@nextera.one/axis-server-sdk 1.2.1 → 1.4.0

package/README.md

@@ -13,8 +13,27 @@ npm install @nextera.one/axis-server-sdk
 Peer dependencies:
 
 - `@nestjs/common`
+- `@nestjs/config`
 - `reflect-metadata`
 
+## Release Surface
+
+The `1.3.0` release folds the backend server runtime namespaces that previously lived in temporary internal package shells into this published package.
+
+Added grouped runtime namespaces:
+
+- `core`
+- `crypto`
+- `decorators`
+- `engine`
+- `loom`
+- `schemas`
+- `security`
+- `sensors`
+- `utils`
+
+It also exposes the `axis-generate-keys` CLI through the package `bin` entry for local key generation workflows.
+
 ## What It Exposes
 
 Root exports are split into two groups:
@@ -22,6 +41,12 @@ Root exports are split into two groups:
 - Server runtime helpers: `@Handler`, `@Intent`, `IntentRouter`, handler interfaces, sensor interfaces.
 - Shared protocol primitives: binary frame codecs, TLV/varint/constants, binary signature helpers, codec utilities, packet types.
 
+You can also import the grouped namespaces directly from the package root:
+
+```ts
+import { core, crypto, engine, sensors } from '@nextera.one/axis-server-sdk';
+```
+
 ## Shared Core API
 
 The canonical cross-SDK protocol layer is the `./core` subpath:

package/dist/bin/generate-keys.d.mts

@@ -0,0 +1,2 @@
+
+export {  }

package/dist/bin/generate-keys.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

package/dist/bin/generate-keys.js

@@ -0,0 +1,159 @@
+// src/bin/generate-keys.ts
+var import_crypto = require("crypto");
+var import_crypto2 = require("crypto");
+function calculateFingerprint(publicKeyPem) {
+  const der = (0, import_crypto.createPublicKey)(publicKeyPem).export({
+    type: "spki",
+    format: "der"
+  });
+  return (0, import_crypto.createHash)("sha256").update(der).digest("hex");
+}
+function generateUuid() {
+  const bytes = (0, import_crypto2.randomBytes)(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  return bytes.toString("hex");
+}
+function generateIssuerKey() {
+  const { publicKey, privateKey } = (0, import_crypto.generateKeyPairSync)("ed25519");
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+  const fingerprint = calculateFingerprint(publicKeyPem);
+  const kid = `axis_issuer_${fingerprint.slice(0, 16)}`;
+  const uuid = generateUuid();
+  const now = (/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace("T", " ");
+  const sql = `
+-- AXIS Issuer Key
+INSERT INTO axis_issuer_keys (
+  id, kid, issuer_id, alg, public_key_pem, status, 
+  fingerprint, created_at, updated_at
+) VALUES (
+  UNHEX('${uuid}'),
+  '${kid}',
+  'axis-capsule-service',
+  'EdDSA',
+  '${publicKeyPem.replace(/\n/g, "\\n")}',
+  'ACTIVE',
+  '${fingerprint}',
+  '${now}',
+  '${now}'
+);`;
+  return {
+    kid,
+    publicKeyPem,
+    privateKeyPem,
+    fingerprint,
+    sql
+  };
+}
+function generateActorKey(actorId) {
+  const { publicKey, privateKey } = (0, import_crypto.generateKeyPairSync)("ed25519");
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+  const der = publicKey.export({ type: "spki", format: "der" });
+  const publicKeyBytes = der.slice(-32);
+  const fingerprint = calculateFingerprint(publicKeyPem);
+  const kid = `${actorId}_${fingerprint.slice(0, 12)}`;
+  const uuid = generateUuid();
+  const now = (/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace("T", " ");
+  const sql = `
+-- AXIS Actor Key for ${actorId}
+INSERT INTO axis_actor_keys (
+  id, actor_id, key_id, algorithm, public_key, purpose, status,
+  is_primary, created_at, updated_at
+) VALUES (
+  UNHEX('${uuid}'),
+  '${actorId}',
+  '${kid}',
+  'ED25519',
+  UNHEX('${publicKeyBytes.toString("hex")}'),
+  'SIGN',
+  'ACTIVE',
+  1,
+  '${now}',
+  '${now}'
+);`;
+  return {
+    kid,
+    publicKeyPem,
+    privateKeyPem,
+    fingerprint,
+    sql
+  };
+}
+function main() {
+  const args = process.argv.slice(2);
+  const typeIndex = args.indexOf("--type");
+  const actorIdIndex = args.indexOf("--actor-id");
+  const type = typeIndex >= 0 ? args[typeIndex + 1] : "issuer";
+  const actorId = actorIdIndex >= 0 ? args[actorIdIndex + 1] : `actor_${Date.now()}`;
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("  AXIS Key Generator (Ed25519)");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("");
+  let result;
+  if (type === "issuer") {
+    console.log("Generating ISSUER keypair...");
+    console.log("");
+    result = generateIssuerKey();
+  } else if (type === "actor") {
+    console.log(`Generating ACTOR keypair for: ${actorId}`);
+    console.log("");
+    result = generateActorKey(actorId);
+  } else {
+    console.error("Invalid type. Use --type issuer or --type actor");
+    process.exit(1);
+  }
+  console.log("\u2713 Keypair generated successfully");
+  console.log("");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log("KID (Key Identifier):");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log(result.kid);
+  console.log("");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log("Fingerprint (SHA-256):");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log(result.fingerprint);
+  console.log("");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log("PUBLIC KEY (PEM):");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log(result.publicKeyPem);
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log("PRIVATE KEY (PEM):");
+  console.log("\u26A0\uFE0F  KEEP SECRET - Do not commit to version control");
+  console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  console.log(result.privateKeyPem);
+  if (type === "issuer") {
+    console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log("Environment Variables (add to .env):");
+    console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log(`AXIS_ISSUER_KID=${result.kid}`);
+    console.log(`AXIS_ISSUER_ALG=EdDSA`);
+    console.log(
+      `AXIS_ISSUER_PRIVATE_KEY_PEM="${result.privateKeyPem.replace(/\n/g, "\\n")}"`
+    );
+    console.log("");
+  }
+  if (result.sql) {
+    console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log("SQL INSERT Statement:");
+    console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    console.log(result.sql);
+  }
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("");
+  console.log("Next steps:");
+  if (type === "issuer") {
+    console.log("1. Add environment variables to .env");
+    console.log("2. Run SQL statement to insert public key into database");
+    console.log("3. Store private key securely (Vault/KMS in production)");
+  } else {
+    console.log("1. Run SQL statement to insert actor key into database");
+    console.log("2. Distribute private key securely to actor/device");
+  }
+  console.log("");
+}
+main();
+//# sourceMappingURL=generate-keys.js.map

package/dist/bin/generate-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/bin/generate-keys.ts"],"sourcesContent":["/**\n * AXIS Key Generator\n *\n * Generates Ed25519 keypairs for AXIS issuer and actors\n * For development and testing only - use proper KMS/Vault in production\n *\n * Usage:\n *   npm run generate-keys -- --type issuer\n *   npm run generate-keys -- --type actor --actor-id user_123\n */\nimport { createHash, createPublicKey, generateKeyPairSync } from 'crypto';\nimport { randomBytes } from 'crypto';\n\ninterface KeyPairResult {\n  kid: string;\n  publicKeyPem: string;\n  privateKeyPem: string;\n  fingerprint: string;\n  sql?: string;\n}\n\n/**\n * Calculate SHA-256 fingerprint of public key\n */\nfunction calculateFingerprint(publicKeyPem: string): string {\n  const der = createPublicKey(publicKeyPem).export({\n    type: 'spki',\n    format: 'der',\n  }) as Buffer;\n  return createHash('sha256').update(der).digest('hex');\n}\n\n/**\n * Generate UUID v4 as binary hex for MySQL\n */\nfunction generateUuid(): string {\n  const bytes = randomBytes(16);\n  bytes[6] = (bytes[6] & 0x0f) | 0x40; // Version 4\n  bytes[8] = (bytes[8] & 0x3f) | 0x80; // Variant\n  return bytes.toString('hex');\n}\n\n/**\n * Generate Ed25519 keypair for AXIS issuer\n */\nfunction generateIssuerKey(): KeyPairResult {\n  const { publicKey, privateKey } = generateKeyPairSync('ed25519');\n\n  const publicKeyPem = publicKey\n    .export({ type: 'spki', format: 'pem' })\n    .toString();\n  const privateKeyPem = privateKey\n    .export({ type: 'pkcs8', format: 'pem' })\n    .toString();\n\n  const fingerprint = calculateFingerprint(publicKeyPem);\n  const kid = `axis_issuer_${fingerprint.slice(0, 16)}`;\n\n  const uuid = generateUuid();\n  const now = new Date().toISOString().slice(0, 19).replace('T', ' ');\n\n  const sql = `\n-- AXIS Issuer Key\nINSERT INTO axis_issuer_keys (\n  id, kid, issuer_id, alg, public_key_pem, status, \n  fingerprint, created_at, updated_at\n) VALUES (\n  UNHEX('${uuid}'),\n  '${kid}',\n  'axis-capsule-service',\n  'EdDSA',\n  '${publicKeyPem.replace(/\\n/g, '\\\\n')}',\n  'ACTIVE',\n  '${fingerprint}',\n  '${now}',\n  '${now}'\n);`;\n\n  return {\n    kid,\n    publicKeyPem,\n    privateKeyPem,\n    fingerprint,\n    sql,\n  };\n}\n\n/**\n * Generate Ed25519 keypair for AXIS actor\n */\nfunction generateActorKey(actorId: string): KeyPairResult {\n  const { publicKey, privateKey } = generateKeyPairSync('ed25519');\n\n  const publicKeyPem = publicKey\n    .export({ type: 'spki', format: 'pem' })\n    .toString();\n  const privateKeyPem = privateKey\n    .export({ type: 'pkcs8', format: 'pem' })\n    .toString();\n\n  // Extract raw public key bytes (32 bytes for Ed25519)\n  const der = publicKey.export({ type: 'spki', format: 'der' }) as Buffer;\n  const publicKeyBytes = der.slice(-32); // Last 32 bytes are the raw key\n\n  const fingerprint = calculateFingerprint(publicKeyPem);\n  const kid = `${actorId}_${fingerprint.slice(0, 12)}`;\n\n  const uuid = generateUuid();\n  const now = new Date().toISOString().slice(0, 19).replace('T', ' ');\n\n  const sql = `\n-- AXIS Actor Key for ${actorId}\nINSERT INTO axis_actor_keys (\n  id, actor_id, key_id, algorithm, public_key, purpose, status,\n  is_primary, created_at, updated_at\n) VALUES (\n  UNHEX('${uuid}'),\n  '${actorId}',\n  '${kid}',\n  'ED25519',\n  UNHEX('${publicKeyBytes.toString('hex')}'),\n  'SIGN',\n  'ACTIVE',\n  1,\n  '${now}',\n  '${now}'\n);`;\n\n  return {\n    kid,\n    publicKeyPem,\n    privateKeyPem,\n    fingerprint,\n    sql,\n  };\n}\n\n/**\n * Main function\n */\nfunction main() {\n  const args = process.argv.slice(2);\n  const typeIndex = args.indexOf('--type');\n  const actorIdIndex = args.indexOf('--actor-id');\n\n  const type = typeIndex >= 0 ? args[typeIndex + 1] : 'issuer';\n  const actorId =\n    actorIdIndex >= 0 ? args[actorIdIndex + 1] : `actor_${Date.now()}`;\n\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('  AXIS Key Generator (Ed25519)');\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('');\n\n  let result: KeyPairResult;\n\n  if (type === 'issuer') {\n    console.log('Generating ISSUER keypair...');\n    console.log('');\n    result = generateIssuerKey();\n  } else if (type === 'actor') {\n    console.log(`Generating ACTOR keypair for: ${actorId}`);\n    console.log('');\n    result = generateActorKey(actorId);\n  } else {\n    console.error('Invalid type. Use --type issuer or --type actor');\n    process.exit(1);\n  }\n\n  console.log('✓ Keypair generated successfully');\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('KID (Key Identifier):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.kid);\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('Fingerprint (SHA-256):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.fingerprint);\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('PUBLIC KEY (PEM):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.publicKeyPem);\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('PRIVATE KEY (PEM):');\n  console.log('⚠️  KEEP SECRET - Do not commit to version control');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.privateKeyPem);\n\n  if (type === 'issuer') {\n    console.log('───────────────────────────────────────────────────────────');\n    console.log('Environment Variables (add to .env):');\n    console.log('───────────────────────────────────────────────────────────');\n    console.log(`AXIS_ISSUER_KID=${result.kid}`);\n    console.log(`AXIS_ISSUER_ALG=EdDSA`);\n    console.log(\n      `AXIS_ISSUER_PRIVATE_KEY_PEM=\"${result.privateKeyPem.replace(/\\n/g, '\\\\n')}\"`,\n    );\n    console.log('');\n  }\n\n  if (result.sql) {\n    console.log('───────────────────────────────────────────────────────────');\n    console.log('SQL INSERT Statement:');\n    console.log('───────────────────────────────────────────────────────────');\n    console.log(result.sql);\n  }\n\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('');\n  console.log('Next steps:');\n  if (type === 'issuer') {\n    console.log('1. Add environment variables to .env');\n    console.log('2. Run SQL statement to insert public key into database');\n    console.log('3. Store private key securely (Vault/KMS in production)');\n  } else {\n    console.log('1. Run SQL statement to insert actor key into database');\n    console.log('2. Distribute private key securely to actor/device');\n  }\n  console.log('');\n}\n\nmain();\n"],"mappings":";AAUA,oBAAiE;AACjE,IAAAA,iBAA4B;AAa5B,SAAS,qBAAqB,cAA8B;AAC1D,QAAM,UAAM,+BAAgB,YAAY,EAAE,OAAO;AAAA,IAC/C,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC;AACD,aAAO,0BAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AACtD;AAKA,SAAS,eAAuB;AAC9B,QAAM,YAAQ,4BAAY,EAAE;AAC5B,QAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAC/B,QAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAC/B,SAAO,MAAM,SAAS,KAAK;AAC7B;AAKA,SAAS,oBAAmC;AAC1C,QAAM,EAAE,WAAW,WAAW,QAAI,mCAAoB,SAAS;AAE/D,QAAM,eAAe,UAClB,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC,EACtC,SAAS;AACZ,QAAM,gBAAgB,WACnB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC,EACvC,SAAS;AAEZ,QAAM,cAAc,qBAAqB,YAAY;AACrD,QAAM,MAAM,eAAe,YAAY,MAAM,GAAG,EAAE,CAAC;AAEnD,QAAM,OAAO,aAAa;AAC1B,QAAM,OAAM,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,EAAE,QAAQ,KAAK,GAAG;AAElE,QAAM,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAMH,IAAI;AAAA,KACV,GAAG;AAAA;AAAA;AAAA,KAGH,aAAa,QAAQ,OAAO,KAAK,CAAC;AAAA;AAAA,KAElC,WAAW;AAAA,KACX,GAAG;AAAA,KACH,GAAG;AAAA;AAGN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAKA,SAAS,iBAAiB,SAAgC;AACxD,QAAM,EAAE,WAAW,WAAW,QAAI,mCAAoB,SAAS;AAE/D,QAAM,eAAe,UAClB,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC,EACtC,SAAS;AACZ,QAAM,gBAAgB,WACnB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC,EACvC,SAAS;AAGZ,QAAM,MAAM,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAC5D,QAAM,iBAAiB,IAAI,MAAM,GAAG;AAEpC,QAAM,cAAc,qBAAqB,YAAY;AACrD,QAAM,MAAM,GAAG,OAAO,IAAI,YAAY,MAAM,GAAG,EAAE,CAAC;AAElD,QAAM,OAAO,aAAa;AAC1B,QAAM,OAAM,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,EAAE,QAAQ,KAAK,GAAG;AAElE,QAAM,MAAM;AAAA,wBACU,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,WAKpB,IAAI;AAAA,KACV,OAAO;AAAA,KACP,GAAG;AAAA;AAAA,WAEG,eAAe,SAAS,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA,KAIpC,GAAG;AAAA,KACH,GAAG;AAAA;AAGN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAKA,SAAS,OAAO;AACd,QAAM,OAAO,QAAQ,KAAK,MAAM,CAAC;AACjC,QAAM,YAAY,KAAK,QAAQ,QAAQ;AACvC,QAAM,eAAe,KAAK,QAAQ,YAAY;AAE9C,QAAM,OAAO,aAAa,IAAI,KAAK,YAAY,CAAC,IAAI;AACpD,QAAM,UACJ,gBAAgB,IAAI,KAAK,eAAe,CAAC,IAAI,SAAS,KAAK,IAAI,CAAC;AAElE,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,gCAAgC;AAC5C,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,EAAE;AAEd,MAAI;AAEJ,MAAI,SAAS,UAAU;AACrB,YAAQ,IAAI,8BAA8B;AAC1C,YAAQ,IAAI,EAAE;AACd,aAAS,kBAAkB;AAAA,EAC7B,WAAW,SAAS,SAAS;AAC3B,YAAQ,IAAI,iCAAiC,OAAO,EAAE;AACtD,YAAQ,IAAI,EAAE;AACd,aAAS,iBAAiB,OAAO;AAAA,EACnC,OAAO;AACL,YAAQ,MAAM,iDAAiD;AAC/D,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,UAAQ,IAAI,uCAAkC;AAC9C,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,uBAAuB;AACnC,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,OAAO,GAAG;AACtB,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,wBAAwB;AACpC,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,OAAO,WAAW;AAC9B,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,mBAAmB;AAC/B,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,OAAO,YAAY;AAC/B,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,oBAAoB;AAChC,UAAQ,IAAI,8DAAoD;AAChE,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,OAAO,aAAa;AAEhC,MAAI,SAAS,UAAU;AACrB,YAAQ,IAAI,oWAA6D;AACzE,YAAQ,IAAI,sCAAsC;AAClD,YAAQ,IAAI,oWAA6D;AACzE,YAAQ,IAAI,mBAAmB,OAAO,GAAG,EAAE;AAC3C,YAAQ,IAAI,uBAAuB;AACnC,YAAQ;AAAA,MACN,gCAAgC,OAAO,cAAc,QAAQ,OAAO,KAAK,CAAC;AAAA,IAC5E;AACA,YAAQ,IAAI,EAAE;AAAA,EAChB;AAEA,MAAI,OAAO,KAAK;AACd,YAAQ,IAAI,oWAA6D;AACzE,YAAQ,IAAI,uBAAuB;AACnC,YAAQ,IAAI,oWAA6D;AACzE,YAAQ,IAAI,OAAO,GAAG;AAAA,EACxB;AAEA,UAAQ,IAAI,oWAA6D;AACzE,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,aAAa;AACzB,MAAI,SAAS,UAAU;AACrB,YAAQ,IAAI,sCAAsC;AAClD,YAAQ,IAAI,yDAAyD;AACrE,YAAQ,IAAI,yDAAyD;AAAA,EACvE,OAAO;AACL,YAAQ,IAAI,wDAAwD;AACpE,YAAQ,IAAI,oDAAoD;AAAA,EAClE;AACA,UAAQ,IAAI,EAAE;AAChB;AAEA,KAAK;","names":["import_crypto"]}

package/dist/bin/generate-keys.mjs

@@ -0,0 +1,169 @@
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+
+// src/bin/generate-keys.ts
+import { createHash, createPublicKey, generateKeyPairSync } from "crypto";
+import { randomBytes } from "crypto";
+var require_generate_keys = __commonJS({
+  "src/bin/generate-keys.ts"() {
+    function calculateFingerprint(publicKeyPem) {
+      const der = createPublicKey(publicKeyPem).export({
+        type: "spki",
+        format: "der"
+      });
+      return createHash("sha256").update(der).digest("hex");
+    }
+    function generateUuid() {
+      const bytes = randomBytes(16);
+      bytes[6] = bytes[6] & 15 | 64;
+      bytes[8] = bytes[8] & 63 | 128;
+      return bytes.toString("hex");
+    }
+    function generateIssuerKey() {
+      const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+      const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+      const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+      const fingerprint = calculateFingerprint(publicKeyPem);
+      const kid = `axis_issuer_${fingerprint.slice(0, 16)}`;
+      const uuid = generateUuid();
+      const now = (/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace("T", " ");
+      const sql = `
+-- AXIS Issuer Key
+INSERT INTO axis_issuer_keys (
+  id, kid, issuer_id, alg, public_key_pem, status, 
+  fingerprint, created_at, updated_at
+) VALUES (
+  UNHEX('${uuid}'),
+  '${kid}',
+  'axis-capsule-service',
+  'EdDSA',
+  '${publicKeyPem.replace(/\n/g, "\\n")}',
+  'ACTIVE',
+  '${fingerprint}',
+  '${now}',
+  '${now}'
+);`;
+      return {
+        kid,
+        publicKeyPem,
+        privateKeyPem,
+        fingerprint,
+        sql
+      };
+    }
+    function generateActorKey(actorId) {
+      const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+      const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+      const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+      const der = publicKey.export({ type: "spki", format: "der" });
+      const publicKeyBytes = der.slice(-32);
+      const fingerprint = calculateFingerprint(publicKeyPem);
+      const kid = `${actorId}_${fingerprint.slice(0, 12)}`;
+      const uuid = generateUuid();
+      const now = (/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace("T", " ");
+      const sql = `
+-- AXIS Actor Key for ${actorId}
+INSERT INTO axis_actor_keys (
+  id, actor_id, key_id, algorithm, public_key, purpose, status,
+  is_primary, created_at, updated_at
+) VALUES (
+  UNHEX('${uuid}'),
+  '${actorId}',
+  '${kid}',
+  'ED25519',
+  UNHEX('${publicKeyBytes.toString("hex")}'),
+  'SIGN',
+  'ACTIVE',
+  1,
+  '${now}',
+  '${now}'
+);`;
+      return {
+        kid,
+        publicKeyPem,
+        privateKeyPem,
+        fingerprint,
+        sql
+      };
+    }
+    function main() {
+      const args = process.argv.slice(2);
+      const typeIndex = args.indexOf("--type");
+      const actorIdIndex = args.indexOf("--actor-id");
+      const type = typeIndex >= 0 ? args[typeIndex + 1] : "issuer";
+      const actorId = actorIdIndex >= 0 ? args[actorIdIndex + 1] : `actor_${Date.now()}`;
+      console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+      console.log("  AXIS Key Generator (Ed25519)");
+      console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+      console.log("");
+      let result;
+      if (type === "issuer") {
+        console.log("Generating ISSUER keypair...");
+        console.log("");
+        result = generateIssuerKey();
+      } else if (type === "actor") {
+        console.log(`Generating ACTOR keypair for: ${actorId}`);
+        console.log("");
+        result = generateActorKey(actorId);
+      } else {
+        console.error("Invalid type. Use --type issuer or --type actor");
+        process.exit(1);
+      }
+      console.log("\u2713 Keypair generated successfully");
+      console.log("");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log("KID (Key Identifier):");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log(result.kid);
+      console.log("");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log("Fingerprint (SHA-256):");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log(result.fingerprint);
+      console.log("");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log("PUBLIC KEY (PEM):");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log(result.publicKeyPem);
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log("PRIVATE KEY (PEM):");
+      console.log("\u26A0\uFE0F  KEEP SECRET - Do not commit to version control");
+      console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      console.log(result.privateKeyPem);
+      if (type === "issuer") {
+        console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+        console.log("Environment Variables (add to .env):");
+        console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+        console.log(`AXIS_ISSUER_KID=${result.kid}`);
+        console.log(`AXIS_ISSUER_ALG=EdDSA`);
+        console.log(
+          `AXIS_ISSUER_PRIVATE_KEY_PEM="${result.privateKeyPem.replace(/\n/g, "\\n")}"`
+        );
+        console.log("");
+      }
+      if (result.sql) {
+        console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+        console.log("SQL INSERT Statement:");
+        console.log("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+        console.log(result.sql);
+      }
+      console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+      console.log("");
+      console.log("Next steps:");
+      if (type === "issuer") {
+        console.log("1. Add environment variables to .env");
+        console.log("2. Run SQL statement to insert public key into database");
+        console.log("3. Store private key securely (Vault/KMS in production)");
+      } else {
+        console.log("1. Run SQL statement to insert actor key into database");
+        console.log("2. Distribute private key securely to actor/device");
+      }
+      console.log("");
+    }
+    main();
+  }
+});
+export default require_generate_keys();
+//# sourceMappingURL=generate-keys.mjs.map

package/dist/bin/generate-keys.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/bin/generate-keys.ts"],"sourcesContent":["/**\n * AXIS Key Generator\n *\n * Generates Ed25519 keypairs for AXIS issuer and actors\n * For development and testing only - use proper KMS/Vault in production\n *\n * Usage:\n *   npm run generate-keys -- --type issuer\n *   npm run generate-keys -- --type actor --actor-id user_123\n */\nimport { createHash, createPublicKey, generateKeyPairSync } from 'crypto';\nimport { randomBytes } from 'crypto';\n\ninterface KeyPairResult {\n  kid: string;\n  publicKeyPem: string;\n  privateKeyPem: string;\n  fingerprint: string;\n  sql?: string;\n}\n\n/**\n * Calculate SHA-256 fingerprint of public key\n */\nfunction calculateFingerprint(publicKeyPem: string): string {\n  const der = createPublicKey(publicKeyPem).export({\n    type: 'spki',\n    format: 'der',\n  }) as Buffer;\n  return createHash('sha256').update(der).digest('hex');\n}\n\n/**\n * Generate UUID v4 as binary hex for MySQL\n */\nfunction generateUuid(): string {\n  const bytes = randomBytes(16);\n  bytes[6] = (bytes[6] & 0x0f) | 0x40; // Version 4\n  bytes[8] = (bytes[8] & 0x3f) | 0x80; // Variant\n  return bytes.toString('hex');\n}\n\n/**\n * Generate Ed25519 keypair for AXIS issuer\n */\nfunction generateIssuerKey(): KeyPairResult {\n  const { publicKey, privateKey } = generateKeyPairSync('ed25519');\n\n  const publicKeyPem = publicKey\n    .export({ type: 'spki', format: 'pem' })\n    .toString();\n  const privateKeyPem = privateKey\n    .export({ type: 'pkcs8', format: 'pem' })\n    .toString();\n\n  const fingerprint = calculateFingerprint(publicKeyPem);\n  const kid = `axis_issuer_${fingerprint.slice(0, 16)}`;\n\n  const uuid = generateUuid();\n  const now = new Date().toISOString().slice(0, 19).replace('T', ' ');\n\n  const sql = `\n-- AXIS Issuer Key\nINSERT INTO axis_issuer_keys (\n  id, kid, issuer_id, alg, public_key_pem, status, \n  fingerprint, created_at, updated_at\n) VALUES (\n  UNHEX('${uuid}'),\n  '${kid}',\n  'axis-capsule-service',\n  'EdDSA',\n  '${publicKeyPem.replace(/\\n/g, '\\\\n')}',\n  'ACTIVE',\n  '${fingerprint}',\n  '${now}',\n  '${now}'\n);`;\n\n  return {\n    kid,\n    publicKeyPem,\n    privateKeyPem,\n    fingerprint,\n    sql,\n  };\n}\n\n/**\n * Generate Ed25519 keypair for AXIS actor\n */\nfunction generateActorKey(actorId: string): KeyPairResult {\n  const { publicKey, privateKey } = generateKeyPairSync('ed25519');\n\n  const publicKeyPem = publicKey\n    .export({ type: 'spki', format: 'pem' })\n    .toString();\n  const privateKeyPem = privateKey\n    .export({ type: 'pkcs8', format: 'pem' })\n    .toString();\n\n  // Extract raw public key bytes (32 bytes for Ed25519)\n  const der = publicKey.export({ type: 'spki', format: 'der' }) as Buffer;\n  const publicKeyBytes = der.slice(-32); // Last 32 bytes are the raw key\n\n  const fingerprint = calculateFingerprint(publicKeyPem);\n  const kid = `${actorId}_${fingerprint.slice(0, 12)}`;\n\n  const uuid = generateUuid();\n  const now = new Date().toISOString().slice(0, 19).replace('T', ' ');\n\n  const sql = `\n-- AXIS Actor Key for ${actorId}\nINSERT INTO axis_actor_keys (\n  id, actor_id, key_id, algorithm, public_key, purpose, status,\n  is_primary, created_at, updated_at\n) VALUES (\n  UNHEX('${uuid}'),\n  '${actorId}',\n  '${kid}',\n  'ED25519',\n  UNHEX('${publicKeyBytes.toString('hex')}'),\n  'SIGN',\n  'ACTIVE',\n  1,\n  '${now}',\n  '${now}'\n);`;\n\n  return {\n    kid,\n    publicKeyPem,\n    privateKeyPem,\n    fingerprint,\n    sql,\n  };\n}\n\n/**\n * Main function\n */\nfunction main() {\n  const args = process.argv.slice(2);\n  const typeIndex = args.indexOf('--type');\n  const actorIdIndex = args.indexOf('--actor-id');\n\n  const type = typeIndex >= 0 ? args[typeIndex + 1] : 'issuer';\n  const actorId =\n    actorIdIndex >= 0 ? args[actorIdIndex + 1] : `actor_${Date.now()}`;\n\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('  AXIS Key Generator (Ed25519)');\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('');\n\n  let result: KeyPairResult;\n\n  if (type === 'issuer') {\n    console.log('Generating ISSUER keypair...');\n    console.log('');\n    result = generateIssuerKey();\n  } else if (type === 'actor') {\n    console.log(`Generating ACTOR keypair for: ${actorId}`);\n    console.log('');\n    result = generateActorKey(actorId);\n  } else {\n    console.error('Invalid type. Use --type issuer or --type actor');\n    process.exit(1);\n  }\n\n  console.log('✓ Keypair generated successfully');\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('KID (Key Identifier):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.kid);\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('Fingerprint (SHA-256):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.fingerprint);\n  console.log('');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('PUBLIC KEY (PEM):');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.publicKeyPem);\n  console.log('───────────────────────────────────────────────────────────');\n  console.log('PRIVATE KEY (PEM):');\n  console.log('⚠️  KEEP SECRET - Do not commit to version control');\n  console.log('───────────────────────────────────────────────────────────');\n  console.log(result.privateKeyPem);\n\n  if (type === 'issuer') {\n    console.log('───────────────────────────────────────────────────────────');\n    console.log('Environment Variables (add to .env):');\n    console.log('───────────────────────────────────────────────────────────');\n    console.log(`AXIS_ISSUER_KID=${result.kid}`);\n    console.log(`AXIS_ISSUER_ALG=EdDSA`);\n    console.log(\n      `AXIS_ISSUER_PRIVATE_KEY_PEM=\"${result.privateKeyPem.replace(/\\n/g, '\\\\n')}\"`,\n    );\n    console.log('');\n  }\n\n  if (result.sql) {\n    console.log('───────────────────────────────────────────────────────────');\n    console.log('SQL INSERT Statement:');\n    console.log('───────────────────────────────────────────────────────────');\n    console.log(result.sql);\n  }\n\n  console.log('═══════════════════════════════════════════════════════════');\n  console.log('');\n  console.log('Next steps:');\n  if (type === 'issuer') {\n    console.log('1. Add environment variables to .env');\n    console.log('2. Run SQL statement to insert public key into database');\n    console.log('3. Store private key securely (Vault/KMS in production)');\n  } else {\n    console.log('1. Run SQL statement to insert actor key into database');\n    console.log('2. Distribute private key securely to actor/device');\n  }\n  console.log('');\n}\n\nmain();\n"],"mappings":";;;;;;AAUA,SAAS,YAAY,iBAAiB,2BAA2B;AACjE,SAAS,mBAAmB;AAX5B;AAAA;AAwBA,aAAS,qBAAqB,cAA8B;AAC1D,YAAM,MAAM,gBAAgB,YAAY,EAAE,OAAO;AAAA,QAC/C,MAAM;AAAA,QACN,QAAQ;AAAA,MACV,CAAC;AACD,aAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AAAA,IACtD;AAKA,aAAS,eAAuB;AAC9B,YAAM,QAAQ,YAAY,EAAE;AAC5B,YAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAC/B,YAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAC/B,aAAO,MAAM,SAAS,KAAK;AAAA,IAC7B;AAKA,aAAS,oBAAmC;AAC1C,YAAM,EAAE,WAAW,WAAW,IAAI,oBAAoB,SAAS;AAE/D,YAAM,eAAe,UAClB,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC,EACtC,SAAS;AACZ,YAAM,gBAAgB,WACnB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC,EACvC,SAAS;AAEZ,YAAM,cAAc,qBAAqB,YAAY;AACrD,YAAM,MAAM,eAAe,YAAY,MAAM,GAAG,EAAE,CAAC;AAEnD,YAAM,OAAO,aAAa;AAC1B,YAAM,OAAM,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,EAAE,QAAQ,KAAK,GAAG;AAElE,YAAM,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAMH,IAAI;AAAA,KACV,GAAG;AAAA;AAAA;AAAA,KAGH,aAAa,QAAQ,OAAO,KAAK,CAAC;AAAA;AAAA,KAElC,WAAW;AAAA,KACX,GAAG;AAAA,KACH,GAAG;AAAA;AAGN,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAKA,aAAS,iBAAiB,SAAgC;AACxD,YAAM,EAAE,WAAW,WAAW,IAAI,oBAAoB,SAAS;AAE/D,YAAM,eAAe,UAClB,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC,EACtC,SAAS;AACZ,YAAM,gBAAgB,WACnB,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC,EACvC,SAAS;AAGZ,YAAM,MAAM,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAC5D,YAAM,iBAAiB,IAAI,MAAM,GAAG;AAEpC,YAAM,cAAc,qBAAqB,YAAY;AACrD,YAAM,MAAM,GAAG,OAAO,IAAI,YAAY,MAAM,GAAG,EAAE,CAAC;AAElD,YAAM,OAAO,aAAa;AAC1B,YAAM,OAAM,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,EAAE,QAAQ,KAAK,GAAG;AAElE,YAAM,MAAM;AAAA,wBACU,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,WAKpB,IAAI;AAAA,KACV,OAAO;AAAA,KACP,GAAG;AAAA;AAAA,WAEG,eAAe,SAAS,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA,KAIpC,GAAG;AAAA,KACH,GAAG;AAAA;AAGN,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAKA,aAAS,OAAO;AACd,YAAM,OAAO,QAAQ,KAAK,MAAM,CAAC;AACjC,YAAM,YAAY,KAAK,QAAQ,QAAQ;AACvC,YAAM,eAAe,KAAK,QAAQ,YAAY;AAE9C,YAAM,OAAO,aAAa,IAAI,KAAK,YAAY,CAAC,IAAI;AACpD,YAAM,UACJ,gBAAgB,IAAI,KAAK,eAAe,CAAC,IAAI,SAAS,KAAK,IAAI,CAAC;AAElE,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,gCAAgC;AAC5C,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,EAAE;AAEd,UAAI;AAEJ,UAAI,SAAS,UAAU;AACrB,gBAAQ,IAAI,8BAA8B;AAC1C,gBAAQ,IAAI,EAAE;AACd,iBAAS,kBAAkB;AAAA,MAC7B,WAAW,SAAS,SAAS;AAC3B,gBAAQ,IAAI,iCAAiC,OAAO,EAAE;AACtD,gBAAQ,IAAI,EAAE;AACd,iBAAS,iBAAiB,OAAO;AAAA,MACnC,OAAO;AACL,gBAAQ,MAAM,iDAAiD;AAC/D,gBAAQ,KAAK,CAAC;AAAA,MAChB;AAEA,cAAQ,IAAI,uCAAkC;AAC9C,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,uBAAuB;AACnC,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,OAAO,GAAG;AACtB,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,wBAAwB;AACpC,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,OAAO,WAAW;AAC9B,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,mBAAmB;AAC/B,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,OAAO,YAAY;AAC/B,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,oBAAoB;AAChC,cAAQ,IAAI,8DAAoD;AAChE,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,OAAO,aAAa;AAEhC,UAAI,SAAS,UAAU;AACrB,gBAAQ,IAAI,oWAA6D;AACzE,gBAAQ,IAAI,sCAAsC;AAClD,gBAAQ,IAAI,oWAA6D;AACzE,gBAAQ,IAAI,mBAAmB,OAAO,GAAG,EAAE;AAC3C,gBAAQ,IAAI,uBAAuB;AACnC,gBAAQ;AAAA,UACN,gCAAgC,OAAO,cAAc,QAAQ,OAAO,KAAK,CAAC;AAAA,QAC5E;AACA,gBAAQ,IAAI,EAAE;AAAA,MAChB;AAEA,UAAI,OAAO,KAAK;AACd,gBAAQ,IAAI,oWAA6D;AACzE,gBAAQ,IAAI,uBAAuB;AACnC,gBAAQ,IAAI,oWAA6D;AACzE,gBAAQ,IAAI,OAAO,GAAG;AAAA,MACxB;AAEA,cAAQ,IAAI,oWAA6D;AACzE,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,aAAa;AACzB,UAAI,SAAS,UAAU;AACrB,gBAAQ,IAAI,sCAAsC;AAClD,gBAAQ,IAAI,yDAAyD;AACrE,gBAAQ,IAAI,yDAAyD;AAAA,MACvE,OAAO;AACL,gBAAQ,IAAI,wDAAwD;AACpE,gBAAQ,IAAI,oDAAoD;AAAA,MAClE;AACA,cAAQ,IAAI,EAAE;AAAA,IAChB;AAEA,SAAK;AAAA;AAAA;","names":[]}

package/dist/core/index.d.mts

@@ -1,26 +1,3 @@
 export { AXIS_MAGIC, AXIS_VERSION, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, decodeArray, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeTLVs, encodeVarint, varintLength } from '@nextera.one/axis-protocol';
-import * as z from 'zod';
-
-declare const AxisFrameZ: z.ZodObject<{
-    flags: z.ZodNumber;
-    headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
-    body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-    sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-}, z.core.$strip>;
-type AxisFrame = z.infer<typeof AxisFrameZ>;
-type AxisBinaryFrame = AxisFrame;
-declare function encodeFrame(frame: AxisFrame): Uint8Array;
-declare function decodeFrame(buf: Uint8Array): AxisFrame;
-declare function getSignTarget(frame: AxisFrame): Uint8Array;
-
-declare function computeSignaturePayload(frame: AxisFrame): Buffer;
-declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
-declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
-declare function generateEd25519KeyPair(): {
-    privateKey: Buffer;
-    publicKey: Buffer;
-};
-declare function sha256(data: Buffer | Uint8Array): Buffer;
-declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
-
-export { type AxisBinaryFrame, type AxisFrame, AxisFrameZ, computeReceiptHash, computeSignaturePayload, decodeFrame, encodeFrame, generateEd25519KeyPair, getSignTarget, sha256, signFrame, verifyFrameSignature };
+export { a as AxisBinaryFrame, k as AxisError, A as AxisFrame, b as AxisFrameZ, c as computeReceiptHash, d as computeSignaturePayload, e as decodeFrame, f as encodeFrame, g as generateEd25519KeyPair, h as getSignTarget, s as sha256, j as signFrame, v as verifyFrameSignature } from '../index-B5xzROld.mjs';
+import 'zod';

package/dist/core/index.d.ts

@@ -1,26 +1,3 @@
 export { AXIS_MAGIC, AXIS_VERSION, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, decodeArray, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeTLVs, encodeVarint, varintLength } from '@nextera.one/axis-protocol';
-import * as z from 'zod';
-
-declare const AxisFrameZ: z.ZodObject<{
-    flags: z.ZodNumber;
-    headers: z.ZodMap<z.ZodNumber, z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>>;
-    body: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-    sig: z.ZodCustom<Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
-}, z.core.$strip>;
-type AxisFrame = z.infer<typeof AxisFrameZ>;
-type AxisBinaryFrame = AxisFrame;
-declare function encodeFrame(frame: AxisFrame): Uint8Array;
-declare function decodeFrame(buf: Uint8Array): AxisFrame;
-declare function getSignTarget(frame: AxisFrame): Uint8Array;
-
-declare function computeSignaturePayload(frame: AxisFrame): Buffer;
-declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
-declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
-declare function generateEd25519KeyPair(): {
-    privateKey: Buffer;
-    publicKey: Buffer;
-};
-declare function sha256(data: Buffer | Uint8Array): Buffer;
-declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
-
-export { type AxisBinaryFrame, type AxisFrame, AxisFrameZ, computeReceiptHash, computeSignaturePayload, decodeFrame, encodeFrame, generateEd25519KeyPair, getSignTarget, sha256, signFrame, verifyFrameSignature };
+export { a as AxisBinaryFrame, k as AxisError, A as AxisFrame, b as AxisFrameZ, c as computeReceiptHash, d as computeSignaturePayload, e as decodeFrame, f as encodeFrame, g as generateEd25519KeyPair, h as getSignTarget, s as sha256, j as signFrame, v as verifyFrameSignature } from '../index-B5xzROld.js';
+import 'zod';

package/dist/core/index.js

@@ -31,6 +31,7 @@ var core_exports = {};
 __export(core_exports, {
   AXIS_MAGIC: () => import_axis_protocol.AXIS_MAGIC,
   AXIS_VERSION: () => import_axis_protocol.AXIS_VERSION,
+  AxisError: () => AxisError,
   AxisFrameZ: () => AxisFrameZ,
   BodyProfile: () => import_axis_protocol.BodyProfile,
   ERR_BAD_SIGNATURE: () => import_axis_protocol.ERR_BAD_SIGNATURE,
@@ -336,10 +337,22 @@ function computeReceiptHash(receiptBytes, prevHash) {
   }
   return hasher.digest();
 }
+
+// src/core/axis-error.ts
+var AxisError = class extends Error {
+  constructor(code, message, httpStatus = 400, details) {
+    super(message);
+    this.code = code;
+    this.httpStatus = httpStatus;
+    this.details = details;
+    this.name = "AxisError";
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AXIS_MAGIC,
   AXIS_VERSION,
+  AxisError,
   AxisFrameZ,
   BodyProfile,
   ERR_BAD_SIGNATURE,

package/dist/core/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/index.ts","../../src/core/constants.ts","../../src/core/varint.ts","../../src/core/tlv.ts","../../src/core/axis-bin.ts","../../src/core/signature.ts"],"sourcesContent":["export * from './constants';\nexport * from './varint';\nexport * from './tlv';\nexport * from './axis-bin';\nexport * from './signature';\n","export {\n  AXIS_MAGIC, AXIS_VERSION,\n  MAX_HDR_LEN, MAX_BODY_LEN, MAX_SIG_LEN, MAX_FRAME_LEN,\n  FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS,\n  TLV_PID, TLV_TS, TLV_INTENT, TLV_ACTOR_ID, TLV_PROOF_TYPE,\n  TLV_PROOF_REF, TLV_NONCE, TLV_AUD, TLV_REALM, TLV_NODE,\n  TLV_TRACE_ID, TLV_KID,\n  TLV_RID, TLV_OK, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG,\n  TLV_PREV_HASH, TLV_RECEIPT_HASH, TLV_NODE_KID, TLV_NODE_CERT_HASH,\n  TLV_LOOM_PRESENCE_ID, TLV_LOOM_WRIT, TLV_LOOM_THREAD_HASH,\n  TLV_UPLOAD_ID, TLV_INDEX, TLV_OFFSET, TLV_SHA256_CHUNK, TLV_CAPSULE,\n  TLV_BODY_OBJ, TLV_BODY_ARR,\n  NCERT_NODE_ID, NCERT_KID, NCERT_ALG, NCERT_PUB, NCERT_NBF,\n  NCERT_EXP, NCERT_SCOPE, NCERT_ISSUER_KID, NCERT_PAYLOAD, NCERT_SIG,\n  PROOF_NONE, PROOF_CAPSULE, PROOF_JWT, PROOF_MTLS, PROOF_LOOM, PROOF_WITNESS,\n  ProofType, BodyProfile,\n  ERR_INVALID_PACKET, ERR_BAD_SIGNATURE, ERR_REPLAY_DETECTED, ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","export {\n  TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","import * as z from 'zod';\n\n/**\n * AxisFrame Schema\n *\n * Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n */\nexport const AxisFrameZ = z.object({\n  /** Flag bits for protocol control (e.g., encryption, compression) */\n  flags: z.number().int().nonnegative(),\n  /** A map of TLV headers where key=Tag and value=BinaryData */\n  headers: z.map(\n    z.number(),\n    z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n  ),\n  /** The main payload of the frame */\n  body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n  /** The cryptographic signature covering the frame (except the signature itself) */\n  sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n\n/**\n * Represents a structured AXIS frame.\n * @typedef {Object} AxisFrame\n */\nexport type AxisFrame = z.infer<typeof AxisFrameZ>;\nexport type AxisBinaryFrame = AxisFrame;\nimport {\n  AXIS_MAGIC,\n  AXIS_VERSION,\n  MAX_BODY_LEN,\n  MAX_FRAME_LEN,\n  MAX_HDR_LEN,\n  MAX_SIG_LEN,\n} from './constants';\nimport { decodeTLVs, encodeTLVs } from './tlv';\nimport { decodeVarint, encodeVarint } from './varint';\n\n/**\n * Encodes a structured AxisFrame into its binary wire representation.\n *\n * **Encoding Steps:**\n * 1. Encodes header TLV map into a single buffer.\n * 2. Validates lengths against MAX_* constants.\n * 3. Encodes lengths (HDR, BODY, SIG) as varints.\n * 4. Assembles the final byte array with magic, version, and flags.\n *\n * @param {AxisFrame} frame - The structured frame to encode\n * @returns {Uint8Array} The full binary frame\n * @throws {Error} If any section exceeds protocol limits\n */\nexport function encodeFrame(frame: AxisFrame): Uint8Array {\n  const hdrBytes = encodeTLVs(\n    Array.from(frame.headers.entries()).map(([t, v]) => ({\n      type: t,\n      value: v,\n    })),\n  );\n\n  if (hdrBytes.length > MAX_HDR_LEN) throw new Error('Header too large');\n  if (frame.body.length > MAX_BODY_LEN) throw new Error('Body too large');\n  if (frame.sig.length > MAX_SIG_LEN) throw new Error('Signature too large');\n\n  // Header Len, Body Len, Sig Len\n  const hdrLenBytes = encodeVarint(hdrBytes.length);\n  const bodyLenBytes = encodeVarint(frame.body.length);\n  const sigLenBytes = encodeVarint(frame.sig.length);\n\n  const totalLen =\n    5 + // Magic (AXIS1)\n    1 + // Version\n    1 + // Flags\n    hdrLenBytes.length +\n    bodyLenBytes.length +\n    sigLenBytes.length +\n    hdrBytes.length +\n    frame.body.length +\n    frame.sig.length;\n\n  if (totalLen > MAX_FRAME_LEN) throw new Error('Total frame too large');\n\n  const buf = new Uint8Array(totalLen);\n  let offset = 0;\n\n  // Magic (AXIS1 - 5 bytes)\n  buf.set(AXIS_MAGIC, offset);\n  offset += 5;\n\n  // Version\n  buf[offset++] = AXIS_VERSION;\n\n  // Flags\n  buf[offset++] = frame.flags;\n\n  // Lengths\n  buf.set(hdrLenBytes, offset);\n  offset += hdrLenBytes.length;\n\n  buf.set(bodyLenBytes, offset);\n  offset += bodyLenBytes.length;\n\n  buf.set(sigLenBytes, offset);\n  offset += sigLenBytes.length;\n\n  // Payloads\n  buf.set(hdrBytes, offset);\n  offset += hdrBytes.length;\n\n  buf.set(frame.body, offset);\n  offset += frame.body.length;\n\n  buf.set(frame.sig, offset);\n  offset += frame.sig.length;\n\n  return buf;\n}\n\n/**\n * Decodes a binary buffer into a structured AxisFrame with strict validation.\n *\n * @param {Uint8Array} buf - Raw bytes from the wire\n * @returns {AxisFrame} The parsed and validated frame\n * @throws {Error} If magic, version, or lengths are invalid\n */\nexport function decodeFrame(buf: Uint8Array): AxisFrame {\n  let offset = 0;\n\n  // 1. Magic (AXIS1 - 5 bytes)\n  if (offset + 5 > buf.length) throw new Error('Packet too short');\n  for (let i = 0; i < 5; i++) {\n    if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error('Invalid Magic');\n  }\n  offset += 5;\n\n  // 2. Version\n  const ver = buf[offset++];\n  if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);\n\n  // 3. Flags\n  const flags = buf[offset++];\n\n  // 4. Lengths\n  const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);\n  offset += hlLen;\n  if (hdrLen > MAX_HDR_LEN) throw new Error('Header limit exceeded');\n\n  const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);\n  offset += blLen;\n  if (bodyLen > MAX_BODY_LEN) throw new Error('Body limit exceeded');\n\n  const { value: sigLen, length: slLen } = decodeVarint(buf, offset);\n  offset += slLen;\n  if (sigLen > MAX_SIG_LEN) throw new Error('Signature limit exceeded');\n\n  // 5. Extract Bytes\n  if (offset + hdrLen + bodyLen + sigLen > buf.length) {\n    throw new Error('Frame truncated');\n  }\n\n  const hdrBytes = buf.slice(offset, offset + hdrLen);\n  offset += hdrLen;\n\n  const bodyBytes = buf.slice(offset, offset + bodyLen);\n  offset += bodyLen;\n\n  const sigBytes = buf.slice(offset, offset + sigLen);\n  offset += sigLen;\n\n  // 6. Decode Header TLVs\n  const headers = decodeTLVs(hdrBytes);\n\n  return {\n    flags,\n    headers,\n    body: bodyBytes,\n    sig: sigBytes,\n  };\n}\n\n/**\n * Helper to get canonical bytes for signing.\n * SigTarget = All bytes up to SigLen, with SigLen=0, and no SigBytes.\n */\nexport function getSignTarget(frame: AxisFrame): Uint8Array {\n  // Re-encode frame but with empty signature\n  // Note: This is efficient enough for v1 (tens of KB).\n  return encodeFrame({\n    ...frame,\n    sig: new Uint8Array(0),\n  });\n}\n","import * as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame } from './axis-bin';\n\n/**\n * Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n */\n\n/**\n * Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n *\n * @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n */\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n  // Re-encode frame with empty signature\n  const frameWithoutSig: AxisFrame = {\n    ...frame,\n    sig: new Uint8Array(0),\n  };\n\n  const encoded = encodeFrame(frameWithoutSig);\n  return Buffer.from(encoded);\n}\n\n/**\n * Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n *\n * @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n */\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n  const payload = computeSignaturePayload(frame);\n\n  let keyObject: crypto.KeyObject;\n\n  // Check if key is raw 32-byte seed or DER-encoded\n  if (privateKey.length === 32) {\n    // Raw seed - wrap in pkcs8 DER format\n    // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n    const pkcs8Prefix = Buffer.from([\n      0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n      0x04, 0x22, 0x04, 0x20,\n    ]);\n    const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n    keyObject = crypto.createPrivateKey({\n      key: pkcs8Key,\n      format: 'der',\n      type: 'pkcs8',\n    });\n  } else {\n    // Assume already DER-encoded pkcs8\n    keyObject = crypto.createPrivateKey({\n      key: privateKey,\n      format: 'der',\n      type: 'pkcs8',\n    });\n  }\n\n  const signature = crypto.sign(null, payload, keyObject);\n\n  if (signature.length !== 64) {\n    throw new Error('Ed25519 signature must be 64 bytes');\n  }\n\n  return signature;\n}\n\n/**\n * Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n *\n * @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n */\nexport function verifyFrameSignature(\n  frame: AxisFrame,\n  publicKey: Buffer,\n): boolean {\n  if (frame.sig.length === 0) {\n    return false; // No signature\n  }\n\n  if (frame.sig.length !== 64) {\n    throw new Error('Ed25519 signature must be 64 bytes');\n  }\n\n  const payload = computeSignaturePayload(frame);\n\n  try {\n    let keyObject: crypto.KeyObject;\n\n    // Check if key is raw 32-byte or DER-encoded\n    if (publicKey.length === 32) {\n      // Raw key - wrap in spki DER format\n      // spki prefix for Ed25519: 0x302a300506032b6570032100\n      const spkiPrefix = Buffer.from([\n        0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n      ]);\n      const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n      keyObject = crypto.createPublicKey({\n        key: spkiKey,\n        format: 'der',\n        type: 'spki',\n      });\n    } else {\n      // Assume already DER-encoded spki\n      keyObject = crypto.createPublicKey({\n        key: publicKey,\n        format: 'der',\n        type: 'spki',\n      });\n    }\n\n    const valid = crypto.verify(\n      null,\n      payload,\n      keyObject,\n      Buffer.from(frame.sig),\n    );\n    return valid;\n  } catch (error) {\n    return false;\n  }\n}\n\n/**\n * Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n *\n * @returns {Object} An object containing the privateKey and publicKey as Buffers\n */\nexport function generateEd25519KeyPair(): {\n  privateKey: Buffer;\n  publicKey: Buffer;\n} {\n  const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n  return {\n    privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n    publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n  };\n}\n\n/**\n * Computes a standard SHA-256 hash of the provided data.\n *\n * @param {Buffer | Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n */\nexport function sha256(data: Buffer | Uint8Array): Buffer {\n  return crypto.createHash('sha256').update(data).digest();\n}\n\n/**\n * Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n *\n * @param {Buffer | Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer | Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n */\nexport function computeReceiptHash(\n  receiptBytes: Buffer | Uint8Array,\n  prevHash?: Buffer | Uint8Array,\n): Buffer {\n  const hasher = crypto.createHash('sha256');\n  hasher.update(receiptBytes);\n\n  if (prevHash && prevHash.length > 0) {\n    hasher.update(prevHash);\n  }\n\n  return hasher.digest();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,2BAiBO;;;ACjBP,IAAAA,wBAAyD;;;ACAzD,IAAAC,wBAEO;;;ACFP,QAAmB;AAQZ,IAAM,aAAe,SAAO;AAAA;AAAA,EAEjC,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,EAEpC,SAAW;AAAA,IACP,SAAO;AAAA,IACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA;AAAA,EAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,EAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAC1D,CAAC;AAgCM,SAAS,YAAY,OAA8B;AACxD,QAAM,eAAW;AAAA,IACf,MAAM,KAAK,MAAM,QAAQ,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;AAAA,MACnD,MAAM;AAAA,MACN,OAAO;AAAA,IACT,EAAE;AAAA,EACJ;AAEA,MAAI,SAAS,SAAS,iCAAa,OAAM,IAAI,MAAM,kBAAkB;AACrE,MAAI,MAAM,KAAK,SAAS,kCAAc,OAAM,IAAI,MAAM,gBAAgB;AACtE,MAAI,MAAM,IAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,qBAAqB;AAGzE,QAAM,kBAAc,oCAAa,SAAS,MAAM;AAChD,QAAM,mBAAe,oCAAa,MAAM,KAAK,MAAM;AACnD,QAAM,kBAAc,oCAAa,MAAM,IAAI,MAAM;AAEjD,QAAM,WACJ;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SACZ,aAAa,SACb,YAAY,SACZ,SAAS,SACT,MAAM,KAAK,SACX,MAAM,IAAI;AAEZ,MAAI,WAAW,mCAAe,OAAM,IAAI,MAAM,uBAAuB;AAErE,QAAM,MAAM,IAAI,WAAW,QAAQ;AACnC,MAAI,SAAS;AAGb,MAAI,IAAI,iCAAY,MAAM;AAC1B,YAAU;AAGV,MAAI,QAAQ,IAAI;AAGhB,MAAI,QAAQ,IAAI,MAAM;AAGtB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAEtB,MAAI,IAAI,cAAc,MAAM;AAC5B,YAAU,aAAa;AAEvB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAGtB,MAAI,IAAI,UAAU,MAAM;AACxB,YAAU,SAAS;AAEnB,MAAI,IAAI,MAAM,MAAM,MAAM;AAC1B,YAAU,MAAM,KAAK;AAErB,MAAI,IAAI,MAAM,KAAK,MAAM;AACzB,YAAU,MAAM,IAAI;AAEpB,SAAO;AACT;AASO,SAAS,YAAY,KAA4B;AACtD,MAAI,SAAS;AAGb,MAAI,SAAS,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAC/D,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,IAAI,SAAS,CAAC,MAAM,gCAAW,CAAC,EAAG,OAAM,IAAI,MAAM,eAAe;AAAA,EACxE;AACA,YAAU;AAGV,QAAM,MAAM,IAAI,QAAQ;AACxB,MAAI,QAAQ,kCAAc,OAAM,IAAI,MAAM,wBAAwB,GAAG,EAAE;AAGvE,QAAM,QAAQ,IAAI,QAAQ;AAG1B,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,uBAAuB;AAEjE,QAAM,EAAE,OAAO,SAAS,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AAClE,YAAU;AACV,MAAI,UAAU,kCAAc,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,0BAA0B;AAGpE,MAAI,SAAS,SAAS,UAAU,SAAS,IAAI,QAAQ;AACnD,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAEV,QAAM,YAAY,IAAI,MAAM,QAAQ,SAAS,OAAO;AACpD,YAAU;AAEV,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAGV,QAAM,cAAU,kCAAW,QAAQ;AAEnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACF;AAMO,SAAS,cAAc,OAA8B;AAG1D,SAAO,YAAY;AAAA,IACjB,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB,CAAC;AACH;;;AC/LA,aAAwB;AAgBjB,SAAS,wBAAwB,OAA0B;AAEhE,QAAM,kBAA6B;AAAA,IACjC,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB;AAEA,QAAM,UAAU,YAAY,eAAe;AAC3C,SAAO,OAAO,KAAK,OAAO;AAC5B;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,YAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,2BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAAS,OAAO,MAAmC;AACxD,SAAc,kBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,kBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;","names":["import_axis_protocol","import_axis_protocol"]}
+{"version":3,"sources":["../../src/core/index.ts","../../src/core/constants.ts","../../src/core/varint.ts","../../src/core/tlv.ts","../../src/core/axis-bin.ts","../../src/core/signature.ts","../../src/core/axis-error.ts"],"sourcesContent":["export * from './constants';\nexport * from './varint';\nexport * from './tlv';\nexport * from './axis-bin';\nexport * from './signature';\nexport * from './axis-error';\n","export {\n  AXIS_MAGIC, AXIS_VERSION,\n  MAX_HDR_LEN, MAX_BODY_LEN, MAX_SIG_LEN, MAX_FRAME_LEN,\n  FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS,\n  TLV_PID, TLV_TS, TLV_INTENT, TLV_ACTOR_ID, TLV_PROOF_TYPE,\n  TLV_PROOF_REF, TLV_NONCE, TLV_AUD, TLV_REALM, TLV_NODE,\n  TLV_TRACE_ID, TLV_KID,\n  TLV_RID, TLV_OK, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG,\n  TLV_PREV_HASH, TLV_RECEIPT_HASH, TLV_NODE_KID, TLV_NODE_CERT_HASH,\n  TLV_LOOM_PRESENCE_ID, TLV_LOOM_WRIT, TLV_LOOM_THREAD_HASH,\n  TLV_UPLOAD_ID, TLV_INDEX, TLV_OFFSET, TLV_SHA256_CHUNK, TLV_CAPSULE,\n  TLV_BODY_OBJ, TLV_BODY_ARR,\n  NCERT_NODE_ID, NCERT_KID, NCERT_ALG, NCERT_PUB, NCERT_NBF,\n  NCERT_EXP, NCERT_SCOPE, NCERT_ISSUER_KID, NCERT_PAYLOAD, NCERT_SIG,\n  PROOF_NONE, PROOF_CAPSULE, PROOF_JWT, PROOF_MTLS, PROOF_LOOM, PROOF_WITNESS,\n  ProofType, BodyProfile,\n  ERR_INVALID_PACKET, ERR_BAD_SIGNATURE, ERR_REPLAY_DETECTED, ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","export {\n  TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","import * as z from 'zod';\n\n/**\n * AxisFrame Schema\n *\n * Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n */\nexport const AxisFrameZ = z.object({\n  /** Flag bits for protocol control (e.g., encryption, compression) */\n  flags: z.number().int().nonnegative(),\n  /** A map of TLV headers where key=Tag and value=BinaryData */\n  headers: z.map(\n    z.number(),\n    z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n  ),\n  /** The main payload of the frame */\n  body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n  /** The cryptographic signature covering the frame (except the signature itself) */\n  sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n\n/**\n * Represents a structured AXIS frame.\n * @typedef {Object} AxisFrame\n */\nexport type AxisFrame = z.infer<typeof AxisFrameZ>;\nexport type AxisBinaryFrame = AxisFrame;\nimport {\n  AXIS_MAGIC,\n  AXIS_VERSION,\n  MAX_BODY_LEN,\n  MAX_FRAME_LEN,\n  MAX_HDR_LEN,\n  MAX_SIG_LEN,\n} from './constants';\nimport { decodeTLVs, encodeTLVs } from './tlv';\nimport { decodeVarint, encodeVarint } from './varint';\n\n/**\n * Encodes a structured AxisFrame into its binary wire representation.\n *\n * **Encoding Steps:**\n * 1. Encodes header TLV map into a single buffer.\n * 2. Validates lengths against MAX_* constants.\n * 3. Encodes lengths (HDR, BODY, SIG) as varints.\n * 4. Assembles the final byte array with magic, version, and flags.\n *\n * @param {AxisFrame} frame - The structured frame to encode\n * @returns {Uint8Array} The full binary frame\n * @throws {Error} If any section exceeds protocol limits\n */\nexport function encodeFrame(frame: AxisFrame): Uint8Array {\n  const hdrBytes = encodeTLVs(\n    Array.from(frame.headers.entries()).map(([t, v]) => ({\n      type: t,\n      value: v,\n    })),\n  );\n\n  if (hdrBytes.length > MAX_HDR_LEN) throw new Error('Header too large');\n  if (frame.body.length > MAX_BODY_LEN) throw new Error('Body too large');\n  if (frame.sig.length > MAX_SIG_LEN) throw new Error('Signature too large');\n\n  // Header Len, Body Len, Sig Len\n  const hdrLenBytes = encodeVarint(hdrBytes.length);\n  const bodyLenBytes = encodeVarint(frame.body.length);\n  const sigLenBytes = encodeVarint(frame.sig.length);\n\n  const totalLen =\n    5 + // Magic (AXIS1)\n    1 + // Version\n    1 + // Flags\n    hdrLenBytes.length +\n    bodyLenBytes.length +\n    sigLenBytes.length +\n    hdrBytes.length +\n    frame.body.length +\n    frame.sig.length;\n\n  if (totalLen > MAX_FRAME_LEN) throw new Error('Total frame too large');\n\n  const buf = new Uint8Array(totalLen);\n  let offset = 0;\n\n  // Magic (AXIS1 - 5 bytes)\n  buf.set(AXIS_MAGIC, offset);\n  offset += 5;\n\n  // Version\n  buf[offset++] = AXIS_VERSION;\n\n  // Flags\n  buf[offset++] = frame.flags;\n\n  // Lengths\n  buf.set(hdrLenBytes, offset);\n  offset += hdrLenBytes.length;\n\n  buf.set(bodyLenBytes, offset);\n  offset += bodyLenBytes.length;\n\n  buf.set(sigLenBytes, offset);\n  offset += sigLenBytes.length;\n\n  // Payloads\n  buf.set(hdrBytes, offset);\n  offset += hdrBytes.length;\n\n  buf.set(frame.body, offset);\n  offset += frame.body.length;\n\n  buf.set(frame.sig, offset);\n  offset += frame.sig.length;\n\n  return buf;\n}\n\n/**\n * Decodes a binary buffer into a structured AxisFrame with strict validation.\n *\n * @param {Uint8Array} buf - Raw bytes from the wire\n * @returns {AxisFrame} The parsed and validated frame\n * @throws {Error} If magic, version, or lengths are invalid\n */\nexport function decodeFrame(buf: Uint8Array): AxisFrame {\n  let offset = 0;\n\n  // 1. Magic (AXIS1 - 5 bytes)\n  if (offset + 5 > buf.length) throw new Error('Packet too short');\n  for (let i = 0; i < 5; i++) {\n    if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error('Invalid Magic');\n  }\n  offset += 5;\n\n  // 2. Version\n  const ver = buf[offset++];\n  if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);\n\n  // 3. Flags\n  const flags = buf[offset++];\n\n  // 4. Lengths\n  const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);\n  offset += hlLen;\n  if (hdrLen > MAX_HDR_LEN) throw new Error('Header limit exceeded');\n\n  const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);\n  offset += blLen;\n  if (bodyLen > MAX_BODY_LEN) throw new Error('Body limit exceeded');\n\n  const { value: sigLen, length: slLen } = decodeVarint(buf, offset);\n  offset += slLen;\n  if (sigLen > MAX_SIG_LEN) throw new Error('Signature limit exceeded');\n\n  // 5. Extract Bytes\n  if (offset + hdrLen + bodyLen + sigLen > buf.length) {\n    throw new Error('Frame truncated');\n  }\n\n  const hdrBytes = buf.slice(offset, offset + hdrLen);\n  offset += hdrLen;\n\n  const bodyBytes = buf.slice(offset, offset + bodyLen);\n  offset += bodyLen;\n\n  const sigBytes = buf.slice(offset, offset + sigLen);\n  offset += sigLen;\n\n  // 6. Decode Header TLVs\n  const headers = decodeTLVs(hdrBytes);\n\n  return {\n    flags,\n    headers,\n    body: bodyBytes,\n    sig: sigBytes,\n  };\n}\n\n/**\n * Helper to get canonical bytes for signing.\n * SigTarget = All bytes up to SigLen, with SigLen=0, and no SigBytes.\n */\nexport function getSignTarget(frame: AxisFrame): Uint8Array {\n  // Re-encode frame but with empty signature\n  // Note: This is efficient enough for v1 (tens of KB).\n  return encodeFrame({\n    ...frame,\n    sig: new Uint8Array(0),\n  });\n}\n","import * as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame } from './axis-bin';\n\n/**\n * Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n */\n\n/**\n * Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n *\n * @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n */\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n  // Re-encode frame with empty signature\n  const frameWithoutSig: AxisFrame = {\n    ...frame,\n    sig: new Uint8Array(0),\n  };\n\n  const encoded = encodeFrame(frameWithoutSig);\n  return Buffer.from(encoded);\n}\n\n/**\n * Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n *\n * @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n */\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n  const payload = computeSignaturePayload(frame);\n\n  let keyObject: crypto.KeyObject;\n\n  // Check if key is raw 32-byte seed or DER-encoded\n  if (privateKey.length === 32) {\n    // Raw seed - wrap in pkcs8 DER format\n    // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n    const pkcs8Prefix = Buffer.from([\n      0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n      0x04, 0x22, 0x04, 0x20,\n    ]);\n    const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n    keyObject = crypto.createPrivateKey({\n      key: pkcs8Key,\n      format: 'der',\n      type: 'pkcs8',\n    });\n  } else {\n    // Assume already DER-encoded pkcs8\n    keyObject = crypto.createPrivateKey({\n      key: privateKey,\n      format: 'der',\n      type: 'pkcs8',\n    });\n  }\n\n  const signature = crypto.sign(null, payload, keyObject);\n\n  if (signature.length !== 64) {\n    throw new Error('Ed25519 signature must be 64 bytes');\n  }\n\n  return signature;\n}\n\n/**\n * Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n *\n * @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n */\nexport function verifyFrameSignature(\n  frame: AxisFrame,\n  publicKey: Buffer,\n): boolean {\n  if (frame.sig.length === 0) {\n    return false; // No signature\n  }\n\n  if (frame.sig.length !== 64) {\n    throw new Error('Ed25519 signature must be 64 bytes');\n  }\n\n  const payload = computeSignaturePayload(frame);\n\n  try {\n    let keyObject: crypto.KeyObject;\n\n    // Check if key is raw 32-byte or DER-encoded\n    if (publicKey.length === 32) {\n      // Raw key - wrap in spki DER format\n      // spki prefix for Ed25519: 0x302a300506032b6570032100\n      const spkiPrefix = Buffer.from([\n        0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n      ]);\n      const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n      keyObject = crypto.createPublicKey({\n        key: spkiKey,\n        format: 'der',\n        type: 'spki',\n      });\n    } else {\n      // Assume already DER-encoded spki\n      keyObject = crypto.createPublicKey({\n        key: publicKey,\n        format: 'der',\n        type: 'spki',\n      });\n    }\n\n    const valid = crypto.verify(\n      null,\n      payload,\n      keyObject,\n      Buffer.from(frame.sig),\n    );\n    return valid;\n  } catch (error) {\n    return false;\n  }\n}\n\n/**\n * Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n *\n * @returns {Object} An object containing the privateKey and publicKey as Buffers\n */\nexport function generateEd25519KeyPair(): {\n  privateKey: Buffer;\n  publicKey: Buffer;\n} {\n  const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n  return {\n    privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n    publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n  };\n}\n\n/**\n * Computes a standard SHA-256 hash of the provided data.\n *\n * @param {Buffer | Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n */\nexport function sha256(data: Buffer | Uint8Array): Buffer {\n  return crypto.createHash('sha256').update(data).digest();\n}\n\n/**\n * Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n *\n * @param {Buffer | Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer | Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n */\nexport function computeReceiptHash(\n  receiptBytes: Buffer | Uint8Array,\n  prevHash?: Buffer | Uint8Array,\n): Buffer {\n  const hasher = crypto.createHash('sha256');\n  hasher.update(receiptBytes);\n\n  if (prevHash && prevHash.length > 0) {\n    hasher.update(prevHash);\n  }\n\n  return hasher.digest();\n}\n","export class AxisError extends Error {\n  constructor(\n    public code: string,\n    message: string,\n    public httpStatus: number = 400,\n    public details?: Record<string, any>,\n  ) {\n    super(message);\n    this.name = 'AxisError';\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,2BAiBO;;;ACjBP,IAAAA,wBAAyD;;;ACAzD,IAAAC,wBAEO;;;ACFP,QAAmB;AAQZ,IAAM,aAAe,SAAO;AAAA;AAAA,EAEjC,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,EAEpC,SAAW;AAAA,IACP,SAAO;AAAA,IACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA;AAAA,EAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,EAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAC1D,CAAC;AAgCM,SAAS,YAAY,OAA8B;AACxD,QAAM,eAAW;AAAA,IACf,MAAM,KAAK,MAAM,QAAQ,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;AAAA,MACnD,MAAM;AAAA,MACN,OAAO;AAAA,IACT,EAAE;AAAA,EACJ;AAEA,MAAI,SAAS,SAAS,iCAAa,OAAM,IAAI,MAAM,kBAAkB;AACrE,MAAI,MAAM,KAAK,SAAS,kCAAc,OAAM,IAAI,MAAM,gBAAgB;AACtE,MAAI,MAAM,IAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,qBAAqB;AAGzE,QAAM,kBAAc,oCAAa,SAAS,MAAM;AAChD,QAAM,mBAAe,oCAAa,MAAM,KAAK,MAAM;AACnD,QAAM,kBAAc,oCAAa,MAAM,IAAI,MAAM;AAEjD,QAAM,WACJ;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SACZ,aAAa,SACb,YAAY,SACZ,SAAS,SACT,MAAM,KAAK,SACX,MAAM,IAAI;AAEZ,MAAI,WAAW,mCAAe,OAAM,IAAI,MAAM,uBAAuB;AAErE,QAAM,MAAM,IAAI,WAAW,QAAQ;AACnC,MAAI,SAAS;AAGb,MAAI,IAAI,iCAAY,MAAM;AAC1B,YAAU;AAGV,MAAI,QAAQ,IAAI;AAGhB,MAAI,QAAQ,IAAI,MAAM;AAGtB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAEtB,MAAI,IAAI,cAAc,MAAM;AAC5B,YAAU,aAAa;AAEvB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAGtB,MAAI,IAAI,UAAU,MAAM;AACxB,YAAU,SAAS;AAEnB,MAAI,IAAI,MAAM,MAAM,MAAM;AAC1B,YAAU,MAAM,KAAK;AAErB,MAAI,IAAI,MAAM,KAAK,MAAM;AACzB,YAAU,MAAM,IAAI;AAEpB,SAAO;AACT;AASO,SAAS,YAAY,KAA4B;AACtD,MAAI,SAAS;AAGb,MAAI,SAAS,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAC/D,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,IAAI,SAAS,CAAC,MAAM,gCAAW,CAAC,EAAG,OAAM,IAAI,MAAM,eAAe;AAAA,EACxE;AACA,YAAU;AAGV,QAAM,MAAM,IAAI,QAAQ;AACxB,MAAI,QAAQ,kCAAc,OAAM,IAAI,MAAM,wBAAwB,GAAG,EAAE;AAGvE,QAAM,QAAQ,IAAI,QAAQ;AAG1B,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,uBAAuB;AAEjE,QAAM,EAAE,OAAO,SAAS,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AAClE,YAAU;AACV,MAAI,UAAU,kCAAc,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,iCAAa,OAAM,IAAI,MAAM,0BAA0B;AAGpE,MAAI,SAAS,SAAS,UAAU,SAAS,IAAI,QAAQ;AACnD,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAEV,QAAM,YAAY,IAAI,MAAM,QAAQ,SAAS,OAAO;AACpD,YAAU;AAEV,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAGV,QAAM,cAAU,kCAAW,QAAQ;AAEnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACF;AAMO,SAAS,cAAc,OAA8B;AAG1D,SAAO,YAAY;AAAA,IACjB,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB,CAAC;AACH;;;AC/LA,aAAwB;AAgBjB,SAAS,wBAAwB,OAA0B;AAEhE,QAAM,kBAA6B;AAAA,IACjC,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB;AAEA,QAAM,UAAU,YAAY,eAAe;AAC3C,SAAO,OAAO,KAAK,OAAO;AAC5B;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,YAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,2BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAAS,OAAO,MAAmC;AACxD,SAAc,kBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,kBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;;;ACvLO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACS,MACP,SACO,aAAqB,KACrB,SACP;AACA,UAAM,OAAO;AALN;AAEA;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;","names":["import_axis_protocol","import_axis_protocol"]}