npm - @nextera.one/axis-server-sdk - Versions diffs - 1.3.0 → 1.4.0 - Mend

@nextera.one/axis-server-sdk 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.mjs CHANGED Viewed

@@ -718,6 +718,165 @@ IntentRouter = __decorateClass([
   __decorateParam(0, Optional())
 ], IntentRouter);
+// src/engine/observation/stable-json.ts
+function normalize(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => normalize(item));
+  }
+  if (value && typeof value === "object") {
+    const entries = Object.entries(value).filter(([, nested]) => nested !== void 0).sort(([left], [right]) => left.localeCompare(right));
+    const normalized = {};
+    for (const [key, nested] of entries) {
+      normalized[key] = normalize(nested);
+    }
+    return normalized;
+  }
+  return value;
+}
+function stableJsonStringify(value) {
+  return JSON.stringify(normalize(value));
+}
+// src/engine/observation/observation-queue.codec.ts
+function buildQueueMessage(observation, sourceNodeId, previous, lastError) {
+  const now = Date.now();
+  return {
+    v: 1,
+    observation,
+    attempts: previous ? previous.attempts + 1 : 0,
+    firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,
+    lastEnqueuedAt: now,
+    sourceNodeId,
+    lastError
+  };
+}
+function encodeQueueMessage(message) {
+  return JSON.stringify(message);
+}
+function decodeQueueMessage(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || parsed.v !== 1 || !parsed.observation?.id) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function parseStreamEntries(raw) {
+  if (!Array.isArray(raw)) {
+    return [];
+  }
+  const entries = [];
+  for (const streamRow of raw) {
+    if (!Array.isArray(streamRow) || streamRow.length < 2) {
+      continue;
+    }
+    const messageRows = streamRow[1];
+    if (!Array.isArray(messageRows)) {
+      continue;
+    }
+    for (const row of messageRows) {
+      if (!Array.isArray(row) || row.length < 2) {
+        continue;
+      }
+      const id = String(row[0]);
+      const fields = Array.isArray(row[1]) ? row[1] : [];
+      const fieldMap = fieldsToMap(fields);
+      const payload = fieldMap.get("payload");
+      if (!payload) {
+        continue;
+      }
+      const message = decodeQueueMessage(payload);
+      if (!message) {
+        continue;
+      }
+      entries.push({ id, message });
+    }
+  }
+  return entries;
+}
+function parseAutoClaimEntries(raw) {
+  if (!Array.isArray(raw) || raw.length < 2) {
+    return [];
+  }
+  const rows = Array.isArray(raw[1]) ? raw[1] : [];
+  return parseStreamEntries([["stream", rows]]);
+}
+function fieldsToMap(fields) {
+  const map3 = /* @__PURE__ */ new Map();
+  for (let i = 0; i < fields.length; i += 2) {
+    const key = fields[i];
+    const value = fields[i + 1];
+    if (key !== void 0 && value !== void 0) {
+      map3.set(String(key), String(value));
+    }
+  }
+  return map3;
+}
+// src/engine/observation/observation-hash.ts
+import { createHash } from "crypto";
+function canonicalizeObservation(obs) {
+  const obj = {
+    id: obs.id,
+    startMs: obs.startMs,
+    endMs: obs.endMs,
+    transport: obs.transport,
+    ip: obs.ip,
+    intent: obs.intent,
+    actorId: obs.actorId,
+    capsuleId: obs.capsuleId,
+    decision: obs.decision,
+    resultCode: obs.resultCode,
+    statusCode: obs.statusCode,
+    durationMs: obs.durationMs,
+    stages: obs.stages.map((s) => ({
+      name: s.name,
+      status: s.status,
+      startMs: s.startMs,
+      endMs: s.endMs,
+      durationMs: s.durationMs,
+      reason: s.reason,
+      code: s.code
+    })),
+    sensors: obs.sensors.map((s) => ({
+      name: s.name,
+      allowed: s.allowed,
+      riskScore: s.riskScore,
+      durationMs: s.durationMs,
+      reasons: s.reasons,
+      code: s.code
+    }))
+  };
+  return stableJsonStringify(obj);
+}
+function hashObservation(obs) {
+  const canonical = canonicalizeObservation(obs);
+  return createHash("sha256").update(canonical).digest("hex");
+}
+function buildUnsignedWitness(obs) {
+  if (!obs.decision || !obs.endMs) {
+    return null;
+  }
+  return {
+    v: 1,
+    observationId: obs.id,
+    payloadHash: hashObservation(obs),
+    sealedAt: Date.now(),
+    summary: {
+      intent: obs.intent,
+      actorId: obs.actorId,
+      decision: obs.decision,
+      statusCode: obs.statusCode,
+      durationMs: obs.durationMs,
+      sensorCount: obs.sensors.length,
+      stageCount: obs.stages.length
+    }
+  };
+}
 // src/core/constants.ts
 import {
   AXIS_MAGIC,
@@ -784,6 +943,51 @@ import {
   ERR_CONTRACT_VIOLATION
 } from "@nextera.one/axis-protocol";
+// src/engine/observation/response-observer.ts
+var SENSITIVE_RESPONSE_TAGS = [4, 5, 6];
+function verifyResponse(ctx, response) {
+  if (!response.effect || typeof response.effect !== "string") {
+    return {
+      passed: false,
+      code: "OBSERVER_INVALID_EFFECT",
+      reason: "Response effect is missing or invalid"
+    };
+  }
+  if (response.ok && (!response.body || response.body.length === 0)) {
+    return {
+      passed: false,
+      code: "OBSERVER_EMPTY_BODY",
+      reason: "Successful response must contain a body"
+    };
+  }
+  if (response.body && response.body.length > MAX_BODY_LEN) {
+    return {
+      passed: false,
+      code: "OBSERVER_BODY_OVERFLOW",
+      reason: `Response body exceeds ${MAX_BODY_LEN} bytes`
+    };
+  }
+  if (response.headers) {
+    for (const tag of SENSITIVE_RESPONSE_TAGS) {
+      if (response.headers.has(tag)) {
+        return {
+          passed: false,
+          code: "OBSERVER_DATA_LEAK",
+          reason: `Response must not contain sensitive TLV tag ${tag}`
+        };
+      }
+    }
+  }
+  if (response.effect.includes("Error:") || response.effect.includes("stack") || response.effect.includes("at /")) {
+    return {
+      passed: false,
+      code: "OBSERVER_INFO_LEAK",
+      reason: "Response effect may contain internal error details"
+    };
+  }
+  return { passed: true };
+}
 // src/core/varint.ts
 import { encodeVarint, decodeVarint, varintLength } from "@nextera.one/axis-protocol";
@@ -1059,7 +1263,7 @@ __export(ats1_exports, {
   tlvsToMap: () => tlvsToMap,
   validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
 });
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 var DEFAULT_LIMITS = {
   maxVarintBytes: 10,
   maxTlvCount: 512,
@@ -1109,7 +1313,7 @@ function decodeU64BE(buf) {
   return buf.readBigUInt64BE(0);
 }
 function sha2562(data) {
-  return createHash2("sha256").update(data).digest();
+  return createHash3("sha256").update(data).digest();
 }
 function encodeTLV(tag, value) {
   if (!Number.isInteger(tag) || tag <= 0)
@@ -2272,9 +2476,9 @@ function isAdminOpcode(op) {
 }
 // src/core/receipt.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
-  const h = createHash3("sha256");
+  const h = createHash4("sha256");
   if (prevHash) h.update(prevHash);
   h.update(pid);
   h.update(Buffer.from(actorId, "utf8"));
@@ -3109,6 +3313,7 @@ __export(engine_exports, {
   createObservation: () => createObservation,
   endStage: () => endStage,
   finalizeObservation: () => finalizeObservation,
+  observation: () => observation_exports,
   recordSensor: () => recordSensor,
   startStage: () => startStage
 });
@@ -3395,6 +3600,21 @@ SensorRegistry = __decorateClass([
   Injectable7()
 ], SensorRegistry);
+// src/engine/observation/index.ts
+var observation_exports = {};
+__export(observation_exports, {
+  buildQueueMessage: () => buildQueueMessage,
+  buildUnsignedWitness: () => buildUnsignedWitness,
+  canonicalizeObservation: () => canonicalizeObservation,
+  decodeQueueMessage: () => decodeQueueMessage,
+  encodeQueueMessage: () => encodeQueueMessage,
+  hashObservation: () => hashObservation,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
+  parseStreamEntries: () => parseStreamEntries,
+  stableJsonStringify: () => stableJsonStringify,
+  verifyResponse: () => verifyResponse
+});
 // src/loom/index.ts
 var loom_exports = {};
 __export(loom_exports, {
@@ -4137,7 +4357,7 @@ CapabilityEnforcementSensor = __decorateClass([
 // src/sensors/chunk-hash.sensor.ts
 import { Injectable as Injectable12 } from "@nestjs/common";
-import { createHash as createHash6 } from "crypto";
+import { createHash as createHash7 } from "crypto";
 var ChunkHashSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -4196,7 +4416,7 @@ var ChunkHashSensor = class {
         reason: "Missing sha256Chunk TLV in header"
       };
     }
-    const actual = createHash6("sha256").update(bodyBytes).digest();
+    const actual = createHash7("sha256").update(bodyBytes).digest();
     if (!Buffer.from(actual).equals(Buffer.from(expected))) {
       return {
         action: "DENY",
@@ -5627,12 +5847,15 @@ export {
   buildAts1Hdr,
   buildDtoDecoder,
   buildPacket,
+  buildQueueMessage,
   buildReceiptHash,
   buildTLVs,
+  buildUnsignedWitness,
   bytes,
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  canonicalizeObservation,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -5642,6 +5865,7 @@ export {
   decodeAxis1Frame,
   decodeFrame,
   decodeObject,
+  decodeQueueMessage,
   decodeTLVs,
   decodeTLVsList,
   decodeVarint,
@@ -5649,6 +5873,7 @@ export {
   encVarint,
   encodeAxis1Frame,
   encodeFrame,
+  encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
   engine_exports as engine,
@@ -5656,6 +5881,7 @@ export {
   generateEd25519KeyPair,
   getSignTarget,
   hasScope,
+  hashObservation,
   isAdminOpcode,
   isKnownOpcode,
   isTimestampValid,
@@ -5667,7 +5893,9 @@ export {
   packPasskeyLoginVerifyReq,
   packPasskeyLoginVerifyRes,
   packPasskeyRegisterOptionsReq,
+  parseAutoClaimEntries,
   parseScope,
+  parseStreamEntries,
   resolveTimeout,
   schemas_exports as schemas,
   security_exports as security,
@@ -5675,6 +5903,7 @@ export {
   sensors_exports as sensors,
   sha256,
   signFrame,
+  stableJsonStringify,
   tlv,
   u64be,
   unpackPasskeyLoginOptionsReq,
@@ -5685,6 +5914,7 @@ export {
   validateFrameShape,
   varintLength,
   varintU,
-  verifyFrameSignature
+  verifyFrameSignature,
+  verifyResponse
 };
 //# sourceMappingURL=index.mjs.map