@nextera.one/axis-server-sdk 0.9.3 → 1.1.0

package/dist/index.mjs

@@ -31,20 +31,366 @@ function Handler(intent) {
 
 // src/decorators/intent.decorator.ts
 import "reflect-metadata";
+var INTENT_METADATA_KEY = "axis:intent";
 var INTENT_ROUTES_KEY = "axis:intent_routes";
 function Intent(action, options) {
   return (target, propertyKey) => {
+    Reflect.defineMetadata(
+      INTENT_METADATA_KEY,
+      { intent: action, ...options },
+      target,
+      propertyKey
+    );
     const routes = Reflect.getMetadata(INTENT_ROUTES_KEY, target.constructor) || [];
     routes.push({
       action,
       methodName: propertyKey,
       absolute: options?.absolute,
-      frame: options?.frame
+      frame: options?.frame,
+      kind: options?.kind,
+      bodyProfile: options?.bodyProfile,
+      tlv: options?.tlv,
+      dto: options?.dto
     });
     Reflect.defineMetadata(INTENT_ROUTES_KEY, routes, target.constructor);
   };
 }
 
+// src/decorators/tlv-field.decorator.ts
+import "reflect-metadata";
+var TLV_FIELDS_KEY = "axis:tlv:fields";
+var TLV_VALIDATORS_KEY = "axis:tlv:validators";
+function TlvField(tag, options) {
+  return (target, propertyKey) => {
+    const existing = Reflect.getOwnMetadata(TLV_FIELDS_KEY, target.constructor) || [];
+    existing.push({
+      property: String(propertyKey),
+      tag,
+      options
+    });
+    Reflect.defineMetadata(TLV_FIELDS_KEY, existing, target.constructor);
+  };
+}
+function TlvValidate(validator) {
+  return (target, propertyKey) => {
+    const existing = Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, target.constructor) || [];
+    const prop = String(propertyKey);
+    let entry = existing.find((e) => e.property === prop);
+    if (!entry) {
+      entry = { property: prop, tag: 0, validators: [] };
+      existing.push(entry);
+    }
+    entry.validators.push(validator);
+    Reflect.defineMetadata(TLV_VALIDATORS_KEY, existing, target.constructor);
+  };
+}
+function TlvUtf8Pattern(pattern, message) {
+  return TlvValidate((val, prop) => {
+    const str = new TextDecoder().decode(val);
+    return pattern.test(str) ? null : message || `${prop}: failed pattern check`;
+  });
+}
+function TlvMinLen(min, message) {
+  return TlvValidate((val, prop) => {
+    return val.length >= min ? null : message || `${prop}: too short (${val.length} < ${min})`;
+  });
+}
+function TlvEnum(allowed, message) {
+  const set = new Set(allowed);
+  return TlvValidate((val, prop) => {
+    const str = new TextDecoder().decode(val);
+    return set.has(str) ? null : message || `${prop}: must be one of [${allowed.join(", ")}]`;
+  });
+}
+function TlvRange(min, max, message) {
+  return TlvValidate((val, prop) => {
+    if (val.length !== 8) return `${prop}: u64 must be 8 bytes`;
+    let n = 0n;
+    for (const b of val) n = n << 8n | BigInt(b);
+    if (n < min || n > max) {
+      return message || `${prop}: value ${n} out of range [${min}, ${max}]`;
+    }
+    return null;
+  });
+}
+
+// src/decorators/dto-schema.util.ts
+import "reflect-metadata";
+
+// src/core/varint.ts
+function encodeVarint(value) {
+  if (value < 0) throw new Error("Varint must be unsigned");
+  const bytes2 = [];
+  while (true) {
+    const byte = value & 127;
+    value >>>= 7;
+    if (value === 0) {
+      bytes2.push(byte);
+      break;
+    }
+    bytes2.push(byte | 128);
+  }
+  return new Uint8Array(bytes2);
+}
+function decodeVarint(buf, offset = 0) {
+  let value = 0;
+  let shift = 0;
+  let length = 0;
+  while (true) {
+    if (offset + length >= buf.length) {
+      throw new Error("Varint decode out of bounds");
+    }
+    const byte = buf[offset + length];
+    value += (byte & 127) * Math.pow(2, shift);
+    length++;
+    shift += 7;
+    if ((byte & 128) === 0) {
+      break;
+    }
+    if (length > 8) throw new Error("Varint too large");
+  }
+  return { value, length };
+}
+function varintLength(value) {
+  if (value < 0) throw new Error("Varint must be unsigned");
+  let len = 0;
+  do {
+    value >>>= 7;
+    len++;
+  } while (value !== 0);
+  return len;
+}
+
+// src/core/tlv.ts
+function encodeTLVs(tlvs) {
+  const sorted = [...tlvs].sort((a, b) => a.type - b.type);
+  for (let i = 0; i < sorted.length - 1; i++) {
+    if (sorted[i].type === sorted[i + 1].type) {
+      throw new Error(`Duplicate TLV type: ${sorted[i].type}`);
+    }
+  }
+  let totalSize = 0;
+  for (const t of sorted) {
+    totalSize += varintLength(t.type);
+    totalSize += varintLength(t.value.length);
+    totalSize += t.value.length;
+  }
+  const buf = new Uint8Array(totalSize);
+  let offset = 0;
+  for (const t of sorted) {
+    const typeBytes = encodeVarint(t.type);
+    buf.set(typeBytes, offset);
+    offset += typeBytes.length;
+    const lenBytes = encodeVarint(t.value.length);
+    buf.set(lenBytes, offset);
+    offset += lenBytes.length;
+    buf.set(t.value, offset);
+    offset += t.value.length;
+  }
+  return buf;
+}
+function decodeTLVsList(buf, maxItems = 1024) {
+  const list = [];
+  let offset = 0;
+  while (offset < buf.length) {
+    if (list.length >= maxItems) throw new Error("TLV_LIMIT");
+    const { value: type, length: typeLen } = decodeVarint(buf, offset);
+    offset += typeLen;
+    const { value: len, length: lenLen } = decodeVarint(buf, offset);
+    offset += lenLen;
+    if (offset + len > buf.length) {
+      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
+    }
+    const value = buf.slice(offset, offset + len);
+    list.push({ type, value });
+    offset += len;
+  }
+  return list;
+}
+function decodeTLVs(buf) {
+  const map2 = /* @__PURE__ */ new Map();
+  let offset = 0;
+  let lastType = -1;
+  while (offset < buf.length) {
+    const { value: type, length: typeLen } = decodeVarint(buf, offset);
+    offset += typeLen;
+    if (type <= lastType) {
+      throw new Error(
+        `TLV violation: Unsorted or duplicate type ${type} after ${lastType}`
+      );
+    }
+    lastType = type;
+    const { value: len, length: lenLen } = decodeVarint(buf, offset);
+    offset += lenLen;
+    if (offset + len > buf.length) {
+      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
+    }
+    const value = buf.slice(offset, offset + len);
+    map2.set(type, value);
+    offset += len;
+  }
+  return map2;
+}
+function decodeObject(bytes2, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
+  if (depth > limits.maxDepth) {
+    throw new Error("OBJECT_DEPTH_EXCEEDED");
+  }
+  const map2 = decodeTLVs(bytes2);
+  return map2;
+}
+function decodeArray(bytes2, itemType, maxItems = 256) {
+  const list = decodeTLVsList(bytes2, maxItems);
+  const items = [];
+  for (const tlv2 of list) {
+    if (tlv2.type !== itemType) {
+      throw new Error(`INVALID_ARRAY_ITEM:${tlv2.type}`);
+    }
+    items.push(tlv2.value);
+  }
+  return items;
+}
+
+// src/decorators/dto-schema.util.ts
+function extractDtoSchema(dto) {
+  const fieldMetas = Reflect.getOwnMetadata(TLV_FIELDS_KEY, dto) || [];
+  if (fieldMetas.length === 0) {
+    throw new Error(
+      `DTO class ${dto.name} has no @TlvField decorators \u2014 nothing to validate`
+    );
+  }
+  const tagByProp = /* @__PURE__ */ new Map();
+  const fields = fieldMetas.map((m) => {
+    tagByProp.set(m.property, m.tag);
+    return {
+      name: m.property,
+      tag: m.tag,
+      kind: m.options.kind,
+      required: m.options.required,
+      maxLen: m.options.maxLen,
+      max: m.options.max,
+      scope: m.options.scope
+    };
+  });
+  const validatorMetas = Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, dto) || [];
+  const validators = /* @__PURE__ */ new Map();
+  for (const vm of validatorMetas) {
+    const tag = tagByProp.get(vm.property);
+    if (tag === void 0) {
+      throw new Error(
+        `@TlvValidate on ${dto.name}.${vm.property} but no @TlvField found for that property`
+      );
+    }
+    vm.tag = tag;
+    validators.set(tag, vm.validators);
+  }
+  return { fields, validators };
+}
+function buildDtoDecoder(dto) {
+  const fieldMetas = Reflect.getOwnMetadata(TLV_FIELDS_KEY, dto) || [];
+  if (fieldMetas.length === 0) {
+    throw new Error(
+      `DTO class ${dto.name} has no @TlvField decorators \u2014 cannot build decoder`
+    );
+  }
+  const tagMap = /* @__PURE__ */ new Map();
+  for (const m of fieldMetas) {
+    tagMap.set(m.tag, { property: m.property, kind: m.options.kind });
+  }
+  return (bodyBytes) => {
+    const tlvMap2 = decodeTLVs(new Uint8Array(bodyBytes));
+    const result = {};
+    for (const [tag, raw] of tlvMap2) {
+      const meta = tagMap.get(tag);
+      if (!meta) continue;
+      switch (meta.kind) {
+        case "utf8":
+          result[meta.property] = new TextDecoder().decode(raw);
+          break;
+        case "u64": {
+          let n = 0n;
+          for (let i = 0; i < raw.length; i++) {
+            n = n << 8n | BigInt(raw[i]);
+          }
+          result[meta.property] = n;
+          break;
+        }
+        case "bytes":
+        case "bytes16":
+          result[meta.property] = raw;
+          break;
+        case "bool":
+          result[meta.property] = raw.length > 0 && raw[0] !== 0;
+          break;
+        case "obj":
+        case "arr":
+          result[meta.property] = JSON.parse(new TextDecoder().decode(raw));
+          break;
+        default:
+          result[meta.property] = raw;
+      }
+    }
+    return result;
+  };
+}
+
+// src/base/axis-tlv.dto.ts
+var AxisTlvDto = class {
+};
+
+// src/base/axis-id.dto.ts
+var AxisIdDto = class extends AxisTlvDto {
+};
+__decorateClass([
+  TlvField(1, { kind: "utf8", required: true, maxLen: 128 }),
+  TlvMinLen(1, "id must not be empty")
+], AxisIdDto.prototype, "id", 2);
+
+// src/base/axis-partial-type.ts
+import "reflect-metadata";
+function AxisPartialType(BaseDto) {
+  class PartialDto extends BaseDto {
+  }
+  const fields = Reflect.getOwnMetadata(TLV_FIELDS_KEY, BaseDto) || [];
+  const partialFields = fields.map((f) => ({
+    property: f.property,
+    tag: f.tag,
+    options: { ...f.options, required: false }
+  }));
+  Reflect.defineMetadata(TLV_FIELDS_KEY, partialFields, PartialDto);
+  const validators = Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, BaseDto) || [];
+  if (validators.length > 0) {
+    Reflect.defineMetadata(TLV_VALIDATORS_KEY, [...validators], PartialDto);
+  }
+  Object.defineProperty(PartialDto, "name", {
+    value: `Partial${BaseDto.name}`
+  });
+  return PartialDto;
+}
+
+// src/base/axis-response.dto.ts
+var RESPONSE_TAG_ID = 1;
+var RESPONSE_TAG_CREATED_AT = 2;
+var RESPONSE_TAG_UPDATED_AT = 3;
+var RESPONSE_TAG_CREATED_BY = 4;
+var RESPONSE_TAG_UPDATED_BY = 5;
+var AxisResponseDto = class extends AxisTlvDto {
+};
+__decorateClass([
+  TlvField(RESPONSE_TAG_ID, { kind: "utf8" })
+], AxisResponseDto.prototype, "id", 2);
+__decorateClass([
+  TlvField(RESPONSE_TAG_CREATED_AT, { kind: "u64" })
+], AxisResponseDto.prototype, "created_at", 2);
+__decorateClass([
+  TlvField(RESPONSE_TAG_UPDATED_AT, { kind: "u64" })
+], AxisResponseDto.prototype, "updated_at", 2);
+__decorateClass([
+  TlvField(RESPONSE_TAG_CREATED_BY, { kind: "utf8" })
+], AxisResponseDto.prototype, "created_by", 2);
+__decorateClass([
+  TlvField(RESPONSE_TAG_UPDATED_BY, { kind: "utf8" })
+], AxisResponseDto.prototype, "updated_by", 2);
+
 // src/engine/intent.router.ts
 import { Injectable as Injectable2 } from "@nestjs/common";
 var IntentRouter = class {
@@ -285,139 +631,6 @@ var ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
 var ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
 var ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
 
-// src/core/varint.ts
-function encodeVarint(value) {
-  if (value < 0) throw new Error("Varint must be unsigned");
-  const bytes2 = [];
-  while (true) {
-    const byte = value & 127;
-    value >>>= 7;
-    if (value === 0) {
-      bytes2.push(byte);
-      break;
-    }
-    bytes2.push(byte | 128);
-  }
-  return new Uint8Array(bytes2);
-}
-function decodeVarint(buf, offset = 0) {
-  let value = 0;
-  let shift = 0;
-  let length = 0;
-  while (true) {
-    if (offset + length >= buf.length) {
-      throw new Error("Varint decode out of bounds");
-    }
-    const byte = buf[offset + length];
-    value += (byte & 127) * Math.pow(2, shift);
-    length++;
-    shift += 7;
-    if ((byte & 128) === 0) {
-      break;
-    }
-    if (length > 8) throw new Error("Varint too large");
-  }
-  return { value, length };
-}
-function varintLength(value) {
-  if (value < 0) throw new Error("Varint must be unsigned");
-  let len = 0;
-  do {
-    value >>>= 7;
-    len++;
-  } while (value !== 0);
-  return len;
-}
-
-// src/core/tlv.ts
-function encodeTLVs(tlvs) {
-  const sorted = [...tlvs].sort((a, b) => a.type - b.type);
-  for (let i = 0; i < sorted.length - 1; i++) {
-    if (sorted[i].type === sorted[i + 1].type) {
-      throw new Error(`Duplicate TLV type: ${sorted[i].type}`);
-    }
-  }
-  let totalSize = 0;
-  for (const t of sorted) {
-    totalSize += varintLength(t.type);
-    totalSize += varintLength(t.value.length);
-    totalSize += t.value.length;
-  }
-  const buf = new Uint8Array(totalSize);
-  let offset = 0;
-  for (const t of sorted) {
-    const typeBytes = encodeVarint(t.type);
-    buf.set(typeBytes, offset);
-    offset += typeBytes.length;
-    const lenBytes = encodeVarint(t.value.length);
-    buf.set(lenBytes, offset);
-    offset += lenBytes.length;
-    buf.set(t.value, offset);
-    offset += t.value.length;
-  }
-  return buf;
-}
-function decodeTLVsList(buf, maxItems = 1024) {
-  const list = [];
-  let offset = 0;
-  while (offset < buf.length) {
-    if (list.length >= maxItems) throw new Error("TLV_LIMIT");
-    const { value: type, length: typeLen } = decodeVarint(buf, offset);
-    offset += typeLen;
-    const { value: len, length: lenLen } = decodeVarint(buf, offset);
-    offset += lenLen;
-    if (offset + len > buf.length) {
-      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
-    }
-    const value = buf.slice(offset, offset + len);
-    list.push({ type, value });
-    offset += len;
-  }
-  return list;
-}
-function decodeTLVs(buf) {
-  const map2 = /* @__PURE__ */ new Map();
-  let offset = 0;
-  let lastType = -1;
-  while (offset < buf.length) {
-    const { value: type, length: typeLen } = decodeVarint(buf, offset);
-    offset += typeLen;
-    if (type <= lastType) {
-      throw new Error(
-        `TLV violation: Unsorted or duplicate type ${type} after ${lastType}`
-      );
-    }
-    lastType = type;
-    const { value: len, length: lenLen } = decodeVarint(buf, offset);
-    offset += lenLen;
-    if (offset + len > buf.length) {
-      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
-    }
-    const value = buf.slice(offset, offset + len);
-    map2.set(type, value);
-    offset += len;
-  }
-  return map2;
-}
-function decodeObject(bytes2, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
-  if (depth > limits.maxDepth) {
-    throw new Error("OBJECT_DEPTH_EXCEEDED");
-  }
-  const map2 = decodeTLVs(bytes2);
-  return map2;
-}
-function decodeArray(bytes2, itemType, maxItems = 256) {
-  const list = decodeTLVsList(bytes2, maxItems);
-  const items = [];
-  for (const tlv2 of list) {
-    if (tlv2.type !== itemType) {
-      throw new Error(`INVALID_ARRAY_ITEM:${tlv2.type}`);
-    }
-    items.push(tlv2.value);
-  }
-  return items;
-}
-
 // src/core/signature.ts
 import * as crypto from "crypto";
 
@@ -1368,10 +1581,10 @@ function tlv(type, value) {
   ]);
 }
 function buildTLVs(items, opts) {
-  const allow2 = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
+  const allow = opts?.allowDupTypes ?? /* @__PURE__ */ new Set();
   const sorted = [...items].sort((a, b) => a.type - b.type);
   for (let i = 1; i < sorted.length; i++) {
-    if (sorted[i].type === sorted[i - 1].type && !allow2.has(sorted[i].type)) {
+    if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {
       throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);
     }
   }
@@ -2181,425 +2394,6 @@ function isTimestampValid(ts, skewSeconds = 120) {
   const diff = Math.abs(now - ts);
   return diff <= skewSeconds;
 }
-
-// src/nestflow/types.ts
-var DeviceType = /* @__PURE__ */ ((DeviceType2) => {
-  DeviceType2["MOBILE"] = "mobile";
-  DeviceType2["BROWSER"] = "browser";
-  DeviceType2["CLI"] = "cli";
-  DeviceType2["SERVICE"] = "service";
-  return DeviceType2;
-})(DeviceType || {});
-var DeviceTrustLevel = /* @__PURE__ */ ((DeviceTrustLevel2) => {
-  DeviceTrustLevel2["PRIMARY"] = "primary";
-  DeviceTrustLevel2["TRUSTED"] = "trusted";
-  DeviceTrustLevel2["EPHEMERAL"] = "ephemeral";
-  return DeviceTrustLevel2;
-})(DeviceTrustLevel || {});
-var DeviceStatus = /* @__PURE__ */ ((DeviceStatus2) => {
-  DeviceStatus2["ACTIVE"] = "active";
-  DeviceStatus2["REVOKED"] = "revoked";
-  DeviceStatus2["SUSPENDED"] = "suspended";
-  return DeviceStatus2;
-})(DeviceStatus || {});
-var LoginChallengeStatus = /* @__PURE__ */ ((LoginChallengeStatus3) => {
-  LoginChallengeStatus3["PENDING"] = "pending";
-  LoginChallengeStatus3["SCANNED"] = "scanned";
-  LoginChallengeStatus3["APPROVED"] = "approved";
-  LoginChallengeStatus3["REJECTED"] = "rejected";
-  LoginChallengeStatus3["EXPIRED"] = "expired";
-  return LoginChallengeStatus3;
-})(LoginChallengeStatus || {});
-var TickAuthChallengeStatus = /* @__PURE__ */ ((TickAuthChallengeStatus2) => {
-  TickAuthChallengeStatus2["PENDING"] = "pending";
-  TickAuthChallengeStatus2["FULFILLED"] = "fulfilled";
-  TickAuthChallengeStatus2["REJECTED"] = "rejected";
-  TickAuthChallengeStatus2["EXPIRED"] = "expired";
-  return TickAuthChallengeStatus2;
-})(TickAuthChallengeStatus || {});
-var NestFlowCapsuleType = /* @__PURE__ */ ((NestFlowCapsuleType2) => {
-  NestFlowCapsuleType2["LOGIN"] = "login";
-  NestFlowCapsuleType2["DEVICE_REGISTRATION"] = "device_registration";
-  NestFlowCapsuleType2["STEP_UP"] = "step_up";
-  NestFlowCapsuleType2["RECOVERY"] = "recovery";
-  return NestFlowCapsuleType2;
-})(NestFlowCapsuleType || {});
-var CapsuleStatus = /* @__PURE__ */ ((CapsuleStatus2) => {
-  CapsuleStatus2["ACTIVE"] = "active";
-  CapsuleStatus2["CONSUMED"] = "consumed";
-  CapsuleStatus2["REVOKED"] = "revoked";
-  CapsuleStatus2["EXPIRED"] = "expired";
-  return CapsuleStatus2;
-})(CapsuleStatus || {});
-var SessionStatus = /* @__PURE__ */ ((SessionStatus2) => {
-  SessionStatus2["ACTIVE"] = "active";
-  SessionStatus2["EXPIRED"] = "expired";
-  SessionStatus2["REVOKED"] = "revoked";
-  return SessionStatus2;
-})(SessionStatus || {});
-var TrustLinkType = /* @__PURE__ */ ((TrustLinkType2) => {
-  TrustLinkType2["LOGIN"] = "login";
-  TrustLinkType2["PROMOTION"] = "promotion";
-  TrustLinkType2["RECOVERY"] = "recovery";
-  return TrustLinkType2;
-})(TrustLinkType || {});
-var TrustLinkStatus = /* @__PURE__ */ ((TrustLinkStatus2) => {
-  TrustLinkStatus2["ACTIVE"] = "active";
-  TrustLinkStatus2["REVOKED"] = "revoked";
-  return TrustLinkStatus2;
-})(TrustLinkStatus || {});
-var AuthLevel = /* @__PURE__ */ ((AuthLevel2) => {
-  AuthLevel2["SESSION"] = "session";
-  AuthLevel2["SESSION_BROWSER"] = "session_browser";
-  AuthLevel2["STEP_UP"] = "step_up";
-  AuthLevel2["PRIMARY_DEVICE"] = "primary_device";
-  return AuthLevel2;
-})(AuthLevel || {});
-
-// src/nestflow/intents.ts
-var NESTFLOW_INTENTS = {
-  // Auth
-  AUTH_WEB_LOGIN_REQUEST: "auth.web.login.request",
-  AUTH_WEB_LOGIN_SCAN: "auth.web.login.scan",
-  // TickAuth
-  TICKAUTH_CHALLENGE_CREATE: "tickauth.challenge.create",
-  TICKAUTH_CHALLENGE_FULFILL: "tickauth.challenge.fulfill",
-  TICKAUTH_CHALLENGE_REJECT: "tickauth.challenge.reject",
-  // Capsule
-  CAPSULE_ISSUE_LOGIN: "capsule.issue.login",
-  CAPSULE_ISSUE_DEVICE_REGISTRATION: "capsule.issue.device_registration",
-  CAPSULE_ISSUE_STEP_UP: "capsule.issue.step_up",
-  CAPSULE_ISSUE_RECOVERY: "capsule.issue.recovery",
-  // Session
-  SESSION_ACTIVATE: "session.activate",
-  SESSION_REFRESH: "session.refresh",
-  SESSION_LOGOUT: "session.logout",
-  // Device Trust
-  DEVICE_TRUST_REQUEST: "device.trust.request",
-  DEVICE_TRUST_PROMOTE: "device.trust.promote",
-  DEVICE_REVOKE: "device.revoke",
-  DEVICE_LIST: "device.list",
-  DEVICE_RENAME: "device.rename",
-  // Protected Operations
-  FLOW_PUBLISH: "flow.publish",
-  FLOW_DELETE: "flow.delete",
-  NODE_DELETE: "node.delete",
-  SECRET_ROTATE: "secret.rotate",
-  ORG_SECURITY_UPDATE: "org.security.update",
-  PRODUCTION_EXECUTION_APPROVE: "production.execution.approve",
-  // Recovery
-  IDENTITY_RECOVERY_START: "identity.recovery.start",
-  IDENTITY_RECOVERY_COMPLETE: "identity.recovery.complete",
-  PRIMARY_DEVICE_ROTATE: "primary.device.rotate",
-  IDENTITY_LOCK: "identity.lock",
-  IDENTITY_UNLOCK: "identity.unlock"
-};
-var NESTFLOW_INTENT_SET = new Set(
-  Object.values(NESTFLOW_INTENTS)
-);
-function isNestFlowIntent(intent) {
-  return NESTFLOW_INTENT_SET.has(intent);
-}
-
-// src/nestflow/policy-map.ts
-var NESTFLOW_POLICY_MAP = {
-  // Auth — unauthenticated initiator (session issued after)
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_REQUEST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.AUTH_WEB_LOGIN_SCAN]: "primary_device" /* PRIMARY_DEVICE */,
-  // TickAuth — primary device handles challenges
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_CREATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_FULFILL]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.TICKAUTH_CHALLENGE_REJECT]: "primary_device" /* PRIMARY_DEVICE */,
-  // Capsule issuance — varies per type
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_LOGIN]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_DEVICE_REGISTRATION]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_STEP_UP]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.CAPSULE_ISSUE_RECOVERY]: "primary_device" /* PRIMARY_DEVICE */,
-  // Session management
-  [NESTFLOW_INTENTS.SESSION_ACTIVATE]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.SESSION_REFRESH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.SESSION_LOGOUT]: "session" /* SESSION */,
-  // Device trust management
-  [NESTFLOW_INTENTS.DEVICE_TRUST_REQUEST]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.DEVICE_TRUST_PROMOTE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_REVOKE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.DEVICE_LIST]: "session" /* SESSION */,
-  [NESTFLOW_INTENTS.DEVICE_RENAME]: "session_browser" /* SESSION_BROWSER */,
-  // Protected operations — require step-up auth
-  [NESTFLOW_INTENTS.FLOW_PUBLISH]: "session_browser" /* SESSION_BROWSER */,
-  [NESTFLOW_INTENTS.FLOW_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.NODE_DELETE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.SECRET_ROTATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.ORG_SECURITY_UPDATE]: "step_up" /* STEP_UP */,
-  [NESTFLOW_INTENTS.PRODUCTION_EXECUTION_APPROVE]: "step_up" /* STEP_UP */,
-  // Recovery — highest privilege
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_START]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_RECOVERY_COMPLETE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.PRIMARY_DEVICE_ROTATE]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_LOCK]: "primary_device" /* PRIMARY_DEVICE */,
-  [NESTFLOW_INTENTS.IDENTITY_UNLOCK]: "primary_device" /* PRIMARY_DEVICE */
-};
-function getRequiredAuthLevel(intent) {
-  return NESTFLOW_POLICY_MAP[intent];
-}
-var AUTH_LEVEL_ORDER = [
-  "session" /* SESSION */,
-  "session_browser" /* SESSION_BROWSER */,
-  "step_up" /* STEP_UP */,
-  "primary_device" /* PRIMARY_DEVICE */
-];
-function satisfiesAuthLevel(provided, required) {
-  const providedIdx = AUTH_LEVEL_ORDER.indexOf(provided);
-  const requiredIdx = AUTH_LEVEL_ORDER.indexOf(required);
-  return providedIdx >= requiredIdx;
-}
-
-// src/nestflow/guards.ts
-var allow = () => ({ allowed: true });
-var deny = (reason) => ({ allowed: false, reason });
-function checkIntentPolicy(intent, currentAuthLevel) {
-  const required = getRequiredAuthLevel(intent);
-  if (!required) {
-    return allow();
-  }
-  if (satisfiesAuthLevel(currentAuthLevel, required)) {
-    return allow();
-  }
-  return {
-    allowed: false,
-    reason: `Intent '${intent}' requires auth level '${required}', got '${currentAuthLevel}'`,
-    step_up_intent: required === "step_up" /* STEP_UP */ ? intent : void 0
-  };
-}
-function checkSession(session) {
-  if (!session) {
-    return deny("No session found");
-  }
-  if (session.status !== "active" /* ACTIVE */) {
-    return deny(`Session status is '${session.status}', expected 'active'`);
-  }
-  if (new Date(session.expires_at).getTime() < Date.now()) {
-    return deny("Session has expired");
-  }
-  return allow();
-}
-function checkBrowserProof(proof, expectedNonce) {
-  if (!proof) {
-    return deny("Browser proof-of-possession required but not provided");
-  }
-  if (!proof.server_nonce || !proof.signature || !proof.signature_algorithm) {
-    return deny("Browser proof is missing required fields");
-  }
-  if (proof.server_nonce !== expectedNonce) {
-    return deny("Browser proof nonce does not match expected server nonce");
-  }
-  return allow();
-}
-var TRUST_ORDER = [
-  "ephemeral" /* EPHEMERAL */,
-  "trusted" /* TRUSTED */,
-  "primary" /* PRIMARY */
-];
-function checkDeviceTrust(device, minimumTrust) {
-  if (!device) {
-    return deny("Device not found");
-  }
-  if (device.status !== "active" /* ACTIVE */) {
-    return deny(`Device status is '${device.status}', expected 'active'`);
-  }
-  const deviceIdx = TRUST_ORDER.indexOf(device.trust_level);
-  const requiredIdx = TRUST_ORDER.indexOf(minimumTrust);
-  if (deviceIdx < requiredIdx) {
-    return deny(
-      `Device trust level '${device.trust_level}' does not meet minimum '${minimumTrust}'`
-    );
-  }
-  return allow();
-}
-function checkCapsule(capsule, intent, requestingDeviceUid) {
-  if (!capsule) {
-    return deny("Capsule not found");
-  }
-  if (capsule.status !== "active" /* ACTIVE */) {
-    return deny(`Capsule status is '${capsule.status}', expected 'active'`);
-  }
-  if (new Date(capsule.expires_at).getTime() < Date.now()) {
-    return deny("Capsule has expired");
-  }
-  const intentAllowed = capsule.intents.some((pattern) => {
-    if (pattern === "*") return true;
-    if (pattern === intent) return true;
-    if (pattern.endsWith(".*")) {
-      return intent.startsWith(pattern.slice(0, -1));
-    }
-    return false;
-  });
-  if (!intentAllowed) {
-    return deny(`Capsule does not authorize intent '${intent}'`);
-  }
-  if (capsule.device_uid && requestingDeviceUid && capsule.device_uid !== requestingDeviceUid) {
-    return deny("Capsule is bound to a different device");
-  }
-  return allow();
-}
-function checkLoginChallenge(challenge, expectedStatus) {
-  if (!challenge) {
-    return deny("Login challenge not found");
-  }
-  if (new Date(challenge.expires_at).getTime() < Date.now()) {
-    return deny("Login challenge has expired");
-  }
-  if (challenge.status !== expectedStatus) {
-    return deny(
-      `Login challenge status is '${challenge.status}', expected '${expectedStatus}'`
-    );
-  }
-  return allow();
-}
-function checkTickAuth(challenge) {
-  if (!challenge) {
-    return deny("TickAuth challenge not found");
-  }
-  if (challenge.status !== "pending" /* PENDING */) {
-    return deny(
-      `TickAuth challenge status is '${challenge.status}', expected 'pending'`
-    );
-  }
-  const now = Date.now();
-  const start = new Date(challenge.tick_window.start).getTime();
-  const end = new Date(challenge.tick_window.end).getTime();
-  if (now < start || now > end) {
-    return deny("TickAuth challenge is outside its tick window");
-  }
-  return allow();
-}
-async function checkReplayProtection(nonce, store, windowMs = 5 * 60 * 1e3) {
-  if (!nonce) {
-    return deny("Nonce is required for replay protection");
-  }
-  const seen = await store.has(nonce);
-  if (seen) {
-    return deny("Nonce has already been used (replay detected)");
-  }
-  await store.add(nonce, new Date(Date.now() + windowMs));
-  return allow();
-}
-
-// src/nestflow/invariants.ts
-var LOGIN_CHALLENGE_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "scanned" /* SCANNED */,
-    "expired" /* EXPIRED */
-  ],
-  ["scanned" /* SCANNED */]: [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["approved" /* APPROVED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var TICKAUTH_TRANSITIONS = {
-  ["pending" /* PENDING */]: [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ],
-  ["fulfilled" /* FULFILLED */]: [],
-  ["rejected" /* REJECTED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var CAPSULE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ],
-  ["consumed" /* CONSUMED */]: [],
-  ["revoked" /* REVOKED */]: [],
-  ["expired" /* EXPIRED */]: []
-};
-var SESSION_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["expired" /* EXPIRED */, "revoked" /* REVOKED */],
-  ["expired" /* EXPIRED */]: [],
-  ["revoked" /* REVOKED */]: []
-};
-var DEVICE_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["suspended" /* SUSPENDED */, "revoked" /* REVOKED */],
-  ["suspended" /* SUSPENDED */]: ["active" /* ACTIVE */, "revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-var TRUST_LINK_TRANSITIONS = {
-  ["active" /* ACTIVE */]: ["revoked" /* REVOKED */],
-  ["revoked" /* REVOKED */]: []
-};
-function checkTransition(entity, transitions, from, to) {
-  const allowed = transitions[from];
-  if (!allowed) {
-    return {
-      valid: false,
-      reason: `${entity}: unknown current state '${from}'`
-    };
-  }
-  if (!allowed.includes(to)) {
-    return {
-      valid: false,
-      reason: `${entity}: invalid transition '${from}' \u2192 '${to}'. Allowed: [${allowed.join(", ")}]`
-    };
-  }
-  return { valid: true };
-}
-function validateLoginChallengeTransition(from, to) {
-  return checkTransition(
-    "LoginChallenge",
-    LOGIN_CHALLENGE_TRANSITIONS,
-    from,
-    to
-  );
-}
-function validateTickAuthTransition(from, to) {
-  return checkTransition("TickAuthChallenge", TICKAUTH_TRANSITIONS, from, to);
-}
-function validateCapsuleTransition(from, to) {
-  return checkTransition("Capsule", CAPSULE_TRANSITIONS, from, to);
-}
-function validateSessionTransition(from, to) {
-  return checkTransition("Session", SESSION_TRANSITIONS, from, to);
-}
-function validateDeviceTransition(from, to) {
-  return checkTransition("Device", DEVICE_TRANSITIONS, from, to);
-}
-function validateTrustLinkTransition(from, to) {
-  return checkTransition("TrustLink", TRUST_LINK_TRANSITIONS, from, to);
-}
-function isLoginChallengeTerminal(status) {
-  return [
-    "approved" /* APPROVED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isTickAuthTerminal(status) {
-  return [
-    "fulfilled" /* FULFILLED */,
-    "rejected" /* REJECTED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isCapsuleTerminal(status) {
-  return [
-    "consumed" /* CONSUMED */,
-    "revoked" /* REVOKED */,
-    "expired" /* EXPIRED */
-  ].includes(status);
-}
-function isSessionTerminal(status) {
-  return ["expired" /* EXPIRED */, "revoked" /* REVOKED */].includes(status);
-}
-function isDeviceTerminal(status) {
-  return status === "revoked" /* REVOKED */;
-}
 export {
   ATS1_HDR,
   ATS1_SCHEMA,
@@ -2607,19 +2401,18 @@ export {
   AXIS_OPCODES,
   AXIS_VERSION,
   ats1_exports as Ats1Codec,
-  AuthLevel,
   AxisFrameZ,
+  AxisIdDto,
   T as AxisPacketTags,
+  AxisPartialType,
+  AxisResponseDto,
+  AxisTlvDto,
   BodyProfile,
   CAPABILITIES,
-  CapsuleStatus,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
-  DeviceStatus,
-  DeviceTrustLevel,
-  DeviceType,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2631,6 +2424,7 @@ export {
   FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY,
   Handler,
+  INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS,
   INTENT_ROUTES_KEY,
   INTENT_SENSITIVITY_MAP,
@@ -2638,7 +2432,6 @@ export {
   Intent,
   IntentRouter,
   IntentSensitivity,
-  LoginChallengeStatus,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2653,10 +2446,6 @@ export {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
-  NESTFLOW_INTENTS,
-  NESTFLOW_INTENT_SET,
-  NESTFLOW_POLICY_MAP,
-  NestFlowCapsuleType,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -2665,13 +2454,17 @@ export {
   PROOF_NONE,
   PROOF_WITNESS,
   ProofType,
+  RESPONSE_TAG_CREATED_AT,
+  RESPONSE_TAG_CREATED_BY,
+  RESPONSE_TAG_ID,
+  RESPONSE_TAG_UPDATED_AT,
+  RESPONSE_TAG_UPDATED_BY,
   RiskDecision,
   Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
-  SessionStatus,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,
@@ -2680,6 +2473,7 @@ export {
   TLV_EFFECT,
   TLV_ERROR_CODE,
   TLV_ERROR_MSG,
+  TLV_FIELDS_KEY,
   TLV_INDEX,
   TLV_INTENT,
   TLV_KID,
@@ -2703,15 +2497,20 @@ export {
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
-  TickAuthChallengeStatus,
-  TrustLinkStatus,
-  TrustLinkType,
+  TLV_VALIDATORS_KEY,
+  TlvEnum,
+  TlvField,
+  TlvMinLen,
+  TlvRange,
+  TlvUtf8Pattern,
+  TlvValidate,
   axis1SigningBytes,
   b64urlDecode,
   b64urlDecodeString,
   b64urlEncode,
   b64urlEncodeString,
   buildAts1Hdr,
+  buildDtoDecoder,
   buildPacket,
   buildReceiptHash,
   buildTLVs,
@@ -2719,14 +2518,6 @@ export {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
-  checkBrowserProof,
-  checkCapsule,
-  checkDeviceTrust,
-  checkIntentPolicy,
-  checkLoginChallenge,
-  checkReplayProtection,
-  checkSession,
-  checkTickAuth,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -2742,18 +2533,12 @@ export {
   encodeFrame,
   encodeTLVs,
   encodeVarint,
+  extractDtoSchema,
   generateEd25519KeyPair,
-  getRequiredAuthLevel,
   getSignTarget,
   hasScope,
   isAdminOpcode,
-  isCapsuleTerminal,
-  isDeviceTerminal,
   isKnownOpcode,
-  isLoginChallengeTerminal,
-  isNestFlowIntent,
-  isSessionTerminal,
-  isTickAuthTerminal,
   isTimestampValid,
   nonce16,
   normalizeSensorDecision,
@@ -2764,7 +2549,6 @@ export {
   packPasskeyRegisterOptionsReq,
   parseScope,
   resolveTimeout,
-  satisfiesAuthLevel,
   sensitivityName,
   sha256,
   signFrame,
@@ -2774,13 +2558,7 @@ export {
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
-  validateCapsuleTransition,
-  validateDeviceTransition,
   validateFrameShape,
-  validateLoginChallengeTransition,
-  validateSessionTransition,
-  validateTickAuthTransition,
-  validateTrustLinkTransition,
   varintLength,
   varintU,
   verifyFrameSignature