@nextera.one/axis-server-sdk 0.9.3 → 1.0.0

package/dist/index.d.mts

@@ -335,7 +335,7 @@ interface AxisCapsuleConstraints {
     sessionIdLock?: string;
     nonceRequired?: boolean;
 }
-interface TickWindow$1 {
+interface TickWindow {
     start: number;
     end: number;
 }
@@ -352,7 +352,7 @@ interface AxisCapsulePayload {
     iat: number;
     nbf?: number;
     exp: number;
-    tickWindow?: TickWindow$1;
+    tickWindow?: TickWindow;
     mode: CapsuleMode;
     maxUses: number;
     nonceSeed?: string;
@@ -681,246 +681,4 @@ interface IntentDefinition {
 declare function validateFrameShape(frame: any): boolean;
 declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
 
-declare enum DeviceType {
-    MOBILE = "mobile",
-    BROWSER = "browser",
-    CLI = "cli",
-    SERVICE = "service"
-}
-declare enum DeviceTrustLevel {
-    PRIMARY = "primary",
-    TRUSTED = "trusted",
-    EPHEMERAL = "ephemeral"
-}
-declare enum DeviceStatus {
-    ACTIVE = "active",
-    REVOKED = "revoked",
-    SUSPENDED = "suspended"
-}
-interface DeviceRecord {
-    device_uid: string;
-    user_uid: string;
-    name: string;
-    type: DeviceType;
-    trust_level: DeviceTrustLevel;
-    status: DeviceStatus;
-    public_key: string;
-    key_algorithm: string;
-    created_at: string;
-    last_seen_at?: string;
-    revoked_at?: string;
-    revoked_reason?: string;
-}
-declare enum LoginChallengeStatus {
-    PENDING = "pending",
-    SCANNED = "scanned",
-    APPROVED = "approved",
-    REJECTED = "rejected",
-    EXPIRED = "expired"
-}
-interface LoginChallengeRecord {
-    challenge_uid: string;
-    status: LoginChallengeStatus;
-    browser_public_key: string;
-    browser_key_algorithm: string;
-    browser_label?: string;
-    requested_trust: DeviceTrustLevel;
-    origin?: string;
-    qr_hash: string;
-    created_at: string;
-    expires_at: string;
-    scanned_at?: string;
-    scanned_by_device_uid?: string;
-    approved_at?: string;
-}
-declare enum TickAuthChallengeStatus {
-    PENDING = "pending",
-    FULFILLED = "fulfilled",
-    REJECTED = "rejected",
-    EXPIRED = "expired"
-}
-interface TickWindow {
-    start: string;
-    end: string;
-}
-interface TickAuthChallengeRecord {
-    challenge_uid: string;
-    login_challenge_uid?: string;
-    status: TickAuthChallengeStatus;
-    tick_window: TickWindow;
-    purpose: string;
-    payload_hash?: string;
-    fulfilled_at?: string;
-    fulfilled_by_device_uid?: string;
-}
-declare enum NestFlowCapsuleType {
-    LOGIN = "login",
-    DEVICE_REGISTRATION = "device_registration",
-    STEP_UP = "step_up",
-    RECOVERY = "recovery"
-}
-declare enum CapsuleStatus {
-    ACTIVE = "active",
-    CONSUMED = "consumed",
-    REVOKED = "revoked",
-    EXPIRED = "expired"
-}
-interface NestFlowCapsuleScope {
-    type: NestFlowCapsuleType;
-    intents: string[];
-    device_uid?: string;
-    login_challenge_uid?: string;
-}
-declare enum SessionStatus {
-    ACTIVE = "active",
-    EXPIRED = "expired",
-    REVOKED = "revoked"
-}
-interface SessionRecord {
-    session_uid: string;
-    user_uid: string;
-    device_uid: string;
-    capsule_uid: string;
-    status: SessionStatus;
-    issued_at: string;
-    expires_at: string;
-    last_refreshed_at?: string;
-    revoked_at?: string;
-    revoked_reason?: string;
-}
-declare enum TrustLinkType {
-    LOGIN = "login",
-    PROMOTION = "promotion",
-    RECOVERY = "recovery"
-}
-declare enum TrustLinkStatus {
-    ACTIVE = "active",
-    REVOKED = "revoked"
-}
-interface DeviceTrustLinkRecord {
-    link_uid: string;
-    issuer_device_uid: string;
-    target_device_uid: string;
-    type: TrustLinkType;
-    status: TrustLinkStatus;
-    issued_at: string;
-    revoked_at?: string;
-}
-declare enum AuthLevel {
-    SESSION = "session",
-    SESSION_BROWSER = "session_browser",
-    STEP_UP = "step_up",
-    PRIMARY_DEVICE = "primary_device"
-}
-interface BrowserProof {
-    server_nonce: string;
-    signature: string;
-    signature_algorithm: string;
-}
-
-declare const NESTFLOW_INTENTS: {
-    readonly AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request";
-    readonly AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan";
-    readonly TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create";
-    readonly TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill";
-    readonly TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject";
-    readonly CAPSULE_ISSUE_LOGIN: "capsule.issue.login";
-    readonly CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration";
-    readonly CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up";
-    readonly CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery";
-    readonly SESSION_ACTIVATE: "session.activate";
-    readonly SESSION_REFRESH: "session.refresh";
-    readonly SESSION_LOGOUT: "session.logout";
-    readonly DEVICE_TRUST_REQUEST: "device.trust.request";
-    readonly DEVICE_TRUST_PROMOTE: "device.trust.promote";
-    readonly DEVICE_REVOKE: "device.revoke";
-    readonly DEVICE_LIST: "device.list";
-    readonly DEVICE_RENAME: "device.rename";
-    readonly FLOW_PUBLISH: "flow.publish";
-    readonly FLOW_DELETE: "flow.delete";
-    readonly NODE_DELETE: "node.delete";
-    readonly SECRET_ROTATE: "secret.rotate";
-    readonly ORG_SECURITY_UPDATE: "org.security.update";
-    readonly PRODUCTION_EXECUTION_APPROVE: "production.execution.approve";
-    readonly IDENTITY_RECOVERY_START: "identity.recovery.start";
-    readonly IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete";
-    readonly PRIMARY_DEVICE_ROTATE: "primary.device.rotate";
-    readonly IDENTITY_LOCK: "identity.lock";
-    readonly IDENTITY_UNLOCK: "identity.unlock";
-};
-type NestFlowIntent = (typeof NESTFLOW_INTENTS)[keyof typeof NESTFLOW_INTENTS];
-declare const NESTFLOW_INTENT_SET: Set<string>;
-declare function isNestFlowIntent(intent: string): boolean;
-
-declare const NESTFLOW_POLICY_MAP: Record<string, AuthLevel>;
-declare function getRequiredAuthLevel(intent: string): AuthLevel | undefined;
-declare function satisfiesAuthLevel(provided: AuthLevel, required: AuthLevel): boolean;
-
-interface GuardResult {
-    allowed: boolean;
-    reason?: string;
-    step_up_intent?: string;
-}
-declare function checkIntentPolicy(intent: string, currentAuthLevel: AuthLevel): GuardResult;
-interface SessionContext {
-    session_uid: string;
-    status: SessionStatus;
-    expires_at: string;
-    device_uid: string;
-    user_uid: string;
-}
-declare function checkSession(session: SessionContext | null): GuardResult;
-declare function checkBrowserProof(proof: BrowserProof | null | undefined, expectedNonce: string): GuardResult;
-interface DeviceContext {
-    device_uid: string;
-    trust_level: DeviceTrustLevel;
-    status: DeviceStatus;
-}
-declare function checkDeviceTrust(device: DeviceContext | null, minimumTrust: DeviceTrustLevel): GuardResult;
-interface CapsuleContext {
-    capsule_uid: string;
-    status: CapsuleStatus;
-    type: string;
-    intents: string[];
-    device_uid?: string;
-    expires_at: string;
-}
-declare function checkCapsule(capsule: CapsuleContext | null, intent: string, requestingDeviceUid?: string): GuardResult;
-interface LoginChallengeContext {
-    challenge_uid: string;
-    status: LoginChallengeStatus;
-    expires_at: string;
-}
-declare function checkLoginChallenge(challenge: LoginChallengeContext | null, expectedStatus: LoginChallengeStatus): GuardResult;
-interface TickAuthContext {
-    challenge_uid: string;
-    status: TickAuthChallengeStatus;
-    tick_window: {
-        start: string;
-        end: string;
-    };
-}
-declare function checkTickAuth(challenge: TickAuthContext | null): GuardResult;
-interface NonceStore {
-    has(nonce: string): Promise<boolean>;
-    add(nonce: string, expiresAt: Date): Promise<void>;
-}
-declare function checkReplayProtection(nonce: string, store: NonceStore, windowMs?: number): Promise<GuardResult>;
-
-interface TransitionResult {
-    valid: boolean;
-    reason?: string;
-}
-declare function validateLoginChallengeTransition(from: LoginChallengeStatus, to: LoginChallengeStatus): TransitionResult;
-declare function validateTickAuthTransition(from: TickAuthChallengeStatus, to: TickAuthChallengeStatus): TransitionResult;
-declare function validateCapsuleTransition(from: CapsuleStatus, to: CapsuleStatus): TransitionResult;
-declare function validateSessionTransition(from: SessionStatus, to: SessionStatus): TransitionResult;
-declare function validateDeviceTransition(from: DeviceStatus, to: DeviceStatus): TransitionResult;
-declare function validateTrustLinkTransition(from: TrustLinkStatus, to: TrustLinkStatus): TransitionResult;
-declare function isLoginChallengeTerminal(status: LoginChallengeStatus): boolean;
-declare function isTickAuthTerminal(status: TickAuthChallengeStatus): boolean;
-declare function isCapsuleTerminal(status: CapsuleStatus): boolean;
-declare function isSessionTerminal(status: SessionStatus): boolean;
-declare function isDeviceTerminal(status: DeviceStatus): boolean;
-
-export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, AuthLevel, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, type BrowserProof, CAPABILITIES, type Capability, type CapsuleContext, type CapsuleMode, CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type DeviceContext, type DeviceRecord, DeviceStatus, DeviceTrustLevel, type DeviceTrustLinkRecord, DeviceType, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type GuardResult, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, type LoginChallengeContext, type LoginChallengeRecord, LoginChallengeStatus, NESTFLOW_INTENTS, NESTFLOW_INTENT_SET, NESTFLOW_POLICY_MAP, type NestFlowCapsuleScope, NestFlowCapsuleType, type NestFlowIntent, type NonceStore, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type SessionContext, type SessionRecord, SessionStatus, type TickAuthChallengeRecord, TickAuthChallengeStatus, type TickAuthContext, type TickWindow, type TransitionResult, TrustLinkStatus, TrustLinkType, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, checkBrowserProof, checkCapsule, checkDeviceTrust, checkIntentPolicy, checkLoginChallenge, checkReplayProtection, checkSession, checkTickAuth, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, getRequiredAuthLevel, hasScope, isAdminOpcode, isCapsuleTerminal, isDeviceTerminal, isKnownOpcode, isLoginChallengeTerminal, isNestFlowIntent, isSessionTerminal, isTickAuthTerminal, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, satisfiesAuthLevel, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateCapsuleTransition, validateDeviceTransition, validateFrameShape, validateLoginChallengeTransition, validateSessionTransition, validateTickAuthTransition, validateTrustLinkTransition, varintU };
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, CAPABILITIES, type Capability, type CapsuleMode, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, hasScope, isAdminOpcode, isKnownOpcode, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateFrameShape, varintU };

package/dist/index.d.ts

@@ -335,7 +335,7 @@ interface AxisCapsuleConstraints {
     sessionIdLock?: string;
     nonceRequired?: boolean;
 }
-interface TickWindow$1 {
+interface TickWindow {
     start: number;
     end: number;
 }
@@ -352,7 +352,7 @@ interface AxisCapsulePayload {
     iat: number;
     nbf?: number;
     exp: number;
-    tickWindow?: TickWindow$1;
+    tickWindow?: TickWindow;
     mode: CapsuleMode;
     maxUses: number;
     nonceSeed?: string;
@@ -681,246 +681,4 @@ interface IntentDefinition {
 declare function validateFrameShape(frame: any): boolean;
 declare function isTimestampValid(ts: number, skewSeconds?: number): boolean;
 
-declare enum DeviceType {
-    MOBILE = "mobile",
-    BROWSER = "browser",
-    CLI = "cli",
-    SERVICE = "service"
-}
-declare enum DeviceTrustLevel {
-    PRIMARY = "primary",
-    TRUSTED = "trusted",
-    EPHEMERAL = "ephemeral"
-}
-declare enum DeviceStatus {
-    ACTIVE = "active",
-    REVOKED = "revoked",
-    SUSPENDED = "suspended"
-}
-interface DeviceRecord {
-    device_uid: string;
-    user_uid: string;
-    name: string;
-    type: DeviceType;
-    trust_level: DeviceTrustLevel;
-    status: DeviceStatus;
-    public_key: string;
-    key_algorithm: string;
-    created_at: string;
-    last_seen_at?: string;
-    revoked_at?: string;
-    revoked_reason?: string;
-}
-declare enum LoginChallengeStatus {
-    PENDING = "pending",
-    SCANNED = "scanned",
-    APPROVED = "approved",
-    REJECTED = "rejected",
-    EXPIRED = "expired"
-}
-interface LoginChallengeRecord {
-    challenge_uid: string;
-    status: LoginChallengeStatus;
-    browser_public_key: string;
-    browser_key_algorithm: string;
-    browser_label?: string;
-    requested_trust: DeviceTrustLevel;
-    origin?: string;
-    qr_hash: string;
-    created_at: string;
-    expires_at: string;
-    scanned_at?: string;
-    scanned_by_device_uid?: string;
-    approved_at?: string;
-}
-declare enum TickAuthChallengeStatus {
-    PENDING = "pending",
-    FULFILLED = "fulfilled",
-    REJECTED = "rejected",
-    EXPIRED = "expired"
-}
-interface TickWindow {
-    start: string;
-    end: string;
-}
-interface TickAuthChallengeRecord {
-    challenge_uid: string;
-    login_challenge_uid?: string;
-    status: TickAuthChallengeStatus;
-    tick_window: TickWindow;
-    purpose: string;
-    payload_hash?: string;
-    fulfilled_at?: string;
-    fulfilled_by_device_uid?: string;
-}
-declare enum NestFlowCapsuleType {
-    LOGIN = "login",
-    DEVICE_REGISTRATION = "device_registration",
-    STEP_UP = "step_up",
-    RECOVERY = "recovery"
-}
-declare enum CapsuleStatus {
-    ACTIVE = "active",
-    CONSUMED = "consumed",
-    REVOKED = "revoked",
-    EXPIRED = "expired"
-}
-interface NestFlowCapsuleScope {
-    type: NestFlowCapsuleType;
-    intents: string[];
-    device_uid?: string;
-    login_challenge_uid?: string;
-}
-declare enum SessionStatus {
-    ACTIVE = "active",
-    EXPIRED = "expired",
-    REVOKED = "revoked"
-}
-interface SessionRecord {
-    session_uid: string;
-    user_uid: string;
-    device_uid: string;
-    capsule_uid: string;
-    status: SessionStatus;
-    issued_at: string;
-    expires_at: string;
-    last_refreshed_at?: string;
-    revoked_at?: string;
-    revoked_reason?: string;
-}
-declare enum TrustLinkType {
-    LOGIN = "login",
-    PROMOTION = "promotion",
-    RECOVERY = "recovery"
-}
-declare enum TrustLinkStatus {
-    ACTIVE = "active",
-    REVOKED = "revoked"
-}
-interface DeviceTrustLinkRecord {
-    link_uid: string;
-    issuer_device_uid: string;
-    target_device_uid: string;
-    type: TrustLinkType;
-    status: TrustLinkStatus;
-    issued_at: string;
-    revoked_at?: string;
-}
-declare enum AuthLevel {
-    SESSION = "session",
-    SESSION_BROWSER = "session_browser",
-    STEP_UP = "step_up",
-    PRIMARY_DEVICE = "primary_device"
-}
-interface BrowserProof {
-    server_nonce: string;
-    signature: string;
-    signature_algorithm: string;
-}
-
-declare const NESTFLOW_INTENTS: {
-    readonly AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request";
-    readonly AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan";
-    readonly TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create";
-    readonly TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill";
-    readonly TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject";
-    readonly CAPSULE_ISSUE_LOGIN: "capsule.issue.login";
-    readonly CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration";
-    readonly CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up";
-    readonly CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery";
-    readonly SESSION_ACTIVATE: "session.activate";
-    readonly SESSION_REFRESH: "session.refresh";
-    readonly SESSION_LOGOUT: "session.logout";
-    readonly DEVICE_TRUST_REQUEST: "device.trust.request";
-    readonly DEVICE_TRUST_PROMOTE: "device.trust.promote";
-    readonly DEVICE_REVOKE: "device.revoke";
-    readonly DEVICE_LIST: "device.list";
-    readonly DEVICE_RENAME: "device.rename";
-    readonly FLOW_PUBLISH: "flow.publish";
-    readonly FLOW_DELETE: "flow.delete";
-    readonly NODE_DELETE: "node.delete";
-    readonly SECRET_ROTATE: "secret.rotate";
-    readonly ORG_SECURITY_UPDATE: "org.security.update";
-    readonly PRODUCTION_EXECUTION_APPROVE: "production.execution.approve";
-    readonly IDENTITY_RECOVERY_START: "identity.recovery.start";
-    readonly IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete";
-    readonly PRIMARY_DEVICE_ROTATE: "primary.device.rotate";
-    readonly IDENTITY_LOCK: "identity.lock";
-    readonly IDENTITY_UNLOCK: "identity.unlock";
-};
-type NestFlowIntent = (typeof NESTFLOW_INTENTS)[keyof typeof NESTFLOW_INTENTS];
-declare const NESTFLOW_INTENT_SET: Set<string>;
-declare function isNestFlowIntent(intent: string): boolean;
-
-declare const NESTFLOW_POLICY_MAP: Record<string, AuthLevel>;
-declare function getRequiredAuthLevel(intent: string): AuthLevel | undefined;
-declare function satisfiesAuthLevel(provided: AuthLevel, required: AuthLevel): boolean;
-
-interface GuardResult {
-    allowed: boolean;
-    reason?: string;
-    step_up_intent?: string;
-}
-declare function checkIntentPolicy(intent: string, currentAuthLevel: AuthLevel): GuardResult;
-interface SessionContext {
-    session_uid: string;
-    status: SessionStatus;
-    expires_at: string;
-    device_uid: string;
-    user_uid: string;
-}
-declare function checkSession(session: SessionContext | null): GuardResult;
-declare function checkBrowserProof(proof: BrowserProof | null | undefined, expectedNonce: string): GuardResult;
-interface DeviceContext {
-    device_uid: string;
-    trust_level: DeviceTrustLevel;
-    status: DeviceStatus;
-}
-declare function checkDeviceTrust(device: DeviceContext | null, minimumTrust: DeviceTrustLevel): GuardResult;
-interface CapsuleContext {
-    capsule_uid: string;
-    status: CapsuleStatus;
-    type: string;
-    intents: string[];
-    device_uid?: string;
-    expires_at: string;
-}
-declare function checkCapsule(capsule: CapsuleContext | null, intent: string, requestingDeviceUid?: string): GuardResult;
-interface LoginChallengeContext {
-    challenge_uid: string;
-    status: LoginChallengeStatus;
-    expires_at: string;
-}
-declare function checkLoginChallenge(challenge: LoginChallengeContext | null, expectedStatus: LoginChallengeStatus): GuardResult;
-interface TickAuthContext {
-    challenge_uid: string;
-    status: TickAuthChallengeStatus;
-    tick_window: {
-        start: string;
-        end: string;
-    };
-}
-declare function checkTickAuth(challenge: TickAuthContext | null): GuardResult;
-interface NonceStore {
-    has(nonce: string): Promise<boolean>;
-    add(nonce: string, expiresAt: Date): Promise<void>;
-}
-declare function checkReplayProtection(nonce: string, store: NonceStore, windowMs?: number): Promise<GuardResult>;
-
-interface TransitionResult {
-    valid: boolean;
-    reason?: string;
-}
-declare function validateLoginChallengeTransition(from: LoginChallengeStatus, to: LoginChallengeStatus): TransitionResult;
-declare function validateTickAuthTransition(from: TickAuthChallengeStatus, to: TickAuthChallengeStatus): TransitionResult;
-declare function validateCapsuleTransition(from: CapsuleStatus, to: CapsuleStatus): TransitionResult;
-declare function validateSessionTransition(from: SessionStatus, to: SessionStatus): TransitionResult;
-declare function validateDeviceTransition(from: DeviceStatus, to: DeviceStatus): TransitionResult;
-declare function validateTrustLinkTransition(from: TrustLinkStatus, to: TrustLinkStatus): TransitionResult;
-declare function isLoginChallengeTerminal(status: LoginChallengeStatus): boolean;
-declare function isTickAuthTerminal(status: TickAuthChallengeStatus): boolean;
-declare function isCapsuleTerminal(status: CapsuleStatus): boolean;
-declare function isSessionTerminal(status: SessionStatus): boolean;
-declare function isDeviceTerminal(status: DeviceStatus): boolean;
-
-export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, AuthLevel, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, type BrowserProof, CAPABILITIES, type Capability, type CapsuleContext, type CapsuleMode, CapsuleStatus, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type DeviceContext, type DeviceRecord, DeviceStatus, DeviceTrustLevel, type DeviceTrustLinkRecord, DeviceType, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type GuardResult, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, type LoginChallengeContext, type LoginChallengeRecord, LoginChallengeStatus, NESTFLOW_INTENTS, NESTFLOW_INTENT_SET, NESTFLOW_POLICY_MAP, type NestFlowCapsuleScope, NestFlowCapsuleType, type NestFlowIntent, type NonceStore, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, type SessionContext, type SessionRecord, SessionStatus, type TickAuthChallengeRecord, TickAuthChallengeStatus, type TickAuthContext, type TickWindow, type TransitionResult, TrustLinkStatus, TrustLinkType, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, checkBrowserProof, checkCapsule, checkDeviceTrust, checkIntentPolicy, checkLoginChallenge, checkReplayProtection, checkSession, checkTickAuth, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, getRequiredAuthLevel, hasScope, isAdminOpcode, isCapsuleTerminal, isDeviceTerminal, isKnownOpcode, isLoginChallengeTerminal, isNestFlowIntent, isSessionTerminal, isTickAuthTerminal, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, satisfiesAuthLevel, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateCapsuleTransition, validateDeviceTransition, validateFrameShape, validateLoginChallengeTransition, validateSessionTransition, validateTickAuthTransition, validateTrustLinkTransition, varintU };
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCrudHandler, type AxisEffect, type AxisHandler, type AxisHandlerInit, type AxisAlg as AxisJsonAlg, type AxisFrame as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, type AxisPostSensor, type AxisPreSensor, type AxisRequestContext, type AxisSensor, type AxisSensorInit, type AxisSig$1 as AxisSig, CAPABILITIES, type Capability, type CapsuleMode, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, Handler, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_TIMEOUTS, Intent, type IntentDefinition, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, type KeyStatus, PROOF_CAPABILITIES, type ReceiptEffect, RiskDecision, type RiskEvaluation, type RiskSignal, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, type SensorDecision, SensorDecisions, type SensorInput, type SensorMinifiedDecision, type SensorPhaseMetadata, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildPacket, buildReceiptHash, buildTLVs, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, classifyIntent, decodeAxis1Frame, encVarint, encodeAxis1Frame, hasScope, isAdminOpcode, isKnownOpcode, isTimestampValid, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseScope, resolveTimeout, sensitivityName, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, validateFrameShape, varintU };