@nextera.one/axis-server-sdk 1.2.1 → 1.4.0

package/dist/index.js

@@ -166,34 +166,45 @@ __export(index_exports, {
   buildAts1Hdr: () => buildAts1Hdr,
   buildDtoDecoder: () => buildDtoDecoder,
   buildPacket: () => buildPacket,
+  buildQueueMessage: () => buildQueueMessage,
   buildReceiptHash: () => buildReceiptHash,
   buildTLVs: () => buildTLVs,
+  buildUnsignedWitness: () => buildUnsignedWitness,
   bytes: () => bytes,
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  canonicalizeObservation: () => canonicalizeObservation,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
+  core: () => core_exports,
+  crypto: () => crypto_exports,
   decodeArray: () => import_axis_protocol.decodeArray,
   decodeAxis1Frame: () => decodeAxis1Frame,
   decodeFrame: () => decodeFrame,
   decodeObject: () => import_axis_protocol.decodeObject,
+  decodeQueueMessage: () => decodeQueueMessage,
   decodeTLVs: () => import_axis_protocol.decodeTLVs,
   decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
   decodeVarint: () => import_axis_protocol3.decodeVarint,
+  decorators: () => decorators_exports,
   encVarint: () => encVarint,
   encodeAxis1Frame: () => encodeAxis1Frame,
   encodeFrame: () => encodeFrame,
+  encodeQueueMessage: () => encodeQueueMessage,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
+  engine: () => engine_exports,
   extractDtoSchema: () => extractDtoSchema,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
+  hashObservation: () => hashObservation,
   isAdminOpcode: () => isAdminOpcode,
   isKnownOpcode: () => isKnownOpcode,
   isTimestampValid: () => isTimestampValid,
+  loom: () => loom_exports,
   nonce16: () => nonce16,
   normalizeSensorDecision: () => normalizeSensorDecision,
   packPasskeyLoginOptionsReq: () => packPasskeyLoginOptionsReq,
@@ -201,21 +212,29 @@ __export(index_exports, {
   packPasskeyLoginVerifyReq: () => packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes: () => packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
   parseScope: () => parseScope,
+  parseStreamEntries: () => parseStreamEntries,
   resolveTimeout: () => resolveTimeout,
+  schemas: () => schemas_exports,
+  security: () => security_exports,
   sensitivityName: () => sensitivityName,
+  sensors: () => sensors_exports,
   sha256: () => sha256,
   signFrame: () => signFrame,
+  stableJsonStringify: () => stableJsonStringify,
   tlv: () => tlv,
   u64be: () => u64be,
   unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
   unpackPasskeyLoginVerifyReq: () => unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq: () => unpackPasskeyRegisterOptionsReq,
   utf8: () => utf8,
+  utils: () => utils_exports,
   validateFrameShape: () => validateFrameShape,
   varintLength: () => import_axis_protocol3.varintLength,
   varintU: () => varintU,
-  verifyFrameSignature: () => verifyFrameSignature
+  verifyFrameSignature: () => verifyFrameSignature,
+  verifyResponse: () => verifyResponse
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -910,9 +929,213 @@ IntentRouter = __decorateClass([
   __decorateParam(0, (0, import_common2.Optional)())
 ], IntentRouter);
 
+// src/engine/observation/stable-json.ts
+function normalize(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => normalize(item));
+  }
+  if (value && typeof value === "object") {
+    const entries = Object.entries(value).filter(([, nested]) => nested !== void 0).sort(([left], [right]) => left.localeCompare(right));
+    const normalized = {};
+    for (const [key, nested] of entries) {
+      normalized[key] = normalize(nested);
+    }
+    return normalized;
+  }
+  return value;
+}
+function stableJsonStringify(value) {
+  return JSON.stringify(normalize(value));
+}
+
+// src/engine/observation/observation-queue.codec.ts
+function buildQueueMessage(observation, sourceNodeId, previous, lastError) {
+  const now = Date.now();
+  return {
+    v: 1,
+    observation,
+    attempts: previous ? previous.attempts + 1 : 0,
+    firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,
+    lastEnqueuedAt: now,
+    sourceNodeId,
+    lastError
+  };
+}
+function encodeQueueMessage(message) {
+  return JSON.stringify(message);
+}
+function decodeQueueMessage(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || parsed.v !== 1 || !parsed.observation?.id) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function parseStreamEntries(raw) {
+  if (!Array.isArray(raw)) {
+    return [];
+  }
+  const entries = [];
+  for (const streamRow of raw) {
+    if (!Array.isArray(streamRow) || streamRow.length < 2) {
+      continue;
+    }
+    const messageRows = streamRow[1];
+    if (!Array.isArray(messageRows)) {
+      continue;
+    }
+    for (const row of messageRows) {
+      if (!Array.isArray(row) || row.length < 2) {
+        continue;
+      }
+      const id = String(row[0]);
+      const fields = Array.isArray(row[1]) ? row[1] : [];
+      const fieldMap = fieldsToMap(fields);
+      const payload = fieldMap.get("payload");
+      if (!payload) {
+        continue;
+      }
+      const message = decodeQueueMessage(payload);
+      if (!message) {
+        continue;
+      }
+      entries.push({ id, message });
+    }
+  }
+  return entries;
+}
+function parseAutoClaimEntries(raw) {
+  if (!Array.isArray(raw) || raw.length < 2) {
+    return [];
+  }
+  const rows = Array.isArray(raw[1]) ? raw[1] : [];
+  return parseStreamEntries([["stream", rows]]);
+}
+function fieldsToMap(fields) {
+  const map3 = /* @__PURE__ */ new Map();
+  for (let i = 0; i < fields.length; i += 2) {
+    const key = fields[i];
+    const value = fields[i + 1];
+    if (key !== void 0 && value !== void 0) {
+      map3.set(String(key), String(value));
+    }
+  }
+  return map3;
+}
+
+// src/engine/observation/observation-hash.ts
+var import_crypto = require("crypto");
+function canonicalizeObservation(obs) {
+  const obj = {
+    id: obs.id,
+    startMs: obs.startMs,
+    endMs: obs.endMs,
+    transport: obs.transport,
+    ip: obs.ip,
+    intent: obs.intent,
+    actorId: obs.actorId,
+    capsuleId: obs.capsuleId,
+    decision: obs.decision,
+    resultCode: obs.resultCode,
+    statusCode: obs.statusCode,
+    durationMs: obs.durationMs,
+    stages: obs.stages.map((s) => ({
+      name: s.name,
+      status: s.status,
+      startMs: s.startMs,
+      endMs: s.endMs,
+      durationMs: s.durationMs,
+      reason: s.reason,
+      code: s.code
+    })),
+    sensors: obs.sensors.map((s) => ({
+      name: s.name,
+      allowed: s.allowed,
+      riskScore: s.riskScore,
+      durationMs: s.durationMs,
+      reasons: s.reasons,
+      code: s.code
+    }))
+  };
+  return stableJsonStringify(obj);
+}
+function hashObservation(obs) {
+  const canonical = canonicalizeObservation(obs);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex");
+}
+function buildUnsignedWitness(obs) {
+  if (!obs.decision || !obs.endMs) {
+    return null;
+  }
+  return {
+    v: 1,
+    observationId: obs.id,
+    payloadHash: hashObservation(obs),
+    sealedAt: Date.now(),
+    summary: {
+      intent: obs.intent,
+      actorId: obs.actorId,
+      decision: obs.decision,
+      statusCode: obs.statusCode,
+      durationMs: obs.durationMs,
+      sensorCount: obs.sensors.length,
+      stageCount: obs.stages.length
+    }
+  };
+}
+
 // src/core/constants.ts
 var import_axis_protocol2 = require("@nextera.one/axis-protocol");
 
+// src/engine/observation/response-observer.ts
+var SENSITIVE_RESPONSE_TAGS = [4, 5, 6];
+function verifyResponse(ctx, response) {
+  if (!response.effect || typeof response.effect !== "string") {
+    return {
+      passed: false,
+      code: "OBSERVER_INVALID_EFFECT",
+      reason: "Response effect is missing or invalid"
+    };
+  }
+  if (response.ok && (!response.body || response.body.length === 0)) {
+    return {
+      passed: false,
+      code: "OBSERVER_EMPTY_BODY",
+      reason: "Successful response must contain a body"
+    };
+  }
+  if (response.body && response.body.length > import_axis_protocol2.MAX_BODY_LEN) {
+    return {
+      passed: false,
+      code: "OBSERVER_BODY_OVERFLOW",
+      reason: `Response body exceeds ${import_axis_protocol2.MAX_BODY_LEN} bytes`
+    };
+  }
+  if (response.headers) {
+    for (const tag of SENSITIVE_RESPONSE_TAGS) {
+      if (response.headers.has(tag)) {
+        return {
+          passed: false,
+          code: "OBSERVER_DATA_LEAK",
+          reason: `Response must not contain sensitive TLV tag ${tag}`
+        };
+      }
+    }
+  }
+  if (response.effect.includes("Error:") || response.effect.includes("stack") || response.effect.includes("at /")) {
+    return {
+      passed: false,
+      code: "OBSERVER_INFO_LEAK",
+      reason: "Response effect may contain internal error details"
+    };
+  }
+  return { passed: true };
+}
+
 // src/core/varint.ts
 var import_axis_protocol3 = require("@nextera.one/axis-protocol");
 
@@ -1188,7 +1411,7 @@ __export(ats1_exports, {
   tlvsToMap: () => tlvsToMap,
   validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
 });
-var import_crypto = require("crypto");
+var import_crypto2 = require("crypto");
 var DEFAULT_LIMITS = {
   maxVarintBytes: 10,
   maxTlvCount: 512,
@@ -1238,7 +1461,7 @@ function decodeU64BE(buf) {
   return buf.readBigUInt64BE(0);
 }
 function sha2562(data) {
-  return (0, import_crypto.createHash)("sha256").update(data).digest();
+  return (0, import_crypto2.createHash)("sha256").update(data).digest();
 }
 function encodeTLV(tag, value) {
   if (!Number.isInteger(tag) || tag <= 0)
@@ -1827,7 +2050,7 @@ function packPasskeyLoginVerifyRes(params) {
 }
 
 // src/codec/tlv.encode.ts
-var import_crypto2 = require("crypto");
+var import_crypto3 = require("crypto");
 function encVarint(x) {
   if (x < 0n) throw new Error("VARINT_NEG");
   const out = [];
@@ -1855,7 +2078,7 @@ function bytes(b) {
   return Buffer.isBuffer(b) ? b : Buffer.from(b);
 }
 function nonce16() {
-  return (0, import_crypto2.randomBytes)(16);
+  return (0, import_crypto3.randomBytes)(16);
 }
 function tlv(type, value) {
   if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
@@ -2401,9 +2624,9 @@ function isAdminOpcode(op) {
 }
 
 // src/core/receipt.ts
-var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
 function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
-  const h = (0, import_crypto3.createHash)("sha256");
+  const h = (0, import_crypto4.createHash)("sha256");
   if (prevHash) h.update(prevHash);
   h.update(pid);
   h.update(Buffer.from(actorId, "utf8"));
@@ -2807,6 +3030,2842 @@ var DiskUploadFileStore = class {
     return fs.createReadStream(tempPath);
   }
 };
+
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
+  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
+  AxisError: () => AxisError,
+  AxisFrameZ: () => AxisFrameZ,
+  BodyProfile: () => import_axis_protocol2.BodyProfile,
+  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
+  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
+  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
+  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
+  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
+  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
+  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
+  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
+  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
+  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
+  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
+  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
+  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
+  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
+  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
+  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
+  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
+  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
+  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
+  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
+  ProofType: () => import_axis_protocol2.ProofType,
+  TLV: () => import_axis_protocol.TLV,
+  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
+  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
+  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
+  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
+  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
+  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
+  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
+  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
+  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
+  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
+  TLV_KID: () => import_axis_protocol2.TLV_KID,
+  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
+  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
+  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
+  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
+  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
+  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
+  TLV_OK: () => import_axis_protocol2.TLV_OK,
+  TLV_PID: () => import_axis_protocol2.TLV_PID,
+  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
+  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
+  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
+  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
+  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
+  TLV_RID: () => import_axis_protocol2.TLV_RID,
+  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
+  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
+  TLV_TS: () => import_axis_protocol2.TLV_TS,
+  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
+  computeReceiptHash: () => computeReceiptHash,
+  computeSignaturePayload: () => computeSignaturePayload,
+  decodeArray: () => import_axis_protocol.decodeArray,
+  decodeFrame: () => decodeFrame,
+  decodeObject: () => import_axis_protocol.decodeObject,
+  decodeTLVs: () => import_axis_protocol.decodeTLVs,
+  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
+  decodeVarint: () => import_axis_protocol3.decodeVarint,
+  encodeFrame: () => encodeFrame,
+  encodeTLVs: () => import_axis_protocol.encodeTLVs,
+  encodeVarint: () => import_axis_protocol3.encodeVarint,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getSignTarget: () => getSignTarget,
+  sha256: () => sha256,
+  signFrame: () => signFrame,
+  varintLength: () => import_axis_protocol3.varintLength,
+  verifyFrameSignature: () => verifyFrameSignature
+});
+
+// src/core/axis-error.ts
+var AxisError = class extends Error {
+  constructor(code, message, httpStatus = 400, details) {
+    super(message);
+    this.code = code;
+    this.httpStatus = httpStatus;
+    this.details = details;
+    this.name = "AxisError";
+  }
+};
+
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  ProofVerificationService: () => ProofVerificationService,
+  b64urlDecode: () => b64urlDecode,
+  b64urlDecodeString: () => b64urlDecodeString,
+  b64urlEncode: () => b64urlEncode,
+  b64urlEncodeString: () => b64urlEncodeString,
+  canonicalJson: () => canonicalJson,
+  canonicalJsonExcluding: () => canonicalJsonExcluding
+});
+
+// src/crypto/proof-verification.service.ts
+var import_common4 = require("@nestjs/common");
+var crypto3 = __toESM(require("crypto"));
+var nacl = __toESM(require("tweetnacl"));
+var ProofVerificationService = class {
+  constructor() {
+    this.logger = new import_common4.Logger(ProofVerificationService.name);
+    // Cache of registered device public keys (deviceId -> pubKey)
+    this.deviceKeys = /* @__PURE__ */ new Map();
+    // Cache of trusted mTLS certificate fingerprints
+    this.trustedCerts = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Verifies an authentication proof based on its type.
+   *
+   * **Supported Types:**
+   * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
+   * - 2 (JWT): Verified by `verifyJWTProof`
+   * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
+   * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
+   *
+   * @param {ProofType} proofType - The numeric AXIS proof type
+   * @param {Uint8Array} proofRef - The binary reference or token for the proof
+   * @param {Object} context - Additional metadata required for specific proof types
+   * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
+   * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
+   * @param {MTLSContext} [context.mtls] - mTLS certificate data
+   * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
+   * @returns {Promise<ProofVerificationResult>} The outcome of the verification
+   */
+  async verifyProof(proofType, proofRef, context) {
+    switch (proofType) {
+      case 1:
+        return this.verifyCapsuleProof(proofRef);
+      case 2:
+        return this.verifyJWTProof(proofRef);
+      case 3:
+        return this.verifyMTLSProof(context.mtls);
+      case 4:
+        return this.verifyDeviceSEProof(
+          context.signTarget,
+          context.signature,
+          context.deviceSE
+        );
+      default:
+        return { valid: false, error: `Unknown proof type: ${proofType}` };
+    }
+  }
+  /**
+   * Verify CAPSULE proof (delegated to CapsuleService)
+   */
+  async verifyCapsuleProof(proofRef) {
+    const capsuleId = new TextDecoder().decode(proofRef);
+    return {
+      valid: true,
+      metadata: { capsuleId, requiresCapsuleValidation: true }
+    };
+  }
+  /**
+   * Verifies a JSON Web Token (JWT) proof.
+   *
+   * **Validation Logic:**
+   * 1. Decodes the token string.
+   * 2. Checks for valid 3-part JWT structure.
+   * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
+   * 4. Extracts `actor_id` or `sub` as the identity.
+   *
+   * @param {Uint8Array} proofRef - Binary representation of the JWT string
+   * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
+   */
+  async verifyJWTProof(proofRef) {
+    try {
+      const token = new TextDecoder().decode(proofRef);
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        return { valid: false, error: "Invalid JWT format" };
+      }
+      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (payload.exp && Date.now() / 1e3 > payload.exp) {
+        return { valid: false, error: "JWT expired" };
+      }
+      if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
+        return { valid: false, error: "JWT not yet valid" };
+      }
+      return {
+        valid: true,
+        actorId: payload.sub || payload.actor_id,
+        metadata: { iss: payload.iss, scope: payload.scope }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return { valid: false, error: `JWT parse error: ${message}` };
+    }
+  }
+  /**
+   * Verify mTLS client certificate proof
+   */
+  async verifyMTLSProof(mtls) {
+    if (!mtls) {
+      return { valid: false, error: "No mTLS context provided" };
+    }
+    if (!mtls.verified) {
+      return { valid: false, error: "mTLS not verified by TLS terminator" };
+    }
+    if (mtls.clientCertFingerprint) {
+      const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
+      if (trusted) {
+        return {
+          valid: true,
+          actorId: trusted.actorId,
+          metadata: {
+            fingerprint: mtls.clientCertFingerprint,
+            subject: mtls.clientCertSubject
+          }
+        };
+      }
+    }
+    if (mtls.clientCertSubject) {
+      const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
+      if (cnMatch) {
+        return {
+          valid: true,
+          actorId: cnMatch[1],
+          metadata: {
+            subject: mtls.clientCertSubject,
+            issuer: mtls.clientCertIssuer
+          }
+        };
+      }
+    }
+    return { valid: false, error: "Could not extract actor from certificate" };
+  }
+  /**
+   * Verify Device Secure Element signature
+   */
+  async verifyDeviceSEProof(signTarget, signature, deviceSE) {
+    if (!deviceSE || !signTarget || !signature) {
+      return { valid: false, error: "Missing Device SE context" };
+    }
+    let publicKey = deviceSE.publicKey;
+    const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
+    if (registeredKey) {
+      publicKey = registeredKey;
+    }
+    if (!publicKey || publicKey.length !== 32) {
+      return {
+        valid: false,
+        error: "Invalid or unregistered device public key"
+      };
+    }
+    try {
+      const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
+      if (!valid) {
+        return { valid: false, error: "Device signature verification failed" };
+      }
+      return {
+        valid: true,
+        actorId: deviceSE.deviceId,
+        metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return {
+        valid: false,
+        error: `Signature verification error: ${message}`
+      };
+    }
+  }
+  /**
+   * Registers a public key for a trusted device.
+   * This key will be used for future `DEVICE_SE` proof verifications.
+   *
+   * @param {string} deviceId - Unique identifier for the device
+   * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
+   * @throws {Error} If the public key is not 32 bytes
+   */
+  registerDeviceKey(deviceId, publicKey) {
+    if (publicKey.length !== 32) {
+      throw new Error("Device public key must be 32 bytes (Ed25519)");
+    }
+    this.deviceKeys.set(deviceId, publicKey);
+    this.logger.log(`Registered device key for ${deviceId}`);
+  }
+  /**
+   * Unregister a device
+   */
+  unregisterDevice(deviceId) {
+    return this.deviceKeys.delete(deviceId);
+  }
+  /**
+   * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
+   *
+   * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
+   * @param {string} actorId - The actor to associate with this certificate
+   */
+  registerMTLSCert(fingerprint, actorId) {
+    this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
+    this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
+  }
+  /**
+   * Revoke an mTLS certificate
+   */
+  revokeMTLSCert(fingerprint) {
+    return this.trustedCerts.delete(fingerprint);
+  }
+  /**
+   * Calculate certificate fingerprint (SHA-256)
+   */
+  static calculateFingerprint(certPem) {
+    const der = Buffer.from(
+      certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
+      "base64"
+    );
+    return crypto3.createHash("sha256").update(der).digest("hex");
+  }
+};
+ProofVerificationService = __decorateClass([
+  (0, import_common4.Injectable)()
+], ProofVerificationService);
+
+// src/decorators/index.ts
+var decorators_exports = {};
+__export(decorators_exports, {
+  AxisContext: () => AxisContext,
+  AxisDemoPubkey: () => AxisDemoPubkey,
+  AxisFrame: () => AxisFrame3,
+  AxisIp: () => AxisIp,
+  AxisRaw: () => AxisRaw,
+  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
+  Handler: () => Handler,
+  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
+  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
+  INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
+  INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
+  Intent: () => Intent,
+  IntentBody: () => IntentBody,
+  IntentSensors: () => IntentSensors,
+  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
+  Sensor: () => Sensor,
+  TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
+  TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
+  TlvEnum: () => TlvEnum,
+  TlvField: () => TlvField,
+  TlvMinLen: () => TlvMinLen,
+  TlvRange: () => TlvRange,
+  TlvUtf8Pattern: () => TlvUtf8Pattern,
+  TlvValidate: () => TlvValidate,
+  buildDtoDecoder: () => buildDtoDecoder,
+  extractDtoSchema: () => extractDtoSchema
+});
+
+// src/decorators/axis-request.decorator.ts
+var import_common5 = require("@nestjs/common");
+function resolveIp(req) {
+  return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
+}
+var AxisRaw = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return req.body;
+  }
+);
+var AxisIp = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return resolveIp(req);
+  }
+);
+var AxisContext = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const axisData = req.axis || {};
+    return {
+      raw: req.body,
+      ip: resolveIp(req),
+      preDecodeInput: axisData.preDecodeInput,
+      frameBytesCount: axisData.frameBytesCount || 0
+    };
+  }
+);
+var AxisDemoPubkey = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    if (process.env.NODE_ENV !== "development") return void 0;
+    const req = ctx.switchToHttp().getRequest();
+    return req.headers["x-demo-pubkey"];
+  }
+);
+var AxisFrame3 = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const decoded = req.axisDecoded;
+    if (!decoded) {
+      throw new Error(
+        "@AxisFrame() requires AxisDecodeInterceptor on the route. Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator."
+      );
+    }
+    return decoded;
+  }
+);
+
+// src/decorators/sensor.decorator.ts
+var import_common6 = require("@nestjs/common");
+var SENSOR_METADATA_KEY = "axis:sensor";
+function Sensor(options) {
+  return (0, import_common6.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
+}
+
+// src/engine/index.ts
+var engine_exports = {};
+__export(engine_exports, {
+  BAND: () => BAND,
+  HandlerDiscoveryService: () => HandlerDiscoveryService,
+  IntentRouter: () => IntentRouter,
+  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
+  SensorDiscoveryService: () => SensorDiscoveryService,
+  SensorRegistry: () => SensorRegistry,
+  createObservation: () => createObservation,
+  endStage: () => endStage,
+  finalizeObservation: () => finalizeObservation,
+  observation: () => observation_exports,
+  recordSensor: () => recordSensor,
+  startStage: () => startStage
+});
+
+// src/engine/axis-observation.ts
+var import_crypto5 = require("crypto");
+function createObservation(transport, ip) {
+  return {
+    id: (0, import_crypto5.randomBytes)(16).toString("hex"),
+    startMs: Date.now(),
+    transport,
+    ip,
+    stages: [],
+    sensors: [],
+    facts: {}
+  };
+}
+function startStage(obs, name) {
+  const stage = { name, status: "ok", startMs: Date.now() };
+  obs.stages.push(stage);
+  return stage;
+}
+function endStage(stage, status = "ok", reason, code) {
+  stage.endMs = Date.now();
+  stage.durationMs = stage.endMs - stage.startMs;
+  stage.status = status;
+  if (reason) stage.reason = reason;
+  if (code) stage.code = code;
+}
+function recordSensor(obs, name, allowed, riskScore, durationMs, reasons, code) {
+  obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });
+}
+function finalizeObservation(obs, decision, statusCode, resultCode) {
+  obs.endMs = Date.now();
+  obs.durationMs = obs.endMs - obs.startMs;
+  obs.decision = decision;
+  obs.statusCode = statusCode;
+  if (resultCode) obs.resultCode = resultCode;
+}
+
+// src/engine/handler-discovery.service.ts
+var import_common7 = require("@nestjs/common");
+var HandlerDiscoveryService = class {
+  constructor(discovery, scanner, router) {
+    this.discovery = discovery;
+    this.scanner = scanner;
+    this.router = router;
+    this.logger = new import_common7.Logger(HandlerDiscoveryService.name);
+  }
+  onModuleInit() {
+    const providers = this.discovery.getProviders();
+    let totalIntents = 0;
+    for (const wrapper of providers) {
+      const { instance, metatype } = wrapper;
+      if (!instance || !metatype) continue;
+      const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);
+      if (!handlerMeta) continue;
+      const handlerName = handlerMeta.intent || metatype.name;
+      const proto = Object.getPrototypeOf(instance);
+      const methods = this.scanner.getAllMethodNames(proto);
+      let registered = 0;
+      for (const methodName of methods) {
+        const meta = Reflect.getMetadata(
+          INTENT_METADATA_KEY,
+          proto,
+          methodName
+        );
+        if (!meta?.intent) continue;
+        if (!this.router.has(meta.intent)) {
+          this.router.register(
+            meta.intent,
+            instance[methodName].bind(instance)
+          );
+          registered++;
+          totalIntents++;
+        }
+        this.router.registerIntentMeta(meta.intent, proto, methodName);
+      }
+      if (registered > 0) {
+        this.logger.log(
+          `Auto-registered ${registered} intents from ${handlerName}`
+        );
+      }
+    }
+    this.logger.log(
+      `Handler discovery complete: ${totalIntents} intents auto-registered`
+    );
+  }
+};
+HandlerDiscoveryService = __decorateClass([
+  (0, import_common7.Injectable)()
+], HandlerDiscoveryService);
+
+// src/engine/sensor-bands.ts
+var BAND = {
+  /** Pre-decode: raw byte validation, geo, budget, magic */
+  WIRE: 0,
+  /** Post-decode: identity resolution, capsule, proof */
+  IDENTITY: 40,
+  /** Post-decode: authorization, signature, rate limiting */
+  POLICY: 90,
+  /** Post-decode: content validation, TLV, schema, files */
+  CONTENT: 140,
+  /** Post-decode: business logic sensors, streams, WS */
+  BUSINESS: 200,
+  /** Post-decode: audit, logging (always last) */
+  AUDIT: 900
+};
+var PRE_DECODE_BOUNDARY = 40;
+
+// src/engine/sensor-discovery.service.ts
+var import_common8 = require("@nestjs/common");
+var SensorDiscoveryService = class {
+  constructor(discovery, reflector, registry) {
+    this.discovery = discovery;
+    this.reflector = reflector;
+    this.registry = registry;
+    this.logger = new import_common8.Logger(SensorDiscoveryService.name);
+  }
+  onApplicationBootstrap() {
+    const providers = this.discovery.getProviders();
+    let count = 0;
+    for (const wrapper of providers) {
+      const { instance } = wrapper;
+      if (!instance || !instance.constructor) continue;
+      const meta = this.reflector.get(
+        SENSOR_METADATA_KEY,
+        instance.constructor
+      );
+      if (!meta) continue;
+      const sensor = instance;
+      if (!sensor.name || sensor.order === void 0) {
+        this.logger.warn(
+          `@Sensor() on ${instance.constructor.name} missing name or order \u2014 skipped`
+        );
+        continue;
+      }
+      if (!sensor.phase) {
+        const decoratorPhase = meta !== true ? meta.phase : void 0;
+        sensor.phase = decoratorPhase ?? (sensor.order < PRE_DECODE_BOUNDARY ? "PRE_DECODE" : "POST_DECODE");
+      }
+      this.registry.register(sensor);
+      count++;
+    }
+    this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);
+  }
+};
+SensorDiscoveryService = __decorateClass([
+  (0, import_common8.Injectable)()
+], SensorDiscoveryService);
+
+// src/engine/registry/sensor.registry.ts
+var import_common9 = require("@nestjs/common");
+var SensorRegistry = class {
+  constructor(configService) {
+    this.configService = configService;
+    this.sensors = [];
+    this.logger = new import_common9.Logger(SensorRegistry.name);
+  }
+  /**
+   * Registers a new sensor in the registry.
+   *
+   * Validates that:
+   * - AxisSensor has a unique name
+   * - AxisSensor has an order field
+   * - Pre-decode sensors have order < 40
+   * - Post-decode sensors have order >= 40
+   *
+   * @param {AxisSensor} sensor - The sensor instance to register
+   * @throws Error if validation fails
+   */
+  register(sensor) {
+    if (!sensor.name) {
+      throw new Error("AxisSensor must have a name");
+    }
+    const enabledSensorsStr = this.configService.get("ENABLED_SENSORS");
+    const disabledSensorsStr = this.configService.get("DISABLED_SENSORS");
+    const enabledSensors = enabledSensorsStr ? enabledSensorsStr.split(",").map((s) => s.trim()) : null;
+    const disabledSensors = disabledSensorsStr ? disabledSensorsStr.split(",").map((s) => s.trim()) : [];
+    if (enabledSensors && !enabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);
+      return;
+    }
+    if (disabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);
+      return;
+    }
+    if (sensor.order === void 0) {
+      throw new Error(`AxisSensor "${sensor.name}" must have an order field`);
+    }
+    const isPreDecodeSensor = this.isPreDecodeSensor(sensor);
+    const isPostDecodeSensor = this.isPostDecodeSensor(sensor);
+    if (isPreDecodeSensor && sensor.order >= 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`
+      );
+    }
+    if (isPostDecodeSensor && sensor.order < 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
+      );
+    }
+    this.sensors.push(sensor);
+    const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
+    this.logger.debug(
+      `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
+    );
+  }
+  /**
+   * Returns all registered sensors, sorted by their execution order.
+   *
+   * @returns {AxisSensor[]} A sorted array of sensors
+   */
+  list() {
+    return [...this.sensors].sort(
+      (a, b) => (a.order ?? 999) - (b.order ?? 999)
+    );
+  }
+  /**
+   * Returns only pre-decode sensors (order < 40).
+   * These sensors run in middleware on raw bytes before frame decoding.
+   *
+   * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
+   */
+  getPreDecodeSensors() {
+    return this.list().filter((s) => (s.order ?? 999) < 40);
+  }
+  /**
+   * Returns only post-decode sensors (order >= 40).
+   * These sensors run in the controller on fully decoded frames.
+   *
+   * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
+   */
+  getPostDecodeSensors() {
+    return this.list().filter(
+      (s) => (s.order ?? 999) >= 40
+    );
+  }
+  /**
+   * Helper: Check if a sensor is a pre-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is pre-decode
+   */
+  isPreDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
+  }
+  /**
+   * Helper: Check if a sensor is a post-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is post-decode
+   */
+  isPostDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
+  }
+  /**
+   * Returns sensor count by phase.
+   * Useful for diagnostics and monitoring.
+   *
+   * @returns {{preDecodeCount: number, postDecodeCount: number}}
+   */
+  getSensorCountByPhase() {
+    return {
+      preDecodeCount: this.getPreDecodeSensors().length,
+      postDecodeCount: this.getPostDecodeSensors().length
+    };
+  }
+  /**
+   * Clears all registered sensors.
+   * Useful for testing.
+   *
+   * @internal
+   */
+  clear() {
+    this.sensors = [];
+  }
+};
+SensorRegistry = __decorateClass([
+  (0, import_common9.Injectable)()
+], SensorRegistry);
+
+// src/engine/observation/index.ts
+var observation_exports = {};
+__export(observation_exports, {
+  buildQueueMessage: () => buildQueueMessage,
+  buildUnsignedWitness: () => buildUnsignedWitness,
+  canonicalizeObservation: () => canonicalizeObservation,
+  decodeQueueMessage: () => decodeQueueMessage,
+  encodeQueueMessage: () => encodeQueueMessage,
+  hashObservation: () => hashObservation,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
+  parseStreamEntries: () => parseStreamEntries,
+  stableJsonStringify: () => stableJsonStringify,
+  verifyResponse: () => verifyResponse
+});
+
+// src/loom/index.ts
+var loom_exports = {};
+__export(loom_exports, {
+  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
+  TLV_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
+  TLV_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
+  TLV_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
+  canonicalizeGrant: () => canonicalizeGrant,
+  canonicalizeWrit: () => canonicalizeWrit,
+  deriveAnchorReflection: () => deriveAnchorReflection
+});
+
+// src/loom/loom.types.ts
+function deriveAnchorReflection(softid, context = "openlogs", scope = "loom") {
+  return `ar:${context}:${scope}:${softid}`;
+}
+function canonicalizeWrit(writ) {
+  const ordered = {
+    head: { tid: writ.head.tid, seq: writ.head.seq },
+    body: {
+      who: writ.body.who,
+      act: writ.body.act,
+      res: writ.body.res,
+      law: writ.body.law
+    },
+    meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev }
+  };
+  return JSON.stringify(ordered);
+}
+function canonicalizeGrant(grant) {
+  const ordered = {
+    grant_id: grant.grant_id,
+    issuer: grant.issuer,
+    subject: grant.subject,
+    grant_type: grant.grant_type,
+    caps: grant.caps,
+    meta: grant.meta
+  };
+  return JSON.stringify(ordered);
+}
+
+// src/schemas/index.ts
+var schemas_exports = {};
+__export(schemas_exports, {
+  AccessProfileZ: () => AccessProfileZ,
+  AxisContextZ: () => AxisContextZ,
+  AxisErrorZ: () => AxisErrorZ,
+  BodyBudgetInputZ: () => BodyBudgetInputZ,
+  BodyBudgetPolicyZ: () => BodyBudgetPolicyZ,
+  BodyProfile: () => BodyProfile2,
+  BodyProfileValidator: () => BodyProfileValidator,
+  BodyProfileZ: () => BodyProfileZ,
+  CapsuleClaimsZ: () => CapsuleClaimsZ,
+  CapsuleValidationResultZ: () => CapsuleValidationResultZ,
+  CapsuleVerifyResultZ: () => CapsuleVerifyResultZ,
+  CapsuleVerifySensorInputZ: () => CapsuleVerifySensorInputZ,
+  CapsuleZ: () => CapsuleZ,
+  ChunkHashInputZ: () => ChunkHashInputZ,
+  CountryBlockDecisionZ: () => CountryBlockDecisionZ,
+  CountryBlockSensorInputZ: () => CountryBlockSensorInputZ,
+  EntropySensorInputZ: () => EntropySensorInputZ,
+  ExecutionMetricsZ: () => ExecutionMetricsZ,
+  IPReputationInputZ: () => IPReputationInputZ,
+  IPReputationZ: () => IPReputationZ,
+  IntentPolicyDecisionZ: () => IntentPolicyDecisionZ,
+  IntentPolicySensorInputZ: () => IntentPolicySensorInputZ,
+  IntentPolicyZ: () => IntentPolicyZ,
+  IntentSchemaZ: () => IntentSchemaZ,
+  PassportZ: () => PassportZ,
+  ProofKindZ: () => ProofKindZ,
+  ProofPresenceInputZ: () => ProofPresenceInputZ,
+  ProofType: () => ProofType2,
+  ProtocolStrictInputZ: () => ProtocolStrictInputZ,
+  RateLimitConfigZ: () => RateLimitConfigZ,
+  RateLimitInputZ: () => RateLimitInputZ,
+  RateLimitProfileZ: () => RateLimitProfileZ,
+  ScanBurstDecisionZ: () => ScanBurstDecisionZ,
+  ScanBurstSensorInputZ: () => ScanBurstSensorInputZ,
+  SchemaFieldKindZ: () => SchemaFieldKindZ,
+  SchemaFieldZ: () => SchemaFieldZ,
+  ScopeZ: () => ScopeZ,
+  SensitivityLevelZ: () => SensitivityLevelZ,
+  SensorChainInputZ: () => SensorChainInputZ,
+  SensorDecisionWithMetadataZ: () => SensorDecisionWithMetadataZ,
+  SensorDecisionZ: () => SensorDecisionZ,
+  SensorResultZ: () => SensorResultZ,
+  UploadSessionZ: () => UploadSessionZ,
+  UploadStatusZ: () => UploadStatusZ,
+  WsHandshakeDecisionZ: () => WsHandshakeDecisionZ,
+  WsHandshakeInputZ: () => WsHandshakeInputZ
+});
+
+// src/schemas/axis-schemas.ts
+var z2 = __toESM(require("zod"));
+var SensorDecisionZ = z2.union([
+  z2.object({ action: z2.literal("ALLOW"), meta: z2.any().optional() }),
+  z2.object({
+    action: z2.literal("DENY"),
+    code: z2.string(),
+    reason: z2.string().optional(),
+    meta: z2.any().optional()
+  })
+]);
+var SensorDecisionWithMetadataZ = z2.union([
+  z2.object({ action: z2.literal("ALLOW"), meta: z2.any().optional() }),
+  z2.object({
+    action: z2.literal("DENY"),
+    code: z2.string(),
+    reason: z2.string().optional(),
+    retryAfterMs: z2.number().int().positive().optional(),
+    meta: z2.any().optional()
+  })
+]);
+var CountryBlockSensorInputZ = z2.object({
+  ip: z2.string().min(1),
+  country: z2.string().length(2).toUpperCase().optional()
+});
+var CountryBlockDecisionZ = SensorDecisionZ;
+var ScanBurstSensorInputZ = z2.object({
+  ip: z2.string().min(1),
+  isFailure: z2.boolean().optional()
+});
+var ScanBurstDecisionZ = SensorDecisionWithMetadataZ;
+var ProofKindZ = z2.enum([
+  "NONE",
+  "CAPSULE",
+  "PASSPORT",
+  "MTLS",
+  "JWT"
+]);
+var AccessProfileZ = z2.enum(["PUBLIC", "PARTNER", "INTERNAL", "NODE"]);
+var ProofPresenceInputZ = z2.object({
+  profile: AccessProfileZ,
+  visibility: z2.enum(["PUBLIC", "GUARDED"]),
+  requiredProof: z2.array(ProofKindZ).min(1),
+  hasCapsule: z2.boolean(),
+  hasPassportSignature: z2.boolean(),
+  intent: z2.string().min(1)
+});
+var SensitivityLevelZ = z2.enum(["LOW", "MEDIUM", "HIGH", "CRITICAL"]);
+var IntentPolicyZ = z2.object({
+  intent: z2.string().min(1),
+  sensitivity: SensitivityLevelZ,
+  maxFrameBytes: z2.number().int().positive(),
+  maxHeaderBytes: z2.number().int().positive(),
+  maxBodyBytes: z2.number().int().positive(),
+  maxSigBytes: z2.number().int().positive().optional(),
+  rateLimitPerMinute: z2.number().int().positive().optional(),
+  rateLimitPerHour: z2.number().int().positive().optional(),
+  requiresSignature: z2.boolean(),
+  requiresCapsule: z2.boolean(),
+  timeoutMs: z2.number().int().positive()
+});
+var IntentPolicySensorInputZ = z2.object({
+  frame: AxisFrameZ,
+  intent: z2.string().min(1),
+  rawFrameSize: z2.number().int().positive()
+});
+var IntentPolicyDecisionZ = z2.union([
+  z2.object({
+    action: z2.literal("ALLOW"),
+    policy: IntentPolicyZ
+  }),
+  z2.object({
+    action: z2.literal("DENY"),
+    reason: z2.string()
+  })
+]);
+var CapsuleClaimsZ = z2.object({
+  capsuleId: z2.string().min(8),
+  allowIntents: z2.array(z2.string()).min(1),
+  limits: z2.object({
+    maxBodyBytes: z2.number().int().positive().optional()
+  }).optional(),
+  scopes: z2.record(z2.string(), z2.any()).optional()
+});
+var CapsuleZ = z2.object({
+  id: z2.string(),
+  claims: CapsuleClaimsZ,
+  issuedAt: z2.number().int(),
+  expiresAt: z2.number().int(),
+  tier: z2.enum(["FREE", "STANDARD", "PREMIUM"])
+});
+var CapsuleValidationResultZ = z2.object({
+  valid: z2.boolean(),
+  capsule: CapsuleZ.optional(),
+  reason: z2.string().optional(),
+  requiresStepUp: z2.boolean().optional()
+});
+var CapsuleVerifySensorInputZ = z2.object({
+  headers: z2.map(
+    z2.number(),
+    z2.custom((v) => v instanceof Uint8Array)
+  ),
+  intent: z2.string().min(1),
+  ctx: z2.any()
+  // AxisContext - avoid circular dependency
+});
+var CapsuleVerifyResultZ = z2.object({
+  ok: z2.literal(true),
+  capsule: CapsuleZ
+});
+var RateLimitProfileZ = z2.enum([
+  "PUBLIC",
+  "PARTNER",
+  "INTERNAL",
+  "NODE"
+]);
+var RateLimitInputZ = z2.object({
+  ip: z2.string().min(1),
+  userAgent: z2.string().optional(),
+  actorId: z2.string().optional(),
+  capsuleId: z2.string().optional(),
+  intent: z2.string().min(1),
+  profile: RateLimitProfileZ
+});
+var RateLimitConfigZ = z2.object({
+  windowSec: z2.number().int().positive(),
+  max: z2.number().int().positive(),
+  key: z2.enum(["ip_fingerprint", "actor_capsule"])
+});
+var SensorResultZ = z2.object({
+  ok: z2.literal(true)
+});
+var PassportZ = z2.object({
+  id: z2.string(),
+  public_key: z2.custom((v) => Buffer.isBuffer(v)),
+  status: z2.enum(["ACTIVE", "REVOKED", "EXPIRED", "PENDING"]),
+  issuedAt: z2.number().int(),
+  expiresAt: z2.number().int().optional()
+});
+var ExecutionMetricsZ = z2.object({
+  dbWrites: z2.number().int(),
+  dbReads: z2.number().int(),
+  externalCalls: z2.number().int(),
+  elapsedMs: z2.number().int().optional()
+});
+var SensorChainInputZ = z2.object({
+  ip: z2.string().min(1),
+  path: z2.string().min(1),
+  contentLength: z2.number().int().nonnegative(),
+  peek: z2.instanceof(Uint8Array),
+  country: z2.string().optional()
+});
+var EntropySensorInputZ = z2.object({
+  pid: z2.custom((v) => Buffer.isBuffer(v)).optional(),
+  nonce: z2.custom((v) => Buffer.isBuffer(v)).optional(),
+  ip: z2.string().min(1)
+});
+var ProtocolStrictInputZ = z2.object({
+  rawBytes: z2.union([z2.custom((v) => Buffer.isBuffer(v)), z2.instanceof(Uint8Array)]).optional(),
+  ip: z2.string().min(1),
+  path: z2.string().min(1),
+  contentLength: z2.number().int().nonnegative(),
+  peek: z2.instanceof(Uint8Array),
+  country: z2.string().optional(),
+  contentType: z2.string().optional()
+});
+var SchemaFieldKindZ = z2.enum([
+  "utf8",
+  "u64",
+  "bytes",
+  "bytes16",
+  "bool",
+  "obj",
+  "arr"
+]);
+var ScopeZ = z2.enum(["header", "body"]);
+var SchemaFieldZ = z2.object({
+  name: z2.string().min(1),
+  tlv: z2.number().int().positive(),
+  kind: SchemaFieldKindZ,
+  required: z2.boolean().optional(),
+  maxLen: z2.number().int().positive().optional(),
+  max: z2.string().optional(),
+  scope: ScopeZ.optional()
+});
+var BodyProfileZ = z2.enum(["TLV_MAP", "RAW", "TLV_OBJ", "TLV_ARR"]);
+var IntentSchemaZ = z2.object({
+  intent: z2.string().min(1),
+  version: z2.number().int().positive(),
+  bodyProfile: BodyProfileZ,
+  fields: z2.array(SchemaFieldZ).min(1)
+});
+var WsHandshakeInputZ = z2.object({
+  clientId: z2.string().min(1),
+  isWs: z2.boolean(),
+  ip: z2.string().min(1)
+});
+var WsHandshakeDecisionZ = z2.union([
+  z2.object({ action: z2.literal("ALLOW") }),
+  z2.object({ action: z2.literal("DENY"), code: z2.string() })
+]);
+var IPReputationInputZ = z2.object({
+  ip: z2.string().min(1)
+});
+var IPReputationZ = z2.object({
+  score: z2.number().min(-100).max(100),
+  lastUpdated: z2.number().int(),
+  totalRequests: z2.number().int().nonnegative(),
+  failedRequests: z2.number().int().nonnegative(),
+  blockedRequests: z2.number().int().nonnegative(),
+  tags: z2.array(z2.string())
+});
+var UploadStatusZ = z2.enum([
+  "INIT",
+  "UPLOADING",
+  "FINALIZING",
+  "DONE",
+  "ABORTED"
+]);
+var UploadSessionZ = z2.object({
+  uploadIdHex: z2.string().min(1),
+  fileName: z2.string().min(1),
+  totalSize: z2.number().int().positive(),
+  chunkSize: z2.number().int().positive(),
+  totalChunks: z2.number().int().positive(),
+  receivedCount: z2.number().int().nonnegative(),
+  status: UploadStatusZ
+});
+var BodyBudgetInputZ = z2.object({
+  intent: z2.string().min(1),
+  headerLen: z2.number().int().nonnegative(),
+  bodyLen: z2.number().int().nonnegative()
+});
+var BodyBudgetPolicyZ = z2.object({
+  maxHeaderBytes: z2.number().int().positive(),
+  maxBodyBytes: z2.number().int().positive()
+});
+var ChunkHashInputZ = z2.object({
+  headerTLVs: z2.any(),
+  // Map<number, Uint8Array> - flexible validation for compatibility
+  bodyBytes: z2.any(),
+  // Uint8Array - flexible validation for compatibility
+  intent: z2.string().min(1)
+});
+var ProofType2 = /* @__PURE__ */ ((ProofType3) => {
+  ProofType3[ProofType3["CAPSULE"] = 1] = "CAPSULE";
+  ProofType3[ProofType3["JWT"] = 2] = "JWT";
+  ProofType3[ProofType3["MTLS_ID"] = 3] = "MTLS_ID";
+  ProofType3[ProofType3["DEVICE_SE"] = 4] = "DEVICE_SE";
+  ProofType3[ProofType3["WITNESS_SIG"] = 5] = "WITNESS_SIG";
+  return ProofType3;
+})(ProofType2 || {});
+var AxisContextZ = z2.object({
+  pid: z2.custom((v) => Buffer.isBuffer(v)),
+  // Process ID
+  ts: z2.bigint(),
+  // Timestamp
+  intent: z2.string().min(1),
+  actorId: z2.custom((v) => Buffer.isBuffer(v)),
+  proofType: z2.enum(ProofType2),
+  proofRef: z2.custom((v) => Buffer.isBuffer(v)),
+  nonce: z2.custom((v) => Buffer.isBuffer(v)),
+  ip: z2.string().min(1),
+  nodeCertHash: z2.string().optional(),
+  capsule: CapsuleZ.optional(),
+  passport: PassportZ.optional(),
+  meter: z2.any().optional()
+  // ExecutionMeter instance - any to avoid circular dependency and allow class instance
+});
+var AxisErrorZ = z2.object({
+  code: z2.string(),
+  message: z2.string(),
+  httpStatus: z2.number().int()
+});
+
+// src/schemas/body-profile.validator.ts
+var import_common10 = require("@nestjs/common");
+var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
+  BodyProfile3[BodyProfile3["RAW"] = 0] = "RAW";
+  BodyProfile3[BodyProfile3["TLV_MAP"] = 1] = "TLV_MAP";
+  BodyProfile3[BodyProfile3["OBJ"] = 2] = "OBJ";
+  BodyProfile3[BodyProfile3["ARR"] = 3] = "ARR";
+  return BodyProfile3;
+})(BodyProfile2 || {});
+var BodyProfileValidator = class {
+  constructor() {
+    this.logger = new import_common10.Logger(BodyProfileValidator.name);
+  }
+  /**
+   * Validate body matches declared profile
+   */
+  validate(body, profile) {
+    switch (profile) {
+      case 0 /* RAW */:
+        return this.validateRaw(body);
+      case 1 /* TLV_MAP */:
+        return this.validateTlvMap(body);
+      case 2 /* OBJ */:
+        return this.validateObj(body);
+      case 3 /* ARR */:
+        return this.validateArr(body);
+      default:
+        return {
+          valid: false,
+          error: `Unknown body profile: ${profile}`,
+          profile
+        };
+    }
+  }
+  /**
+   * RAW profile - no validation, any bytes accepted
+   */
+  validateRaw(body) {
+    return {
+      valid: true,
+      profile: 0 /* RAW */
+    };
+  }
+  /**
+   * TLV_MAP profile - flat TLV list (no nested structures)
+   */
+  validateTlvMap(body) {
+    try {
+      const tlvs = (0, import_axis_protocol.decodeTLVsList)(body);
+      for (const tlv2 of tlvs) {
+        if (tlv2.type === 254 || tlv2.type === 255) {
+          return {
+            valid: false,
+            error: "TLV_MAP profile cannot contain nested OBJ/ARR types",
+            profile: 1 /* TLV_MAP */
+          };
+        }
+      }
+      return {
+        valid: true,
+        profile: 1 /* TLV_MAP */
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      return {
+        valid: false,
+        error: `TLV_MAP decode failed: ${message}`,
+        profile: 1 /* TLV_MAP */
+      };
+    }
+  }
+  /**
+   * OBJ profile - must be valid nested object
+   */
+  validateObj(body) {
+    try {
+      const tlvs = (0, import_axis_protocol.decodeTLVsList)(body);
+      const hasObj = tlvs.some((t) => t.type === 254);
+      if (!hasObj && tlvs.length > 0) {
+        return {
+          valid: false,
+          error: "OBJ profile must contain OBJ type (254)",
+          profile: 2 /* OBJ */
+        };
+      }
+      return {
+        valid: true,
+        profile: 2 /* OBJ */
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      return {
+        valid: false,
+        error: `OBJ decode failed: ${message}`,
+        profile: 2 /* OBJ */
+      };
+    }
+  }
+  /**
+   * ARR profile - must be valid array
+   */
+  validateArr(body) {
+    try {
+      const tlvs = (0, import_axis_protocol.decodeTLVsList)(body);
+      const hasArr = tlvs.some((t) => t.type === 255);
+      if (!hasArr && tlvs.length > 0) {
+        return {
+          valid: false,
+          error: "ARR profile must contain ARR type (255)",
+          profile: 3 /* ARR */
+        };
+      }
+      return {
+        valid: true,
+        profile: 3 /* ARR */
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      return {
+        valid: false,
+        error: `ARR decode failed: ${message}`,
+        profile: 3 /* ARR */
+      };
+    }
+  }
+};
+BodyProfileValidator = __decorateClass([
+  (0, import_common10.Injectable)()
+], BodyProfileValidator);
+
+// src/security/index.ts
+var security_exports = {};
+__export(security_exports, {
+  CAPABILITIES: () => CAPABILITIES,
+  INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
+  PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
+  canAccessResource: () => canAccessResource,
+  hasScope: () => hasScope,
+  parseScope: () => parseScope
+});
+
+// src/sensors/index.ts
+var sensors_exports = {};
+__export(sensors_exports, {
+  AccessProfileResolverSensor: () => AccessProfileResolverSensor,
+  BodyBudgetSensor: () => BodyBudgetSensor,
+  CapabilityEnforcementSensor: () => CapabilityEnforcementSensor,
+  ChunkHashSensor: () => ChunkHashSensor,
+  EntropySensor: () => EntropySensor,
+  ExecutionTimeoutSensor: () => ExecutionTimeoutSensor,
+  FrameBudgetSensor: () => FrameBudgetSensor,
+  FrameHeaderSanitySensor: () => FrameHeaderSanitySensor,
+  HeaderTLVLimitSensor: () => HeaderTLVLimitSensor,
+  IntentAllowlistSensor: () => IntentAllowlistSensor,
+  IntentRegistrySensor: () => IntentRegistrySensor,
+  ProofPresenceSensor: () => ProofPresenceSensor,
+  ProtocolStrictSensor: () => ProtocolStrictSensor,
+  ReceiptPolicySensor: () => ReceiptPolicySensor,
+  SchemaValidationSensor: () => SchemaValidationSensor,
+  StreamScopeSensor: () => StreamScopeSensor,
+  TLVParseSensor: () => TLVParseSensor,
+  VarintHardeningSensor: () => VarintHardeningSensor
+});
+
+// src/sensors/access-profile-resolver.sensor.ts
+var import_common11 = require("@nestjs/common");
+var AccessProfileResolverSensor = class {
+  constructor() {
+    /** AxisSensor identifier */
+    this.name = "AccessProfileResolverSensor";
+    /**
+     * Execution order - runs early to establish the access profile
+     * for downstream sensors.
+     */
+    this.order = BAND.IDENTITY + 10;
+  }
+  supports() {
+    return true;
+  }
+  async run(input) {
+    const hasCapsule = !!input.metadata?.capsuleId;
+    const hasPassport = !!input.metadata?.passportSig;
+    const hasMTLS = !!input.metadata?.mtlsId;
+    const profile = hasCapsule || hasPassport || hasMTLS ? "GUARDED" : "PUBLIC";
+    if (!input.metadata) input.metadata = {};
+    input.metadata.profile = profile;
+    return { action: "ALLOW" };
+  }
+};
+AccessProfileResolverSensor = __decorateClass([
+  Sensor(),
+  (0, import_common11.Injectable)()
+], AccessProfileResolverSensor);
+
+// src/sensors/body-budget.sensor.ts
+var import_common12 = require("@nestjs/common");
+var BodyBudgetSensor = class {
+  constructor() {
+    /** AxisSensor identifier */
+    this.name = "BodyBudgetSensor";
+    /**
+     * Execution order - after authentication
+     *
+     * Order 150 ensures:
+     * - Authentication complete
+     * - Runs before full body read
+     * - Before schema validation (170)
+     */
+    this.order = BAND.CONTENT + 10;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Requires at least 8 bytes of peeked data to read headers.
+   *
+   * @param {SensorInput} input - Incoming request
+   * @returns {boolean} True if sufficient peek data available
+   */
+  supports(input) {
+    return !!input.peek && input.peek.length >= 8;
+  }
+  /**
+   * Validates header and body lengths against configured limits.
+   *
+   * **Frame Parsing:**
+   * - Skip magic (5 bytes)
+   * - Skip version (1 byte)
+   * - Skip flags (1 byte)
+   * - Read HDR_LEN varint
+   * - Read BODY_LEN varint
+   * - Compare against MAX_HDR_LEN and MAX_BODY_LEN
+   *
+   * @param {SensorInput} input - Request with peek data
+   * @returns {Promise<SensorDecision>} ALLOW or DENY based on size limits
+   */
+  async run(input) {
+    const { peek } = input;
+    if (!peek || peek.length < 8) {
+      return { action: "ALLOW" };
+    }
+    try {
+      let offset = 5;
+      offset += 1;
+      offset += 1;
+      const { value: hdrLen, length: hdrBytes } = (0, import_axis_protocol3.decodeVarint)(peek, offset);
+      offset += hdrBytes;
+      const { value: bodyLen } = (0, import_axis_protocol3.decodeVarint)(peek, offset);
+      if (hdrLen > import_axis_protocol2.MAX_HDR_LEN) {
+        return {
+          action: "DENY",
+          code: "HEADER_TOO_LARGE",
+          reason: `Header size ${hdrLen} exceeds limit ${import_axis_protocol2.MAX_HDR_LEN}`
+        };
+      }
+      if (bodyLen > import_axis_protocol2.MAX_BODY_LEN) {
+        return {
+          action: "DENY",
+          code: "BODY_TOO_LARGE",
+          reason: `Body size ${bodyLen} exceeds limit ${import_axis_protocol2.MAX_BODY_LEN}`
+        };
+      }
+      return { action: "ALLOW" };
+    } catch (e) {
+      return { action: "ALLOW" };
+    }
+  }
+};
+BodyBudgetSensor = __decorateClass([
+  Sensor(),
+  (0, import_common12.Injectable)()
+], BodyBudgetSensor);
+
+// src/sensors/capability-enforcement.sensor.ts
+var import_common13 = require("@nestjs/common");
+var CapabilityEnforcementSensor = class {
+  constructor() {
+    this.logger = new import_common13.Logger(CapabilityEnforcementSensor.name);
+    /** AxisSensor identifier for logging and registry */
+    this.name = "CapabilityEnforcementSensor";
+    /**
+     * Execution order - runs after authentication
+     *
+     * Order 100 ensures:
+     * - Capsule is verified (CapsuleVerifySensor @ 80)
+     * - Signature is verified (SigVerifySensor @ 90)
+     * - We know the proof type for capability lookup
+     */
+    this.order = BAND.POLICY + 10;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Only activates when an intent is present.
+   *
+   * @param {SensorInput} input - Incoming AXIS request
+   * @returns {boolean} True if intent is present
+   */
+  supports(input) {
+    return !!input.intent;
+  }
+  /**
+   * Enforces capability requirements for the requested intent.
+   *
+   * **Processing Flow:**
+   * 1. Extract proof type from packet (default: 0/NONE)
+   * 2. Look up capabilities granted by this proof type
+   * 3. Look up capabilities required by the intent
+   * 4. If no requirements, ALLOW
+   * 5. Check if all required capabilities are granted
+   * 6. If missing capabilities, DENY with details
+   * 7. Otherwise, ALLOW
+   *
+   * @param {SensorInput} input - Request with intent and packet
+   * @returns {Promise<SensorDecision>} ALLOW or DENY based on capabilities
+   */
+  async run(input) {
+    const { intent, packet } = input;
+    if (!intent) {
+      return { action: "ALLOW" };
+    }
+    const proofType = packet?.proofType ?? 0;
+    const grantedCapabilities = PROOF_CAPABILITIES[proofType] || [];
+    const requiredCapabilities = this.getRequiredCapabilities(intent);
+    if (requiredCapabilities.length === 0) {
+      return { action: "ALLOW" };
+    }
+    const missingCapabilities = requiredCapabilities.filter(
+      (cap) => !grantedCapabilities.includes(cap)
+    );
+    if (missingCapabilities.length > 0) {
+      this.logger.warn(
+        `Capability denied for ${intent}: missing ${missingCapabilities.join(", ")} (has: ${grantedCapabilities.join(", ")})`
+      );
+      return {
+        action: "DENY",
+        code: "CAPABILITY_DENIED",
+        reason: `Missing capabilities: ${missingCapabilities.join(", ")}`
+      };
+    }
+    return { action: "ALLOW" };
+  }
+  /**
+   * Gets required capabilities for an intent.
+   *
+   * **Lookup Strategy:**
+   * 1. Check for exact intent match
+   * 2. Check for prefix pattern match (*.suffix)
+   * 3. Default to 'execute' for unknown intents
+   *
+   * @private
+   * @param {string} intent - Intent name to look up
+   * @returns {Capability[]} Array of required capabilities
+   */
+  getRequiredCapabilities(intent) {
+    if (INTENT_REQUIREMENTS[intent]) {
+      return INTENT_REQUIREMENTS[intent];
+    }
+    for (const [pattern, caps] of Object.entries(INTENT_REQUIREMENTS)) {
+      if (pattern.endsWith(".*")) {
+        const prefix = pattern.slice(0, -1);
+        if (intent.startsWith(prefix)) {
+          return caps;
+        }
+      }
+    }
+    return ["execute"];
+  }
+};
+CapabilityEnforcementSensor = __decorateClass([
+  Sensor(),
+  (0, import_common13.Injectable)()
+], CapabilityEnforcementSensor);
+
+// src/sensors/chunk-hash.sensor.ts
+var import_common14 = require("@nestjs/common");
+var import_crypto6 = require("crypto");
+var ChunkHashSensor = class {
+  constructor() {
+    /** Sensor identifier */
+    this.name = "ChunkHashSensor";
+    /**
+     * Execution order - after session validation
+     *
+     * Order 190 ensures:
+     * - Session validated (180)
+     * - Chunk parameters verified
+     * - Hash check before storage
+     */
+    this.order = BAND.CONTENT + 50;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Only processes file.chunk intents.
+   *
+   * @param {SensorInput} input - Incoming request
+   * @returns {boolean} True if intent is 'file.chunk'
+   */
+  supports(input) {
+    return input.intent === "file.chunk";
+  }
+  /**
+   * Validates chunk data against declared SHA-256 hash.
+   *
+   * **Processing Flow:**
+   * 1. Check for required headerTLVs and body
+   * 2. Extract expected hash from TLV 73
+   * 3. Verify hash is exactly 32 bytes
+   * 4. Compute SHA-256 of body
+   * 5. Compare bytes (timing-safe)
+   * 6. DENY on mismatch
+   *
+   * @param {SensorInput} input - Request with chunk body
+   * @returns {Promise<SensorDecision>} ALLOW if hash matches, DENY otherwise
+   */
+  async run(input) {
+    const headerTLVs = input.headerTLVs;
+    const bodyBytes = input.body;
+    if (!headerTLVs || !bodyBytes) {
+      return {
+        action: "DENY",
+        code: "SENSOR_INVALID_INPUT",
+        reason: "Missing headerTLVs or body"
+      };
+    }
+    const TLV_SHA256_CHUNK2 = 73;
+    const expected = headerTLVs.get(TLV_SHA256_CHUNK2);
+    if (!expected || expected.length !== 32) {
+      return {
+        action: "DENY",
+        code: "FILE_CHUNK_HASH_MISSING",
+        reason: "Missing sha256Chunk TLV in header"
+      };
+    }
+    const actual = (0, import_crypto6.createHash)("sha256").update(bodyBytes).digest();
+    if (!Buffer.from(actual).equals(Buffer.from(expected))) {
+      return {
+        action: "DENY",
+        code: "FILE_CHUNK_HASH_MISMATCH",
+        reason: "Chunk hash mismatch - data corrupted"
+      };
+    }
+    return { action: "ALLOW" };
+  }
+};
+ChunkHashSensor = __decorateClass([
+  Sensor(),
+  (0, import_common14.Injectable)()
+], ChunkHashSensor);
+
+// src/sensors/entropy.sensor.ts
+var import_common15 = require("@nestjs/common");
+var crypto4 = __toESM(require("crypto"));
+var EntropySensor = class {
+  constructor() {
+    this.logger = new import_common15.Logger(EntropySensor.name);
+    /**
+     * Minimum acceptable entropy in bits per byte.
+     *
+     * 3.0 bits/byte is a conservative threshold:
+     * - Random data: ~7.9 bits/byte
+     * - English text: ~4.5 bits/byte
+     * - Sequential data: ~0-2 bits/byte
+     */
+    this.MIN_ENTROPY_THRESHOLD = 3;
+    /** AxisSensor identifier */
+    this.name = "EntropySensor";
+    /**
+     * Execution order - anomaly detection phase
+     *
+     * Order 130 ensures:
+     * - Replay protection done (120)
+     * - Runs before expensive policy lookups
+     */
+    this.order = BAND.POLICY + 35;
+  }
+  /**
+   * Calculates Shannon entropy of a byte array.
+   *
+   * **Algorithm:**
+   * 1. Count frequency of each byte value (0-255)
+   * 2. Calculate probability p = count / total
+   * 3. Sum: -Σ(p * log2(p))
+   *
+   * @private
+   * @param {Uint8Array} data - Bytes to analyze
+   * @returns {number} Entropy in bits per byte (0-8 scale)
+   */
+  calculateEntropy(data) {
+    if (data.length === 0) return 0;
+    const freq = /* @__PURE__ */ new Map();
+    for (const byte of data) {
+      freq.set(byte, (freq.get(byte) || 0) + 1);
+    }
+    let entropy = 0;
+    const len = data.length;
+    for (const count of freq.values()) {
+      const p = count / len;
+      entropy -= p * Math.log2(p);
+    }
+    return entropy;
+  }
+  /**
+   * Checks for sequential patterns in data.
+   *
+   * Detects sequences like [1,2,3,4...] or [10,9,8,7...].
+   * More than 50% sequential is considered suspicious.
+   *
+   * @private
+   * @param {Uint8Array} data - Bytes to analyze
+   * @returns {boolean} True if sequential pattern detected
+   */
+  hasSequentialPattern(data) {
+    if (data.length < 4) return false;
+    let ascending = 0;
+    let descending = 0;
+    for (let i = 1; i < data.length; i++) {
+      if (data[i] === data[i - 1] + 1) ascending++;
+      if (data[i] === data[i - 1] - 1) descending++;
+    }
+    return ascending > data.length / 2 || descending > data.length / 2;
+  }
+  /**
+   * Checks for repeated patterns in data.
+   *
+   * Detects patterns like [0xAB, 0xCD, 0xAB, 0xCD...].
+   * Checks for 2, 4, and 8 byte repeating patterns.
+   *
+   * @private
+   * @param {Uint8Array} data - Bytes to analyze
+   * @returns {boolean} True if repeated pattern detected
+   */
+  hasRepeatedPattern(data) {
+    if (data.length < 8) return false;
+    for (const patternLen of [2, 4, 8]) {
+      if (data.length % patternLen !== 0) continue;
+      let matches = 0;
+      for (let i = patternLen; i < data.length; i++) {
+        if (data[i] === data[i % patternLen]) matches++;
+      }
+      if (matches > (data.length - patternLen) * 0.9) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Analyzes entropy of PID and nonce in request headers.
+   *
+   * **Processing Flow:**
+   * 1. Extract PID and nonce from header TLVs
+   * 2. Calculate entropy for each
+   * 3. Check for sequential patterns
+   * 4. Check for repeated patterns
+   * 5. Accumulate issues and score delta
+   * 6. Return FLAG if issues found, ALLOW otherwise
+   *
+   * @param {SensorInput} input - Request with header TLVs
+   * @returns {Promise<SensorDecision>} ALLOW or FLAG based on entropy analysis
+   */
+  async run(input) {
+    const headers = input.headerTLVs;
+    if (!headers) {
+      return { action: "ALLOW" };
+    }
+    const pid = headers.get(import_axis_protocol2.TLV_PID);
+    const nonce = headers.get(import_axis_protocol2.TLV_NONCE);
+    const issues = [];
+    let totalDelta = 0;
+    if (pid && pid.length > 0) {
+      const pidEntropy = this.calculateEntropy(pid);
+      if (pidEntropy < this.MIN_ENTROPY_THRESHOLD) {
+        issues.push(`pid_low_entropy:${pidEntropy.toFixed(2)}`);
+        totalDelta -= 3;
+      }
+      if (this.hasSequentialPattern(pid)) {
+        issues.push("pid_sequential");
+        totalDelta -= 5;
+      }
+      if (this.hasRepeatedPattern(pid)) {
+        issues.push("pid_repeated");
+        totalDelta -= 5;
+      }
+    }
+    if (nonce && nonce.length > 0) {
+      const nonceEntropy = this.calculateEntropy(nonce);
+      if (nonceEntropy < this.MIN_ENTROPY_THRESHOLD) {
+        issues.push(`nonce_low_entropy:${nonceEntropy.toFixed(2)}`);
+        totalDelta -= 3;
+      }
+      if (this.hasSequentialPattern(nonce)) {
+        issues.push("nonce_sequential");
+        totalDelta -= 5;
+      }
+      if (this.hasRepeatedPattern(nonce)) {
+        issues.push("nonce_repeated");
+        totalDelta -= 5;
+      }
+    }
+    if (issues.length > 0) {
+      this.logger.warn(`Entropy issues from ${input.ip}: ${issues.join(", ")}`);
+      return {
+        action: "FLAG",
+        scoreDelta: totalDelta,
+        reasons: issues
+      };
+    }
+    return { action: "ALLOW" };
+  }
+  /**
+   * Generates cryptographically secure random bytes.
+   *
+   * Utility method for SDK/client code to ensure proper entropy.
+   * Uses Node.js crypto.randomBytes for secure PRNG.
+   *
+   * @static
+   * @param {number} length - Number of random bytes
+   * @returns {Uint8Array} Cryptographically secure random bytes
+   */
+  static generateSecureRandom(length) {
+    return new Uint8Array(crypto4.randomBytes(length));
+  }
+};
+EntropySensor = __decorateClass([
+  Sensor(),
+  (0, import_common15.Injectable)()
+], EntropySensor);
+
+// src/sensors/execution-timeout.sensor.ts
+var import_common16 = require("@nestjs/common");
+var ExecutionTimeoutSensor = class {
+  constructor() {
+    this.logger = new import_common16.Logger(ExecutionTimeoutSensor.name);
+    /** AxisSensor identifier */
+    this.name = "ExecutionTimeoutSensor";
+    /**
+     * Execution order - late, near handler execution
+     *
+     * Order 210 ensures:
+     * - All validation complete
+     * - Deadline set just before handler
+     */
+    this.order = BAND.BUSINESS + 10;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * @param {SensorInput} input - Incoming request
+   * @returns {boolean} True if intent is present
+   */
+  supports(input) {
+    return !!input.intent;
+  }
+  /**
+   * Sets execution deadline in the request context.
+   *
+   * **Processing Flow:**
+   * 1. Look up timeout for intent
+   * 2. Calculate absolute deadline
+   * 3. Store in context for handler use
+   * 4. Return ALLOW
+   *
+   * @param {SensorInput} input - Request with intent
+   * @returns {Promise<SensorDecision>} Always ALLOW
+   */
+  async run(input) {
+    const { intent, context } = input;
+    if (!intent) {
+      return { action: "ALLOW" };
+    }
+    const timeout = resolveTimeout(intent);
+    const deadline = Date.now() + timeout;
+    if (context) {
+      context.deadline = deadline;
+      context.timeoutMs = timeout;
+    }
+    this.logger.debug(
+      `Set ${timeout}ms timeout for ${intent} (deadline: ${new Date(deadline).toISOString()})`
+    );
+    return { action: "ALLOW" };
+  }
+  /**
+   * Checks if a deadline has been exceeded.
+   *
+   * Utility method for handler code.
+   *
+   * @static
+   * @param {object} ctx - Context with deadline
+   * @returns {boolean} True if deadline passed
+   */
+  static isExpired(ctx) {
+    if (!ctx.deadline) return false;
+    return Date.now() > ctx.deadline;
+  }
+  /**
+   * Gets remaining time until deadline.
+   *
+   * Utility method for handler code.
+   *
+   * @static
+   * @param {object} ctx - Context with deadline
+   * @returns {number} Remaining milliseconds (0 if expired, Infinity if no deadline)
+   */
+  static getRemainingMs(ctx) {
+    if (!ctx.deadline) return Infinity;
+    return Math.max(0, ctx.deadline - Date.now());
+  }
+};
+ExecutionTimeoutSensor = __decorateClass([
+  Sensor(),
+  (0, import_common16.Injectable)()
+], ExecutionTimeoutSensor);
+
+// src/sensors/frame-budget.sensor.ts
+var import_common17 = require("@nestjs/common");
+var FrameBudgetSensor = class {
+  constructor(config) {
+    this.config = config;
+    /** AxisSensor identifier for logging and registry */
+    this.name = "FrameBudgetSensor";
+    /**
+     * Execution order - runs after protocol validation
+     *
+     * Order 20 ensures:
+     * - Protocol is valid (ProtocolStrictSensor @ 10)
+     * - Size checked before expensive processing
+     */
+    this.order = BAND.WIRE + 20;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Only activates when Content-Length header is available.
+   * WebSocket frames may not have Content-Length; they use different size tracking.
+   *
+   * @param {SensorInput} input - Incoming AXIS request
+   * @returns {boolean} True if Content-Length is present
+   */
+  supports(input) {
+    return typeof input.contentLength === "number";
+  }
+  /**
+   * Validates frame size against configured limits.
+   *
+   * **Current Implementation:** Stub that always allows.
+   *
+   * **TODO:** Full implementation should:
+   * 1. Load intent policy for the request
+   * 2. Get maxFrameBytes from policy
+   * 3. Compare against contentLength
+   * 4. DENY if exceeded
+   *
+   * @param {SensorInput} input - Request with contentLength
+   * @returns {Promise<SensorDecision>} ALLOW or DENY based on size
+   */
+  async run(input) {
+    const maxBytes = this.config.get("AXIS_MAX_FRAME_SIZE") || 50 * 1024 * 1024;
+    const contentLength = input.contentLength;
+    if (typeof contentLength !== "number") {
+      return { action: "ALLOW" };
+    }
+    if (contentLength > maxBytes) {
+      return {
+        action: "DENY",
+        code: "FRAME_TOO_LARGE",
+        reason: `Frame size ${contentLength} exceeds limit ${maxBytes}`
+      };
+    }
+    return { action: "ALLOW" };
+  }
+};
+FrameBudgetSensor = __decorateClass([
+  Sensor({ phase: "PRE_DECODE" }),
+  (0, import_common17.Injectable)()
+], FrameBudgetSensor);
+
+// src/sensors/frame-header-sanity.sensor.ts
+var import_common18 = require("@nestjs/common");
+var FrameHeaderSanitySensor = class {
+  constructor() {
+    this.name = "FrameHeaderSanitySensor";
+    this.order = BAND.WIRE + 30;
+  }
+  supports(input) {
+    return !!input.peek && input.peek.length >= 7;
+  }
+  async run(input) {
+    const peek = input.peek;
+    const contentLen = input.contentLength || 0;
+    if (peek.length < 5 || !this.bufferEqual(peek.slice(0, 5), import_axis_protocol2.AXIS_MAGIC)) {
+      return {
+        action: "DENY",
+        code: "INVALID_MAGIC",
+        reason: "Frame magic is not AXIS1"
+      };
+    }
+    if (peek[5] !== import_axis_protocol2.AXIS_VERSION) {
+      return {
+        action: "DENY",
+        code: "UNSUPPORTED_VERSION",
+        reason: `Unsupported version: ${peek[5]}`
+      };
+    }
+    if (contentLen > import_axis_protocol2.MAX_FRAME_LEN) {
+      return {
+        action: "DENY",
+        code: "FRAME_TOO_LARGE",
+        reason: `Frame size ${contentLen} exceeds max ${import_axis_protocol2.MAX_FRAME_LEN}`
+      };
+    }
+    return { action: "ALLOW" };
+  }
+  bufferEqual(a, b) {
+    if (a.length !== b.length) return false;
+    for (let i = 0; i < a.length; i++) {
+      if (a[i] !== b[i]) return false;
+    }
+    return true;
+  }
+};
+FrameHeaderSanitySensor = __decorateClass([
+  (0, import_common18.Injectable)(),
+  Sensor({ phase: "PRE_DECODE" })
+], FrameHeaderSanitySensor);
+
+// src/sensors/header-tlv-limit.sensor.ts
+var import_common19 = require("@nestjs/common");
+var HeaderTLVLimitSensor = class {
+  constructor() {
+    this.name = "HeaderTLVLimitSensor";
+    this.order = BAND.CONTENT + 0;
+    this.MAX_TLVS = 64;
+  }
+  supports(input) {
+    return !!input.headerTLVs || !!input.packet;
+  }
+  async run(input) {
+    if (input.headerTLVs && input.headerTLVs.size > this.MAX_TLVS) {
+      return {
+        action: "DENY",
+        code: "TOO_MANY_TLVS",
+        reason: `Header TLVs (${input.headerTLVs.size}) exceed max (${this.MAX_TLVS})`
+      };
+    }
+    if (input.packet && input.packet.headerBytes) {
+      const hdrLen = input.packet.headerBytes.length;
+      if (hdrLen > import_axis_protocol2.MAX_HDR_LEN) {
+        return {
+          action: "DENY",
+          code: "HEADER_TOO_LARGE",
+          reason: `Header size ${hdrLen} exceeds max ${import_axis_protocol2.MAX_HDR_LEN}`
+        };
+      }
+    }
+    return { action: "ALLOW" };
+  }
+};
+HeaderTLVLimitSensor = __decorateClass([
+  (0, import_common19.Injectable)(),
+  Sensor()
+], HeaderTLVLimitSensor);
+
+// src/sensors/intent-allowlist.sensor.ts
+var import_common20 = require("@nestjs/common");
+var PUBLIC_INTENT_ALLOWLIST = [
+  "public.",
+  "schema.",
+  "catalog.",
+  "health.",
+  "system."
+];
+var IntentAllowlistSensor = class {
+  constructor() {
+    this.name = "IntentAllowlistSensor";
+    this.order = BAND.IDENTITY + 20;
+  }
+  supports(input) {
+    return !!input.intent;
+  }
+  async run(input) {
+    const profile = input.metadata?.profile || "PUBLIC";
+    const intent = input.intent || "";
+    if (profile === "PUBLIC") {
+      const isAllowed = PUBLIC_INTENT_ALLOWLIST.some(
+        (prefix) => intent.startsWith(prefix)
+      );
+      if (!isAllowed) {
+        return {
+          action: "DENY",
+          code: "INTENT_NOT_ALLOWED",
+          reason: `Intent '${intent}' not in public allowlist`
+        };
+      }
+    }
+    return { action: "ALLOW" };
+  }
+};
+IntentAllowlistSensor = __decorateClass([
+  (0, import_common20.Injectable)(),
+  Sensor()
+], IntentAllowlistSensor);
+
+// src/sensors/intent-registry.sensor.ts
+var import_common21 = require("@nestjs/common");
+var IntentRegistrySensor = class {
+  constructor(router) {
+    this.router = router;
+    this.name = "IntentRegistrySensor";
+    this.order = BAND.IDENTITY + 25;
+  }
+  supports(input) {
+    return !!input.intent;
+  }
+  async run(input) {
+    const intent = input.intent;
+    if (this.router.has(intent)) {
+      return { action: "ALLOW" };
+    }
+    return {
+      action: "DENY",
+      code: "INTENT_NOT_REGISTERED",
+      reason: `Intent '${intent}' is not registered`
+    };
+  }
+};
+IntentRegistrySensor = __decorateClass([
+  (0, import_common21.Injectable)(),
+  Sensor({ phase: "POST_DECODE" })
+], IntentRegistrySensor);
+
+// src/sensors/proof-presence.sensor.ts
+var import_common22 = require("@nestjs/common");
+var ProofPresenceSensor = class {
+  constructor() {
+    this.name = "ProofPresenceSensor";
+    this.order = BAND.IDENTITY + 30;
+  }
+  supports(input) {
+    return !!input.profile && !!input.visibility;
+  }
+  async run(input) {
+    const validatedInput = ProofPresenceInputZ.safeParse(input);
+    if (!validatedInput.success) {
+      throw new AxisError(
+        "SENSOR_INVALID_INPUT",
+        `Input validation failed: ${validatedInput.error.message}`,
+        400
+      );
+    }
+    const {
+      visibility,
+      requiredProof,
+      hasCapsule,
+      hasPassportSignature,
+      profile,
+      intent
+    } = validatedInput.data;
+    if (visibility === "PUBLIC") {
+      return { action: "ALLOW" };
+    }
+    if (requiredProof.includes("NONE")) {
+      return { action: "ALLOW" };
+    }
+    const hasCapsuleProof = requiredProof.includes("CAPSULE") && hasCapsule;
+    const hasPassportProof = requiredProof.includes("PASSPORT") && hasPassportSignature;
+    const hasNodeProof = requiredProof.includes("MTLS") && profile === "NODE";
+    const satisfied = hasCapsuleProof || hasPassportProof || hasNodeProof;
+    if (!satisfied) {
+      throw new AxisError(
+        "SENSOR_PROOF_REQUIRED",
+        `Proof required for guarded intent: ${intent}`,
+        403
+      );
+    }
+    return { action: "ALLOW" };
+  }
+};
+ProofPresenceSensor = __decorateClass([
+  Sensor(),
+  (0, import_common22.Injectable)()
+], ProofPresenceSensor);
+
+// src/sensors/protocol-strict.sensor.ts
+var import_common23 = require("@nestjs/common");
+var VALID_FLAGS = [
+  0,
+  // No flags
+  import_axis_protocol2.FLAG_BODY_TLV,
+  // Body contains TLVs
+  import_axis_protocol2.FLAG_CHAIN_REQ,
+  // Requires receipt chaining
+  import_axis_protocol2.FLAG_HAS_WITNESS,
+  // Has witness signatures
+  import_axis_protocol2.FLAG_BODY_TLV | import_axis_protocol2.FLAG_CHAIN_REQ,
+  import_axis_protocol2.FLAG_BODY_TLV | import_axis_protocol2.FLAG_HAS_WITNESS,
+  import_axis_protocol2.FLAG_CHAIN_REQ | import_axis_protocol2.FLAG_HAS_WITNESS,
+  import_axis_protocol2.FLAG_BODY_TLV | import_axis_protocol2.FLAG_CHAIN_REQ | import_axis_protocol2.FLAG_HAS_WITNESS
+];
+var ProtocolStrictSensor = class {
+  constructor(config) {
+    this.config = config;
+    this.logger = new import_common23.Logger(ProtocolStrictSensor.name);
+    /** Sensor identifier for logging and registry */
+    this.name = "ProtocolStrictSensor";
+    /**
+     * Execution order - FIRST sensor in the chain
+     *
+     * Order 10 ensures:
+     * - Runs before any other processing
+     * - Invalid frames rejected immediately
+     * - Protects all downstream sensors from malformed input
+     */
+    this.order = BAND.WIRE + 10;
+    this.protocolMagic = import_axis_protocol2.AXIS_MAGIC;
+    this.protocolVersion = import_axis_protocol2.AXIS_VERSION;
+  }
+  /**
+   * Static validation for streaming middleware (Fast Check)
+   */
+  static validateMagic(chunk, expected) {
+    if (chunk.length < expected.length) return { valid: true };
+    const actual = chunk.subarray(0, expected.length);
+    const valid = Buffer.from(actual).equals(Buffer.from(expected));
+    return {
+      valid,
+      actual: valid ? void 0 : new TextDecoder().decode(actual)
+    };
+  }
+  static validateVersion(version, expected) {
+    return version === expected;
+  }
+  /**
+   * Lifecycle hook: Registers this sensor in the chain on module initialization.
+   */
+  onModuleInit() {
+    const magicStr = this.config.get("AXIS_PROTOCOL_MAGIC");
+    this.protocolMagic = magicStr ? Buffer.from(magicStr, "ascii") : import_axis_protocol2.AXIS_MAGIC;
+    this.protocolVersion = this.config.get("AXIS_PROTOCOL_VERSION") || import_axis_protocol2.AXIS_VERSION;
+  }
+  /**
+   * Evaluate protocol strictness
+   */
+  async run(input) {
+    const validatedInput = ProtocolStrictInputZ.safeParse(input);
+    if (!validatedInput.success) {
+      this.logger.error(
+        `Invalid input: ${validatedInput.error.message}`,
+        validatedInput.error.issues
+      );
+      return {
+        action: "DENY",
+        code: "INVALID_INPUT",
+        reason: "Protocol validation input failed"
+      };
+    }
+    const { contentType, peek } = validatedInput.data;
+    const issues = [];
+    if (peek.length >= 8) {
+      const hex = Buffer.from(peek.subarray(0, 10)).toString("hex");
+      this.logger.debug(`Raw Frame Header (Hex): ${hex} (IP: ${input.ip})`);
+    }
+    if (contentType !== void 0) {
+      if (!this.isValidContentType(contentType)) {
+        issues.push(`invalid_content_type:${contentType}`);
+      }
+    }
+    if (peek.length < 9) {
+      return {
+        action: "DENY",
+        code: "FRAME_TOO_SHORT",
+        reason: "Frame too short for protocol header"
+      };
+    }
+    const magicCheck = ProtocolStrictSensor.validateMagic(
+      peek,
+      this.protocolMagic
+    );
+    if (!magicCheck.valid) {
+      return {
+        action: "DENY",
+        code: "INVALID_MAGIC",
+        reason: `Expected ${new TextDecoder().decode(this.protocolMagic)} magic, got ${magicCheck.actual}`
+      };
+    }
+    const version = peek[5];
+    if (!ProtocolStrictSensor.validateVersion(version, this.protocolVersion)) {
+      issues.push(`unsupported_version:${version}`);
+    }
+    const flags = peek[6];
+    if (!this.isValidFlags(flags)) {
+      issues.push(`invalid_flags:0x${flags.toString(16)}`);
+    }
+    if (peek.length >= 10) {
+      const lengthCheck = this.checkVarintEncoding(peek.subarray(7));
+      if (!lengthCheck.valid) {
+        issues.push(`non_minimal_varint:${lengthCheck.reason}`);
+      }
+    }
+    if (peek.length >= 20) {
+      const tlvCheck = this.checkTLVOrdering(peek);
+      if (!tlvCheck.valid) {
+        issues.push(`tlv_not_canonical:${tlvCheck.reason}`);
+      }
+      const hasClientVersion = await this.checkForClientVersion(peek);
+      if (!hasClientVersion) {
+        issues.push("missing_client_version");
+      }
+    }
+    if (issues.length > 0) {
+      const critical = issues.some(
+        (i) => i.startsWith("invalid_magic") || i.startsWith("unsupported_version")
+      );
+      if (critical) {
+        return {
+          action: "DENY",
+          code: "PROTOCOL_VIOLATION",
+          reason: issues.join(", ")
+        };
+      }
+      this.logger.warn(
+        `Protocol issues from ${input.ip}: ${issues.join(", ")}`
+      );
+      return {
+        action: "FLAG",
+        scoreDelta: -issues.length * 2,
+        reasons: issues
+      };
+    }
+    return { action: "ALLOW" };
+  }
+  /**
+   * Compare two buffers for equality
+   */
+  buffersEqual(a, b) {
+    if (a.length !== b.length) return false;
+    for (let i = 0; i < a.length; i++) {
+      if (a[i] !== b[i]) return false;
+    }
+    return true;
+  }
+  /**
+   * Check if Content-Type is valid for AXIS
+   */
+  isValidContentType(contentType) {
+    const valid = [
+      "application/axis-bin",
+      "application/octet-stream",
+      "application/x-axis"
+    ];
+    return valid.some((v) => contentType.toLowerCase().includes(v));
+  }
+  /**
+   * Check if flags are a valid combination
+   */
+  isValidFlags(flags) {
+    return VALID_FLAGS.includes(flags);
+  }
+  /**
+   * Check varint encoding is minimal (no leading zeros)
+   */
+  checkVarintEncoding(data) {
+    try {
+      const { value, length: bytesRead } = (0, import_axis_protocol3.decodeVarint)(data, 0);
+      if (value < 128 && bytesRead > 1) {
+        return { valid: false, reason: "non-minimal-small-value" };
+      }
+      if (value < 16384 && bytesRead > 2) {
+        return { valid: false, reason: "non-minimal-medium-value" };
+      }
+      return { valid: true };
+    } catch {
+      return { valid: false, reason: "varint-decode-error" };
+    }
+  }
+  /**
+   * Check TLV ordering is canonical (sorted by type, no duplicates)
+   */
+  checkTLVOrdering(data) {
+    try {
+      let offset = 7;
+      const { value: hdrLen, length: hdrBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += hdrBytes;
+      const { length: bodyBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += bodyBytes;
+      const { length: sigBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += sigBytes;
+      const hdrStart = offset;
+      const hdrEnd = hdrStart + Number(hdrLen);
+      if (hdrEnd > data.length) {
+        return { valid: true };
+      }
+      let lastType = -1;
+      let pos = hdrStart;
+      while (pos < hdrEnd && pos < data.length - 2) {
+        const { value: type, length: typeBytes } = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += typeBytes;
+        if (pos >= hdrEnd) break;
+        const { value: len, length: lenBytes } = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += lenBytes;
+        if (Number(type) <= lastType) {
+          return {
+            valid: false,
+            reason: `type-${type}-after-${lastType}`
+          };
+        }
+        lastType = Number(type);
+        pos += Number(len);
+      }
+      return { valid: true };
+    } catch {
+      return { valid: true };
+    }
+  }
+  /**
+   * Check if TLV 100 (Client Version) exists in the headers
+   */
+  async checkForClientVersion(data) {
+    try {
+      let offset = 7;
+      const { value: hdrLen, length: hdrBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += hdrBytes;
+      const { length: bodyBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += bodyBytes;
+      const { length: sigBytes } = (0, import_axis_protocol3.decodeVarint)(data, offset);
+      offset += sigBytes;
+      const hdrEnd = offset + Number(hdrLen);
+      let pos = offset;
+      while (pos < hdrEnd && pos < data.length) {
+        const { value: type, length: typeBytes } = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += typeBytes;
+        const { length: lenBytes } = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += lenBytes;
+        const { value: valLen, length: valLenBytes } = (0, import_axis_protocol3.decodeVarint)(
+          data,
+          pos - lenBytes
+        );
+      }
+      pos = offset;
+      while (pos < hdrEnd && pos < data.length) {
+        const t = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += t.length;
+        const l = (0, import_axis_protocol3.decodeVarint)(data, pos);
+        pos += l.length;
+        if (t.value === 100) return true;
+        pos += Number(l.value);
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
+};
+ProtocolStrictSensor = __decorateClass([
+  Sensor({ phase: "PRE_DECODE" }),
+  (0, import_common23.Injectable)()
+], ProtocolStrictSensor);
+
+// src/sensors/receipt-policy.sensor.ts
+var import_common24 = require("@nestjs/common");
+var ReceiptPolicySensor = class {
+  constructor() {
+    this.name = "ReceiptPolicySensor";
+    this.order = BAND.BUSINESS + 20;
+  }
+  supports() {
+    return true;
+  }
+  async run() {
+    return { action: "ALLOW" };
+  }
+};
+ReceiptPolicySensor = __decorateClass([
+  (0, import_common24.Injectable)(),
+  Sensor()
+], ReceiptPolicySensor);
+
+// src/sensors/schema-validation.sensor.ts
+var import_common25 = require("@nestjs/common");
+function readU64be(b) {
+  if (b.length !== 8)
+    throw new AxisError("SCHEMA_TYPE_MISMATCH", "u64 must be 8 bytes", 400);
+  let x = 0n;
+  for (const by of b) x = x << 8n | BigInt(by);
+  return x;
+}
+var SchemaValidationSensor = class {
+  constructor() {
+    /** Sensor identifier for logging and registry */
+    this.name = "SchemaValidationSensor";
+    /**
+     * Execution order - runs late in the pipeline
+     *
+     * Order 170 ensures:
+     * - All authentication complete
+     * - All policy checks complete
+     * - Data validated before handler execution
+     */
+    this.order = BAND.CONTENT + 35;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Only activates when a schema is provided for the intent (post-decode phase).
+   *
+   * @param {any} input - Sensor input
+   * @returns {boolean} True if schema exists in metadata
+   */
+  supports(input) {
+    return !!input.metadata?.schema;
+  }
+  /**
+   * Validates TLV fields against the schema definition.
+   *
+   * **Validation Steps:**
+   * 1. Validate the schema itself using Zod
+   * 2. Iterate through each field definition
+   * 3. Check required fields are present
+   * 4. Validate size limits (maxLen)
+   * 5. Validate type-specific rules
+   *
+   * @param {any} input - Standard SensorInput
+   * @returns {{ action: 'ALLOW' } | { action: 'DENY', code: string, reason: string }} Decision
+   */
+  async run(input) {
+    const schema = input.metadata?.schema;
+    const headerTLVs = input.headerTLVs;
+    const bodyTLVs = input.bodyTLVs;
+    if (!schema) {
+      return { action: "ALLOW" };
+    }
+    const validatedSchema = IntentSchemaZ.safeParse(schema);
+    if (!validatedSchema.success) {
+      return {
+        action: "DENY",
+        code: "SCHEMA_INVALID",
+        reason: `Schema validation failed: ${validatedSchema.error.message}`
+      };
+    }
+    try {
+      for (const field of schema.fields) {
+        const scope = field.scope ?? "body";
+        const map3 = scope === "header" ? headerTLVs : bodyTLVs;
+        const val = map3?.get(field.tlv);
+        if (field.required && !val) {
+          throw new AxisError(
+            "SCHEMA_FIELD_MISSING",
+            `Missing required field: ${field.name} (TLV ${field.tlv})`,
+            400
+          );
+        }
+        if (!val) continue;
+        if (typeof field.maxLen === "number" && val.length > field.maxLen) {
+          throw new AxisError(
+            "SCHEMA_LIMIT_EXCEEDED",
+            `Field ${field.name} too large (${val.length} > ${field.maxLen})`,
+            413
+            // Payload Too Large
+          );
+        }
+        switch (field.kind) {
+          case "utf8":
+            try {
+              new TextDecoder("utf-8", { fatal: true }).decode(val);
+            } catch {
+              throw new AxisError(
+                "SCHEMA_TYPE_MISMATCH",
+                `Invalid UTF-8 in ${field.name}`,
+                400
+              );
+            }
+            break;
+          case "bool":
+            if (val.length !== 1 || val[0] !== 0 && val[0] !== 1) {
+              throw new AxisError(
+                "SCHEMA_TYPE_MISMATCH",
+                `Invalid bool: ${field.name}`,
+                400
+              );
+            }
+            break;
+          case "u64": {
+            const x = readU64be(val);
+            if (field.max) {
+              const mx = BigInt(field.max);
+              if (x > mx) {
+                throw new AxisError(
+                  "SCHEMA_LIMIT_EXCEEDED",
+                  `u64 ${field.name} exceeds max (${x} > ${mx})`,
+                  400
+                );
+              }
+            }
+            break;
+          }
+          case "bytes16":
+            if (val.length !== 16) {
+              throw new AxisError(
+                "SCHEMA_TYPE_MISMATCH",
+                `bytes16 required for ${field.name}`,
+                400
+              );
+            }
+            break;
+          case "bytes":
+            break;
+          case "obj":
+          case "arr":
+            break;
+          default:
+            throw new AxisError(
+              "SCHEMA_TYPE_MISMATCH",
+              `Unknown schema kind: ${field.kind}`,
+              500
+            );
+        }
+      }
+      const validators = input.metadata?.validators;
+      if (validators && validators.size > 0) {
+        for (const field of schema.fields) {
+          const fns = validators.get(field.tlv);
+          if (!fns || fns.length === 0) continue;
+          const scope = field.scope ?? "body";
+          const map3 = scope === "header" ? headerTLVs : bodyTLVs;
+          const val = map3?.get(field.tlv);
+          if (!val) continue;
+          for (const fn of fns) {
+            const error = fn(val, field.name);
+            if (error) {
+              throw new AxisError(
+                "SCHEMA_VALIDATION_FAILED",
+                `${field.name} (TLV ${field.tlv}): ${error}`,
+                400
+              );
+            }
+          }
+        }
+      }
+    } catch (err) {
+      if (err instanceof AxisError) {
+        return {
+          action: "DENY",
+          code: err.code,
+          reason: err.message
+        };
+      }
+      throw err;
+    }
+    return { action: "ALLOW" };
+  }
+};
+SchemaValidationSensor = __decorateClass([
+  Sensor(),
+  (0, import_common25.Injectable)()
+], SchemaValidationSensor);
+
+// src/sensors/stream-scope.sensor.ts
+var import_common26 = require("@nestjs/common");
+var StreamScopeSensor = class {
+  constructor() {
+    /** Sensor identifier */
+    this.name = "StreamScopeSensor";
+    /**
+     * Execution order - near handler execution
+     *
+     * Order 200 ensures:
+     * - All authentication complete
+     * - All policy checks complete
+     * - Stream-specific check right before subscription
+     */
+    this.order = BAND.BUSINESS + 0;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Currently processes all inputs.
+   *
+   * @returns {boolean} Always true
+   */
+  supports() {
+    return true;
+  }
+  /**
+   * Validates stream topic access permissions.
+   *
+   * **Current Implementation:** Stub that always allows.
+   *
+   * **TODO:** Full implementation should:
+   * 1. Check if intent is stream.subscribe or stream.publish
+   * 2. Extract topic from body TLVs
+   * 3. Parse topic into owner/resource pattern
+   * 4. Look up topic ACL from database/cache
+   * 5. Check if actor has required permission (read/write)
+   * 6. DENY if unauthorized
+   *
+   * @returns {Promise<SensorDecision>} ALLOW (stub implementation)
+   */
+  async run() {
+    return { action: "ALLOW" };
+  }
+};
+StreamScopeSensor = __decorateClass([
+  Sensor(),
+  (0, import_common26.Injectable)()
+], StreamScopeSensor);
+
+// src/sensors/tlv-parse.sensor.ts
+var import_common27 = require("@nestjs/common");
+var TLVParseSensor = class {
+  constructor() {
+    this.name = "TLVParseSensor";
+    this.order = BAND.CONTENT + 20;
+  }
+  supports(input) {
+    return !!input.packet;
+  }
+  async run(input) {
+    const packet = input.packet;
+    if (!packet) return { action: "ALLOW" };
+    const hdrBytes = packet.hdrBytes ?? packet.headerBytes;
+    if (hdrBytes && hdrBytes.length > 0) {
+      const result = this.validateCanonicalTLV(hdrBytes, "header");
+      if (result) return result;
+    }
+    const bodyBytes = packet.bodyBytes ?? input.body;
+    const bodyIsTlv = packet.flags !== void 0 ? (packet.flags & 1) !== 0 : false;
+    const bodyProfile = input.metadata?.schema?.bodyProfile;
+    const skipBody = bodyProfile === "RAW";
+    if (!skipBody && bodyIsTlv && bodyBytes && bodyBytes.length > 0) {
+      const result = this.validateCanonicalTLV(bodyBytes, "body");
+      if (result) return result;
+    }
+    return { action: "ALLOW" };
+  }
+  /**
+   * Validates a TLV buffer for canonical ordering, no duplicates,
+   * valid bounds, and minimal varint encoding.
+   */
+  validateCanonicalTLV(buf, section) {
+    let offset = 0;
+    let lastType = -1;
+    let count = 0;
+    const maxItems = 512;
+    while (offset < buf.length) {
+      if (count >= maxItems) {
+        return {
+          action: "DENY",
+          code: "TLV_LIMIT",
+          reason: `Too many TLVs in ${section}`
+        };
+      }
+      let type;
+      let typeLen;
+      try {
+        const r = (0, import_axis_protocol3.decodeVarint)(buf, offset);
+        type = r.value;
+        typeLen = r.length;
+      } catch {
+        return {
+          action: "DENY",
+          code: "TLV_PARSE_ERROR",
+          reason: `Malformed type varint in ${section} at offset ${offset}`
+        };
+      }
+      offset += typeLen;
+      if (type <= 0) {
+        return {
+          action: "DENY",
+          code: "TLV_INVALID_TAG",
+          reason: `Invalid tag ${type} in ${section}`
+        };
+      }
+      if (type <= lastType) {
+        return {
+          action: "DENY",
+          code: "TLV_NOT_CANONICAL",
+          reason: `Non-canonical tag order in ${section}: ${type} after ${lastType}`
+        };
+      }
+      lastType = type;
+      let len;
+      let lenLen;
+      try {
+        const r = (0, import_axis_protocol3.decodeVarint)(buf, offset);
+        len = r.value;
+        lenLen = r.length;
+      } catch {
+        return {
+          action: "DENY",
+          code: "TLV_PARSE_ERROR",
+          reason: `Malformed length varint in ${section}`
+        };
+      }
+      offset += lenLen;
+      if (offset + len > buf.length) {
+        return {
+          action: "DENY",
+          code: "TLV_TRUNCATED",
+          reason: `TLV value truncated in ${section}`
+        };
+      }
+      offset += len;
+      count++;
+    }
+    return null;
+  }
+};
+TLVParseSensor = __decorateClass([
+  Sensor(),
+  (0, import_common27.Injectable)()
+], TLVParseSensor);
+
+// src/sensors/varint-hardening.sensor.ts
+var import_common28 = require("@nestjs/common");
+var VarintHardeningSensor = class {
+  constructor() {
+    /** Sensor identifier */
+    this.name = "VarintHardeningSensor";
+    /**
+     * Execution order - early detection
+     *
+     * Order 40 ensures:
+     * - After protocol magic check
+     * - Before length-based parsing
+     */
+    this.order = BAND.WIRE + 35;
+    /** Maximum allowed bytes for a single varint */
+    this.MAX_VARINT_BYTES = 5;
+  }
+  /**
+   * Determines if this sensor should process the given input.
+   *
+   * Requires at least 7 bytes of peeked data.
+   *
+   * @param {SensorInput} input - Incoming request
+   * @returns {boolean} True if sufficient peek data
+   */
+  supports(input) {
+    return !!input.peek && input.peek.length >= 7;
+  }
+  /**
+   * Validates varint lengths in frame header.
+   *
+   * **Processing Flow:**
+   * 1. Skip to varint section (offset 7)
+   * 2. Scan for continuation bytes (MSB = 1)
+   * 3. Count consecutive continuation bytes
+   * 4. DENY if count exceeds MAX_VARINT_BYTES
+   *
+   * @param {SensorInput} input - Request with peek data
+   * @returns {Promise<SensorDecision>} ALLOW or DENY based on varint length
+   */
+  async run(input) {
+    const peek = input.peek;
+    const offset = 7;
+    const maxOffset = Math.min(offset + 15, peek.length);
+    let continuationCount = 0;
+    for (let i = offset; i < maxOffset; i++) {
+      if ((peek[i] & 128) !== 0) {
+        continuationCount++;
+        if (continuationCount > this.MAX_VARINT_BYTES) {
+          return {
+            action: "DENY",
+            code: "VARINT_OVERFLOW",
+            reason: `Varint exceeds ${this.MAX_VARINT_BYTES} bytes`
+          };
+        }
+      } else {
+        continuationCount = 0;
+      }
+    }
+    return { action: "ALLOW" };
+  }
+};
+VarintHardeningSensor = __decorateClass([
+  Sensor({ phase: "PRE_DECODE" }),
+  (0, import_common28.Injectable)()
+], VarintHardeningSensor);
+
+// src/utils/index.ts
+var utils_exports = {};
+__export(utils_exports, {
+  encodeAxisTlvDto: () => encodeAxisTlvDto
+});
+
+// src/utils/axis-tlv-codec.ts
+function encodeAxisTlvDto(dtoClass, data) {
+  const schema = extractDtoSchema(dtoClass);
+  const items = schema.fields.flatMap((field) => {
+    const value = data[field.name];
+    if (value === void 0 || value === null) {
+      if (field.required) {
+        throw new Error(`Missing required TLV response field: ${field.name}`);
+      }
+      return [];
+    }
+    return [{ type: field.tag, value: encodeField(field, value) }];
+  });
+  return buildTLVs(items);
+}
+function encodeField(field, value) {
+  switch (field.kind) {
+    case "utf8":
+      return Buffer.from(String(value), "utf8");
+    case "u64":
+      return encodeU64(value);
+    case "bytes":
+    case "bytes16":
+      return toBuffer(value);
+    case "bool":
+      return Buffer.from([value ? 1 : 0]);
+    case "obj":
+    case "arr":
+      return Buffer.from(JSON.stringify(value), "utf8");
+    default:
+      return toBuffer(value);
+  }
+}
+function encodeU64(value) {
+  const encoded = Buffer.alloc(8);
+  encoded.writeBigUInt64BE(
+    typeof value === "bigint" ? value : BigInt(value)
+  );
+  return encoded;
+}
+function toBuffer(value) {
+  if (Buffer.isBuffer(value)) {
+    return value;
+  }
+  if (value instanceof Uint8Array) {
+    return Buffer.from(value);
+  }
+  if (typeof value === "string") {
+    return Buffer.from(value, "utf8");
+  }
+  throw new Error(`Unsupported TLV bytes value: ${typeof value}`);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
@@ -2937,34 +5996,45 @@ var DiskUploadFileStore = class {
   buildAts1Hdr,
   buildDtoDecoder,
   buildPacket,
+  buildQueueMessage,
   buildReceiptHash,
   buildTLVs,
+  buildUnsignedWitness,
   bytes,
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  canonicalizeObservation,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
+  core,
+  crypto,
   decodeArray,
   decodeAxis1Frame,
   decodeFrame,
   decodeObject,
+  decodeQueueMessage,
   decodeTLVs,
   decodeTLVsList,
   decodeVarint,
+  decorators,
   encVarint,
   encodeAxis1Frame,
   encodeFrame,
+  encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
+  engine,
   extractDtoSchema,
   generateEd25519KeyPair,
   getSignTarget,
   hasScope,
+  hashObservation,
   isAdminOpcode,
   isKnownOpcode,
   isTimestampValid,
+  loom,
   nonce16,
   normalizeSensorDecision,
   packPasskeyLoginOptionsReq,
@@ -2972,20 +6042,28 @@ var DiskUploadFileStore = class {
   packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq,
+  parseAutoClaimEntries,
   parseScope,
+  parseStreamEntries,
   resolveTimeout,
+  schemas,
+  security,
   sensitivityName,
+  sensors,
   sha256,
   signFrame,
+  stableJsonStringify,
   tlv,
   u64be,
   unpackPasskeyLoginOptionsReq,
   unpackPasskeyLoginVerifyReq,
   unpackPasskeyRegisterOptionsReq,
   utf8,
+  utils,
   validateFrameShape,
   varintLength,
   varintU,
-  verifyFrameSignature
+  verifyFrameSignature,
+  verifyResponse
 });
 //# sourceMappingURL=index.js.map