDING"] = "pending";
-  LoginChallengeStatus3["SCANNED"] = "scanned";
-  LoginChallengeStatus3["APPROVED"] = "approved";
-  LoginChallengeStatus3["REJECTED"] = "rejected";
-  LoginChallengeStatus3["EXPIRED"] = "expired";
-  return LoginChallengeStatus3;
-})(LoginChallengeStatus || {});
-var TickAuthChallengeStatus = /* @__PURE__ */ ((TickAuthChallengeStatus2) => {
-  TickAuthChallengeStatus2["PENDING"] = "pending";
-  TickAuthChallengeStatus2["FULFILLED"] = "fulfilled";
-  TickAuthChallengeStatus2["REJECTED"] = "rejected";
-  TickAuthChallengeStatus2["EXPIRED"] = "expired";
-  return TickAuthChallengeStatus2;
-})(TickAuthChallengeStatus || {});
-var NestFlowCapsuleType = /* @__PURE__ */ ((NestFlowCapsuleType2) => {
-  NestFlowCapsuleType2["LOGIN"] = "login";
-  NestFlowCapsuleType2["DEVICE_REGISTRATION"] = "device_registration";
-  NestFlowCapsuleType2["STEP_UP"] = "step_up";
-  NestFlowCapsuleType2["RECOVERY"] = "recovery";
-  return NestFlowCapsuleType2;
-})(NestFlowCapsuleType || {});
-var CapsuleStatus = /* @__PURE__ */ ((CapsuleStatus2) => {
-  CapsuleStatus2["ACTIVE"] = "active";
-  CapsuleStatus2["CONSUMED"] = "consumed";
-  CapsuleStatus2["REVOKED"] = "revoked";
-  CapsuleStatus2["EXPIRED"] = "expired";
-  return CapsuleStatus2;
-})(CapsuleStatus || {});
-var SessionStatus = /* @__PURE__ */ ((SessionStatus2) => {
-  SessionStatus2["ACTIVE"] = "active";
-  SessionStatus2["EXPIRED"] = "expired";
-  SessionStatus2["REVOKED"] = "revoked";
-  return SessionStatus2;
-})(SessionStatus || {});
-var TrustLinkType = /* @__PURE__ */ ((TrustLinkType2) => {
-  TrustLinkType2["LOGIN"] = "login";
-  TrustLinkType2["PROMOTION"] = "promotion";
-  TrustLinkType2["RECOVERY"] = "recovery";
-  return TrustLinkType2;
-})(TrustLinkType || {});
-var TrustLinkStatus = /* @__PURE__ */ ((TrustLinkStatus2) => {
-  TrustLinkStatus2["ACTIVE"] = "active";
-  TrustLinkStatus2["REVOKED"] = "revoked";
-  return TrustLinkStatus2;
-})(TrustLinkStatus || {});
-var AuthLevel = /* @__PURE__ */ ((AuthLevel2) => {
-  AuthLevel2["SESSION"] = "session";
-  AuthLevel2["SESSION_BROWSER"] = "session_browser";
-  AuthLevel2["STEP_UP"] = "step_up";
-  AuthLevel2["PRIMARY_DEVICE"] = "primary_device";
-  return AuthLevel2;
-})(AuthLevel || {});
-
-// src/nestflow/intents.ts
-var NESTFLOW_INTENTS = {
-  // Auth
-  AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request",
-  AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan",
-  // TickAuth
-  TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create",
-  TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill",
-  TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject",
-  // Capsule
-  CAPSULE_ISSUE_LOGIN: "capsule.issue.login",
-  CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration",
-  CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up",
-  CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery",
-  // Session
-  SESSION_ACTIVATE: "session.activate",
-  SESSION_REFRESH: "session.refresh",
-  SESSION_LOGOUT: "session.logout",
-  // Device Trust
-  DEVICE_TRUST_REQUEST: "device.trust.request",
-  DEVICE_TRUST_PROMOTE: "device.trust.promote",
-  DEVICE_REVOKE: "device.revoke",
-  DEVICE_LIST: "device.list",
-  DEVICE_RENAME: "device.rename",
-  // Protected Operations
-  FLOW_PUBLISH: "flow.publish",
-  FLOW_DELETE: "flow.delete",
-  NODE_DELETE: "node.delete",
-  SECRET_ROTATE: "secret.rotate",
-  ORG_SECURITY_UPDATE: "org.security.update",
-  PRODUCTION_EXECUTION_APPROVE: "production.execution.approve",
-  // Recovery
-  IDENTITY_RECOVERY_START: "identity.recovery.start",
-  IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete",
-  PRIMARY_DEVICE_ROTATE: "primary.device.rotate",
-  IDENTITY_LOCK: "identity.lock",
-  IDENTITY_UNLOCK: "identity.unlock"
-};
-var NESTFLOW_INTENT_SET = new Set(
-  Object.values(NESTFLOW_INTENTS)
-);
-function isNestFlowIntent(intent) {
-  return NESTFLOW_INTENT_SET.has(intent);
-}
-
-// src/nestflow/policy-map.ts
-var NESTFLOW_POLICY_MAP = {
-  // Auth — unauthenticated initiator (session issued after)
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_REQUEST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_SCAN]: "primary_device" /* PRIMARY_DEVICE */,
-  // TickAuth — primary device handles challenges
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_CREATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_FULFILL]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_REJECT]: "primary_device" /* PRIMARY_DEVICE */,
-  // Capsule issuance — varies per type
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_LOGIN]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_DEVICE_REGISTRATION]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_STEP_UP]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_RECOVERY]: "primary_device" /* PRIMARY_DEVICE */,
-  // Session management
-  [NESTFLOW_INTENTS.SESSION_ACTIVATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.SESSION_REFRESH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.SESSION_LOGOUT]: "session" /* SESSION */,
-  // Device trust management
-  [NESTFLOW_INTENTS.DEVICE_TRUST_REQUEST]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.DEVICE_TRUST_PROMOTE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_REVOKE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_LIST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.DEVICE_RENAME]: "session_browser" /* SESSION_BROWSER */,
-  // Protected operations — require step-up auth
-  [NESTFLOW_INTENTS.FLOW_PUBLISH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.FLOW_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.NODE_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.SECRET_ROTATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.ORG_SECURITY_UPDATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.PRODUCTION_EXECUTION_APPROVE]: "step_up" /* STEP_UP */,
-  // Recovery — highest privilege
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_START]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_COMPLETE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.PRIMARY_DEVICE_ROTATE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_LOCK]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_UNLOCK]: "primary_device" /* PRIMARY_DEVICE */
-};
-function getRequiredAuthLevel(intent) {
-  return NESTFLOW_POLICY_MAP[intent];
-}
-var AUTH_LEVEL_ORDER = [
-  "session" /* SESSION */,
-  "session_browser" /* SESSION_BROWSER */,
-  "step_up" /* STEP_UP */,
-  "primary_device" /* PRIMARY_DEVICE */
-];
-function satisfiesAuthLevel(provided, required) {
-  const providedIdx = AUTH_LEVEL_ORDER.indexOf(provided);
-  const requiredIdx = AUTH_LEVEL_ORDER.indexOf(required);
-  return providedIdx >= requiredIdx;
-}
-
-// src/nestflow/guards.ts
-var allow = () => ({ allowed: true });
-var deny = (reason) => ({ allowed: false, reason });
-function checkIntentPolicy(intent, currentAuthLevel) {
-  const required = getRequiredAuthLevel(intent);
-  if (!required) {
-    return allow();
-  }
-  if (satisfiesAuthLevel(currentAuthLevel, required)) {
-    return allow();
-  }
-  return {
-    allowed: false,
-    reason: `Intent '${intent}' requires auth level '${required}', got '${currentAuthLevel}'`,
-    step_up_intent: required === "step_up" /* STEP_UP */ ? intent : void 0
-  };
-}
-function checkSession(session) {
-  if (!session) {
-    return deny("No session found");
-  }
-  if (session.status !== "active" /* ACTIVE */) {
-    return deny(`Session status is '${session.status}', expected 'active'`);
-  }
-  if (new Date(session.expires_at).getTime() < Date.now()) {
-    return deny("Session has expired");
-  }
-  return allow();
-}
-function checkBrowserProof(proof, expectedNonce) {
-  if (!proof) {
-    return deny("Browser proof-of-possession required but not provided");
-  }
-  if (!proof.server_nonce || !proof.signature || !proof.signature_algorithm) {
-    return deny("Browser proof is missing required fields");
-  }
-  if (proof.server_nonce !== expectedNonce) {
-    return deny("Browser proof nonce does not match expected server nonce");
-  }
-  return allow();
-}
-var TRUST_ORDER = [
-  "ephemeral" /* EPHEMERAL */,
-  "trusted" /* TRUSTED */,
-  "primary" /* PRIMARY */
-];
-function checkDeviceTrust(device, minimumTrust) {
-  if (!device) {
-    return deny("Device not found");
-  }
-  if (device.status !== "active" /* ACTIVE */) {
-    return deny(`Device status is '${device.status}', expected 'active'`);
-  }
-  const deviceIdx = TRUST_ORDER.indexOf(device.trust_level);
-  const requiredIdx = TRUST_ORDER.indexOf(minimumTrust);
-  if (deviceIdx < requiredIdx) {
-    return deny(
-      `Device trust level '${device.trust_level}' does not meet minimum '${minimumTrust}'`
-    );
-  }
-  return allow();
-}
-function checkCapsule(capsule, intent, requestingDeviceUid) {
-  if (!capsule) {
-    return deny("Capsule not found");
-  }
-  if (capsule.status !== "active" /* ACTIVE */) {
-    return deny(`Capsule status is '${capsule.status}', expected 'active'`);
-  }
-  if (new Date(capsule.expires_at).getTime() < Date.now()) {
-    return deny("Capsule has expired");
-  }
-  const intentAllowed = capsule.intents.some((pattern) => {
-    if (pattern === "*") return true;
-    if (pattern === intent) return true;
-    if (pattern.endsWith(".*")) {
-      return intent.startsWith(pattern.slice(0, -1));
-    }
-    return false;
-  });
-  if (!intentAllowed) {
-    return deny(`Capsule does not authorize intent '${intent}'`);
-  }
-  if (capsule.device_uid && requestingDeviceUid && capsule.device_uid !== requestingDeviceUid) {
-    return deny("Capsule is bound to a different device");
-  }
-  return allow();
-}
-function checkLoginChallenge(challenge, expectedStatus) {
-  if (!challenge) {
-    return deny("Login challenge not found");
-  }
-  if (new Date(challenge.expires_at).getTime() < Date.now()) {
-    return deny("Login challenge has expired");
-  }
-  if (challenge.status !== expectedStatus) {
-    return deny(
-      `Login challenge status is '${challenge.status}', expected '${expectedStatus}'`
-    );
-  }
-  return allow();
-}
-function checkTickAuth(challenge) {
-  if (!challenge) {
-    return deny("TickAuth challenge not found");
-  }
-  if (challenge.status !== "pending" /* PENDING */) {
-    return deny(
-      `TickAuth challenge status is '${challenge.status}', expected 'pending'`
-    );
-  }
-  const now = Date.now();
-  const start = new Date(challenge.tick_window.start).getTime();
-  const end = new Date(challenge.tick_window.end).getTime();
-  if (now < start || now > end) {
-    return deny("TickAuth challenge is outside its tick window");
-  }
-  return allow();
-}
-async function checkReplayProtection(nonce, store, windowMs = 5 * 60 * 1e3) {
-  if (!nonce) {
-    return deny("Nonce is required for replay protection");
-  }
-  const seen = await store.has(nonce);
-  if (seen) {
-    return deny("Nonce has already been used (replay detected)");
-  }
-  await store.add(nonce, new Date(Date.now() + windowMs));
-  return allow();
-}
-
-// src/nestflow/invariants.ts
-var LOGIN_CHALLENGE_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "scanned" /* SCANNED */,
-    "expired" /* EXPIRED */
-  ],
-  ["scanned" /* SCANNED */]: [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["approved" /* APPROVED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var TICKAUTH_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["fulfilled" /* FULFILLED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var CAPSULE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ],
-  ["consumed" /* CONSUMED */]: [],
-  ["revoked" /* REVOKED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var SESSION_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["expired" /* EXPIRED */, "revoked" /* REVOKED */],
-  ["expired" /* EXPIRED */]: [],
-  ["revoked" /* REVOKED */]: []
-};
-var DEVICE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["suspended" /* SUSPENDED */, "revoked" /* REVOKED */],
-  ["suspended" /* SUSPENDED */]: ["active" /* ACTIVE */, "revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-var TRUST_LINK_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-function checkTransition(entity, transitions, from, to) {
-  const allowed = transitions[from];
-  if (!allowed) {
-    return {
-      valid: false,
-      reason: `${entity}: unknown current state '${from}'`
-    };
-  }
-  if (!allowed.includes(to)) {
-    return {
-      valid: false,
-      reason: `${entity}: invalid transition '${from}' \u2192 '${to}'. Allowed: [${allowed.join(", ")}]`
-    };
-  }
-  return { valid: true };
-}
-function validateLoginChallengeTransition(from, to) {
-  return checkTransition(
-    "LoginChallenge",
-    LOGIN_CHALLENGE_TRANSITIONS,
-    from,
-    to
-  );
-}
-function validateTickAuthTransition(from, to) {
-  return checkTransition("TickAuthChallenge", TICKAUTH_TRANSITIONS, from, to);
-}
-function validateCapsuleTransition(from, to) {
-  return checkTransition("Capsule", CAPSULE_TRANSITIONS, from, to);
-}
-function validateSessionTransition(from, to) {
-  return checkTransition("Session", SESSION_TRANSITIONS, from, to);
-}
-function validateDeviceTransition(from, to) {
-  return checkTransition("Device", DEVICE_TRANSITIONS, from, to);
-}
-function validateTrustLinkTransition(from, to) {
-  return checkTransition("TrustLink", TRUST_LINK_TRANSITIONS, from, to);
-}
-function isLoginChallengeTerminal(status) {
-  return [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isTickAuthTerminal(status) {
-  return [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isCapsuleTerminal(status) {
-  return [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isSessionTerminal(status) {
-  return ["expired" /* EXPIRED */, "revoked" /* REVOKED */].includes(status);
-}
-function isDeviceTerminal(status) {
-  return status === "revoked" /* REVOKED */;
-}
 export {
   ATS1_HDR,
   ATS1_SCHEMA,
@@ -2607,19 +2188,14 @@ export {
   AXIS_OPCODES,
   AXIS_VERSION,
   ats1_exports as Ats1Codec,
-  AuthLevel,
   AxisFrameZ,
   T as AxisPacketTags,
   BodyProfile,
   CAPABILITIES,
-  CapsuleStatus,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
-  DeviceStatus,
-  DeviceTrustLevel,
-  DeviceType,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2638,7 +2214,6 @@ export {
   Intent,
   IntentRouter,
   IntentSensitivity,
-  LoginChallengeStatus,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2653,10 +2228,6 @@ export {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
-  NESTFLOW_INTENTS,
-  NESTFLOW_INTENT_SET,
-  NESTFLOW_POLICY_MAP,
-  NestFlowCapsuleType,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -2671,7 +2242,6 @@ export {
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
-  SessionStatus,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,
@@ -2703,9 +2273,6 @@ export {
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
-  TickAuthChallengeStatus,
-  TrustLinkStatus,
-  TrustLinkType,
   axis1SigningBytes,
   b64urlDecode,
   b64urlDecodeString,
@@ -2719,14 +2286,6 @@ export {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
-  checkBrowserProof,
-  checkCapsule,
-  checkDeviceTrust,
-  checkIntentPolicy,
-  checkLoginChallenge,
-  checkReplayProtection,
-  checkSession,
-  checkTickAuth,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -2743,17 +2302,10 @@ export {
   encodeTLVs,
   encodeVarint,
   generateEd25519KeyPair,
-  getRequiredAuthLevel,
   getSignTarget,
   hasScope,
   isAdminOpcode,
-  isCapsuleTerminal,
-  isDeviceTerminal,
   isKnownOpcode,
-  isLoginChallengeTerminal,
-  isNestFlowIntent,
-  isSessionTerminal,
-  isTickAuthTerminal,
   isTimestampValid,
   nonce16,
   normalizeSensorDecision,
@@ -2764,7 +2316,6 @@ export {
   packPasskeyRegisterOptionsReq,
   parseScope,
   resolveTimeout,
-  satisfiesAuthLevel,
   sensitivityName,
   sha256,
   signFrame,
@@ -2774,13 +2325,7 @@ export {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
-  validateCapsuleTransition,
-  validateDeviceTransition,
   validateFrameShape,
-  validateLoginChallengeTransition,
-  validateSessionTransition,
-  validateTickAuthTransition,
-  validateTrustLinkTransition,
   varintLength,
   varintU,
   verifyFrameSignature