@nextera.one/axis-server-sdk 1.3.0 → 1.5.0

package/dist/index.js CHANGED
@@ -47,14 +47,21 @@ __export(index_exports, {
47
47
  AXIS_UPLOAD_SESSION_STORE: () => AXIS_UPLOAD_SESSION_STORE,
48
48
  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
49
49
  Ats1Codec: () => ats1_exports,
50
+ AxisContext: () => AxisContext,
51
+ AxisDemoPubkey: () => AxisDemoPubkey,
52
+ AxisError: () => AxisError,
50
53
  AxisFilesDownloadHandler: () => AxisFilesDownloadHandler,
51
54
  AxisFilesFinalizeHandler: () => AxisFilesFinalizeHandler,
52
55
  AxisFrameZ: () => AxisFrameZ,
53
56
  AxisIdDto: () => AxisIdDto,
57
+ AxisIp: () => AxisIp,
54
58
  AxisPacketTags: () => T,
55
59
  AxisPartialType: () => AxisPartialType,
60
+ AxisRaw: () => AxisRaw,
56
61
  AxisResponseDto: () => AxisResponseDto,
62
+ AxisSensorChainService: () => AxisSensorChainService,
57
63
  AxisTlvDto: () => AxisTlvDto,
64
+ BAND: () => BAND,
58
65
  BodyProfile: () => import_axis_protocol2.BodyProfile,
59
66
  CAPABILITIES: () => CAPABILITIES,
60
67
  ContractViolationError: () => ContractViolationError,
@@ -72,7 +79,10 @@ __export(index_exports, {
72
79
  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
73
80
  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
74
81
  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
82
+ HANDLER_SENSORS_KEY: () => HANDLER_SENSORS_KEY,
75
83
  Handler: () => Handler,
84
+ HandlerDiscoveryService: () => HandlerDiscoveryService,
85
+ HandlerSensors: () => HandlerSensors,
76
86
  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
77
87
  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
78
88
  INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
@@ -99,6 +109,7 @@ __export(index_exports, {
99
109
  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
100
110
  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
101
111
  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
112
+ PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
102
113
  PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
103
114
  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
104
115
  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
@@ -113,11 +124,15 @@ __export(index_exports, {
113
124
  RESPONSE_TAG_UPDATED_AT: () => RESPONSE_TAG_UPDATED_AT,
114
125
  RESPONSE_TAG_UPDATED_BY: () => RESPONSE_TAG_UPDATED_BY,
115
126
  RiskDecision: () => RiskDecision,
127
+ SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
116
128
  Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
117
129
  Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
118
130
  Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
119
131
  Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
132
+ Sensor: () => Sensor,
120
133
  SensorDecisions: () => SensorDecisions,
134
+ SensorDiscoveryService: () => SensorDiscoveryService,
135
+ SensorRegistry: () => SensorRegistry,
121
136
  TLV: () => import_axis_protocol.TLV,
122
137
  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
123
138
  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
@@ -166,21 +181,26 @@ __export(index_exports, {
166
181
  buildAts1Hdr: () => buildAts1Hdr,
167
182
  buildDtoDecoder: () => buildDtoDecoder,
168
183
  buildPacket: () => buildPacket,
184
+ buildQueueMessage: () => buildQueueMessage,
169
185
  buildReceiptHash: () => buildReceiptHash,
170
186
  buildTLVs: () => buildTLVs,
187
+ buildUnsignedWitness: () => buildUnsignedWitness,
171
188
  bytes: () => bytes,
172
189
  canAccessResource: () => canAccessResource,
173
190
  canonicalJson: () => canonicalJson,
174
191
  canonicalJsonExcluding: () => canonicalJsonExcluding,
192
+ canonicalizeObservation: () => canonicalizeObservation,
175
193
  classifyIntent: () => classifyIntent,
176
194
  computeReceiptHash: () => computeReceiptHash,
177
195
  computeSignaturePayload: () => computeSignaturePayload,
178
196
  core: () => core_exports,
197
+ createObservation: () => createObservation,
179
198
  crypto: () => crypto_exports,
180
199
  decodeArray: () => import_axis_protocol.decodeArray,
181
200
  decodeAxis1Frame: () => decodeAxis1Frame,
182
201
  decodeFrame: () => decodeFrame,
183
202
  decodeObject: () => import_axis_protocol.decodeObject,
203
+ decodeQueueMessage: () => decodeQueueMessage,
184
204
  decodeTLVs: () => import_axis_protocol.decodeTLVs,
185
205
  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
186
206
  decodeVarint: () => import_axis_protocol3.decodeVarint,
@@ -188,13 +208,17 @@ __export(index_exports, {
188
208
  encVarint: () => encVarint,
189
209
  encodeAxis1Frame: () => encodeAxis1Frame,
190
210
  encodeFrame: () => encodeFrame,
211
+ encodeQueueMessage: () => encodeQueueMessage,
191
212
  encodeTLVs: () => import_axis_protocol.encodeTLVs,
192
213
  encodeVarint: () => import_axis_protocol3.encodeVarint,
214
+ endStage: () => endStage,
193
215
  engine: () => engine_exports,
194
216
  extractDtoSchema: () => extractDtoSchema,
217
+ finalizeObservation: () => finalizeObservation,
195
218
  generateEd25519KeyPair: () => generateEd25519KeyPair,
196
219
  getSignTarget: () => getSignTarget,
197
220
  hasScope: () => hasScope,
221
+ hashObservation: () => hashObservation,
198
222
  isAdminOpcode: () => isAdminOpcode,
199
223
  isKnownOpcode: () => isKnownOpcode,
200
224
  isTimestampValid: () => isTimestampValid,
@@ -206,7 +230,10 @@ __export(index_exports, {
206
230
  packPasskeyLoginVerifyReq: () => packPasskeyLoginVerifyReq,
207
231
  packPasskeyLoginVerifyRes: () => packPasskeyLoginVerifyRes,
208
232
  packPasskeyRegisterOptionsReq: () => packPasskeyRegisterOptionsReq,
233
+ parseAutoClaimEntries: () => parseAutoClaimEntries,
209
234
  parseScope: () => parseScope,
235
+ parseStreamEntries: () => parseStreamEntries,
236
+ recordSensor: () => recordSensor,
210
237
  resolveTimeout: () => resolveTimeout,
211
238
  schemas: () => schemas_exports,
212
239
  security: () => security_exports,
@@ -214,6 +241,8 @@ __export(index_exports, {
214
241
  sensors: () => sensors_exports,
215
242
  sha256: () => sha256,
216
243
  signFrame: () => signFrame,
244
+ stableJsonStringify: () => stableJsonStringify,
245
+ startStage: () => startStage,
217
246
  tlv: () => tlv,
218
247
  u64be: () => u64be,
219
248
  unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
@@ -224,7 +253,8 @@ __export(index_exports, {
224
253
  validateFrameShape: () => validateFrameShape,
225
254
  varintLength: () => import_axis_protocol3.varintLength,
226
255
  varintU: () => varintU,
227
- verifyFrameSignature: () => verifyFrameSignature
256
+ verifyFrameSignature: () => verifyFrameSignature,
257
+ verifyResponse: () => verifyResponse
228
258
  });
229
259
  module.exports = __toCommonJS(index_exports);
230
260
 
@@ -283,8 +313,24 @@ function IntentSensors(sensors) {
283
313
  };
284
314
  }
285
315
 
286
- // src/decorators/tlv-field.decorator.ts
316
+ // src/decorators/handler-sensors.decorator.ts
287
317
  var import_reflect_metadata4 = require("reflect-metadata");
318
+ var HANDLER_SENSORS_KEY = "axis:handler:sensors";
319
+ function HandlerSensors(sensors) {
320
+ return (target) => {
321
+ Reflect.defineMetadata(HANDLER_SENSORS_KEY, sensors, target);
322
+ };
323
+ }
324
+
325
+ // src/decorators/sensor.decorator.ts
326
+ var import_common2 = require("@nestjs/common");
327
+ var SENSOR_METADATA_KEY = "axis:sensor";
328
+ function Sensor(options) {
329
+ return (0, import_common2.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
330
+ }
331
+
332
+ // src/decorators/tlv-field.decorator.ts
333
+ var import_reflect_metadata5 = require("reflect-metadata");
288
334
  var TLV_FIELDS_KEY = "axis:tlv:fields";
289
335
  var TLV_VALIDATORS_KEY = "axis:tlv:validators";
290
336
  function TlvField(tag, options) {
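Review bot: `HandlerSensors` stores its argument under `HANDLER_SENSORS_KEY` without checking that it is an array, and the later hunks that consume it (the `Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) || []` lookup and `registerIntentMeta`) spread it with `...handlerSensors || []` while only the per-intent list is guarded by `Array.isArray`. A single class passed by mistake would fail as a non-iterable spread during route registration, and a string would be spread into characters, both far from the decorator that caused it. Since these sensors appear to be the request-gating checks, rejecting bad input at decoration time is safer: `if (!Array.isArray(sensors)) throw new TypeError("HandlerSensors expects an array of sensors");` as the first line of `HandlerSensors`. `Sensor(options)` would also benefit from a short comment saying that `options ?? true` stores `true` as the marker when no options are given.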
@@ -342,7 +388,7 @@ function TlvRange(min, max, message) {
342
388
  }
343
389
 
344
390
  // src/decorators/dto-schema.util.ts
345
- var import_reflect_metadata5 = require("reflect-metadata");
391
+ var import_reflect_metadata6 = require("reflect-metadata");
346
392
 
347
393
  // src/core/tlv.ts
348
394
  var import_axis_protocol = require("@nextera.one/axis-protocol");
@@ -443,7 +489,7 @@ __decorateClass([
443
489
  ], AxisIdDto.prototype, "id", 2);
444
490
 
445
491
  // src/base/axis-partial-type.ts
446
- var import_reflect_metadata6 = require("reflect-metadata");
492
+ var import_reflect_metadata7 = require("reflect-metadata");
447
493
  function AxisPartialType(BaseDto) {
448
494
  class PartialDto extends BaseDto {
449
495
  }
@@ -489,7 +535,7 @@ __decorateClass([
489
535
  ], AxisResponseDto.prototype, "updated_by", 2);
490
536
 
491
537
  // src/engine/intent.router.ts
492
- var import_common2 = require("@nestjs/common");
538
+ var import_common3 = require("@nestjs/common");
493
539
 
494
540
  // src/sensor/axis-sensor.ts
495
541
  var Decision = /* @__PURE__ */ ((Decision2) => {
@@ -594,7 +640,7 @@ var SensorDecisions = {
594
640
  var IntentRouter = class {
595
641
  constructor(moduleRef) {
596
642
  this.moduleRef = moduleRef;
597
- this.logger = new import_common2.Logger(IntentRouter.name);
643
+ this.logger = new import_common3.Logger(IntentRouter.name);
598
644
  /** Internal registry of dynamic intent handlers */
599
645
  this.handlers = /* @__PURE__ */ new Map();
600
646
  /** Per-intent sensor classes (resolved at call time) */
@@ -656,6 +702,7 @@ var IntentRouter = class {
656
702
  );
657
703
  const prefix = handlerMeta?.intent || instance.name;
658
704
  const routes = Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) || [];
705
+ const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) || [];
659
706
  for (const route of routes) {
660
707
  const intentName = route.absolute ? route.action : `${prefix}.${route.action}`;
661
708
  const fn = instance[route.methodName].bind(instance);
@@ -664,7 +711,12 @@ var IntentRouter = class {
664
711
  } else {
665
712
  this.register(intentName, fn);
666
713
  }
667
- this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));
714
+ this.registerIntentMeta(
715
+ intentName,
716
+ Object.getPrototypeOf(instance),
717
+ String(route.methodName),
718
+ handlerSensors
719
+ );
668
720
  }
669
721
  const proto = Object.getPrototypeOf(instance);
670
722
  for (const key of Object.getOwnPropertyNames(proto)) {
@@ -673,7 +725,7 @@ var IntentRouter = class {
673
725
  if (!this.handlers.has(meta.intent)) {
674
726
  this.register(meta.intent, instance[key].bind(instance));
675
727
  }
676
- this.registerIntentMeta(meta.intent, proto, key);
728
+ this.registerIntentMeta(meta.intent, proto, key, handlerSensors);
677
729
  }
678
730
  }
679
731
  /**
@@ -809,14 +861,22 @@ var IntentRouter = class {
809
861
  this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);
810
862
  }
811
863
  }
812
- registerIntentMeta(intent, proto, methodName) {
864
+ registerIntentMeta(intent, proto, methodName, handlerSensors) {
813
865
  const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);
814
866
  if (decoder) {
815
867
  this.intentDecoders.set(intent, decoder);
816
868
  }
817
- const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);
818
- if (sensors && Array.isArray(sensors) && sensors.length > 0) {
819
- this.intentSensors.set(intent, sensors);
869
+ const intentSensors = Reflect.getMetadata(
870
+ INTENT_SENSORS_KEY,
871
+ proto,
872
+ methodName
873
+ );
874
+ const combined = [
875
+ ...handlerSensors || [],
876
+ ...Array.isArray(intentSensors) ? intentSensors : []
877
+ ];
878
+ if (combined.length > 0) {
879
+ this.intentSensors.set(intent, combined);
820
880
  }
821
881
  const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);
822
882
  if (meta) {
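Review bot: `combined` concatenates the handler-level and intent-level lists without removing duplicates, so a sensor named both in `HandlerSensors` and in the per-intent `INTENT_SENSORS_KEY` metadata is registered twice for the same intent. How the sensor chain treats repeats is not visible in this hunk, but for stateful sensors (rate or budget counters, for example) a second run would presumably double-count. De-duplicating by identity keeps first-seen order: `const combined = [...new Set([...(handlerSensors || []), ...(Array.isArray(intentSensors) ? intentSensors : [])])];`. A comment stating that handler sensors are deliberately placed ahead of intent sensors would also help, since later code may depend on that order. `registerIntentMeta` continues past the end of the hunk.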
@@ -915,13 +975,234 @@ IntentRouter.BUILTIN_INTENTS = /* @__PURE__ */ new Set([
915
975
  "axis.intent.exec"
916
976
  ]);
917
977
  IntentRouter = __decorateClass([
918
- (0, import_common2.Injectable)(),
919
- __decorateParam(0, (0, import_common2.Optional)())
978
+ (0, import_common3.Injectable)(),
979
+ __decorateParam(0, (0, import_common3.Optional)())
920
980
  ], IntentRouter);
921
981
 
982
+ // src/engine/sensor-bands.ts
983
+ var BAND = {
984
+ /** Pre-decode: raw byte validation, geo, budget, magic */
985
+ WIRE: 0,
986
+ /** Post-decode: identity resolution, capsule, proof */
987
+ IDENTITY: 40,
988
+ /** Post-decode: authorization, signature, rate limiting */
989
+ POLICY: 90,
990
+ /** Post-decode: content validation, TLV, schema, files */
991
+ CONTENT: 140,
992
+ /** Post-decode: business logic sensors, streams, WS */
993
+ BUSINESS: 200,
994
+ /** Post-decode: audit, logging (always last) */
995
+ AUDIT: 900
996
+ };
997
+ var PRE_DECODE_BOUNDARY = 40;
998
+
999
+ // src/engine/observation/stable-json.ts
1000
+ function normalize(value) {
1001
+ if (Array.isArray(value)) {
1002
+ return value.map((item) => normalize(item));
1003
+ }
1004
+ if (value && typeof value === "object") {
1005
+ const entries = Object.entries(value).filter(([, nested]) => nested !== void 0).sort(([left], [right]) => left.localeCompare(right));
1006
+ const normalized = {};
1007
+ for (const [key, nested] of entries) {
1008
+ normalized[key] = normalize(nested);
1009
+ }
1010
+ return normalized;
1011
+ }
1012
+ return value;
1013
+ }
1014
+ function stableJsonStringify(value) {
1015
+ return JSON.stringify(normalize(value));
1016
+ }
1017
+
1018
+ // src/engine/observation/observation-queue.codec.ts
1019
+ function buildQueueMessage(observation, sourceNodeId, previous, lastError) {
1020
+ const now = Date.now();
1021
+ return {
1022
+ v: 1,
1023
+ observation,
1024
+ attempts: previous ? previous.attempts + 1 : 0,
1025
+ firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,
1026
+ lastEnqueuedAt: now,
1027
+ sourceNodeId,
1028
+ lastError
1029
+ };
1030
+ }
1031
+ function encodeQueueMessage(message) {
1032
+ return JSON.stringify(message);
1033
+ }
1034
+ function decodeQueueMessage(raw) {
1035
+ try {
1036
+ const parsed = JSON.parse(raw);
1037
+ if (!parsed || parsed.v !== 1 || !parsed.observation?.id) {
1038
+ return null;
1039
+ }
1040
+ return parsed;
1041
+ } catch {
1042
+ return null;
1043
+ }
1044
+ }
1045
+ function parseStreamEntries(raw) {
1046
+ if (!Array.isArray(raw)) {
1047
+ return [];
1048
+ }
1049
+ const entries = [];
1050
+ for (const streamRow of raw) {
1051
+ if (!Array.isArray(streamRow) || streamRow.length < 2) {
1052
+ continue;
1053
+ }
1054
+ const messageRows = streamRow[1];
1055
+ if (!Array.isArray(messageRows)) {
1056
+ continue;
1057
+ }
1058
+ for (const row of messageRows) {
1059
+ if (!Array.isArray(row) || row.length < 2) {
1060
+ continue;
1061
+ }
1062
+ const id = String(row[0]);
1063
+ const fields = Array.isArray(row[1]) ? row[1] : [];
1064
+ const fieldMap = fieldsToMap(fields);
1065
+ const payload = fieldMap.get("payload");
1066
+ if (!payload) {
1067
+ continue;
1068
+ }
1069
+ const message = decodeQueueMessage(payload);
1070
+ if (!message) {
1071
+ continue;
1072
+ }
1073
+ entries.push({ id, message });
1074
+ }
1075
+ }
1076
+ return entries;
1077
+ }
1078
+ function parseAutoClaimEntries(raw) {
1079
+ if (!Array.isArray(raw) || raw.length < 2) {
1080
+ return [];
1081
+ }
1082
+ const rows = Array.isArray(raw[1]) ? raw[1] : [];
1083
+ return parseStreamEntries([["stream", rows]]);
1084
+ }
1085
+ function fieldsToMap(fields) {
1086
+ const map3 = /* @__PURE__ */ new Map();
1087
+ for (let i = 0; i < fields.length; i += 2) {
1088
+ const key = fields[i];
1089
+ const value = fields[i + 1];
1090
+ if (key !== void 0 && value !== void 0) {
1091
+ map3.set(String(key), String(value));
1092
+ }
1093
+ }
1094
+ return map3;
1095
+ }
1096
+
1097
+ // src/engine/observation/observation-hash.ts
1098
+ var import_crypto = require("crypto");
1099
+ function canonicalizeObservation(obs) {
1100
+ const obj = {
1101
+ id: obs.id,
1102
+ startMs: obs.startMs,
1103
+ endMs: obs.endMs,
1104
+ transport: obs.transport,
1105
+ ip: obs.ip,
1106
+ intent: obs.intent,
1107
+ actorId: obs.actorId,
1108
+ capsuleId: obs.capsuleId,
1109
+ decision: obs.decision,
1110
+ resultCode: obs.resultCode,
1111
+ statusCode: obs.statusCode,
1112
+ durationMs: obs.durationMs,
1113
+ stages: obs.stages.map((s) => ({
1114
+ name: s.name,
1115
+ status: s.status,
1116
+ startMs: s.startMs,
1117
+ endMs: s.endMs,
1118
+ durationMs: s.durationMs,
1119
+ reason: s.reason,
1120
+ code: s.code
1121
+ })),
1122
+ sensors: obs.sensors.map((s) => ({
1123
+ name: s.name,
1124
+ allowed: s.allowed,
1125
+ riskScore: s.riskScore,
1126
+ durationMs: s.durationMs,
1127
+ reasons: s.reasons,
1128
+ code: s.code
1129
+ }))
1130
+ };
1131
+ return stableJsonStringify(obj);
1132
+ }
1133
+ function hashObservation(obs) {
1134
+ const canonical = canonicalizeObservation(obs);
1135
+ return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex");
1136
+ }
1137
+ function buildUnsignedWitness(obs) {
1138
+ if (!obs.decision || !obs.endMs) {
1139
+ return null;
1140
+ }
1141
+ return {
1142
+ v: 1,
1143
+ observationId: obs.id,
1144
+ payloadHash: hashObservation(obs),
1145
+ sealedAt: Date.now(),
1146
+ summary: {
1147
+ intent: obs.intent,
1148
+ actorId: obs.actorId,
1149
+ decision: obs.decision,
1150
+ statusCode: obs.statusCode,
1151
+ durationMs: obs.durationMs,
1152
+ sensorCount: obs.sensors.length,
1153
+ stageCount: obs.stages.length
1154
+ }
1155
+ };
1156
+ }
1157
+
922
1158
  // src/core/constants.ts
923
1159
  var import_axis_protocol2 = require("@nextera.one/axis-protocol");
924
1160
 
1161
+ // src/engine/observation/response-observer.ts
1162
+ var SENSITIVE_RESPONSE_TAGS = [4, 5, 6];
1163
+ function verifyResponse(ctx, response) {
1164
+ if (!response.effect || typeof response.effect !== "string") {
1165
+ return {
1166
+ passed: false,
1167
+ code: "OBSERVER_INVALID_EFFECT",
1168
+ reason: "Response effect is missing or invalid"
1169
+ };
1170
+ }
1171
+ if (response.ok && (!response.body || response.body.length === 0)) {
1172
+ return {
1173
+ passed: false,
1174
+ code: "OBSERVER_EMPTY_BODY",
1175
+ reason: "Successful response must contain a body"
1176
+ };
1177
+ }
1178
+ if (response.body && response.body.length > import_axis_protocol2.MAX_BODY_LEN) {
1179
+ return {
1180
+ passed: false,
1181
+ code: "OBSERVER_BODY_OVERFLOW",
1182
+ reason: `Response body exceeds ${import_axis_protocol2.MAX_BODY_LEN} bytes`
1183
+ };
1184
+ }
1185
+ if (response.headers) {
1186
+ for (const tag of SENSITIVE_RESPONSE_TAGS) {
1187
+ if (response.headers.has(tag)) {
1188
+ return {
1189
+ passed: false,
1190
+ code: "OBSERVER_DATA_LEAK",
1191
+ reason: `Response must not contain sensitive TLV tag ${tag}`
1192
+ };
1193
+ }
1194
+ }
1195
+ }
1196
+ if (response.effect.includes("Error:") || response.effect.includes("stack") || response.effect.includes("at /")) {
1197
+ return {
1198
+ passed: false,
1199
+ code: "OBSERVER_INFO_LEAK",
1200
+ reason: "Response effect may contain internal error details"
1201
+ };
1202
+ }
1203
+ return { passed: true };
1204
+ }
1205
+
925
1206
  // src/core/varint.ts
926
1207
  var import_axis_protocol3 = require("@nextera.one/axis-protocol");
927
1208
 
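Review bot: `normalize` orders keys with `left.localeCompare(right)`, which collates according to the runtime's default locale, yet its output feeds `hashObservation` and the `payloadHash` in `buildUnsignedWitness`. Two nodes with different locale or ICU settings can therefore serialise the same object differently and compute different SHA-256 values, which matters if a witness hash is ever recomputed on another host. A code-unit comparison is locale-independent: `.sort(([left], [right]) => (left < right ? -1 : left > right ? 1 : 0))`. In the same hunk, `decodeQueueMessage` accepts any JSON with `v === 1` and a truthy `observation.id`; checking that `attempts` is a number and that `observation.stages` and `observation.sensors` are arrays would stop malformed queue entries from reaching `buildQueueMessage` (`previous.attempts + 1`) and `canonicalizeObservation` (`obs.stages.map`). `SENSITIVE_RESPONSE_TAGS = [4, 5, 6]` also needs a comment naming what those three tags carry, and `verifyResponse` never reads its `ctx` parameter.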
@@ -1197,7 +1478,7 @@ __export(ats1_exports, {
1197
1478
  tlvsToMap: () => tlvsToMap,
1198
1479
  validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
1199
1480
  });
1200
- var import_crypto = require("crypto");
1481
+ var import_crypto2 = require("crypto");
1201
1482
  var DEFAULT_LIMITS = {
1202
1483
  maxVarintBytes: 10,
1203
1484
  maxTlvCount: 512,
@@ -1247,7 +1528,7 @@ function decodeU64BE(buf) {
1247
1528
  return buf.readBigUInt64BE(0);
1248
1529
  }
1249
1530
  function sha2562(data) {
1250
- return (0, import_crypto.createHash)("sha256").update(data).digest();
1531
+ return (0, import_crypto2.createHash)("sha256").update(data).digest();
1251
1532
  }
1252
1533
  function encodeTLV(tag, value) {
1253
1534
  if (!Number.isInteger(tag) || tag <= 0)
@@ -1836,7 +2117,7 @@ function packPasskeyLoginVerifyRes(params) {
1836
2117
  }
1837
2118
 
1838
2119
  // src/codec/tlv.encode.ts
1839
- var import_crypto2 = require("crypto");
2120
+ var import_crypto3 = require("crypto");
1840
2121
  function encVarint(x) {
1841
2122
  if (x < 0n) throw new Error("VARINT_NEG");
1842
2123
  const out = [];
@@ -1864,7 +2145,7 @@ function bytes(b) {
1864
2145
  return Buffer.isBuffer(b) ? b : Buffer.from(b);
1865
2146
  }
1866
2147
  function nonce16() {
1867
- return (0, import_crypto2.randomBytes)(16);
2148
+ return (0, import_crypto3.randomBytes)(16);
1868
2149
  }
1869
2150
  function tlv(type, value) {
1870
2151
  if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
@@ -2410,9 +2691,9 @@ function isAdminOpcode(op) {
2410
2691
  }
2411
2692
 
2412
2693
  // src/core/receipt.ts
2413
- var import_crypto3 = require("crypto");
2694
+ var import_crypto4 = require("crypto");
2414
2695
  function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
2415
- const h = (0, import_crypto3.createHash)("sha256");
2696
+ const h = (0, import_crypto4.createHash)("sha256");
2416
2697
  if (prevHash) h.update(prevHash);
2417
2698
  h.update(pid);
2418
2699
  h.update(Buffer.from(actorId, "utf8"));
@@ -2591,7 +2872,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
2591
2872
  }
2592
2873
 
2593
2874
  // src/upload/axis-files.handlers.ts
2594
- var import_common3 = require("@nestjs/common");
2875
+ var import_common4 = require("@nestjs/common");
2595
2876
  var crypto2 = __toESM(require("crypto"));
2596
2877
 
2597
2878
  // src/upload/upload.tokens.ts
@@ -2604,7 +2885,7 @@ var AxisFilesDownloadHandler = class {
2604
2885
  constructor(sessions, files) {
2605
2886
  this.sessions = sessions;
2606
2887
  this.files = files;
2607
- this.logger = new import_common3.Logger(AxisFilesDownloadHandler.name);
2888
+ this.logger = new import_common4.Logger(AxisFilesDownloadHandler.name);
2608
2889
  this.name = "axis.files.download";
2609
2890
  this.open = true;
2610
2891
  this.description = "File download handler";
@@ -2669,16 +2950,16 @@ __decorateClass([
2669
2950
  ], AxisFilesDownloadHandler.prototype, "execute", 1);
2670
2951
  AxisFilesDownloadHandler = __decorateClass([
2671
2952
  Handler("axis.files.download"),
2672
- (0, import_common3.Injectable)(),
2673
- __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
2674
- __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE))
2953
+ (0, import_common4.Injectable)(),
2954
+ __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
2955
+ __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE))
2675
2956
  ], AxisFilesDownloadHandler);
2676
2957
  var AxisFilesFinalizeHandler = class {
2677
2958
  constructor(sessions, files, keyring) {
2678
2959
  this.sessions = sessions;
2679
2960
  this.files = files;
2680
2961
  this.keyring = keyring;
2681
- this.logger = new import_common3.Logger(AxisFilesFinalizeHandler.name);
2962
+ this.logger = new import_common4.Logger(AxisFilesFinalizeHandler.name);
2682
2963
  this.name = "axis.files.finalize";
2683
2964
  this.open = false;
2684
2965
  this.description = "File upload finalization handler";
@@ -2754,11 +3035,11 @@ __decorateClass([
2754
3035
  ], AxisFilesFinalizeHandler.prototype, "execute", 1);
2755
3036
  AxisFilesFinalizeHandler = __decorateClass([
2756
3037
  Handler("axis.files.finalize"),
2757
- (0, import_common3.Injectable)(),
2758
- __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
2759
- __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE)),
2760
- __decorateParam(2, (0, import_common3.Optional)()),
2761
- __decorateParam(2, (0, import_common3.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
3038
+ (0, import_common4.Injectable)(),
3039
+ __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
3040
+ __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE)),
3041
+ __decorateParam(2, (0, import_common4.Optional)()),
3042
+ __decorateParam(2, (0, import_common4.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
2762
3043
  ], AxisFilesFinalizeHandler);
2763
3044
 
2764
3045
  // src/upload/disk-upload-file.store.ts
@@ -2817,377 +3098,15 @@ var DiskUploadFileStore = class {
2817
3098
  }
2818
3099
  };
2819
3100
 
2820
- // src/core/index.ts
2821
- var core_exports = {};
2822
- __export(core_exports, {
2823
- AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
2824
- AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
2825
- AxisError: () => AxisError,
2826
- AxisFrameZ: () => AxisFrameZ,
2827
- BodyProfile: () => import_axis_protocol2.BodyProfile,
2828
- ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
2829
- ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
2830
- ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
2831
- ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
2832
- FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
2833
- FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
2834
- FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
2835
- MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
2836
- MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
2837
- MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
2838
- MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
2839
- NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
2840
- NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
2841
- NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
2842
- NCERT_KID: () => import_axis_protocol2.NCERT_KID,
2843
- NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
2844
- NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
2845
- NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
2846
- NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
2847
- NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
2848
- NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
2849
- PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
2850
- PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
2851
- PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
2852
- PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
2853
- PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
2854
- PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
2855
- ProofType: () => import_axis_protocol2.ProofType,
2856
- TLV: () => import_axis_protocol.TLV,
2857
- TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
2858
- TLV_AUD: () => import_axis_protocol2.TLV_AUD,
2859
- TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
2860
- TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
2861
- TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
2862
- TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
2863
- TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
2864
- TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
2865
- TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
2866
- TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
2867
- TLV_KID: () => import_axis_protocol2.TLV_KID,
2868
- TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
2869
- TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
2870
- TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
2871
- TLV_NODE: () => import_axis_protocol2.TLV_NODE,
2872
- TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
2873
- TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
2874
- TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
2875
- TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
2876
- TLV_OK: () => import_axis_protocol2.TLV_OK,
2877
- TLV_PID: () => import_axis_protocol2.TLV_PID,
2878
- TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
2879
- TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
2880
- TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
2881
- TLV_REALM: () => import_axis_protocol2.TLV_REALM,
2882
- TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
2883
- TLV_RID: () => import_axis_protocol2.TLV_RID,
2884
- TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
2885
- TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
2886
- TLV_TS: () => import_axis_protocol2.TLV_TS,
2887
- TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
2888
- computeReceiptHash: () => computeReceiptHash,
2889
- computeSignaturePayload: () => computeSignaturePayload,
2890
- decodeArray: () => import_axis_protocol.decodeArray,
2891
- decodeFrame: () => decodeFrame,
2892
- decodeObject: () => import_axis_protocol.decodeObject,
2893
- decodeTLVs: () => import_axis_protocol.decodeTLVs,
2894
- decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
2895
- decodeVarint: () => import_axis_protocol3.decodeVarint,
2896
- encodeFrame: () => encodeFrame,
2897
- encodeTLVs: () => import_axis_protocol.encodeTLVs,
2898
- encodeVarint: () => import_axis_protocol3.encodeVarint,
2899
- generateEd25519KeyPair: () => generateEd25519KeyPair,
2900
- getSignTarget: () => getSignTarget,
2901
- sha256: () => sha256,
2902
- signFrame: () => signFrame,
2903
- varintLength: () => import_axis_protocol3.varintLength,
2904
- verifyFrameSignature: () => verifyFrameSignature
2905
- });
2906
-
2907
- // src/core/axis-error.ts
2908
- var AxisError = class extends Error {
2909
- constructor(code, message, httpStatus = 400, details) {
2910
- super(message);
2911
- this.code = code;
2912
- this.httpStatus = httpStatus;
2913
- this.details = details;
2914
- this.name = "AxisError";
2915
- }
2916
- };
2917
-
2918
- // src/crypto/index.ts
2919
- var crypto_exports = {};
2920
- __export(crypto_exports, {
2921
- ProofVerificationService: () => ProofVerificationService,
2922
- b64urlDecode: () => b64urlDecode,
2923
- b64urlDecodeString: () => b64urlDecodeString,
2924
- b64urlEncode: () => b64urlEncode,
2925
- b64urlEncodeString: () => b64urlEncodeString,
2926
- canonicalJson: () => canonicalJson,
2927
- canonicalJsonExcluding: () => canonicalJsonExcluding
2928
- });
2929
-
2930
- // src/crypto/proof-verification.service.ts
2931
- var import_common4 = require("@nestjs/common");
2932
- var crypto3 = __toESM(require("crypto"));
2933
- var nacl = __toESM(require("tweetnacl"));
2934
- var ProofVerificationService = class {
2935
- constructor() {
2936
- this.logger = new import_common4.Logger(ProofVerificationService.name);
2937
- // Cache of registered device public keys (deviceId -> pubKey)
2938
- this.deviceKeys = /* @__PURE__ */ new Map();
2939
- // Cache of trusted mTLS certificate fingerprints
2940
- this.trustedCerts = /* @__PURE__ */ new Map();
2941
- }
2942
- /**
2943
- * Verifies an authentication proof based on its type.
2944
- *
2945
- * **Supported Types:**
2946
- * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
2947
- * - 2 (JWT): Verified by `verifyJWTProof`
2948
- * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
2949
- * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
2950
- *
2951
- * @param {ProofType} proofType - The numeric AXIS proof type
2952
- * @param {Uint8Array} proofRef - The binary reference or token for the proof
2953
- * @param {Object} context - Additional metadata required for specific proof types
2954
- * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
2955
- * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
2956
- * @param {MTLSContext} [context.mtls] - mTLS certificate data
2957
- * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
2958
- * @returns {Promise<ProofVerificationResult>} The outcome of the verification
2959
- */
2960
- async verifyProof(proofType, proofRef, context) {
2961
- switch (proofType) {
2962
- case 1:
2963
- return this.verifyCapsuleProof(proofRef);
2964
- case 2:
2965
- return this.verifyJWTProof(proofRef);
2966
- case 3:
2967
- return this.verifyMTLSProof(context.mtls);
2968
- case 4:
2969
- return this.verifyDeviceSEProof(
2970
- context.signTarget,
2971
- context.signature,
2972
- context.deviceSE
2973
- );
2974
- default:
2975
- return { valid: false, error: `Unknown proof type: ${proofType}` };
2976
- }
2977
- }
2978
- /**
2979
- * Verify CAPSULE proof (delegated to CapsuleService)
2980
- */
2981
- async verifyCapsuleProof(proofRef) {
2982
- const capsuleId = new TextDecoder().decode(proofRef);
2983
- return {
2984
- valid: true,
2985
- metadata: { capsuleId, requiresCapsuleValidation: true }
2986
- };
2987
- }
2988
- /**
2989
- * Verifies a JSON Web Token (JWT) proof.
2990
- *
2991
- * **Validation Logic:**
2992
- * 1. Decodes the token string.
2993
- * 2. Checks for valid 3-part JWT structure.
2994
- * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
2995
- * 4. Extracts `actor_id` or `sub` as the identity.
2996
- *
2997
- * @param {Uint8Array} proofRef - Binary representation of the JWT string
2998
- * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
2999
- */
3000
- async verifyJWTProof(proofRef) {
3001
- try {
3002
- const token = new TextDecoder().decode(proofRef);
3003
- const parts = token.split(".");
3004
- if (parts.length !== 3) {
3005
- return { valid: false, error: "Invalid JWT format" };
3006
- }
3007
- const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
3008
- const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
3009
- if (payload.exp && Date.now() / 1e3 > payload.exp) {
3010
- return { valid: false, error: "JWT expired" };
3011
- }
3012
- if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
3013
- return { valid: false, error: "JWT not yet valid" };
3014
- }
3015
- return {
3016
- valid: true,
3017
- actorId: payload.sub || payload.actor_id,
3018
- metadata: { iss: payload.iss, scope: payload.scope }
3019
- };
3020
- } catch (e) {
3021
- const message = e instanceof Error ? e.message : "Unknown error";
3022
- return { valid: false, error: `JWT parse error: ${message}` };
3023
- }
3024
- }
3025
- /**
3026
- * Verify mTLS client certificate proof
3027
- */
3028
- async verifyMTLSProof(mtls) {
3029
- if (!mtls) {
3030
- return { valid: false, error: "No mTLS context provided" };
3031
- }
3032
- if (!mtls.verified) {
3033
- return { valid: false, error: "mTLS not verified by TLS terminator" };
3034
- }
3035
- if (mtls.clientCertFingerprint) {
3036
- const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
3037
- if (trusted) {
3038
- return {
3039
- valid: true,
3040
- actorId: trusted.actorId,
3041
- metadata: {
3042
- fingerprint: mtls.clientCertFingerprint,
3043
- subject: mtls.clientCertSubject
3044
- }
3045
- };
3046
- }
3047
- }
3048
- if (mtls.clientCertSubject) {
3049
- const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
3050
- if (cnMatch) {
3051
- return {
3052
- valid: true,
3053
- actorId: cnMatch[1],
3054
- metadata: {
3055
- subject: mtls.clientCertSubject,
3056
- issuer: mtls.clientCertIssuer
3057
- }
3058
- };
3059
- }
3060
- }
3061
- return { valid: false, error: "Could not extract actor from certificate" };
3062
- }
3063
- /**
3064
- * Verify Device Secure Element signature
3065
- */
3066
- async verifyDeviceSEProof(signTarget, signature, deviceSE) {
3067
- if (!deviceSE || !signTarget || !signature) {
3068
- return { valid: false, error: "Missing Device SE context" };
3069
- }
3070
- let publicKey = deviceSE.publicKey;
3071
- const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
3072
- if (registeredKey) {
3073
- publicKey = registeredKey;
3074
- }
3075
- if (!publicKey || publicKey.length !== 32) {
3076
- return {
3077
- valid: false,
3078
- error: "Invalid or unregistered device public key"
3079
- };
3080
- }
3081
- try {
3082
- const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
3083
- if (!valid) {
3084
- return { valid: false, error: "Device signature verification failed" };
3085
- }
3086
- return {
3087
- valid: true,
3088
- actorId: deviceSE.deviceId,
3089
- metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
3090
- };
3091
- } catch (e) {
3092
- const message = e instanceof Error ? e.message : "Unknown error";
3093
- return {
3094
- valid: false,
3095
- error: `Signature verification error: ${message}`
3096
- };
3097
- }
3098
- }
3099
- /**
3100
- * Registers a public key for a trusted device.
3101
- * This key will be used for future `DEVICE_SE` proof verifications.
3102
- *
3103
- * @param {string} deviceId - Unique identifier for the device
3104
- * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
3105
- * @throws {Error} If the public key is not 32 bytes
3106
- */
3107
- registerDeviceKey(deviceId, publicKey) {
3108
- if (publicKey.length !== 32) {
3109
- throw new Error("Device public key must be 32 bytes (Ed25519)");
3110
- }
3111
- this.deviceKeys.set(deviceId, publicKey);
3112
- this.logger.log(`Registered device key for ${deviceId}`);
3113
- }
3114
- /**
3115
- * Unregister a device
3116
- */
3117
- unregisterDevice(deviceId) {
3118
- return this.deviceKeys.delete(deviceId);
3119
- }
3120
- /**
3121
- * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
3122
- *
3123
- * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
3124
- * @param {string} actorId - The actor to associate with this certificate
3125
- */
3126
- registerMTLSCert(fingerprint, actorId) {
3127
- this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
3128
- this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
3129
- }
3130
- /**
3131
- * Revoke an mTLS certificate
3132
- */
3133
- revokeMTLSCert(fingerprint) {
3134
- return this.trustedCerts.delete(fingerprint);
3135
- }
3136
- /**
3137
- * Calculate certificate fingerprint (SHA-256)
3138
- */
3139
- static calculateFingerprint(certPem) {
3140
- const der = Buffer.from(
3141
- certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
3142
- "base64"
3143
- );
3144
- return crypto3.createHash("sha256").update(der).digest("hex");
3145
- }
3146
- };
3147
- ProofVerificationService = __decorateClass([
3148
- (0, import_common4.Injectable)()
3149
- ], ProofVerificationService);
3150
-
3151
- // src/decorators/index.ts
3152
- var decorators_exports = {};
3153
- __export(decorators_exports, {
3154
- AxisContext: () => AxisContext,
3155
- AxisDemoPubkey: () => AxisDemoPubkey,
3156
- AxisFrame: () => AxisFrame3,
3157
- AxisIp: () => AxisIp,
3158
- AxisRaw: () => AxisRaw,
3159
- HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
3160
- Handler: () => Handler,
3161
- INTENT_BODY_KEY: () => INTENT_BODY_KEY,
3162
- INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
3163
- INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
3164
- INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
3165
- Intent: () => Intent,
3166
- IntentBody: () => IntentBody,
3167
- IntentSensors: () => IntentSensors,
3168
- SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
3169
- Sensor: () => Sensor,
3170
- TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
3171
- TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
3172
- TlvEnum: () => TlvEnum,
3173
- TlvField: () => TlvField,
3174
- TlvMinLen: () => TlvMinLen,
3175
- TlvRange: () => TlvRange,
3176
- TlvUtf8Pattern: () => TlvUtf8Pattern,
3177
- TlvValidate: () => TlvValidate,
3178
- buildDtoDecoder: () => buildDtoDecoder,
3179
- extractDtoSchema: () => extractDtoSchema
3180
- });
3181
-
3182
- // src/decorators/axis-request.decorator.ts
3183
- var import_common5 = require("@nestjs/common");
3184
- function resolveIp(req) {
3185
- return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
3186
- }
3187
- var AxisRaw = (0, import_common5.createParamDecorator)(
3188
- (_data, ctx) => {
3189
- const req = ctx.switchToHttp().getRequest();
3190
- return req.body;
3101
+ // src/decorators/axis-request.decorator.ts
3102
+ var import_common5 = require("@nestjs/common");
3103
+ function resolveIp(req) {
3104
+ return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
3105
+ }
3106
+ var AxisRaw = (0, import_common5.createParamDecorator)(
3107
+ (_data, ctx) => {
3108
+ const req = ctx.switchToHttp().getRequest();
3109
+ return req.body;
3191
3110
  }
3192
3111
  );
3193
3112
  var AxisIp = (0, import_common5.createParamDecorator)(
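Review bot: `resolveIp` in the added block returns the first `x-forwarded-for` entry, then `x-real-ip`, and only then `req.socket.remoteAddress`, so the address is whatever the caller sends unless a trusted proxy in front overwrites those headers. If the value exposed through `AxisIp` feeds sensors, rate limits or audit records (not visible in this hunk), the fix belongs in `src/decorators/axis-request.decorator.ts`: prefer the framework's proxy-aware value, e.g. `return req.ip || req.socket.remoteAddress || void 0;` on an Express adapter with `trust proxy` configured. At minimum the function should carry a comment such as `// Forwarded headers are only meaningful behind a proxy that strips client-supplied values`. The `AxisIp` decorator body continues outside the hunk.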
@@ -3228,73 +3147,25 @@ var AxisFrame3 = (0, import_common5.createParamDecorator)(
3228
3147
  }
3229
3148
  );
3230
3149
 
3231
- // src/decorators/sensor.decorator.ts
3232
- var import_common6 = require("@nestjs/common");
3233
- var SENSOR_METADATA_KEY = "axis:sensor";
3234
- function Sensor(options) {
3235
- return (0, import_common6.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
3236
- }
3237
-
3238
- // src/engine/index.ts
3239
- var engine_exports = {};
3240
- __export(engine_exports, {
3241
- BAND: () => BAND,
3242
- HandlerDiscoveryService: () => HandlerDiscoveryService,
3243
- IntentRouter: () => IntentRouter,
3244
- PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
3245
- SensorDiscoveryService: () => SensorDiscoveryService,
3246
- SensorRegistry: () => SensorRegistry,
3247
- createObservation: () => createObservation,
3248
- endStage: () => endStage,
3249
- finalizeObservation: () => finalizeObservation,
3250
- recordSensor: () => recordSensor,
3251
- startStage: () => startStage
3252
- });
3253
-
3254
- // src/engine/axis-observation.ts
3255
- var import_crypto4 = require("crypto");
3256
- function createObservation(transport, ip) {
3257
- return {
3258
- id: (0, import_crypto4.randomBytes)(16).toString("hex"),
3259
- startMs: Date.now(),
3260
- transport,
3261
- ip,
3262
- stages: [],
3263
- sensors: [],
3264
- facts: {}
3265
- };
3266
- }
3267
- function startStage(obs, name) {
3268
- const stage = { name, status: "ok", startMs: Date.now() };
3269
- obs.stages.push(stage);
3270
- return stage;
3271
- }
3272
- function endStage(stage, status = "ok", reason, code) {
3273
- stage.endMs = Date.now();
3274
- stage.durationMs = stage.endMs - stage.startMs;
3275
- stage.status = status;
3276
- if (reason) stage.reason = reason;
3277
- if (code) stage.code = code;
3278
- }
3279
- function recordSensor(obs, name, allowed, riskScore, durationMs, reasons, code) {
3280
- obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });
3281
- }
3282
- function finalizeObservation(obs, decision, statusCode, resultCode) {
3283
- obs.endMs = Date.now();
3284
- obs.durationMs = obs.endMs - obs.startMs;
3285
- obs.decision = decision;
3286
- obs.statusCode = statusCode;
3287
- if (resultCode) obs.resultCode = resultCode;
3288
- }
3150
+ // src/core/axis-error.ts
3151
+ var AxisError = class extends Error {
3152
+ constructor(code, message, httpStatus = 400, details) {
3153
+ super(message);
3154
+ this.code = code;
3155
+ this.httpStatus = httpStatus;
3156
+ this.details = details;
3157
+ this.name = "AxisError";
3158
+ }
3159
+ };
3289
3160
 
3290
3161
  // src/engine/handler-discovery.service.ts
3291
- var import_common7 = require("@nestjs/common");
3162
+ var import_common6 = require("@nestjs/common");
3292
3163
  var HandlerDiscoveryService = class {
3293
3164
  constructor(discovery, scanner, router) {
3294
3165
  this.discovery = discovery;
3295
3166
  this.scanner = scanner;
3296
3167
  this.router = router;
3297
- this.logger = new import_common7.Logger(HandlerDiscoveryService.name);
3168
+ this.logger = new import_common6.Logger(HandlerDiscoveryService.name);
3298
3169
  }
3299
3170
  onModuleInit() {
3300
3171
  const providers = this.discovery.getProviders();
@@ -3308,6 +3179,7 @@ var HandlerDiscoveryService = class {
3308
3179
  const proto = Object.getPrototypeOf(instance);
3309
3180
  const methods = this.scanner.getAllMethodNames(proto);
3310
3181
  let registered = 0;
3182
+ const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, metatype) || [];
3311
3183
  for (const methodName of methods) {
3312
3184
  const meta = Reflect.getMetadata(
3313
3185
  INTENT_METADATA_KEY,
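Review bot: The added `handlerSensors` lookup falls back with `|| []` and does no shape check, so a non-array value stored under `HANDLER_SENSORS_KEY` would be passed to the router unchanged. Since handler-level sensors presumably gate every intent on the class, failing closed at discovery time is safer, e.g. `if (!Array.isArray(handlerSensors)) throw new Error("HANDLER_SENSORS_KEY metadata must be an array");`. The next hunk passes this same array instance to `registerIntentMeta` for every method. If the router merges intent-level sensors into it in place (its body is not visible here), entries would carry over between intents, and passing `[...handlerSensors]` avoids that. The enclosing `onModuleInit` loop starts and ends outside the hunk.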
@@ -3323,7 +3195,12 @@ var HandlerDiscoveryService = class {
3323
3195
  registered++;
3324
3196
  totalIntents++;
3325
3197
  }
3326
- this.router.registerIntentMeta(meta.intent, proto, methodName);
3198
+ this.router.registerIntentMeta(
3199
+ meta.intent,
3200
+ proto,
3201
+ methodName,
3202
+ handlerSensors
3203
+ );
3327
3204
  }
3328
3205
  if (registered > 0) {
3329
3206
  this.logger.log(
@@ -3337,34 +3214,17 @@ var HandlerDiscoveryService = class {
3337
3214
  }
3338
3215
  };
3339
3216
  HandlerDiscoveryService = __decorateClass([
3340
- (0, import_common7.Injectable)()
3217
+ (0, import_common6.Injectable)()
3341
3218
  ], HandlerDiscoveryService);
3342
3219
 
3343
- // src/engine/sensor-bands.ts
3344
- var BAND = {
3345
- /** Pre-decode: raw byte validation, geo, budget, magic */
3346
- WIRE: 0,
3347
- /** Post-decode: identity resolution, capsule, proof */
3348
- IDENTITY: 40,
3349
- /** Post-decode: authorization, signature, rate limiting */
3350
- POLICY: 90,
3351
- /** Post-decode: content validation, TLV, schema, files */
3352
- CONTENT: 140,
3353
- /** Post-decode: business logic sensors, streams, WS */
3354
- BUSINESS: 200,
3355
- /** Post-decode: audit, logging (always last) */
3356
- AUDIT: 900
3357
- };
3358
- var PRE_DECODE_BOUNDARY = 40;
3359
-
3360
3220
  // src/engine/sensor-discovery.service.ts
3361
- var import_common8 = require("@nestjs/common");
3221
+ var import_common7 = require("@nestjs/common");
3362
3222
  var SensorDiscoveryService = class {
3363
3223
  constructor(discovery, reflector, registry) {
3364
3224
  this.discovery = discovery;
3365
3225
  this.reflector = reflector;
3366
3226
  this.registry = registry;
3367
- this.logger = new import_common8.Logger(SensorDiscoveryService.name);
3227
+ this.logger = new import_common7.Logger(SensorDiscoveryService.name);
3368
3228
  }
3369
3229
  onApplicationBootstrap() {
3370
3230
  const providers = this.discovery.getProviders();
@@ -3395,16 +3255,16 @@ var SensorDiscoveryService = class {
3395
3255
  }
3396
3256
  };
3397
3257
  SensorDiscoveryService = __decorateClass([
3398
- (0, import_common8.Injectable)()
3258
+ (0, import_common7.Injectable)()
3399
3259
  ], SensorDiscoveryService);
3400
3260
 
3401
3261
  // src/engine/registry/sensor.registry.ts
3402
- var import_common9 = require("@nestjs/common");
3262
+ var import_common8 = require("@nestjs/common");
3403
3263
  var SensorRegistry = class {
3404
3264
  constructor(configService) {
3405
3265
  this.configService = configService;
3406
3266
  this.sensors = [];
3407
- this.logger = new import_common9.Logger(SensorRegistry.name);
3267
+ this.logger = new import_common8.Logger(SensorRegistry.name);
3408
3268
  }
3409
3269
  /**
3410
3270
  * Registers a new sensor in the registry.
@@ -3449,89 +3309,634 @@ var SensorRegistry = class {
3449
3309
  `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
3450
3310
  );
3451
3311
  }
3452
- this.sensors.push(sensor);
3453
- const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
3454
- this.logger.debug(
3455
- `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
3456
- );
3457
- }
3458
- /**
3459
- * Returns all registered sensors, sorted by their execution order.
3460
- *
3461
- * @returns {AxisSensor[]} A sorted array of sensors
3462
- */
3463
- list() {
3464
- return [...this.sensors].sort(
3465
- (a, b) => (a.order ?? 999) - (b.order ?? 999)
3466
- );
3312
+ this.sensors.push(sensor);
3313
+ const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
3314
+ this.logger.debug(
3315
+ `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
3316
+ );
3317
+ }
3318
+ /**
3319
+ * Returns all registered sensors, sorted by their execution order.
3320
+ *
3321
+ * @returns {AxisSensor[]} A sorted array of sensors
3322
+ */
3323
+ list() {
3324
+ return [...this.sensors].sort(
3325
+ (a, b) => (a.order ?? 999) - (b.order ?? 999)
3326
+ );
3327
+ }
3328
+ /**
3329
+ * Returns only pre-decode sensors (order < 40).
3330
+ * These sensors run in middleware on raw bytes before frame decoding.
3331
+ *
3332
+ * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
3333
+ */
3334
+ getPreDecodeSensors() {
3335
+ return this.list().filter((s) => (s.order ?? 999) < 40);
3336
+ }
3337
+ /**
3338
+ * Returns only post-decode sensors (order >= 40).
3339
+ * These sensors run in the controller on fully decoded frames.
3340
+ *
3341
+ * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
3342
+ */
3343
+ getPostDecodeSensors() {
3344
+ return this.list().filter(
3345
+ (s) => (s.order ?? 999) >= 40
3346
+ );
3347
+ }
3348
+ /**
3349
+ * Helper: Check if a sensor is a pre-decode sensor.
3350
+ *
3351
+ * @private
3352
+ * @param {AxisSensor} sensor - The sensor to check
3353
+ * @returns {boolean} True if sensor is pre-decode
3354
+ */
3355
+ isPreDecodeSensor(sensor) {
3356
+ const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
3357
+ return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
3358
+ }
3359
+ /**
3360
+ * Helper: Check if a sensor is a post-decode sensor.
3361
+ *
3362
+ * @private
3363
+ * @param {AxisSensor} sensor - The sensor to check
3364
+ * @returns {boolean} True if sensor is post-decode
3365
+ */
3366
+ isPostDecodeSensor(sensor) {
3367
+ const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
3368
+ return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
3369
+ }
3370
+ /**
3371
+ * Returns sensor count by phase.
3372
+ * Useful for diagnostics and monitoring.
3373
+ *
3374
+ * @returns {{preDecodeCount: number, postDecodeCount: number}}
3375
+ */
3376
+ getSensorCountByPhase() {
3377
+ return {
3378
+ preDecodeCount: this.getPreDecodeSensors().length,
3379
+ postDecodeCount: this.getPostDecodeSensors().length
3380
+ };
3381
+ }
3382
+ /**
3383
+ * Clears all registered sensors.
3384
+ * Useful for testing.
3385
+ *
3386
+ * @internal
3387
+ */
3388
+ clear() {
3389
+ this.sensors = [];
3390
+ }
3391
+ };
3392
+ SensorRegistry = __decorateClass([
3393
+ (0, import_common8.Injectable)()
3394
+ ], SensorRegistry);
3395
+
3396
+ // src/engine/axis-observation.ts
3397
+ var import_crypto5 = require("crypto");
3398
+ function createObservation(transport, ip) {
3399
+ return {
3400
+ id: (0, import_crypto5.randomBytes)(16).toString("hex"),
3401
+ startMs: Date.now(),
3402
+ transport,
3403
+ ip,
3404
+ stages: [],
3405
+ sensors: [],
3406
+ facts: {}
3407
+ };
3408
+ }
3409
+ function startStage(obs, name) {
3410
+ const stage = { name, status: "ok", startMs: Date.now() };
3411
+ obs.stages.push(stage);
3412
+ return stage;
3413
+ }
3414
+ function endStage(stage, status = "ok", reason, code) {
3415
+ stage.endMs = Date.now();
3416
+ stage.durationMs = stage.endMs - stage.startMs;
3417
+ stage.status = status;
3418
+ if (reason) stage.reason = reason;
3419
+ if (code) stage.code = code;
3420
+ }
3421
+ function recordSensor(obs, name, allowed, riskScore, durationMs, reasons, code) {
3422
+ obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });
3423
+ }
3424
+ function finalizeObservation(obs, decision, statusCode, resultCode) {
3425
+ obs.endMs = Date.now();
3426
+ obs.durationMs = obs.endMs - obs.startMs;
3427
+ obs.decision = decision;
3428
+ obs.statusCode = statusCode;
3429
+ if (resultCode) obs.resultCode = resultCode;
3430
+ }
3431
+
3432
+ // src/security/axis-sensor-chain.service.ts
3433
+ var import_common9 = require("@nestjs/common");
3434
+ var AxisSensorChainService = class {
3435
+ constructor(registry) {
3436
+ this.registry = registry;
3437
+ }
3438
+ /**
3439
+ * Evaluate all applicable sensors based on phase.
3440
+ */
3441
+ async evaluate(input, phase = "POST_DECODE", baseDecision) {
3442
+ if (phase === "PRE_DECODE") {
3443
+ return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
3444
+ }
3445
+ if (phase === "BOTH") {
3446
+ const rawPreResult = await this.evaluateSensors(
3447
+ this.registry.getPreDecodeSensors(),
3448
+ input
3449
+ );
3450
+ const preResult = normalizeSensorDecision(rawPreResult);
3451
+ if (!preResult.allow) return rawPreResult;
3452
+ return this.evaluateSensors(
3453
+ this.registry.getPostDecodeSensors(),
3454
+ input,
3455
+ rawPreResult
3456
+ );
3457
+ }
3458
+ return this.evaluateSensors(
3459
+ this.registry.getPostDecodeSensors(),
3460
+ input,
3461
+ baseDecision
3462
+ );
3463
+ }
3464
+ /** Run only pre-decode sensors. */
3465
+ async evaluatePre(input) {
3466
+ return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
3467
+ }
3468
+ /** Run only post-decode sensors. */
3469
+ async evaluatePost(input, baseDecision) {
3470
+ return this.evaluateSensors(
3471
+ this.registry.getPostDecodeSensors(),
3472
+ input,
3473
+ baseDecision
3474
+ );
3475
+ }
3476
+ async evaluateSensors(sensors, input, baseDecision) {
3477
+ const relevantSensors = sensors.filter(
3478
+ (s) => !s.supports || s.supports(input)
3479
+ );
3480
+ const normalizedBase = baseDecision ? normalizeSensorDecision(baseDecision) : void 0;
3481
+ let riskScore = normalizedBase?.riskScore ?? 0;
3482
+ const reasons = normalizedBase?.reasons ? [...normalizedBase.reasons] : [];
3483
+ const tags = normalizedBase?.tags ? { ...normalizedBase.tags } : {};
3484
+ let expSecondsMax = normalizedBase?.tighten?.expSecondsMax;
3485
+ let constraintsPatch = normalizedBase?.tighten?.constraintsPatch ? { ...normalizedBase.tighten.constraintsPatch } : {};
3486
+ for (const sensor of relevantSensors) {
3487
+ try {
3488
+ const t0 = Date.now();
3489
+ const rawDecision = await sensor.run(input);
3490
+ const elapsed = Date.now() - t0;
3491
+ const decision = normalizeSensorDecision(rawDecision);
3492
+ const obs = input.metadata?.observation;
3493
+ if (obs) {
3494
+ recordSensor(
3495
+ obs,
3496
+ sensor.name,
3497
+ decision.allow,
3498
+ decision.riskScore,
3499
+ elapsed,
3500
+ decision.reasons,
3501
+ decision.allow ? void 0 : decision.code
3502
+ );
3503
+ }
3504
+ if (!decision.allow) {
3505
+ return {
3506
+ allow: false,
3507
+ riskScore: Math.min(100, riskScore + decision.riskScore),
3508
+ reasons: [...reasons, ...decision.reasons],
3509
+ tags
3510
+ };
3511
+ }
3512
+ riskScore = Math.min(100, riskScore + decision.riskScore);
3513
+ reasons.push(...decision.reasons);
3514
+ if (decision.tags) {
3515
+ Object.assign(tags, decision.tags);
3516
+ }
3517
+ if (decision.tighten?.expSecondsMax !== void 0) {
3518
+ expSecondsMax = expSecondsMax === void 0 ? decision.tighten.expSecondsMax : Math.min(expSecondsMax, decision.tighten.expSecondsMax);
3519
+ }
3520
+ if (decision.tighten?.constraintsPatch) {
3521
+ constraintsPatch = {
3522
+ ...constraintsPatch,
3523
+ ...decision.tighten.constraintsPatch
3524
+ };
3525
+ }
3526
+ } catch (error) {
3527
+ console.error(`[AXIS][SENSOR] ${sensor.name} failed:`, error);
3528
+ const obs = input.metadata?.observation;
3529
+ if (obs) {
3530
+ recordSensor(obs, sensor.name, false, 100, 0, [
3531
+ `sensor_error:${sensor.name}`
3532
+ ]);
3533
+ }
3534
+ return {
3535
+ allow: false,
3536
+ riskScore: 100,
3537
+ reasons: [`sensor_error:${sensor.name}`]
3538
+ };
3539
+ }
3540
+ }
3541
+ const tightenPatch = Object.keys(constraintsPatch).length > 0 ? constraintsPatch : void 0;
3542
+ return {
3543
+ allow: true,
3544
+ riskScore,
3545
+ reasons,
3546
+ tags,
3547
+ tighten: expSecondsMax !== void 0 || tightenPatch ? {
3548
+ expSecondsMax,
3549
+ constraintsPatch: tightenPatch
3550
+ } : void 0
3551
+ };
3552
+ }
3553
+ };
3554
+ AxisSensorChainService = __decorateClass([
3555
+ (0, import_common9.Injectable)()
3556
+ ], AxisSensorChainService);
3557
+
3558
+ // src/core/index.ts
3559
+ var core_exports = {};
3560
+ __export(core_exports, {
3561
+ AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
3562
+ AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
3563
+ AxisError: () => AxisError,
3564
+ AxisFrameZ: () => AxisFrameZ,
3565
+ BodyProfile: () => import_axis_protocol2.BodyProfile,
3566
+ ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
3567
+ ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
3568
+ ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
3569
+ ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
3570
+ FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
3571
+ FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
3572
+ FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
3573
+ MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
3574
+ MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
3575
+ MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
3576
+ MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
3577
+ NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
3578
+ NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
3579
+ NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
3580
+ NCERT_KID: () => import_axis_protocol2.NCERT_KID,
3581
+ NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
3582
+ NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
3583
+ NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
3584
+ NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
3585
+ NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
3586
+ NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
3587
+ PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
3588
+ PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
3589
+ PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
3590
+ PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
3591
+ PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
3592
+ PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
3593
+ ProofType: () => import_axis_protocol2.ProofType,
3594
+ TLV: () => import_axis_protocol.TLV,
3595
+ TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
3596
+ TLV_AUD: () => import_axis_protocol2.TLV_AUD,
3597
+ TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
3598
+ TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
3599
+ TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
3600
+ TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
3601
+ TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
3602
+ TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
3603
+ TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
3604
+ TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
3605
+ TLV_KID: () => import_axis_protocol2.TLV_KID,
3606
+ TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
3607
+ TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
3608
+ TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
3609
+ TLV_NODE: () => import_axis_protocol2.TLV_NODE,
3610
+ TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
3611
+ TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
3612
+ TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
3613
+ TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
3614
+ TLV_OK: () => import_axis_protocol2.TLV_OK,
3615
+ TLV_PID: () => import_axis_protocol2.TLV_PID,
3616
+ TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
3617
+ TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
3618
+ TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
3619
+ TLV_REALM: () => import_axis_protocol2.TLV_REALM,
3620
+ TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
3621
+ TLV_RID: () => import_axis_protocol2.TLV_RID,
3622
+ TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
3623
+ TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
3624
+ TLV_TS: () => import_axis_protocol2.TLV_TS,
3625
+ TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
3626
+ computeReceiptHash: () => computeReceiptHash,
3627
+ computeSignaturePayload: () => computeSignaturePayload,
3628
+ decodeArray: () => import_axis_protocol.decodeArray,
3629
+ decodeFrame: () => decodeFrame,
3630
+ decodeObject: () => import_axis_protocol.decodeObject,
3631
+ decodeTLVs: () => import_axis_protocol.decodeTLVs,
3632
+ decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
3633
+ decodeVarint: () => import_axis_protocol3.decodeVarint,
3634
+ encodeFrame: () => encodeFrame,
3635
+ encodeTLVs: () => import_axis_protocol.encodeTLVs,
3636
+ encodeVarint: () => import_axis_protocol3.encodeVarint,
3637
+ generateEd25519KeyPair: () => generateEd25519KeyPair,
3638
+ getSignTarget: () => getSignTarget,
3639
+ sha256: () => sha256,
3640
+ signFrame: () => signFrame,
3641
+ varintLength: () => import_axis_protocol3.varintLength,
3642
+ verifyFrameSignature: () => verifyFrameSignature
3643
+ });
3644
+
3645
+ // src/crypto/index.ts
3646
+ var crypto_exports = {};
3647
+ __export(crypto_exports, {
3648
+ ProofVerificationService: () => ProofVerificationService,
3649
+ b64urlDecode: () => b64urlDecode,
3650
+ b64urlDecodeString: () => b64urlDecodeString,
3651
+ b64urlEncode: () => b64urlEncode,
3652
+ b64urlEncodeString: () => b64urlEncodeString,
3653
+ canonicalJson: () => canonicalJson,
3654
+ canonicalJsonExcluding: () => canonicalJsonExcluding
3655
+ });
3656
+
3657
+ // src/crypto/proof-verification.service.ts
3658
+ var import_common10 = require("@nestjs/common");
3659
+ var crypto3 = __toESM(require("crypto"));
3660
+ var nacl = __toESM(require("tweetnacl"));
3661
+ var ProofVerificationService = class {
3662
+ constructor() {
3663
+ this.logger = new import_common10.Logger(ProofVerificationService.name);
3664
+ // Cache of registered device public keys (deviceId -> pubKey)
3665
+ this.deviceKeys = /* @__PURE__ */ new Map();
3666
+ // Cache of trusted mTLS certificate fingerprints
3667
+ this.trustedCerts = /* @__PURE__ */ new Map();
3668
+ }
3669
+ /**
3670
+ * Verifies an authentication proof based on its type.
3671
+ *
3672
+ * **Supported Types:**
3673
+ * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
3674
+ * - 2 (JWT): Verified by `verifyJWTProof`
3675
+ * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
3676
+ * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
3677
+ *
3678
+ * @param {ProofType} proofType - The numeric AXIS proof type
3679
+ * @param {Uint8Array} proofRef - The binary reference or token for the proof
3680
+ * @param {Object} context - Additional metadata required for specific proof types
3681
+ * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
3682
+ * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
3683
+ * @param {MTLSContext} [context.mtls] - mTLS certificate data
3684
+ * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
3685
+ * @returns {Promise<ProofVerificationResult>} The outcome of the verification
3686
+ */
3687
+ async verifyProof(proofType, proofRef, context) {
3688
+ switch (proofType) {
3689
+ case 1:
3690
+ return this.verifyCapsuleProof(proofRef);
3691
+ case 2:
3692
+ return this.verifyJWTProof(proofRef);
3693
+ case 3:
3694
+ return this.verifyMTLSProof(context.mtls);
3695
+ case 4:
3696
+ return this.verifyDeviceSEProof(
3697
+ context.signTarget,
3698
+ context.signature,
3699
+ context.deviceSE
3700
+ );
3701
+ default:
3702
+ return { valid: false, error: `Unknown proof type: ${proofType}` };
3703
+ }
3704
+ }
3705
+ /**
3706
+ * Verify CAPSULE proof (delegated to CapsuleService)
3707
+ */
3708
+ async verifyCapsuleProof(proofRef) {
3709
+ const capsuleId = new TextDecoder().decode(proofRef);
3710
+ return {
3711
+ valid: true,
3712
+ metadata: { capsuleId, requiresCapsuleValidation: true }
3713
+ };
3714
+ }
3715
+ /**
3716
+ * Verifies a JSON Web Token (JWT) proof.
3717
+ *
3718
+ * **Validation Logic:**
3719
+ * 1. Decodes the token string.
3720
+ * 2. Checks for valid 3-part JWT structure.
3721
+ * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
3722
+ * 4. Extracts `actor_id` or `sub` as the identity.
3723
+ *
3724
+ * @param {Uint8Array} proofRef - Binary representation of the JWT string
3725
+ * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
3726
+ */
3727
+ async verifyJWTProof(proofRef) {
3728
+ try {
3729
+ const token = new TextDecoder().decode(proofRef);
3730
+ const parts = token.split(".");
3731
+ if (parts.length !== 3) {
3732
+ return { valid: false, error: "Invalid JWT format" };
3733
+ }
3734
+ const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
3735
+ const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
3736
+ if (payload.exp && Date.now() / 1e3 > payload.exp) {
3737
+ return { valid: false, error: "JWT expired" };
3738
+ }
3739
+ if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
3740
+ return { valid: false, error: "JWT not yet valid" };
3741
+ }
3742
+ return {
3743
+ valid: true,
3744
+ actorId: payload.sub || payload.actor_id,
3745
+ metadata: { iss: payload.iss, scope: payload.scope }
3746
+ };
3747
+ } catch (e) {
3748
+ const message = e instanceof Error ? e.message : "Unknown error";
3749
+ return { valid: false, error: `JWT parse error: ${message}` };
3750
+ }
3751
+ }
3752
+ /**
3753
+ * Verify mTLS client certificate proof
3754
+ */
3755
+ async verifyMTLSProof(mtls) {
3756
+ if (!mtls) {
3757
+ return { valid: false, error: "No mTLS context provided" };
3758
+ }
3759
+ if (!mtls.verified) {
3760
+ return { valid: false, error: "mTLS not verified by TLS terminator" };
3761
+ }
3762
+ if (mtls.clientCertFingerprint) {
3763
+ const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
3764
+ if (trusted) {
3765
+ return {
3766
+ valid: true,
3767
+ actorId: trusted.actorId,
3768
+ metadata: {
3769
+ fingerprint: mtls.clientCertFingerprint,
3770
+ subject: mtls.clientCertSubject
3771
+ }
3772
+ };
3773
+ }
3774
+ }
3775
+ if (mtls.clientCertSubject) {
3776
+ const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
3777
+ if (cnMatch) {
3778
+ return {
3779
+ valid: true,
3780
+ actorId: cnMatch[1],
3781
+ metadata: {
3782
+ subject: mtls.clientCertSubject,
3783
+ issuer: mtls.clientCertIssuer
3784
+ }
3785
+ };
3786
+ }
3787
+ }
3788
+ return { valid: false, error: "Could not extract actor from certificate" };
3467
3789
  }
3468
3790
  /**
3469
- * Returns only pre-decode sensors (order < 40).
3470
- * These sensors run in middleware on raw bytes before frame decoding.
3471
- *
3472
- * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
3791
+ * Verify Device Secure Element signature
3473
3792
  */
3474
- getPreDecodeSensors() {
3475
- return this.list().filter((s) => (s.order ?? 999) < 40);
3793
+ async verifyDeviceSEProof(signTarget, signature, deviceSE) {
3794
+ if (!deviceSE || !signTarget || !signature) {
3795
+ return { valid: false, error: "Missing Device SE context" };
3796
+ }
3797
+ let publicKey = deviceSE.publicKey;
3798
+ const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
3799
+ if (registeredKey) {
3800
+ publicKey = registeredKey;
3801
+ }
3802
+ if (!publicKey || publicKey.length !== 32) {
3803
+ return {
3804
+ valid: false,
3805
+ error: "Invalid or unregistered device public key"
3806
+ };
3807
+ }
3808
+ try {
3809
+ const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
3810
+ if (!valid) {
3811
+ return { valid: false, error: "Device signature verification failed" };
3812
+ }
3813
+ return {
3814
+ valid: true,
3815
+ actorId: deviceSE.deviceId,
3816
+ metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
3817
+ };
3818
+ } catch (e) {
3819
+ const message = e instanceof Error ? e.message : "Unknown error";
3820
+ return {
3821
+ valid: false,
3822
+ error: `Signature verification error: ${message}`
3823
+ };
3824
+ }
3476
3825
  }
3477
3826
  /**
3478
- * Returns only post-decode sensors (order >= 40).
3479
- * These sensors run in the controller on fully decoded frames.
3827
+ * Registers a public key for a trusted device.
3828
+ * This key will be used for future `DEVICE_SE` proof verifications.
3480
3829
  *
3481
- * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
3830
+ * @param {string} deviceId - Unique identifier for the device
3831
+ * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
3832
+ * @throws {Error} If the public key is not 32 bytes
3482
3833
  */
3483
- getPostDecodeSensors() {
3484
- return this.list().filter(
3485
- (s) => (s.order ?? 999) >= 40
3486
- );
3834
+ registerDeviceKey(deviceId, publicKey) {
3835
+ if (publicKey.length !== 32) {
3836
+ throw new Error("Device public key must be 32 bytes (Ed25519)");
3837
+ }
3838
+ this.deviceKeys.set(deviceId, publicKey);
3839
+ this.logger.log(`Registered device key for ${deviceId}`);
3487
3840
  }
3488
3841
  /**
3489
- * Helper: Check if a sensor is a pre-decode sensor.
3490
- *
3491
- * @private
3492
- * @param {AxisSensor} sensor - The sensor to check
3493
- * @returns {boolean} True if sensor is pre-decode
3842
+ * Unregister a device
3494
3843
  */
3495
- isPreDecodeSensor(sensor) {
3496
- const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
3497
- return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
3844
+ unregisterDevice(deviceId) {
3845
+ return this.deviceKeys.delete(deviceId);
3498
3846
  }
3499
3847
  /**
3500
- * Helper: Check if a sensor is a post-decode sensor.
3848
+ * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
3501
3849
  *
3502
- * @private
3503
- * @param {AxisSensor} sensor - The sensor to check
3504
- * @returns {boolean} True if sensor is post-decode
3850
+ * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
3851
+ * @param {string} actorId - The actor to associate with this certificate
3505
3852
  */
3506
- isPostDecodeSensor(sensor) {
3507
- const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
3508
- return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
3853
+ registerMTLSCert(fingerprint, actorId) {
3854
+ this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
3855
+ this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
3509
3856
  }
3510
3857
  /**
3511
- * Returns sensor count by phase.
3512
- * Useful for diagnostics and monitoring.
3513
- *
3514
- * @returns {{preDecodeCount: number, postDecodeCount: number}}
3858
+ * Revoke an mTLS certificate
3515
3859
  */
3516
- getSensorCountByPhase() {
3517
- return {
3518
- preDecodeCount: this.getPreDecodeSensors().length,
3519
- postDecodeCount: this.getPostDecodeSensors().length
3520
- };
3860
+ revokeMTLSCert(fingerprint) {
3861
+ return this.trustedCerts.delete(fingerprint);
3521
3862
  }
3522
3863
  /**
3523
- * Clears all registered sensors.
3524
- * Useful for testing.
3525
- *
3526
- * @internal
3864
+ * Calculate certificate fingerprint (SHA-256)
3527
3865
  */
3528
- clear() {
3529
- this.sensors = [];
3866
+ static calculateFingerprint(certPem) {
3867
+ const der = Buffer.from(
3868
+ certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
3869
+ "base64"
3870
+ );
3871
+ return crypto3.createHash("sha256").update(der).digest("hex");
3530
3872
  }
3531
3873
  };
3532
- SensorRegistry = __decorateClass([
3533
- (0, import_common9.Injectable)()
3534
- ], SensorRegistry);
3874
+ ProofVerificationService = __decorateClass([
3875
+ (0, import_common10.Injectable)()
3876
+ ], ProofVerificationService);
3877
+
3878
+ // src/decorators/index.ts
3879
+ var decorators_exports = {};
3880
+ __export(decorators_exports, {
3881
+ AxisContext: () => AxisContext,
3882
+ AxisDemoPubkey: () => AxisDemoPubkey,
3883
+ AxisFrame: () => AxisFrame3,
3884
+ AxisIp: () => AxisIp,
3885
+ AxisRaw: () => AxisRaw,
3886
+ HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
3887
+ Handler: () => Handler,
3888
+ INTENT_BODY_KEY: () => INTENT_BODY_KEY,
3889
+ INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
3890
+ INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
3891
+ INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
3892
+ Intent: () => Intent,
3893
+ IntentBody: () => IntentBody,
3894
+ IntentSensors: () => IntentSensors,
3895
+ SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
3896
+ Sensor: () => Sensor,
3897
+ TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
3898
+ TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
3899
+ TlvEnum: () => TlvEnum,
3900
+ TlvField: () => TlvField,
3901
+ TlvMinLen: () => TlvMinLen,
3902
+ TlvRange: () => TlvRange,
3903
+ TlvUtf8Pattern: () => TlvUtf8Pattern,
3904
+ TlvValidate: () => TlvValidate,
3905
+ buildDtoDecoder: () => buildDtoDecoder,
3906
+ extractDtoSchema: () => extractDtoSchema
3907
+ });
3908
+
3909
+ // src/engine/index.ts
3910
+ var engine_exports = {};
3911
+ __export(engine_exports, {
3912
+ BAND: () => BAND,
3913
+ HandlerDiscoveryService: () => HandlerDiscoveryService,
3914
+ IntentRouter: () => IntentRouter,
3915
+ PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
3916
+ SensorDiscoveryService: () => SensorDiscoveryService,
3917
+ SensorRegistry: () => SensorRegistry,
3918
+ createObservation: () => createObservation,
3919
+ endStage: () => endStage,
3920
+ finalizeObservation: () => finalizeObservation,
3921
+ observation: () => observation_exports,
3922
+ recordSensor: () => recordSensor,
3923
+ startStage: () => startStage
3924
+ });
3925
+
3926
+ // src/engine/observation/index.ts
3927
+ var observation_exports = {};
3928
+ __export(observation_exports, {
3929
+ buildQueueMessage: () => buildQueueMessage,
3930
+ buildUnsignedWitness: () => buildUnsignedWitness,
3931
+ canonicalizeObservation: () => canonicalizeObservation,
3932
+ decodeQueueMessage: () => decodeQueueMessage,
3933
+ encodeQueueMessage: () => encodeQueueMessage,
3934
+ hashObservation: () => hashObservation,
3935
+ parseAutoClaimEntries: () => parseAutoClaimEntries,
3936
+ parseStreamEntries: () => parseStreamEntries,
3937
+ stableJsonStringify: () => stableJsonStringify,
3938
+ verifyResponse: () => verifyResponse
3939
+ });
3535
3940
 
3536
3941
  // src/loom/index.ts
3537
3942
  var loom_exports = {};
@@ -3901,7 +4306,7 @@ var AxisErrorZ = z2.object({
3901
4306
  });
3902
4307
 
3903
4308
  // src/schemas/body-profile.validator.ts
3904
- var import_common10 = require("@nestjs/common");
4309
+ var import_common11 = require("@nestjs/common");
3905
4310
  var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
3906
4311
  BodyProfile3[BodyProfile3["RAW"] = 0] = "RAW";
3907
4312
  BodyProfile3[BodyProfile3["TLV_MAP"] = 1] = "TLV_MAP";
@@ -3911,7 +4316,7 @@ var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
3911
4316
  })(BodyProfile2 || {});
3912
4317
  var BodyProfileValidator = class {
3913
4318
  constructor() {
3914
- this.logger = new import_common10.Logger(BodyProfileValidator.name);
4319
+ this.logger = new import_common11.Logger(BodyProfileValidator.name);
3915
4320
  }
3916
4321
  /**
3917
4322
  * Validate body matches declared profile
@@ -4027,12 +4432,13 @@ var BodyProfileValidator = class {
4027
4432
  }
4028
4433
  };
4029
4434
  BodyProfileValidator = __decorateClass([
4030
- (0, import_common10.Injectable)()
4435
+ (0, import_common11.Injectable)()
4031
4436
  ], BodyProfileValidator);
4032
4437
 
4033
4438
  // src/security/index.ts
4034
4439
  var security_exports = {};
4035
4440
  __export(security_exports, {
4441
+ AxisSensorChainService: () => AxisSensorChainService,
4036
4442
  CAPABILITIES: () => CAPABILITIES,
4037
4443
  INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
4038
4444
  PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
@@ -4065,7 +4471,7 @@ __export(sensors_exports, {
4065
4471
  });
4066
4472
 
4067
4473
  // src/sensors/access-profile-resolver.sensor.ts
4068
- var import_common11 = require("@nestjs/common");
4474
+ var import_common12 = require("@nestjs/common");
4069
4475
  var AccessProfileResolverSensor = class {
4070
4476
  constructor() {
4071
4477
  /** AxisSensor identifier */
@@ -4091,11 +4497,11 @@ var AccessProfileResolverSensor = class {
4091
4497
  };
4092
4498
  AccessProfileResolverSensor = __decorateClass([
4093
4499
  Sensor(),
4094
- (0, import_common11.Injectable)()
4500
+ (0, import_common12.Injectable)()
4095
4501
  ], AccessProfileResolverSensor);
4096
4502
 
4097
4503
  // src/sensors/body-budget.sensor.ts
4098
- var import_common12 = require("@nestjs/common");
4504
+ var import_common13 = require("@nestjs/common");
4099
4505
  var BodyBudgetSensor = class {
4100
4506
  constructor() {
4101
4507
  /** AxisSensor identifier */
@@ -4169,14 +4575,14 @@ var BodyBudgetSensor = class {
4169
4575
  };
4170
4576
  BodyBudgetSensor = __decorateClass([
4171
4577
  Sensor(),
4172
- (0, import_common12.Injectable)()
4578
+ (0, import_common13.Injectable)()
4173
4579
  ], BodyBudgetSensor);
4174
4580
 
4175
4581
  // src/sensors/capability-enforcement.sensor.ts
4176
- var import_common13 = require("@nestjs/common");
4582
+ var import_common14 = require("@nestjs/common");
4177
4583
  var CapabilityEnforcementSensor = class {
4178
4584
  constructor() {
4179
- this.logger = new import_common13.Logger(CapabilityEnforcementSensor.name);
4585
+ this.logger = new import_common14.Logger(CapabilityEnforcementSensor.name);
4180
4586
  /** AxisSensor identifier for logging and registry */
4181
4587
  this.name = "CapabilityEnforcementSensor";
4182
4588
  /**
@@ -4270,12 +4676,12 @@ var CapabilityEnforcementSensor = class {
4270
4676
  };
4271
4677
  CapabilityEnforcementSensor = __decorateClass([
4272
4678
  Sensor(),
4273
- (0, import_common13.Injectable)()
4679
+ (0, import_common14.Injectable)()
4274
4680
  ], CapabilityEnforcementSensor);
4275
4681
 
4276
4682
  // src/sensors/chunk-hash.sensor.ts
4277
- var import_common14 = require("@nestjs/common");
4278
- var import_crypto5 = require("crypto");
4683
+ var import_common15 = require("@nestjs/common");
4684
+ var import_crypto6 = require("crypto");
4279
4685
  var ChunkHashSensor = class {
4280
4686
  constructor() {
4281
4687
  /** Sensor identifier */
@@ -4334,7 +4740,7 @@ var ChunkHashSensor = class {
4334
4740
  reason: "Missing sha256Chunk TLV in header"
4335
4741
  };
4336
4742
  }
4337
- const actual = (0, import_crypto5.createHash)("sha256").update(bodyBytes).digest();
4743
+ const actual = (0, import_crypto6.createHash)("sha256").update(bodyBytes).digest();
4338
4744
  if (!Buffer.from(actual).equals(Buffer.from(expected))) {
4339
4745
  return {
4340
4746
  action: "DENY",
@@ -4347,15 +4753,15 @@ var ChunkHashSensor = class {
4347
4753
  };
4348
4754
  ChunkHashSensor = __decorateClass([
4349
4755
  Sensor(),
4350
- (0, import_common14.Injectable)()
4756
+ (0, import_common15.Injectable)()
4351
4757
  ], ChunkHashSensor);
4352
4758
 
4353
4759
  // src/sensors/entropy.sensor.ts
4354
- var import_common15 = require("@nestjs/common");
4760
+ var import_common16 = require("@nestjs/common");
4355
4761
  var crypto4 = __toESM(require("crypto"));
4356
4762
  var EntropySensor = class {
4357
4763
  constructor() {
4358
- this.logger = new import_common15.Logger(EntropySensor.name);
4764
+ this.logger = new import_common16.Logger(EntropySensor.name);
4359
4765
  /**
4360
4766
  * Minimum acceptable entropy in bits per byte.
4361
4767
  *
@@ -4525,14 +4931,14 @@ var EntropySensor = class {
4525
4931
  };
4526
4932
  EntropySensor = __decorateClass([
4527
4933
  Sensor(),
4528
- (0, import_common15.Injectable)()
4934
+ (0, import_common16.Injectable)()
4529
4935
  ], EntropySensor);
4530
4936
 
4531
4937
  // src/sensors/execution-timeout.sensor.ts
4532
- var import_common16 = require("@nestjs/common");
4938
+ var import_common17 = require("@nestjs/common");
4533
4939
  var ExecutionTimeoutSensor = class {
4534
4940
  constructor() {
4535
- this.logger = new import_common16.Logger(ExecutionTimeoutSensor.name);
4941
+ this.logger = new import_common17.Logger(ExecutionTimeoutSensor.name);
4536
4942
  /** AxisSensor identifier */
4537
4943
  this.name = "ExecutionTimeoutSensor";
4538
4944
  /**
@@ -4610,11 +5016,11 @@ var ExecutionTimeoutSensor = class {
4610
5016
  };
4611
5017
  ExecutionTimeoutSensor = __decorateClass([
4612
5018
  Sensor(),
4613
- (0, import_common16.Injectable)()
5019
+ (0, import_common17.Injectable)()
4614
5020
  ], ExecutionTimeoutSensor);
4615
5021
 
4616
5022
  // src/sensors/frame-budget.sensor.ts
4617
- var import_common17 = require("@nestjs/common");
5023
+ var import_common18 = require("@nestjs/common");
4618
5024
  var FrameBudgetSensor = class {
4619
5025
  constructor(config) {
4620
5026
  this.config = config;
@@ -4673,11 +5079,11 @@ var FrameBudgetSensor = class {
4673
5079
  };
4674
5080
  FrameBudgetSensor = __decorateClass([
4675
5081
  Sensor({ phase: "PRE_DECODE" }),
4676
- (0, import_common17.Injectable)()
5082
+ (0, import_common18.Injectable)()
4677
5083
  ], FrameBudgetSensor);
4678
5084
 
4679
5085
  // src/sensors/frame-header-sanity.sensor.ts
4680
- var import_common18 = require("@nestjs/common");
5086
+ var import_common19 = require("@nestjs/common");
4681
5087
  var FrameHeaderSanitySensor = class {
4682
5088
  constructor() {
4683
5089
  this.name = "FrameHeaderSanitySensor";
@@ -4721,12 +5127,12 @@ var FrameHeaderSanitySensor = class {
4721
5127
  }
4722
5128
  };
4723
5129
  FrameHeaderSanitySensor = __decorateClass([
4724
- (0, import_common18.Injectable)(),
5130
+ (0, import_common19.Injectable)(),
4725
5131
  Sensor({ phase: "PRE_DECODE" })
4726
5132
  ], FrameHeaderSanitySensor);
4727
5133
 
4728
5134
  // src/sensors/header-tlv-limit.sensor.ts
4729
- var import_common19 = require("@nestjs/common");
5135
+ var import_common20 = require("@nestjs/common");
4730
5136
  var HeaderTLVLimitSensor = class {
4731
5137
  constructor() {
4732
5138
  this.name = "HeaderTLVLimitSensor";
@@ -4758,12 +5164,12 @@ var HeaderTLVLimitSensor = class {
4758
5164
  }
4759
5165
  };
4760
5166
  HeaderTLVLimitSensor = __decorateClass([
4761
- (0, import_common19.Injectable)(),
5167
+ (0, import_common20.Injectable)(),
4762
5168
  Sensor()
4763
5169
  ], HeaderTLVLimitSensor);
4764
5170
 
4765
5171
  // src/sensors/intent-allowlist.sensor.ts
4766
- var import_common20 = require("@nestjs/common");
5172
+ var import_common21 = require("@nestjs/common");
4767
5173
  var PUBLIC_INTENT_ALLOWLIST = [
4768
5174
  "public.",
4769
5175
  "schema.",
@@ -4798,12 +5204,12 @@ var IntentAllowlistSensor = class {
4798
5204
  }
4799
5205
  };
4800
5206
  IntentAllowlistSensor = __decorateClass([
4801
- (0, import_common20.Injectable)(),
5207
+ (0, import_common21.Injectable)(),
4802
5208
  Sensor()
4803
5209
  ], IntentAllowlistSensor);
4804
5210
 
4805
5211
  // src/sensors/intent-registry.sensor.ts
4806
- var import_common21 = require("@nestjs/common");
5212
+ var import_common22 = require("@nestjs/common");
4807
5213
  var IntentRegistrySensor = class {
4808
5214
  constructor(router) {
4809
5215
  this.router = router;
@@ -4826,12 +5232,12 @@ var IntentRegistrySensor = class {
4826
5232
  }
4827
5233
  };
4828
5234
  IntentRegistrySensor = __decorateClass([
4829
- (0, import_common21.Injectable)(),
5235
+ (0, import_common22.Injectable)(),
4830
5236
  Sensor({ phase: "POST_DECODE" })
4831
5237
  ], IntentRegistrySensor);
4832
5238
 
4833
5239
  // src/sensors/proof-presence.sensor.ts
4834
- var import_common22 = require("@nestjs/common");
5240
+ var import_common23 = require("@nestjs/common");
4835
5241
  var ProofPresenceSensor = class {
4836
5242
  constructor() {
4837
5243
  this.name = "ProofPresenceSensor";
@@ -4879,11 +5285,11 @@ var ProofPresenceSensor = class {
4879
5285
  };
4880
5286
  ProofPresenceSensor = __decorateClass([
4881
5287
  Sensor(),
4882
- (0, import_common22.Injectable)()
5288
+ (0, import_common23.Injectable)()
4883
5289
  ], ProofPresenceSensor);
4884
5290
 
4885
5291
  // src/sensors/protocol-strict.sensor.ts
4886
- var import_common23 = require("@nestjs/common");
5292
+ var import_common24 = require("@nestjs/common");
4887
5293
  var VALID_FLAGS = [
4888
5294
  0,
4889
5295
  // No flags
@@ -4901,7 +5307,7 @@ var VALID_FLAGS = [
4901
5307
  var ProtocolStrictSensor = class {
4902
5308
  constructor(config) {
4903
5309
  this.config = config;
4904
- this.logger = new import_common23.Logger(ProtocolStrictSensor.name);
5310
+ this.logger = new import_common24.Logger(ProtocolStrictSensor.name);
4905
5311
  /** Sensor identifier for logging and registry */
4906
5312
  this.name = "ProtocolStrictSensor";
4907
5313
  /**
@@ -5154,11 +5560,11 @@ var ProtocolStrictSensor = class {
5154
5560
  };
5155
5561
  ProtocolStrictSensor = __decorateClass([
5156
5562
  Sensor({ phase: "PRE_DECODE" }),
5157
- (0, import_common23.Injectable)()
5563
+ (0, import_common24.Injectable)()
5158
5564
  ], ProtocolStrictSensor);
5159
5565
 
5160
5566
  // src/sensors/receipt-policy.sensor.ts
5161
- var import_common24 = require("@nestjs/common");
5567
+ var import_common25 = require("@nestjs/common");
5162
5568
  var ReceiptPolicySensor = class {
5163
5569
  constructor() {
5164
5570
  this.name = "ReceiptPolicySensor";
@@ -5172,12 +5578,12 @@ var ReceiptPolicySensor = class {
5172
5578
  }
5173
5579
  };
5174
5580
  ReceiptPolicySensor = __decorateClass([
5175
- (0, import_common24.Injectable)(),
5581
+ (0, import_common25.Injectable)(),
5176
5582
  Sensor()
5177
5583
  ], ReceiptPolicySensor);
5178
5584
 
5179
5585
  // src/sensors/schema-validation.sensor.ts
5180
- var import_common25 = require("@nestjs/common");
5586
+ var import_common26 = require("@nestjs/common");
5181
5587
  function readU64be(b) {
5182
5588
  if (b.length !== 8)
5183
5589
  throw new AxisError("SCHEMA_TYPE_MISMATCH", "u64 must be 8 bytes", 400);
@@ -5352,11 +5758,11 @@ var SchemaValidationSensor = class {
5352
5758
  };
5353
5759
  SchemaValidationSensor = __decorateClass([
5354
5760
  Sensor(),
5355
- (0, import_common25.Injectable)()
5761
+ (0, import_common26.Injectable)()
5356
5762
  ], SchemaValidationSensor);
5357
5763
 
5358
5764
  // src/sensors/stream-scope.sensor.ts
5359
- var import_common26 = require("@nestjs/common");
5765
+ var import_common27 = require("@nestjs/common");
5360
5766
  var StreamScopeSensor = class {
5361
5767
  constructor() {
5362
5768
  /** Sensor identifier */
@@ -5402,11 +5808,11 @@ var StreamScopeSensor = class {
5402
5808
  };
5403
5809
  StreamScopeSensor = __decorateClass([
5404
5810
  Sensor(),
5405
- (0, import_common26.Injectable)()
5811
+ (0, import_common27.Injectable)()
5406
5812
  ], StreamScopeSensor);
5407
5813
 
5408
5814
  // src/sensors/tlv-parse.sensor.ts
5409
- var import_common27 = require("@nestjs/common");
5815
+ var import_common28 = require("@nestjs/common");
5410
5816
  var TLVParseSensor = class {
5411
5817
  constructor() {
5412
5818
  this.name = "TLVParseSensor";
@@ -5508,11 +5914,11 @@ var TLVParseSensor = class {
5508
5914
  };
5509
5915
  TLVParseSensor = __decorateClass([
5510
5916
  Sensor(),
5511
- (0, import_common27.Injectable)()
5917
+ (0, import_common28.Injectable)()
5512
5918
  ], TLVParseSensor);
5513
5919
 
5514
5920
  // src/sensors/varint-hardening.sensor.ts
5515
- var import_common28 = require("@nestjs/common");
5921
+ var import_common29 = require("@nestjs/common");
5516
5922
  var VarintHardeningSensor = class {
5517
5923
  constructor() {
5518
5924
  /** Sensor identifier */
@@ -5575,7 +5981,7 @@ var VarintHardeningSensor = class {
5575
5981
  };
5576
5982
  VarintHardeningSensor = __decorateClass([
5577
5983
  Sensor({ phase: "PRE_DECODE" }),
5578
- (0, import_common28.Injectable)()
5984
+ (0, import_common29.Injectable)()
5579
5985
  ], VarintHardeningSensor);
5580
5986
 
5581
5987
  // src/utils/index.ts
@@ -5647,14 +6053,21 @@ function toBuffer(value) {
5647
6053
  AXIS_UPLOAD_SESSION_STORE,
5648
6054
  AXIS_VERSION,
5649
6055
  Ats1Codec,
6056
+ AxisContext,
6057
+ AxisDemoPubkey,
6058
+ AxisError,
5650
6059
  AxisFilesDownloadHandler,
5651
6060
  AxisFilesFinalizeHandler,
5652
6061
  AxisFrameZ,
5653
6062
  AxisIdDto,
6063
+ AxisIp,
5654
6064
  AxisPacketTags,
5655
6065
  AxisPartialType,
6066
+ AxisRaw,
5656
6067
  AxisResponseDto,
6068
+ AxisSensorChainService,
5657
6069
  AxisTlvDto,
6070
+ BAND,
5658
6071
  BodyProfile,
5659
6072
  CAPABILITIES,
5660
6073
  ContractViolationError,
@@ -5672,7 +6085,10 @@ function toBuffer(value) {
5672
6085
  FLAG_CHAIN_REQ,
5673
6086
  FLAG_HAS_WITNESS,
5674
6087
  HANDLER_METADATA_KEY,
6088
+ HANDLER_SENSORS_KEY,
5675
6089
  Handler,
6090
+ HandlerDiscoveryService,
6091
+ HandlerSensors,
5676
6092
  INTENT_BODY_KEY,
5677
6093
  INTENT_METADATA_KEY,
5678
6094
  INTENT_REQUIREMENTS,
@@ -5699,6 +6115,7 @@ function toBuffer(value) {
5699
6115
  NCERT_PUB,
5700
6116
  NCERT_SCOPE,
5701
6117
  NCERT_SIG,
6118
+ PRE_DECODE_BOUNDARY,
5702
6119
  PROOF_CAPABILITIES,
5703
6120
  PROOF_CAPSULE,
5704
6121
  PROOF_JWT,
@@ -5713,11 +6130,15 @@ function toBuffer(value) {
5713
6130
  RESPONSE_TAG_UPDATED_AT,
5714
6131
  RESPONSE_TAG_UPDATED_BY,
5715
6132
  RiskDecision,
6133
+ SENSOR_METADATA_KEY,
5716
6134
  Schema2002_PasskeyLoginOptionsRes,
5717
6135
  Schema2011_PasskeyLoginVerifyReq,
5718
6136
  Schema2012_PasskeyLoginVerifyRes,
5719
6137
  Schema2021_PasskeyRegisterOptionsReq,
6138
+ Sensor,
5720
6139
  SensorDecisions,
6140
+ SensorDiscoveryService,
6141
+ SensorRegistry,
5721
6142
  TLV,
5722
6143
  TLV_ACTOR_ID,
5723
6144
  TLV_AUD,
@@ -5766,21 +6187,26 @@ function toBuffer(value) {
5766
6187
  buildAts1Hdr,
5767
6188
  buildDtoDecoder,
5768
6189
  buildPacket,
6190
+ buildQueueMessage,
5769
6191
  buildReceiptHash,
5770
6192
  buildTLVs,
6193
+ buildUnsignedWitness,
5771
6194
  bytes,
5772
6195
  canAccessResource,
5773
6196
  canonicalJson,
5774
6197
  canonicalJsonExcluding,
6198
+ canonicalizeObservation,
5775
6199
  classifyIntent,
5776
6200
  computeReceiptHash,
5777
6201
  computeSignaturePayload,
5778
6202
  core,
6203
+ createObservation,
5779
6204
  crypto,
5780
6205
  decodeArray,
5781
6206
  decodeAxis1Frame,
5782
6207
  decodeFrame,
5783
6208
  decodeObject,
6209
+ decodeQueueMessage,
5784
6210
  decodeTLVs,
5785
6211
  decodeTLVsList,
5786
6212
  decodeVarint,
@@ -5788,13 +6214,17 @@ function toBuffer(value) {
5788
6214
  encVarint,
5789
6215
  encodeAxis1Frame,
5790
6216
  encodeFrame,
6217
+ encodeQueueMessage,
5791
6218
  encodeTLVs,
5792
6219
  encodeVarint,
6220
+ endStage,
5793
6221
  engine,
5794
6222
  extractDtoSchema,
6223
+ finalizeObservation,
5795
6224
  generateEd25519KeyPair,
5796
6225
  getSignTarget,
5797
6226
  hasScope,
6227
+ hashObservation,
5798
6228
  isAdminOpcode,
5799
6229
  isKnownOpcode,
5800
6230
  isTimestampValid,
@@ -5806,7 +6236,10 @@ function toBuffer(value) {
5806
6236
  packPasskeyLoginVerifyReq,
5807
6237
  packPasskeyLoginVerifyRes,
5808
6238
  packPasskeyRegisterOptionsReq,
6239
+ parseAutoClaimEntries,
5809
6240
  parseScope,
6241
+ parseStreamEntries,
6242
+ recordSensor,
5810
6243
  resolveTimeout,
5811
6244
  schemas,
5812
6245
  security,
@@ -5814,6 +6247,8 @@ function toBuffer(value) {
5814
6247
  sensors,
5815
6248
  sha256,
5816
6249
  signFrame,
6250
+ stableJsonStringify,
6251
+ startStage,
5817
6252
  tlv,
5818
6253
  u64be,
5819
6254
  unpackPasskeyLoginOptionsReq,
@@ -5824,6 +6259,7 @@ function toBuffer(value) {
5824
6259
  validateFrameShape,
5825
6260
  varintLength,
5826
6261
  varintU,
5827
- verifyFrameSignature
6262
+ verifyFrameSignature,
6263
+ verifyResponse
5828
6264
  });
5829
6265
  //# sourceMappingURL=index.js.map