@nextera.one/axis-server-sdk 1.1.0 → 1.2.1

package/dist/index.mjs

@@ -18,6 +18,7 @@ var __decorateClass = (decorators, target, key, kind) => {
   if (kind && result) __defProp(target, key, result);
   return result;
 };
+var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
 
 // src/decorators/handler.decorator.ts
 import { Injectable, SetMetadata } from "@nestjs/common";
@@ -56,6 +57,24 @@ function Intent(action, options) {
   };
 }
 
+// src/decorators/intent-body.decorator.ts
+import "reflect-metadata";
+var INTENT_BODY_KEY = "axis:intent:body";
+function IntentBody(decoder) {
+  return (target, propertyKey) => {
+    Reflect.defineMetadata(INTENT_BODY_KEY, decoder, target, propertyKey);
+  };
+}
+
+// src/decorators/intent-sensors.decorator.ts
+import "reflect-metadata";
+var INTENT_SENSORS_KEY = "axis:intent:sensors";
+function IntentSensors(sensors) {
+  return (target, propertyKey) => {
+    Reflect.defineMetadata(INTENT_SENSORS_KEY, sensors, target, propertyKey);
+  };
+}
+
 // src/decorators/tlv-field.decorator.ts
 import "reflect-metadata";
 var TLV_FIELDS_KEY = "axis:tlv:fields";
@@ -117,142 +136,19 @@ function TlvRange(min, max, message) {
 // src/decorators/dto-schema.util.ts
 import "reflect-metadata";
 
-// src/core/varint.ts
-function encodeVarint(value) {
-  if (value < 0) throw new Error("Varint must be unsigned");
-  const bytes2 = [];
-  while (true) {
-    const byte = value & 127;
-    value >>>= 7;
-    if (value === 0) {
-      bytes2.push(byte);
-      break;
-    }
-    bytes2.push(byte | 128);
-  }
-  return new Uint8Array(bytes2);
-}
-function decodeVarint(buf, offset = 0) {
-  let value = 0;
-  let shift = 0;
-  let length = 0;
-  while (true) {
-    if (offset + length >= buf.length) {
-      throw new Error("Varint decode out of bounds");
-    }
-    const byte = buf[offset + length];
-    value += (byte & 127) * Math.pow(2, shift);
-    length++;
-    shift += 7;
-    if ((byte & 128) === 0) {
-      break;
-    }
-    if (length > 8) throw new Error("Varint too large");
-  }
-  return { value, length };
-}
-function varintLength(value) {
-  if (value < 0) throw new Error("Varint must be unsigned");
-  let len = 0;
-  do {
-    value >>>= 7;
-    len++;
-  } while (value !== 0);
-  return len;
-}
-
 // src/core/tlv.ts
-function encodeTLVs(tlvs) {
-  const sorted = [...tlvs].sort((a, b) => a.type - b.type);
-  for (let i = 0; i < sorted.length - 1; i++) {
-    if (sorted[i].type === sorted[i + 1].type) {
-      throw new Error(`Duplicate TLV type: ${sorted[i].type}`);
-    }
-  }
-  let totalSize = 0;
-  for (const t of sorted) {
-    totalSize += varintLength(t.type);
-    totalSize += varintLength(t.value.length);
-    totalSize += t.value.length;
-  }
-  const buf = new Uint8Array(totalSize);
-  let offset = 0;
-  for (const t of sorted) {
-    const typeBytes = encodeVarint(t.type);
-    buf.set(typeBytes, offset);
-    offset += typeBytes.length;
-    const lenBytes = encodeVarint(t.value.length);
-    buf.set(lenBytes, offset);
-    offset += lenBytes.length;
-    buf.set(t.value, offset);
-    offset += t.value.length;
-  }
-  return buf;
-}
-function decodeTLVsList(buf, maxItems = 1024) {
-  const list = [];
-  let offset = 0;
-  while (offset < buf.length) {
-    if (list.length >= maxItems) throw new Error("TLV_LIMIT");
-    const { value: type, length: typeLen } = decodeVarint(buf, offset);
-    offset += typeLen;
-    const { value: len, length: lenLen } = decodeVarint(buf, offset);
-    offset += lenLen;
-    if (offset + len > buf.length) {
-      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
-    }
-    const value = buf.slice(offset, offset + len);
-    list.push({ type, value });
-    offset += len;
-  }
-  return list;
-}
-function decodeTLVs(buf) {
-  const map2 = /* @__PURE__ */ new Map();
-  let offset = 0;
-  let lastType = -1;
-  while (offset < buf.length) {
-    const { value: type, length: typeLen } = decodeVarint(buf, offset);
-    offset += typeLen;
-    if (type <= lastType) {
-      throw new Error(
-        `TLV violation: Unsorted or duplicate type ${type} after ${lastType}`
-      );
-    }
-    lastType = type;
-    const { value: len, length: lenLen } = decodeVarint(buf, offset);
-    offset += lenLen;
-    if (offset + len > buf.length) {
-      throw new Error(`TLV violation: Length ${len} exceeds buffer`);
-    }
-    const value = buf.slice(offset, offset + len);
-    map2.set(type, value);
-    offset += len;
-  }
-  return map2;
-}
-function decodeObject(bytes2, depth = 0, limits = { maxDepth: 8, maxItems: 128 }) {
-  if (depth > limits.maxDepth) {
-    throw new Error("OBJECT_DEPTH_EXCEEDED");
-  }
-  const map2 = decodeTLVs(bytes2);
-  return map2;
-}
-function decodeArray(bytes2, itemType, maxItems = 256) {
-  const list = decodeTLVsList(bytes2, maxItems);
-  const items = [];
-  for (const tlv2 of list) {
-    if (tlv2.type !== itemType) {
-      throw new Error(`INVALID_ARRAY_ITEM:${tlv2.type}`);
-    }
-    items.push(tlv2.value);
-  }
-  return items;
-}
+import {
+  TLV,
+  encodeTLVs,
+  decodeTLVs,
+  decodeTLVsList,
+  decodeObject,
+  decodeArray
+} from "@nextera.one/axis-protocol";
 
 // src/decorators/dto-schema.util.ts
 function extractDtoSchema(dto) {
-  const fieldMetas = Reflect.getOwnMetadata(TLV_FIELDS_KEY, dto) || [];
+  const fieldMetas = Reflect.getMetadata(TLV_FIELDS_KEY, dto) || [];
   if (fieldMetas.length === 0) {
     throw new Error(
       `DTO class ${dto.name} has no @TlvField decorators \u2014 nothing to validate`
@@ -271,7 +167,7 @@ function extractDtoSchema(dto) {
       scope: m.options.scope
     };
   });
-  const validatorMetas = Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, dto) || [];
+  const validatorMetas = Reflect.getMetadata(TLV_VALIDATORS_KEY, dto) || [];
   const validators = /* @__PURE__ */ new Map();
   for (const vm of validatorMetas) {
     const tag = tagByProp.get(vm.property);
@@ -286,7 +182,7 @@ function extractDtoSchema(dto) {
   return { fields, validators };
 }
 function buildDtoDecoder(dto) {
-  const fieldMetas = Reflect.getOwnMetadata(TLV_FIELDS_KEY, dto) || [];
+  const fieldMetas = Reflect.getMetadata(TLV_FIELDS_KEY, dto) || [];
   if (fieldMetas.length === 0) {
     throw new Error(
       `DTO class ${dto.name} has no @TlvField decorators \u2014 cannot build decoder`
@@ -392,11 +288,146 @@ __decorateClass([
 ], AxisResponseDto.prototype, "updated_by", 2);
 
 // src/engine/intent.router.ts
-import { Injectable as Injectable2 } from "@nestjs/common";
+import { Injectable as Injectable2, Logger, Optional } from "@nestjs/common";
+
+// src/sensor/axis-sensor.ts
+var Decision = /* @__PURE__ */ ((Decision2) => {
+  Decision2["ALLOW"] = "ALLOW";
+  Decision2["DENY"] = "DENY";
+  Decision2["THROTTLE"] = "THROTTLE";
+  Decision2["FLAG"] = "FLAG";
+  return Decision2;
+})(Decision || {});
+function normalizeSensorDecision(sensorDecision) {
+  if ("action" in sensorDecision) {
+    switch (sensorDecision.action) {
+      case "ALLOW":
+        return {
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          meta: sensorDecision.meta
+        };
+      case "DENY":
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [sensorDecision.code, sensorDecision.reason].filter(
+            Boolean
+          ),
+          meta: sensorDecision.meta,
+          retryAfterMs: sensorDecision.retryAfterMs
+        };
+      case "THROTTLE":
+        return {
+          allow: false,
+          riskScore: 50,
+          reasons: ["RATE_LIMIT"],
+          retryAfterMs: sensorDecision.retryAfterMs,
+          meta: sensorDecision.meta
+        };
+      case "FLAG":
+        return {
+          allow: true,
+          riskScore: sensorDecision.scoreDelta,
+          reasons: sensorDecision.reasons,
+          meta: sensorDecision.meta
+        };
+    }
+  }
+  return {
+    allow: sensorDecision.allow,
+    riskScore: sensorDecision.riskScore,
+    reasons: sensorDecision.reasons,
+    tags: sensorDecision.tags,
+    meta: sensorDecision.meta,
+    tighten: sensorDecision.tighten,
+    retryAfterMs: sensorDecision.retryAfterMs
+  };
+}
+var SensorDecisions = {
+  allow(meta, tags) {
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      tags,
+      meta
+    };
+  },
+  deny(code, reason, meta) {
+    return {
+      decision: "DENY" /* DENY */,
+      allow: false,
+      riskScore: 100,
+      code,
+      reasons: [code, reason].filter(Boolean),
+      meta
+    };
+  },
+  throttle(retryAfterMs, meta) {
+    return {
+      decision: "THROTTLE" /* THROTTLE */,
+      allow: false,
+      riskScore: 50,
+      retryAfterMs,
+      code: "RATE_LIMIT",
+      reasons: ["RATE_LIMIT"],
+      meta
+    };
+  },
+  flag(scoreDelta, reasons, meta) {
+    return {
+      decision: "FLAG" /* FLAG */,
+      allow: true,
+      riskScore: scoreDelta,
+      scoreDelta,
+      reasons,
+      meta
+    };
+  }
+};
+
+// src/engine/intent.router.ts
 var IntentRouter = class {
-  constructor() {
+  constructor(moduleRef) {
+    this.moduleRef = moduleRef;
+    this.logger = new Logger(IntentRouter.name);
     /** Internal registry of dynamic intent handlers */
     this.handlers = /* @__PURE__ */ new Map();
+    /** Per-intent sensor classes (resolved at call time) */
+    this.intentSensors = /* @__PURE__ */ new Map();
+    /** Per-intent body decoders */
+    this.intentDecoders = /* @__PURE__ */ new Map();
+    /** Per-intent TLV schemas */
+    this.intentSchemas = /* @__PURE__ */ new Map();
+    /** Per-intent custom validators */
+    this.intentValidators = /* @__PURE__ */ new Map();
+    /** Per-intent operation kind */
+    this.intentKinds = /* @__PURE__ */ new Map();
+  }
+  getSchema(intent) {
+    return this.intentSchemas.get(intent);
+  }
+  getValidators(intent) {
+    return this.intentValidators.get(intent);
+  }
+  has(intent) {
+    return this.handlers.has(intent) || IntentRouter.BUILTIN_INTENTS.has(intent);
+  }
+  getRegisteredIntents() {
+    return [...IntentRouter.BUILTIN_INTENTS, ...this.handlers.keys()];
+  }
+  getIntentEntry(intent) {
+    if (!this.has(intent)) return null;
+    return {
+      schema: this.intentSchemas.get(intent),
+      validators: this.intentValidators.get(intent),
+      hasSensors: this.intentSensors.has(intent),
+      builtin: IntentRouter.BUILTIN_INTENTS.has(intent),
+      kind: this.intentKinds.get(intent)
+    };
   }
   /**
    * Registers a handler for a specific intent.
@@ -432,6 +463,16 @@ var IntentRouter = class {
       } else {
         this.register(intentName, fn);
       }
+      this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));
+    }
+    const proto = Object.getPrototypeOf(instance);
+    for (const key of Object.getOwnPropertyNames(proto)) {
+      const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, key);
+      if (!meta?.intent) continue;
+      if (!this.handlers.has(meta.intent)) {
+        this.register(meta.intent, instance[key].bind(instance));
+      }
+      this.registerIntentMeta(meta.intent, proto, key);
     }
   }
   /**
@@ -455,6 +496,7 @@ var IntentRouter = class {
       intent = new TextDecoder().decode(intentBytes);
       let effect;
       if (intent === "system.ping" || intent === "public.ping") {
+        this.logger.debug("PING received");
         effect = {
           ok: true,
           effect: "pong",
@@ -495,6 +537,7 @@ var IntentRouter = class {
           if (!innerIntent) {
             throw new Error("INTENT.EXEC missing inner intent");
           }
+          this.logger.debug(`EXEC: routing to inner intent '${innerIntent}'`);
           const innerFrame = {
             ...frame,
             headers: new Map(frame.headers),
@@ -510,8 +553,23 @@ var IntentRouter = class {
         if (!handler) {
           throw new Error(`Intent not found: ${intent}`);
         }
+        const sensorClasses = this.intentSensors.get(intent);
+        if (sensorClasses && sensorClasses.length > 0) {
+          await this.runIntentSensors(sensorClasses, intent, frame);
+        }
+        const decoder = this.intentDecoders.get(intent);
+        let decodedBody = frame.body;
+        if (decoder) {
+          try {
+            decodedBody = decoder(Buffer.from(frame.body));
+          } catch (decodeErr) {
+            throw new Error(
+              `IntentBody decode failed for ${intent}: ${decodeErr.message}`
+            );
+          }
+        }
         if (typeof handler === "function") {
-          const resultBody = await handler(frame.body, frame.headers);
+          const resultBody = decoder ? await handler(decodedBody, frame.headers) : await handler(frame.body, frame.headers);
           effect = {
             ok: true,
             effect: "complete",
@@ -521,10 +579,7 @@ var IntentRouter = class {
           if (typeof handler.handle === "function") {
             effect = await handler.handle(frame);
           } else if (typeof handler.execute === "function") {
-            const bodyRes = await handler.execute(
-              frame.body,
-              frame.headers
-            );
+            const bodyRes = decoder ? await handler.execute(decodedBody, frame.headers) : await handler.execute(frame.body, frame.headers);
             effect = {
               ok: true,
               effect: "complete",
@@ -537,99 +592,200 @@ var IntentRouter = class {
           }
         }
       }
-      this.recordLatency(intent, start);
+      this.logIntent(intent, start, true);
       return effect;
     } catch (e) {
-      console.error(`Error routing intent ${intent}:`, e.message);
+      this.logIntent(intent, start, false, e.message);
       throw e;
     }
   }
-  recordLatency(intent, start) {
+  logIntent(intent, start, ok, error) {
     const diff = process.hrtime(start);
-    void diff;
+    const ms = (diff[0] * 1e3 + diff[1] / 1e6).toFixed(2);
+    if (ok) {
+      this.logger.debug(`${intent} completed in ${ms}ms`);
+    } else {
+      this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);
+    }
+  }
+  registerIntentMeta(intent, proto, methodName) {
+    const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);
+    if (decoder) {
+      this.intentDecoders.set(intent, decoder);
+    }
+    const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);
+    if (sensors && Array.isArray(sensors) && sensors.length > 0) {
+      this.intentSensors.set(intent, sensors);
+    }
+    const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);
+    if (meta) {
+      this.storeSchema(meta);
+      if (meta.kind) {
+        this.intentKinds.set(intent, meta.kind);
+      }
+    }
+  }
+  async runIntentSensors(sensorClasses, intent, frame) {
+    if (!this.moduleRef) return;
+    for (const SensorClass of sensorClasses) {
+      let sensor;
+      try {
+        sensor = this.moduleRef.get(SensorClass, { strict: false });
+      } catch {
+        this.logger.warn(
+          `@IntentSensors: could not resolve ${SensorClass.name} for ${intent}`
+        );
+        continue;
+      }
+      const sensorInput = {
+        rawBytes: frame.body,
+        intent,
+        body: frame.body,
+        headerTLVs: frame.headers,
+        metadata: { phase: "intent", intent }
+      };
+      if (sensor.supports && !sensor.supports(sensorInput)) continue;
+      const decision = normalizeSensorDecision(await sensor.run(sensorInput));
+      if (!decision.allow) {
+        const reason = decision.reasons[0] || `${sensor.name}:DENIED`;
+        this.logger.warn(
+          `Intent sensor ${sensor.name} denied ${intent}: ${reason}`
+        );
+        throw new Error(`SENSOR_DENY:${reason}`);
+      }
+    }
+  }
+  storeSchema(meta) {
+    if (meta.dto) {
+      if (meta.tlv && meta.tlv.length > 0) {
+        this.logger.warn(
+          `${meta.intent}: both 'dto' and 'tlv' specified - using dto, ignoring tlv`
+        );
+      }
+      const extracted = extractDtoSchema(meta.dto);
+      const schema2 = {
+        intent: meta.intent,
+        version: 1,
+        bodyProfile: meta.bodyProfile || "TLV_MAP",
+        fields: extracted.fields.map((f) => ({
+          name: f.name,
+          tlv: f.tag,
+          kind: f.kind,
+          required: f.required,
+          maxLen: f.maxLen,
+          max: f.max,
+          scope: f.scope
+        }))
+      };
+      this.intentSchemas.set(meta.intent, schema2);
+      if (extracted.validators.size > 0) {
+        this.intentValidators.set(meta.intent, extracted.validators);
+      }
+      if (!this.intentDecoders.has(meta.intent)) {
+        this.intentDecoders.set(meta.intent, buildDtoDecoder(meta.dto));
+      }
+      return;
+    }
+    if (!meta.tlv || meta.tlv.length === 0) return;
+    const schema = {
+      intent: meta.intent,
+      version: 1,
+      bodyProfile: meta.bodyProfile || "TLV_MAP",
+      fields: meta.tlv.map((f) => ({
+        name: f.name,
+        tlv: f.tag,
+        kind: f.kind,
+        required: f.required,
+        maxLen: f.maxLen,
+        max: f.max,
+        scope: f.scope
+      }))
+    };
+    this.intentSchemas.set(meta.intent, schema);
   }
 };
+/** Intents handled inline in route() — not in `handlers` map */
+IntentRouter.BUILTIN_INTENTS = /* @__PURE__ */ new Set([
+  "system.ping",
+  "public.ping",
+  "system.time",
+  "system.echo",
+  "INTENT.EXEC",
+  "axis.intent.exec"
+]);
 IntentRouter = __decorateClass([
-  Injectable2()
+  Injectable2(),
+  __decorateParam(0, Optional())
 ], IntentRouter);
 
 // src/core/constants.ts
-var AXIS_MAGIC = new Uint8Array([65, 88, 73, 83, 49]);
-var AXIS_VERSION = 1;
-var MAX_HDR_LEN = 2048;
-var MAX_BODY_LEN = 65536;
-var MAX_SIG_LEN = 128;
-var MAX_FRAME_LEN = 70 * 1024;
-var FLAG_BODY_TLV = 1;
-var FLAG_CHAIN_REQ = 2;
-var FLAG_HAS_WITNESS = 4;
-var TLV_PID = 1;
-var TLV_TS = 2;
-var TLV_INTENT = 3;
-var TLV_ACTOR_ID = 4;
-var TLV_PROOF_TYPE = 5;
-var TLV_PROOF_REF = 6;
-var TLV_NONCE = 7;
-var TLV_AUD = 8;
-var TLV_REALM = TLV_AUD;
-var TLV_NODE = 9;
-var TLV_TRACE_ID = 10;
-var TLV_KID = 11;
-var TLV_RID = 15;
-var TLV_OK = 16;
-var TLV_EFFECT = 17;
-var TLV_ERROR_CODE = 18;
-var TLV_ERROR_MSG = 19;
-var TLV_PREV_HASH = 20;
-var TLV_RECEIPT_HASH = 21;
-var TLV_NODE_KID = 30;
-var TLV_NODE_CERT_HASH = 34;
-var TLV_LOOM_PRESENCE_ID = 91;
-var TLV_LOOM_WRIT = 92;
-var TLV_LOOM_THREAD_HASH = 93;
-var TLV_UPLOAD_ID = 70;
-var TLV_INDEX = 71;
-var TLV_OFFSET = 72;
-var TLV_SHA256_CHUNK = 73;
-var TLV_CAPSULE = 90;
-var TLV_BODY_OBJ = 254;
-var TLV_BODY_ARR = 255;
-var NCERT_NODE_ID = 1;
-var NCERT_KID = 2;
-var NCERT_ALG = 3;
-var NCERT_PUB = 4;
-var NCERT_NBF = 5;
-var NCERT_EXP = 6;
-var NCERT_SCOPE = 7;
-var NCERT_ISSUER_KID = 8;
-var NCERT_PAYLOAD = 50;
-var NCERT_SIG = 51;
-var PROOF_NONE = 0;
-var PROOF_CAPSULE = 1;
-var PROOF_JWT = 2;
-var PROOF_MTLS = 3;
-var PROOF_LOOM = 4;
-var PROOF_WITNESS = 5;
-var ProofType = /* @__PURE__ */ ((ProofType2) => {
-  ProofType2[ProofType2["NONE"] = 0] = "NONE";
-  ProofType2[ProofType2["CAPSULE"] = 1] = "CAPSULE";
-  ProofType2[ProofType2["JWT"] = 2] = "JWT";
-  ProofType2[ProofType2["MTLS"] = 3] = "MTLS";
-  ProofType2[ProofType2["LOOM"] = 4] = "LOOM";
-  ProofType2[ProofType2["WITNESS"] = 5] = "WITNESS";
-  return ProofType2;
-})(ProofType || {});
-var BodyProfile = /* @__PURE__ */ ((BodyProfile2) => {
-  BodyProfile2[BodyProfile2["RAW"] = 0] = "RAW";
-  BodyProfile2[BodyProfile2["TLV_MAP"] = 1] = "TLV_MAP";
-  BodyProfile2[BodyProfile2["OBJ"] = 2] = "OBJ";
-  BodyProfile2[BodyProfile2["ARR"] = 3] = "ARR";
-  return BodyProfile2;
-})(BodyProfile || {});
-var ERR_INVALID_PACKET = "INVALID_PACKET";
-var ERR_BAD_SIGNATURE = "BAD_SIGNATURE";
-var ERR_REPLAY_DETECTED = "REPLAY_DETECTED";
-var ERR_CONTRACT_VIOLATION = "CONTRACT_VIOLATION";
+import {
+  AXIS_MAGIC,
+  AXIS_VERSION,
+  MAX_HDR_LEN,
+  MAX_BODY_LEN,
+  MAX_SIG_LEN,
+  MAX_FRAME_LEN,
+  FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS,
+  TLV_PID,
+  TLV_TS,
+  TLV_INTENT,
+  TLV_ACTOR_ID,
+  TLV_PROOF_TYPE,
+  TLV_PROOF_REF,
+  TLV_NONCE,
+  TLV_AUD,
+  TLV_REALM,
+  TLV_NODE,
+  TLV_TRACE_ID,
+  TLV_KID,
+  TLV_RID,
+  TLV_OK,
+  TLV_EFFECT,
+  TLV_ERROR_CODE,
+  TLV_ERROR_MSG,
+  TLV_PREV_HASH,
+  TLV_RECEIPT_HASH,
+  TLV_NODE_KID,
+  TLV_NODE_CERT_HASH,
+  TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_WRIT,
+  TLV_LOOM_THREAD_HASH,
+  TLV_UPLOAD_ID,
+  TLV_INDEX,
+  TLV_OFFSET,
+  TLV_SHA256_CHUNK,
+  TLV_CAPSULE,
+  TLV_BODY_OBJ,
+  TLV_BODY_ARR,
+  NCERT_NODE_ID,
+  NCERT_KID,
+  NCERT_ALG,
+  NCERT_PUB,
+  NCERT_NBF,
+  NCERT_EXP,
+  NCERT_SCOPE,
+  NCERT_ISSUER_KID,
+  NCERT_PAYLOAD,
+  NCERT_SIG,
+  PROOF_NONE,
+  PROOF_CAPSULE,
+  PROOF_JWT,
+  PROOF_MTLS,
+  PROOF_LOOM,
+  PROOF_WITNESS,
+  ProofType,
+  BodyProfile,
+  ERR_INVALID_PACKET,
+  ERR_BAD_SIGNATURE,
+  ERR_REPLAY_DETECTED,
+  ERR_CONTRACT_VIOLATION
+} from "@nextera.one/axis-protocol";
+
+// src/core/varint.ts
+import { encodeVarint, decodeVarint, varintLength } from "@nextera.one/axis-protocol";
 
 // src/core/signature.ts
 import * as crypto from "crypto";
@@ -1998,105 +2154,6 @@ function buildPacket(hdr, body, sig, flags = 0) {
   };
 }
 
-// src/sensor/axis-sensor.ts
-var Decision = /* @__PURE__ */ ((Decision2) => {
-  Decision2["ALLOW"] = "ALLOW";
-  Decision2["DENY"] = "DENY";
-  Decision2["THROTTLE"] = "THROTTLE";
-  Decision2["FLAG"] = "FLAG";
-  return Decision2;
-})(Decision || {});
-function normalizeSensorDecision(sensorDecision) {
-  if ("action" in sensorDecision) {
-    switch (sensorDecision.action) {
-      case "ALLOW":
-        return {
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          meta: sensorDecision.meta
-        };
-      case "DENY":
-        return {
-          allow: false,
-          riskScore: 100,
-          reasons: [sensorDecision.code, sensorDecision.reason].filter(
-            Boolean
-          ),
-          meta: sensorDecision.meta,
-          retryAfterMs: sensorDecision.retryAfterMs
-        };
-      case "THROTTLE":
-        return {
-          allow: false,
-          riskScore: 50,
-          reasons: ["RATE_LIMIT"],
-          retryAfterMs: sensorDecision.retryAfterMs,
-          meta: sensorDecision.meta
-        };
-      case "FLAG":
-        return {
-          allow: true,
-          riskScore: sensorDecision.scoreDelta,
-          reasons: sensorDecision.reasons,
-          meta: sensorDecision.meta
-        };
-    }
-  }
-  return {
-    allow: sensorDecision.allow,
-    riskScore: sensorDecision.riskScore,
-    reasons: sensorDecision.reasons,
-    tags: sensorDecision.tags,
-    meta: sensorDecision.meta,
-    tighten: sensorDecision.tighten,
-    retryAfterMs: sensorDecision.retryAfterMs
-  };
-}
-var SensorDecisions = {
-  allow(meta, tags) {
-    return {
-      decision: "ALLOW" /* ALLOW */,
-      allow: true,
-      riskScore: 0,
-      reasons: [],
-      tags,
-      meta
-    };
-  },
-  deny(code, reason, meta) {
-    return {
-      decision: "DENY" /* DENY */,
-      allow: false,
-      riskScore: 100,
-      code,
-      reasons: [code, reason].filter(Boolean),
-      meta
-    };
-  },
-  throttle(retryAfterMs, meta) {
-    return {
-      decision: "THROTTLE" /* THROTTLE */,
-      allow: false,
-      riskScore: 50,
-      retryAfterMs,
-      code: "RATE_LIMIT",
-      reasons: ["RATE_LIMIT"],
-      meta
-    };
-  },
-  flag(scoreDelta, reasons, meta) {
-    return {
-      decision: "FLAG" /* FLAG */,
-      allow: true,
-      riskScore: scoreDelta,
-      scoreDelta,
-      reasons,
-      meta
-    };
-  }
-};
-
 // src/security/scopes.ts
 function hasScope(scopes, required) {
   if (!Array.isArray(scopes) || scopes.length === 0) {
@@ -2394,13 +2451,245 @@ function isTimestampValid(ts, skewSeconds = 120) {
   const diff = Math.abs(now - ts);
   return diff <= skewSeconds;
 }
+
+// src/upload/axis-files.handlers.ts
+import { Inject, Injectable as Injectable3, Logger as Logger2, Optional as Optional2 } from "@nestjs/common";
+import * as crypto2 from "crypto";
+
+// src/upload/upload.tokens.ts
+var AXIS_UPLOAD_SESSION_STORE = "AXIS_UPLOAD_SESSION_STORE";
+var AXIS_UPLOAD_FILE_STORE = "AXIS_UPLOAD_FILE_STORE";
+var AXIS_UPLOAD_RECEIPT_SIGNER = "AXIS_UPLOAD_RECEIPT_SIGNER";
+
+// src/upload/axis-files.handlers.ts
+var AxisFilesDownloadHandler = class {
+  constructor(sessions, files) {
+    this.sessions = sessions;
+    this.files = files;
+    this.logger = new Logger2(AxisFilesDownloadHandler.name);
+    this.name = "axis.files.download";
+    this.open = true;
+    this.description = "File download handler";
+  }
+  async execute(body, headers) {
+    const h = headers;
+    if (!h) throw new Error("MISSING_HEADERS");
+    const uploadIdBytes = h.get(20);
+    if (!uploadIdBytes) throw new Error("MISSING_UPLOAD_ID");
+    const uploadId = new TextDecoder().decode(uploadIdBytes);
+    let rangeStart = 0;
+    let rangeLen = -1;
+    const startBytes = h.get(21);
+    if (startBytes) {
+      const { value } = decodeVarint(startBytes);
+      rangeStart = value;
+    }
+    const lenBytes = h.get(22);
+    if (lenBytes) {
+      const { value } = decodeVarint(lenBytes);
+      rangeLen = value;
+    }
+    const session = await this.sessions.findByFileId(uploadId);
+    if (!session) {
+      throw new Error(`SESSION_NOT_FOUND: ${uploadId}`);
+    }
+    if (session.status !== "COMPLETE") {
+      throw new Error(`FILE_NOT_READY: Status is ${session.status}`);
+    }
+    const stat = await this.files.statFinal(
+      uploadId,
+      session.filename
+    );
+    const fileSize = stat.size;
+    if (rangeStart < 0) rangeStart = 0;
+    if (rangeStart >= fileSize) throw new Error("RANGE_OUT_OF_BOUNDS");
+    let end = fileSize;
+    if (rangeLen >= 0) {
+      end = Math.min(rangeStart + rangeLen, fileSize);
+    }
+    const actualLen = end - rangeStart;
+    const buffer = await this.files.readFinalRange(
+      uploadId,
+      session.filename,
+      rangeStart,
+      actualLen
+    );
+    const responseHeaders = /* @__PURE__ */ new Map();
+    responseHeaders.set(30, encodeVarint(fileSize));
+    responseHeaders.set(31, encodeVarint(rangeStart));
+    responseHeaders.set(32, encodeVarint(actualLen));
+    return {
+      ok: true,
+      effect: "FILE_PART",
+      body: buffer,
+      headers: responseHeaders
+    };
+  }
+};
+__decorateClass([
+  Intent("file.download", { absolute: true, kind: "read" })
+], AxisFilesDownloadHandler.prototype, "execute", 1);
+AxisFilesDownloadHandler = __decorateClass([
+  Handler("axis.files.download"),
+  Injectable3(),
+  __decorateParam(0, Inject(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, Inject(AXIS_UPLOAD_FILE_STORE))
+], AxisFilesDownloadHandler);
+var AxisFilesFinalizeHandler = class {
+  constructor(sessions, files, keyring) {
+    this.sessions = sessions;
+    this.files = files;
+    this.keyring = keyring;
+    this.logger = new Logger2(AxisFilesFinalizeHandler.name);
+    this.name = "axis.files.finalize";
+    this.open = false;
+    this.description = "File upload finalization handler";
+  }
+  async execute(body, headers) {
+    const bodyStr = new TextDecoder().decode(body);
+    const req = JSON.parse(bodyStr);
+    const { fileId, expectedHash } = req;
+    if (!fileId) throw new Error("MISSING_FILE_ID");
+    const session = await this.sessions.findByFileId(fileId);
+    if (!session) throw new Error("SESSION_NOT_FOUND");
+    if (!await this.files.hasTemp(fileId)) {
+      throw new Error("CHUNKS_NOT_FOUND");
+    }
+    const hash = crypto2.createHash("sha256");
+    const rs = this.files.createTempReadStream(fileId);
+    for await (const chunk of rs) {
+      hash.update(chunk);
+    }
+    const finalHash = hash.digest("hex");
+    if (expectedHash && finalHash !== expectedHash) {
+      throw new Error("HASH_MISMATCH");
+    }
+    const finalPath = await this.files.moveTempToFinal(
+      fileId,
+      session.filename
+    );
+    await this.sessions.updateStatus(fileId, "COMPLETE", null);
+    if (!this.keyring) {
+      this.logger.warn("Receipt signer not configured; returning unsigned receipt");
+      return {
+        ok: true,
+        effect: "FILE_FINALIZED",
+        body: new TextEncoder().encode(
+          JSON.stringify({
+            uploadId: fileId,
+            sha256_final: finalHash,
+            totalSize: session.totalSize,
+            tsMs: Date.now(),
+            path: finalPath
+          })
+        )
+      };
+    }
+    const receiptData = {
+      uploadId: fileId,
+      sha256_final: finalHash,
+      totalSize: session.totalSize,
+      tsMs: Date.now()
+    };
+    const receiptJson = JSON.stringify(receiptData);
+    const receiptBody = new TextEncoder().encode(receiptJson);
+    const SIG_PRESENT = 1;
+    const responseFrame = {
+      flags: SIG_PRESENT,
+      headers: /* @__PURE__ */ new Map(),
+      body: receiptBody,
+      sig: new Uint8Array(0)
+    };
+    const signTarget = getSignTarget(responseFrame);
+    const { sig, kid } = this.keyring.signActive(signTarget);
+    responseFrame.sig = sig;
+    return {
+      ok: true,
+      effect: "FILE_FINALIZED",
+      data: encodeFrame(responseFrame),
+      headers: /* @__PURE__ */ new Map([[1, new TextEncoder().encode(kid)]])
+    };
+  }
+};
+__decorateClass([
+  Intent("file.finalize", { absolute: true, kind: "action" })
+], AxisFilesFinalizeHandler.prototype, "execute", 1);
+AxisFilesFinalizeHandler = __decorateClass([
+  Handler("axis.files.finalize"),
+  Injectable3(),
+  __decorateParam(0, Inject(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, Inject(AXIS_UPLOAD_FILE_STORE)),
+  __decorateParam(2, Optional2()),
+  __decorateParam(2, Inject(AXIS_UPLOAD_RECEIPT_SIGNER))
+], AxisFilesFinalizeHandler);
+
+// src/upload/disk-upload-file.store.ts
+import * as fs from "fs";
+import * as path from "path";
+var DiskUploadFileStore = class {
+  constructor(options) {
+    this.uploadDir = options.uploadDir;
+    this.chunkDir = options.chunkDir;
+  }
+  getFinalPath(fileId, filename) {
+    const safeFilename = filename ? path.basename(filename) : fileId;
+    return path.join(this.uploadDir, safeFilename);
+  }
+  getTempPath(fileId) {
+    const safeId = path.basename(fileId);
+    return path.join(this.chunkDir, safeId);
+  }
+  async statFinal(fileId, filename) {
+    const finalPath = this.getFinalPath(fileId, filename);
+    if (!fs.existsSync(finalPath)) {
+      throw new Error("FILE_MISSING_ON_DISK");
+    }
+    const stat = fs.statSync(finalPath);
+    return { path: finalPath, size: stat.size };
+  }
+  async readFinalRange(fileId, filename, start, length) {
+    const finalPath = this.getFinalPath(fileId, filename);
+    const buffer = Buffer.alloc(length);
+    const fd = fs.openSync(finalPath, "r");
+    try {
+      fs.readSync(fd, buffer, 0, length, start);
+    } finally {
+      fs.closeSync(fd);
+    }
+    return buffer;
+  }
+  async hasTemp(fileId) {
+    const tempPath = this.getTempPath(fileId);
+    return fs.existsSync(tempPath);
+  }
+  async moveTempToFinal(fileId, filename) {
+    const tempPath = this.getTempPath(fileId);
+    const finalPath = this.getFinalPath(fileId, filename);
+    try {
+      await fs.promises.rename(tempPath, finalPath);
+    } catch {
+      await fs.promises.copyFile(tempPath, finalPath);
+      await fs.promises.unlink(tempPath);
+    }
+    return finalPath;
+  }
+  createTempReadStream(fileId) {
+    const tempPath = this.getTempPath(fileId);
+    return fs.createReadStream(tempPath);
+  }
+};
 export {
   ATS1_HDR,
   ATS1_SCHEMA,
   AXIS_MAGIC,
   AXIS_OPCODES,
+  AXIS_UPLOAD_FILE_STORE,
+  AXIS_UPLOAD_RECEIPT_SIGNER,
+  AXIS_UPLOAD_SESSION_STORE,
   AXIS_VERSION,
   ats1_exports as Ats1Codec,
+  AxisFilesDownloadHandler,
+  AxisFilesFinalizeHandler,
   AxisFrameZ,
   AxisIdDto,
   T as AxisPacketTags,
@@ -2413,6 +2702,7 @@ export {
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
   Decision,
+  DiskUploadFileStore,
   ERR_BAD_SIGNATURE,
   ERR_CONTRACT_VIOLATION,
   ERR_INVALID_PACKET,
@@ -2424,14 +2714,18 @@ export {
   FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY,
   Handler,
+  INTENT_BODY_KEY,
   INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS,
   INTENT_ROUTES_KEY,
   INTENT_SENSITIVITY_MAP,
+  INTENT_SENSORS_KEY,
   INTENT_TIMEOUTS,
   Intent,
+  IntentBody,
   IntentRouter,
   IntentSensitivity,
+  IntentSensors,
   MAX_BODY_LEN,
   MAX_FRAME_LEN,
   MAX_HDR_LEN,
@@ -2465,6 +2759,7 @@ export {
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
   SensorDecisions,
+  TLV,
   TLV_ACTOR_ID,
   TLV_AUD,
   TLV_BODY_ARR,