npm - @nextera.one/axis-server-sdk - Versions diffs - 1.3.0 → 1.4.0 - Mend

@nextera.one/axis-server-sdk 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -166,12 +166,15 @@ __export(index_exports, {
   buildAts1Hdr: () => buildAts1Hdr,
   buildDtoDecoder: () => buildDtoDecoder,
   buildPacket: () => buildPacket,
+  buildQueueMessage: () => buildQueueMessage,
   buildReceiptHash: () => buildReceiptHash,
   buildTLVs: () => buildTLVs,
+  buildUnsignedWitness: () => buildUnsignedWitness,
   bytes: () => bytes,
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  canonicalizeObservation: () => canonicalizeObservation,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
@@ -181,6 +184,7 @@ __export(index_exports, {
   decodeAxis1Frame: () => decodeAxis1Frame,
   decodeFrame: () => decodeFrame,
   decodeObject: () => import_axis_protocol.decodeObject,
+  decodeQueueMessage: () => decodeQueueMessage,
   decodeTLVs: () => import_axis_protocol.decodeTLVs,
   decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
   decodeVarint: () => import_axis_protocol3.decodeVarint,
@@ -188,6 +192,7 @@ __export(index_exports, {
   encVarint: () => encVarint,
   encodeAxis1Frame: () => encodeAxis1Frame,
   encodeFrame: () => encodeFrame,
+  encodeQueueMessage: () => encodeQueueMessage,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
   engine: () => engine_exports,
@@ -195,6 +200,7 @@ __export(index_exports, {
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
+  hashObservation: () => hashObservation,
   isAdminOpcode: () => isAdminOpcode,
   isKnownOpcode: () => isKnownOpcode,
   isTimestampValid: () => isTimestampValid,
@@ -206,7 +212,9 @@ __export(index_exports, {
   packPasskeyLoginVerifyReq: () => packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes: () => packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
   parseScope: () => parseScope,
+  parseStreamEntries: () => parseStreamEntries,
   resolveTimeout: () => resolveTimeout,
   schemas: () => schemas_exports,
   security: () => security_exports,
@@ -214,6 +222,7 @@ __export(index_exports, {
   sensors: () => sensors_exports,
   sha256: () => sha256,
   signFrame: () => signFrame,
+  stableJsonStringify: () => stableJsonStringify,
   tlv: () => tlv,
   u64be: () => u64be,
   unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
@@ -224,7 +233,8 @@ __export(index_exports, {
   validateFrameShape: () => validateFrameShape,
   varintLength: () => import_axis_protocol3.varintLength,
   varintU: () => varintU,
-  verifyFrameSignature: () => verifyFrameSignature
+  verifyFrameSignature: () => verifyFrameSignature,
+  verifyResponse: () => verifyResponse
 });
 module.exports = __toCommonJS(index_exports);
@@ -919,9 +929,213 @@ IntentRouter = __decorateClass([
   __decorateParam(0, (0, import_common2.Optional)())
 ], IntentRouter);
+// src/engine/observation/stable-json.ts
+function normalize(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => normalize(item));
+  }
+  if (value && typeof value === "object") {
+    const entries = Object.entries(value).filter(([, nested]) => nested !== void 0).sort(([left], [right]) => left.localeCompare(right));
+    const normalized = {};
+    for (const [key, nested] of entries) {
+      normalized[key] = normalize(nested);
+    }
+    return normalized;
+  }
+  return value;
+}
+function stableJsonStringify(value) {
+  return JSON.stringify(normalize(value));
+}
+// src/engine/observation/observation-queue.codec.ts
+function buildQueueMessage(observation, sourceNodeId, previous, lastError) {
+  const now = Date.now();
+  return {
+    v: 1,
+    observation,
+    attempts: previous ? previous.attempts + 1 : 0,
+    firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,
+    lastEnqueuedAt: now,
+    sourceNodeId,
+    lastError
+  };
+}
+function encodeQueueMessage(message) {
+  return JSON.stringify(message);
+}
+function decodeQueueMessage(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || parsed.v !== 1 || !parsed.observation?.id) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function parseStreamEntries(raw) {
+  if (!Array.isArray(raw)) {
+    return [];
+  }
+  const entries = [];
+  for (const streamRow of raw) {
+    if (!Array.isArray(streamRow) || streamRow.length < 2) {
+      continue;
+    }
+    const messageRows = streamRow[1];
+    if (!Array.isArray(messageRows)) {
+      continue;
+    }
+    for (const row of messageRows) {
+      if (!Array.isArray(row) || row.length < 2) {
+        continue;
+      }
+      const id = String(row[0]);
+      const fields = Array.isArray(row[1]) ? row[1] : [];
+      const fieldMap = fieldsToMap(fields);
+      const payload = fieldMap.get("payload");
+      if (!payload) {
+        continue;
+      }
+      const message = decodeQueueMessage(payload);
+      if (!message) {
+        continue;
+      }
+      entries.push({ id, message });
+    }
+  }
+  return entries;
+}
+function parseAutoClaimEntries(raw) {
+  if (!Array.isArray(raw) || raw.length < 2) {
+    return [];
+  }
+  const rows = Array.isArray(raw[1]) ? raw[1] : [];
+  return parseStreamEntries([["stream", rows]]);
+}
+function fieldsToMap(fields) {
+  const map3 = /* @__PURE__ */ new Map();
+  for (let i = 0; i < fields.length; i += 2) {
+    const key = fields[i];
+    const value = fields[i + 1];
+    if (key !== void 0 && value !== void 0) {
+      map3.set(String(key), String(value));
+    }
+  }
+  return map3;
+}
+// src/engine/observation/observation-hash.ts
+var import_crypto = require("crypto");
+function canonicalizeObservation(obs) {
+  const obj = {
+    id: obs.id,
+    startMs: obs.startMs,
+    endMs: obs.endMs,
+    transport: obs.transport,
+    ip: obs.ip,
+    intent: obs.intent,
+    actorId: obs.actorId,
+    capsuleId: obs.capsuleId,
+    decision: obs.decision,
+    resultCode: obs.resultCode,
+    statusCode: obs.statusCode,
+    durationMs: obs.durationMs,
+    stages: obs.stages.map((s) => ({
+      name: s.name,
+      status: s.status,
+      startMs: s.startMs,
+      endMs: s.endMs,
+      durationMs: s.durationMs,
+      reason: s.reason,
+      code: s.code
+    })),
+    sensors: obs.sensors.map((s) => ({
+      name: s.name,
+      allowed: s.allowed,
+      riskScore: s.riskScore,
+      durationMs: s.durationMs,
+      reasons: s.reasons,
+      code: s.code
+    }))
+  };
+  return stableJsonStringify(obj);
+}
+function hashObservation(obs) {
+  const canonical = canonicalizeObservation(obs);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex");
+}
+function buildUnsignedWitness(obs) {
+  if (!obs.decision || !obs.endMs) {
+    return null;
+  }
+  return {
+    v: 1,
+    observationId: obs.id,
+    payloadHash: hashObservation(obs),
+    sealedAt: Date.now(),
+    summary: {
+      intent: obs.intent,
+      actorId: obs.actorId,
+      decision: obs.decision,
+      statusCode: obs.statusCode,
+      durationMs: obs.durationMs,
+      sensorCount: obs.sensors.length,
+      stageCount: obs.stages.length
+    }
+  };
+}
 // src/core/constants.ts
 var import_axis_protocol2 = require("@nextera.one/axis-protocol");
+// src/engine/observation/response-observer.ts
+var SENSITIVE_RESPONSE_TAGS = [4, 5, 6];
+function verifyResponse(ctx, response) {
+  if (!response.effect || typeof response.effect !== "string") {
+    return {
+      passed: false,
+      code: "OBSERVER_INVALID_EFFECT",
+      reason: "Response effect is missing or invalid"
+    };
+  }
+  if (response.ok && (!response.body || response.body.length === 0)) {
+    return {
+      passed: false,
+      code: "OBSERVER_EMPTY_BODY",
+      reason: "Successful response must contain a body"
+    };
+  }
+  if (response.body && response.body.length > import_axis_protocol2.MAX_BODY_LEN) {
+    return {
+      passed: false,
+      code: "OBSERVER_BODY_OVERFLOW",
+      reason: `Response body exceeds ${import_axis_protocol2.MAX_BODY_LEN} bytes`
+    };
+  }
+  if (response.headers) {
+    for (const tag of SENSITIVE_RESPONSE_TAGS) {
+      if (response.headers.has(tag)) {
+        return {
+          passed: false,
+          code: "OBSERVER_DATA_LEAK",
+          reason: `Response must not contain sensitive TLV tag ${tag}`
+        };
+      }
+    }
+  }
+  if (response.effect.includes("Error:") || response.effect.includes("stack") || response.effect.includes("at /")) {
+    return {
+      passed: false,
+      code: "OBSERVER_INFO_LEAK",
+      reason: "Response effect may contain internal error details"
+    };
+  }
+  return { passed: true };
+}
 // src/core/varint.ts
 var import_axis_protocol3 = require("@nextera.one/axis-protocol");
@@ -1197,7 +1411,7 @@ __export(ats1_exports, {
   tlvsToMap: () => tlvsToMap,
   validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
 });
-var import_crypto = require("crypto");
+var import_crypto2 = require("crypto");
 var DEFAULT_LIMITS = {
   maxVarintBytes: 10,
   maxTlvCount: 512,
@@ -1247,7 +1461,7 @@ function decodeU64BE(buf) {
   return buf.readBigUInt64BE(0);
 }
 function sha2562(data) {
-  return (0, import_crypto.createHash)("sha256").update(data).digest();
+  return (0, import_crypto2.createHash)("sha256").update(data).digest();
 }
 function encodeTLV(tag, value) {
   if (!Number.isInteger(tag) || tag <= 0)
@@ -1836,7 +2050,7 @@ function packPasskeyLoginVerifyRes(params) {
 }
 // src/codec/tlv.encode.ts
-var import_crypto2 = require("crypto");
+var import_crypto3 = require("crypto");
 function encVarint(x) {
   if (x < 0n) throw new Error("VARINT_NEG");
   const out = [];
@@ -1864,7 +2078,7 @@ function bytes(b) {
   return Buffer.isBuffer(b) ? b : Buffer.from(b);
 }
 function nonce16() {
-  return (0, import_crypto2.randomBytes)(16);
+  return (0, import_crypto3.randomBytes)(16);
 }
 function tlv(type, value) {
   if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
@@ -2410,9 +2624,9 @@ function isAdminOpcode(op) {
 }
 // src/core/receipt.ts
-var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
 function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
-  const h = (0, import_crypto3.createHash)("sha256");
+  const h = (0, import_crypto4.createHash)("sha256");
   if (prevHash) h.update(prevHash);
   h.update(pid);
   h.update(Buffer.from(actorId, "utf8"));
@@ -3247,15 +3461,16 @@ __export(engine_exports, {
   createObservation: () => createObservation,
   endStage: () => endStage,
   finalizeObservation: () => finalizeObservation,
+  observation: () => observation_exports,
   recordSensor: () => recordSensor,
   startStage: () => startStage
 });
 // src/engine/axis-observation.ts
-var import_crypto4 = require("crypto");
+var import_crypto5 = require("crypto");
 function createObservation(transport, ip) {
   return {
-    id: (0, import_crypto4.randomBytes)(16).toString("hex"),
+    id: (0, import_crypto5.randomBytes)(16).toString("hex"),
     startMs: Date.now(),
     transport,
     ip,
@@ -3533,6 +3748,21 @@ SensorRegistry = __decorateClass([
   (0, import_common9.Injectable)()
 ], SensorRegistry);
+// src/engine/observation/index.ts
+var observation_exports = {};
+__export(observation_exports, {
+  buildQueueMessage: () => buildQueueMessage,
+  buildUnsignedWitness: () => buildUnsignedWitness,
+  canonicalizeObservation: () => canonicalizeObservation,
+  decodeQueueMessage: () => decodeQueueMessage,
+  encodeQueueMessage: () => encodeQueueMessage,
+  hashObservation: () => hashObservation,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
+  parseStreamEntries: () => parseStreamEntries,
+  stableJsonStringify: () => stableJsonStringify,
+  verifyResponse: () => verifyResponse
+});
 // src/loom/index.ts
 var loom_exports = {};
 __export(loom_exports, {
@@ -4275,7 +4505,7 @@ CapabilityEnforcementSensor = __decorateClass([
 // src/sensors/chunk-hash.sensor.ts
 var import_common14 = require("@nestjs/common");
-var import_crypto5 = require("crypto");
+var import_crypto6 = require("crypto");
 var ChunkHashSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -4334,7 +4564,7 @@ var ChunkHashSensor = class {
         reason: "Missing sha256Chunk TLV in header"
       };
     }
-    const actual = (0, import_crypto5.createHash)("sha256").update(bodyBytes).digest();
+    const actual = (0, import_crypto6.createHash)("sha256").update(bodyBytes).digest();
     if (!Buffer.from(actual).equals(Buffer.from(expected))) {
       return {
         action: "DENY",
@@ -5766,12 +5996,15 @@ function toBuffer(value) {
   buildAts1Hdr,
   buildDtoDecoder,
   buildPacket,
+  buildQueueMessage,
   buildReceiptHash,
   buildTLVs,
+  buildUnsignedWitness,
   bytes,
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  canonicalizeObservation,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -5781,6 +6014,7 @@ function toBuffer(value) {
   decodeAxis1Frame,
   decodeFrame,
   decodeObject,
+  decodeQueueMessage,
   decodeTLVs,
   decodeTLVsList,
   decodeVarint,
@@ -5788,6 +6022,7 @@ function toBuffer(value) {
   encVarint,
   encodeAxis1Frame,
   encodeFrame,
+  encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
   engine,
@@ -5795,6 +6030,7 @@ function toBuffer(value) {
   generateEd25519KeyPair,
   getSignTarget,
   hasScope,
+  hashObservation,
   isAdminOpcode,
   isKnownOpcode,
   isTimestampValid,
@@ -5806,7 +6042,9 @@ function toBuffer(value) {
   packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq,
+  parseAutoClaimEntries,
   parseScope,
+  parseStreamEntries,
   resolveTimeout,
   schemas,
   security,
@@ -5814,6 +6052,7 @@ function toBuffer(value) {
   sensors,
   sha256,
   signFrame,
+  stableJsonStringify,
   tlv,
   u64be,
   unpackPasskeyLoginOptionsReq,
@@ -5824,6 +6063,7 @@ function toBuffer(value) {
   validateFrameShape,
   varintLength,
   varintU,
-  verifyFrameSignature
+  verifyFrameSignature,
+  verifyResponse
 });
 //# sourceMappingURL=index.js.map