@nextera.one/axis-server-sdk 1.4.0 → 1.5.0

package/dist/index.js

@@ -47,14 +47,21 @@ __export(index_exports, {
   AXIS_UPLOAD_SESSION_STORE: () => AXIS_UPLOAD_SESSION_STORE,
   AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
+  AxisContext: () => AxisContext,
+  AxisDemoPubkey: () => AxisDemoPubkey,
+  AxisError: () => AxisError,
   AxisFilesDownloadHandler: () => AxisFilesDownloadHandler,
   AxisFilesFinalizeHandler: () => AxisFilesFinalizeHandler,
   AxisFrameZ: () => AxisFrameZ,
   AxisIdDto: () => AxisIdDto,
+  AxisIp: () => AxisIp,
   AxisPacketTags: () => T,
   AxisPartialType: () => AxisPartialType,
+  AxisRaw: () => AxisRaw,
   AxisResponseDto: () => AxisResponseDto,
+  AxisSensorChainService: () => AxisSensorChainService,
   AxisTlvDto: () => AxisTlvDto,
+  BAND: () => BAND,
   BodyProfile: () => import_axis_protocol2.BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
   ContractViolationError: () => ContractViolationError,
@@ -72,7 +79,10 @@ __export(index_exports, {
   FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
+  HANDLER_SENSORS_KEY: () => HANDLER_SENSORS_KEY,
   Handler: () => Handler,
+  HandlerDiscoveryService: () => HandlerDiscoveryService,
+  HandlerSensors: () => HandlerSensors,
   INTENT_BODY_KEY: () => INTENT_BODY_KEY,
   INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
@@ -99,6 +109,7 @@ __export(index_exports, {
   NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
   NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
   NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
   PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
@@ -113,11 +124,15 @@ __export(index_exports, {
   RESPONSE_TAG_UPDATED_AT: () => RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY: () => RESPONSE_TAG_UPDATED_BY,
   RiskDecision: () => RiskDecision,
+  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
+  Sensor: () => Sensor,
   SensorDecisions: () => SensorDecisions,
+  SensorDiscoveryService: () => SensorDiscoveryService,
+  SensorRegistry: () => SensorRegistry,
   TLV: () => import_axis_protocol.TLV,
   TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
   TLV_AUD: () => import_axis_protocol2.TLV_AUD,
@@ -179,6 +194,7 @@ __export(index_exports, {
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
   core: () => core_exports,
+  createObservation: () => createObservation,
   crypto: () => crypto_exports,
   decodeArray: () => import_axis_protocol.decodeArray,
   decodeAxis1Frame: () => decodeAxis1Frame,
@@ -195,8 +211,10 @@ __export(index_exports, {
   encodeQueueMessage: () => encodeQueueMessage,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
+  endStage: () => endStage,
   engine: () => engine_exports,
   extractDtoSchema: () => extractDtoSchema,
+  finalizeObservation: () => finalizeObservation,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
@@ -215,6 +233,7 @@ __export(index_exports, {
   parseAutoClaimEntries: () => parseAutoClaimEntries,
   parseScope: () => parseScope,
   parseStreamEntries: () => parseStreamEntries,
+  recordSensor: () => recordSensor,
   resolveTimeout: () => resolveTimeout,
   schemas: () => schemas_exports,
   security: () => security_exports,
@@ -223,6 +242,7 @@ __export(index_exports, {
   sha256: () => sha256,
   signFrame: () => signFrame,
   stableJsonStringify: () => stableJsonStringify,
+  startStage: () => startStage,
   tlv: () => tlv,
   u64be: () => u64be,
   unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
@@ -293,8 +313,24 @@ function IntentSensors(sensors) {
   };
 }
 
-// src/decorators/tlv-field.decorator.ts
+// src/decorators/handler-sensors.decorator.ts
 var import_reflect_metadata4 = require("reflect-metadata");
+var HANDLER_SENSORS_KEY = "axis:handler:sensors";
+function HandlerSensors(sensors) {
+  return (target) => {
+    Reflect.defineMetadata(HANDLER_SENSORS_KEY, sensors, target);
+  };
+}
+
+// src/decorators/sensor.decorator.ts
+var import_common2 = require("@nestjs/common");
+var SENSOR_METADATA_KEY = "axis:sensor";
+function Sensor(options) {
+  return (0, import_common2.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
+}
+
+// src/decorators/tlv-field.decorator.ts
+var import_reflect_metadata5 = require("reflect-metadata");
 var TLV_FIELDS_KEY = "axis:tlv:fields";
 var TLV_VALIDATORS_KEY = "axis:tlv:validators";
 function TlvField(tag, options) {
@@ -352,7 +388,7 @@ function TlvRange(min, max, message) {
 }
 
 // src/decorators/dto-schema.util.ts
-var import_reflect_metadata5 = require("reflect-metadata");
+var import_reflect_metadata6 = require("reflect-metadata");
 
 // src/core/tlv.ts
 var import_axis_protocol = require("@nextera.one/axis-protocol");
@@ -453,7 +489,7 @@ __decorateClass([
 ], AxisIdDto.prototype, "id", 2);
 
 // src/base/axis-partial-type.ts
-var import_reflect_metadata6 = require("reflect-metadata");
+var import_reflect_metadata7 = require("reflect-metadata");
 function AxisPartialType(BaseDto) {
   class PartialDto extends BaseDto {
   }
@@ -499,7 +535,7 @@ __decorateClass([
 ], AxisResponseDto.prototype, "updated_by", 2);
 
 // src/engine/intent.router.ts
-var import_common2 = require("@nestjs/common");
+var import_common3 = require("@nestjs/common");
 
 // src/sensor/axis-sensor.ts
 var Decision = /* @__PURE__ */ ((Decision2) => {
@@ -604,7 +640,7 @@ var SensorDecisions = {
 var IntentRouter = class {
   constructor(moduleRef) {
     this.moduleRef = moduleRef;
-    this.logger = new import_common2.Logger(IntentRouter.name);
+    this.logger = new import_common3.Logger(IntentRouter.name);
     /** Internal registry of dynamic intent handlers */
     this.handlers = /* @__PURE__ */ new Map();
     /** Per-intent sensor classes (resolved at call time) */
@@ -666,6 +702,7 @@ var IntentRouter = class {
     );
     const prefix = handlerMeta?.intent || instance.name;
     const routes = Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) || [];
+    const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) || [];
     for (const route of routes) {
       const intentName = route.absolute ? route.action : `${prefix}.${route.action}`;
       const fn = instance[route.methodName].bind(instance);
@@ -674,7 +711,12 @@ var IntentRouter = class {
       } else {
         this.register(intentName, fn);
       }
-      this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));
+      this.registerIntentMeta(
+        intentName,
+        Object.getPrototypeOf(instance),
+        String(route.methodName),
+        handlerSensors
+      );
     }
     const proto = Object.getPrototypeOf(instance);
     for (const key of Object.getOwnPropertyNames(proto)) {
@@ -683,7 +725,7 @@ var IntentRouter = class {
       if (!this.handlers.has(meta.intent)) {
         this.register(meta.intent, instance[key].bind(instance));
       }
-      this.registerIntentMeta(meta.intent, proto, key);
+      this.registerIntentMeta(meta.intent, proto, key, handlerSensors);
     }
   }
   /**
@@ -819,14 +861,22 @@ var IntentRouter = class {
       this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);
     }
   }
-  registerIntentMeta(intent, proto, methodName) {
+  registerIntentMeta(intent, proto, methodName, handlerSensors) {
     const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);
     if (decoder) {
       this.intentDecoders.set(intent, decoder);
     }
-    const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);
-    if (sensors && Array.isArray(sensors) && sensors.length > 0) {
-      this.intentSensors.set(intent, sensors);
+    const intentSensors = Reflect.getMetadata(
+      INTENT_SENSORS_KEY,
+      proto,
+      methodName
+    );
+    const combined = [
+      ...handlerSensors || [],
+      ...Array.isArray(intentSensors) ? intentSensors : []
+    ];
+    if (combined.length > 0) {
+      this.intentSensors.set(intent, combined);
     }
     const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);
     if (meta) {
@@ -925,10 +975,27 @@ IntentRouter.BUILTIN_INTENTS = /* @__PURE__ */ new Set([
   "axis.intent.exec"
 ]);
 IntentRouter = __decorateClass([
-  (0, import_common2.Injectable)(),
-  __decorateParam(0, (0, import_common2.Optional)())
+  (0, import_common3.Injectable)(),
+  __decorateParam(0, (0, import_common3.Optional)())
 ], IntentRouter);
 
+// src/engine/sensor-bands.ts
+var BAND = {
+  /** Pre-decode: raw byte validation, geo, budget, magic */
+  WIRE: 0,
+  /** Post-decode: identity resolution, capsule, proof */
+  IDENTITY: 40,
+  /** Post-decode: authorization, signature, rate limiting */
+  POLICY: 90,
+  /** Post-decode: content validation, TLV, schema, files */
+  CONTENT: 140,
+  /** Post-decode: business logic sensors, streams, WS */
+  BUSINESS: 200,
+  /** Post-decode: audit, logging (always last) */
+  AUDIT: 900
+};
+var PRE_DECODE_BOUNDARY = 40;
+
 // src/engine/observation/stable-json.ts
 function normalize(value) {
   if (Array.isArray(value)) {
@@ -2805,7 +2872,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
 }
 
 // src/upload/axis-files.handlers.ts
-var import_common3 = require("@nestjs/common");
+var import_common4 = require("@nestjs/common");
 var crypto2 = __toESM(require("crypto"));
 
 // src/upload/upload.tokens.ts
@@ -2818,7 +2885,7 @@ var AxisFilesDownloadHandler = class {
   constructor(sessions, files) {
     this.sessions = sessions;
     this.files = files;
-    this.logger = new import_common3.Logger(AxisFilesDownloadHandler.name);
+    this.logger = new import_common4.Logger(AxisFilesDownloadHandler.name);
     this.name = "axis.files.download";
     this.open = true;
     this.description = "File download handler";
@@ -2883,16 +2950,16 @@ __decorateClass([
 ], AxisFilesDownloadHandler.prototype, "execute", 1);
 AxisFilesDownloadHandler = __decorateClass([
   Handler("axis.files.download"),
-  (0, import_common3.Injectable)(),
-  __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
-  __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE))
+  (0, import_common4.Injectable)(),
+  __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE))
 ], AxisFilesDownloadHandler);
 var AxisFilesFinalizeHandler = class {
   constructor(sessions, files, keyring) {
     this.sessions = sessions;
     this.files = files;
     this.keyring = keyring;
-    this.logger = new import_common3.Logger(AxisFilesFinalizeHandler.name);
+    this.logger = new import_common4.Logger(AxisFilesFinalizeHandler.name);
     this.name = "axis.files.finalize";
     this.open = false;
     this.description = "File upload finalization handler";
@@ -2968,11 +3035,11 @@ __decorateClass([
 ], AxisFilesFinalizeHandler.prototype, "execute", 1);
 AxisFilesFinalizeHandler = __decorateClass([
   Handler("axis.files.finalize"),
-  (0, import_common3.Injectable)(),
-  __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
-  __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE)),
-  __decorateParam(2, (0, import_common3.Optional)()),
-  __decorateParam(2, (0, import_common3.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
+  (0, import_common4.Injectable)(),
+  __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE)),
+  __decorateParam(2, (0, import_common4.Optional)()),
+  __decorateParam(2, (0, import_common4.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
 ], AxisFilesFinalizeHandler);
 
 // src/upload/disk-upload-file.store.ts
@@ -3031,92 +3098,54 @@ var DiskUploadFileStore = class {
   }
 };
 
-// src/core/index.ts
-var core_exports = {};
-__export(core_exports, {
-  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
-  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
-  AxisError: () => AxisError,
-  AxisFrameZ: () => AxisFrameZ,
-  BodyProfile: () => import_axis_protocol2.BodyProfile,
-  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
-  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
-  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
-  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
-  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
-  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
-  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
-  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
-  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
-  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
-  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
-  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
-  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
-  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
-  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
-  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
-  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
-  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
-  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
-  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
-  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
-  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
-  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
-  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
-  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
-  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
-  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
-  ProofType: () => import_axis_protocol2.ProofType,
-  TLV: () => import_axis_protocol.TLV,
-  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
-  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
-  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
-  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
-  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
-  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
-  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
-  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
-  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
-  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
-  TLV_KID: () => import_axis_protocol2.TLV_KID,
-  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
-  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
-  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
-  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
-  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
-  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
-  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
-  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
-  TLV_OK: () => import_axis_protocol2.TLV_OK,
-  TLV_PID: () => import_axis_protocol2.TLV_PID,
-  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
-  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
-  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
-  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
-  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
-  TLV_RID: () => import_axis_protocol2.TLV_RID,
-  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
-  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
-  TLV_TS: () => import_axis_protocol2.TLV_TS,
-  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
-  computeReceiptHash: () => computeReceiptHash,
-  computeSignaturePayload: () => computeSignaturePayload,
-  decodeArray: () => import_axis_protocol.decodeArray,
-  decodeFrame: () => decodeFrame,
-  decodeObject: () => import_axis_protocol.decodeObject,
-  decodeTLVs: () => import_axis_protocol.decodeTLVs,
-  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
-  decodeVarint: () => import_axis_protocol3.decodeVarint,
-  encodeFrame: () => encodeFrame,
-  encodeTLVs: () => import_axis_protocol.encodeTLVs,
-  encodeVarint: () => import_axis_protocol3.encodeVarint,
-  generateEd25519KeyPair: () => generateEd25519KeyPair,
-  getSignTarget: () => getSignTarget,
-  sha256: () => sha256,
-  signFrame: () => signFrame,
-  varintLength: () => import_axis_protocol3.varintLength,
-  verifyFrameSignature: () => verifyFrameSignature
-});
+// src/decorators/axis-request.decorator.ts
+var import_common5 = require("@nestjs/common");
+function resolveIp(req) {
+  return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
+}
+var AxisRaw = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return req.body;
+  }
+);
+var AxisIp = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return resolveIp(req);
+  }
+);
+var AxisContext = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const axisData = req.axis || {};
+    return {
+      raw: req.body,
+      ip: resolveIp(req),
+      preDecodeInput: axisData.preDecodeInput,
+      frameBytesCount: axisData.frameBytesCount || 0
+    };
+  }
+);
+var AxisDemoPubkey = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    if (process.env.NODE_ENV !== "development") return void 0;
+    const req = ctx.switchToHttp().getRequest();
+    return req.headers["x-demo-pubkey"];
+  }
+);
+var AxisFrame3 = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const decoded = req.axisDecoded;
+    if (!decoded) {
+      throw new Error(
+        "@AxisFrame() requires AxisDecodeInterceptor on the route. Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator."
+      );
+    }
+    return decoded;
+  }
+);
 
 // src/core/axis-error.ts
 var AxisError = class extends Error {
@@ -3129,342 +3158,240 @@ var AxisError = class extends Error {
   }
 };
 
-// src/crypto/index.ts
-var crypto_exports = {};
-__export(crypto_exports, {
-  ProofVerificationService: () => ProofVerificationService,
-  b64urlDecode: () => b64urlDecode,
-  b64urlDecodeString: () => b64urlDecodeString,
-  b64urlEncode: () => b64urlEncode,
-  b64urlEncodeString: () => b64urlEncodeString,
-  canonicalJson: () => canonicalJson,
-  canonicalJsonExcluding: () => canonicalJsonExcluding
-});
-
-// src/crypto/proof-verification.service.ts
-var import_common4 = require("@nestjs/common");
-var crypto3 = __toESM(require("crypto"));
-var nacl = __toESM(require("tweetnacl"));
-var ProofVerificationService = class {
-  constructor() {
-    this.logger = new import_common4.Logger(ProofVerificationService.name);
-    // Cache of registered device public keys (deviceId -> pubKey)
-    this.deviceKeys = /* @__PURE__ */ new Map();
-    // Cache of trusted mTLS certificate fingerprints
-    this.trustedCerts = /* @__PURE__ */ new Map();
+// src/engine/handler-discovery.service.ts
+var import_common6 = require("@nestjs/common");
+var HandlerDiscoveryService = class {
+  constructor(discovery, scanner, router) {
+    this.discovery = discovery;
+    this.scanner = scanner;
+    this.router = router;
+    this.logger = new import_common6.Logger(HandlerDiscoveryService.name);
   }
-  /**
-   * Verifies an authentication proof based on its type.
-   *
-   * **Supported Types:**
-   * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
-   * - 2 (JWT): Verified by `verifyJWTProof`
-   * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
-   * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
-   *
-   * @param {ProofType} proofType - The numeric AXIS proof type
-   * @param {Uint8Array} proofRef - The binary reference or token for the proof
-   * @param {Object} context - Additional metadata required for specific proof types
-   * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
-   * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
-   * @param {MTLSContext} [context.mtls] - mTLS certificate data
-   * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
-   * @returns {Promise<ProofVerificationResult>} The outcome of the verification
-   */
-  async verifyProof(proofType, proofRef, context) {
-    switch (proofType) {
-      case 1:
-        return this.verifyCapsuleProof(proofRef);
-      case 2:
-        return this.verifyJWTProof(proofRef);
-      case 3:
-        return this.verifyMTLSProof(context.mtls);
-      case 4:
-        return this.verifyDeviceSEProof(
-          context.signTarget,
-          context.signature,
-          context.deviceSE
-        );
-      default:
-        return { valid: false, error: `Unknown proof type: ${proofType}` };
+  onModuleInit() {
+    const providers = this.discovery.getProviders();
+    let totalIntents = 0;
+    for (const wrapper of providers) {
+      const { instance, metatype } = wrapper;
+      if (!instance || !metatype) continue;
+      const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);
+      if (!handlerMeta) continue;
+      const handlerName = handlerMeta.intent || metatype.name;
+      const proto = Object.getPrototypeOf(instance);
+      const methods = this.scanner.getAllMethodNames(proto);
+      let registered = 0;
+      const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, metatype) || [];
+      for (const methodName of methods) {
+        const meta = Reflect.getMetadata(
+          INTENT_METADATA_KEY,
+          proto,
+          methodName
+        );
+        if (!meta?.intent) continue;
+        if (!this.router.has(meta.intent)) {
+          this.router.register(
+            meta.intent,
+            instance[methodName].bind(instance)
+          );
+          registered++;
+          totalIntents++;
+        }
+        this.router.registerIntentMeta(
+          meta.intent,
+          proto,
+          methodName,
+          handlerSensors
+        );
+      }
+      if (registered > 0) {
+        this.logger.log(
+          `Auto-registered ${registered} intents from ${handlerName}`
+        );
+      }
     }
+    this.logger.log(
+      `Handler discovery complete: ${totalIntents} intents auto-registered`
+    );
   }
-  /**
-   * Verify CAPSULE proof (delegated to CapsuleService)
-   */
-  async verifyCapsuleProof(proofRef) {
-    const capsuleId = new TextDecoder().decode(proofRef);
-    return {
-      valid: true,
-      metadata: { capsuleId, requiresCapsuleValidation: true }
-    };
+};
+HandlerDiscoveryService = __decorateClass([
+  (0, import_common6.Injectable)()
+], HandlerDiscoveryService);
+
+// src/engine/sensor-discovery.service.ts
+var import_common7 = require("@nestjs/common");
+var SensorDiscoveryService = class {
+  constructor(discovery, reflector, registry) {
+    this.discovery = discovery;
+    this.reflector = reflector;
+    this.registry = registry;
+    this.logger = new import_common7.Logger(SensorDiscoveryService.name);
   }
-  /**
-   * Verifies a JSON Web Token (JWT) proof.
-   *
-   * **Validation Logic:**
-   * 1. Decodes the token string.
-   * 2. Checks for valid 3-part JWT structure.
-   * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
-   * 4. Extracts `actor_id` or `sub` as the identity.
-   *
-   * @param {Uint8Array} proofRef - Binary representation of the JWT string
-   * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
-   */
-  async verifyJWTProof(proofRef) {
-    try {
-      const token = new TextDecoder().decode(proofRef);
-      const parts = token.split(".");
-      if (parts.length !== 3) {
-        return { valid: false, error: "Invalid JWT format" };
-      }
-      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
-      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
-      if (payload.exp && Date.now() / 1e3 > payload.exp) {
-        return { valid: false, error: "JWT expired" };
+  onApplicationBootstrap() {
+    const providers = this.discovery.getProviders();
+    let count = 0;
+    for (const wrapper of providers) {
+      const { instance } = wrapper;
+      if (!instance || !instance.constructor) continue;
+      const meta = this.reflector.get(
+        SENSOR_METADATA_KEY,
+        instance.constructor
+      );
+      if (!meta) continue;
+      const sensor = instance;
+      if (!sensor.name || sensor.order === void 0) {
+        this.logger.warn(
+          `@Sensor() on ${instance.constructor.name} missing name or order \u2014 skipped`
+        );
+        continue;
       }
-      if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
-        return { valid: false, error: "JWT not yet valid" };
+      if (!sensor.phase) {
+        const decoratorPhase = meta !== true ? meta.phase : void 0;
+        sensor.phase = decoratorPhase ?? (sensor.order < PRE_DECODE_BOUNDARY ? "PRE_DECODE" : "POST_DECODE");
       }
-      return {
-        valid: true,
-        actorId: payload.sub || payload.actor_id,
-        metadata: { iss: payload.iss, scope: payload.scope }
-      };
-    } catch (e) {
-      const message = e instanceof Error ? e.message : "Unknown error";
-      return { valid: false, error: `JWT parse error: ${message}` };
+      this.registry.register(sensor);
+      count++;
     }
+    this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);
+  }
+};
+SensorDiscoveryService = __decorateClass([
+  (0, import_common7.Injectable)()
+], SensorDiscoveryService);
+
+// src/engine/registry/sensor.registry.ts
+var import_common8 = require("@nestjs/common");
+var SensorRegistry = class {
+  constructor(configService) {
+    this.configService = configService;
+    this.sensors = [];
+    this.logger = new import_common8.Logger(SensorRegistry.name);
   }
   /**
-   * Verify mTLS client certificate proof
+   * Registers a new sensor in the registry.
+   *
+   * Validates that:
+   * - AxisSensor has a unique name
+   * - AxisSensor has an order field
+   * - Pre-decode sensors have order < 40
+   * - Post-decode sensors have order >= 40
+   *
+   * @param {AxisSensor} sensor - The sensor instance to register
+   * @throws Error if validation fails
    */
-  async verifyMTLSProof(mtls) {
-    if (!mtls) {
-      return { valid: false, error: "No mTLS context provided" };
-    }
-    if (!mtls.verified) {
-      return { valid: false, error: "mTLS not verified by TLS terminator" };
-    }
-    if (mtls.clientCertFingerprint) {
-      const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
-      if (trusted) {
-        return {
-          valid: true,
-          actorId: trusted.actorId,
-          metadata: {
-            fingerprint: mtls.clientCertFingerprint,
-            subject: mtls.clientCertSubject
-          }
-        };
-      }
+  register(sensor) {
+    if (!sensor.name) {
+      throw new Error("AxisSensor must have a name");
     }
-    if (mtls.clientCertSubject) {
-      const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
-      if (cnMatch) {
-        return {
-          valid: true,
-          actorId: cnMatch[1],
-          metadata: {
-            subject: mtls.clientCertSubject,
-            issuer: mtls.clientCertIssuer
-          }
-        };
-      }
+    const enabledSensorsStr = this.configService.get("ENABLED_SENSORS");
+    const disabledSensorsStr = this.configService.get("DISABLED_SENSORS");
+    const enabledSensors = enabledSensorsStr ? enabledSensorsStr.split(",").map((s) => s.trim()) : null;
+    const disabledSensors = disabledSensorsStr ? disabledSensorsStr.split(",").map((s) => s.trim()) : [];
+    if (enabledSensors && !enabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);
+      return;
     }
-    return { valid: false, error: "Could not extract actor from certificate" };
-  }
-  /**
-   * Verify Device Secure Element signature
-   */
-  async verifyDeviceSEProof(signTarget, signature, deviceSE) {
-    if (!deviceSE || !signTarget || !signature) {
-      return { valid: false, error: "Missing Device SE context" };
+    if (disabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);
+      return;
     }
-    let publicKey = deviceSE.publicKey;
-    const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
-    if (registeredKey) {
-      publicKey = registeredKey;
+    if (sensor.order === void 0) {
+      throw new Error(`AxisSensor "${sensor.name}" must have an order field`);
     }
-    if (!publicKey || publicKey.length !== 32) {
-      return {
-        valid: false,
-        error: "Invalid or unregistered device public key"
-      };
+    const isPreDecodeSensor = this.isPreDecodeSensor(sensor);
+    const isPostDecodeSensor = this.isPostDecodeSensor(sensor);
+    if (isPreDecodeSensor && sensor.order >= 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`
+      );
     }
-    try {
-      const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
-      if (!valid) {
-        return { valid: false, error: "Device signature verification failed" };
-      }
-      return {
-        valid: true,
-        actorId: deviceSE.deviceId,
-        metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
-      };
-    } catch (e) {
-      const message = e instanceof Error ? e.message : "Unknown error";
-      return {
-        valid: false,
-        error: `Signature verification error: ${message}`
-      };
+    if (isPostDecodeSensor && sensor.order < 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
+      );
     }
+    this.sensors.push(sensor);
+    const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
+    this.logger.debug(
+      `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
+    );
   }
   /**
-   * Registers a public key for a trusted device.
-   * This key will be used for future `DEVICE_SE` proof verifications.
+   * Returns all registered sensors, sorted by their execution order.
    *
-   * @param {string} deviceId - Unique identifier for the device
-   * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
-   * @throws {Error} If the public key is not 32 bytes
+   * @returns {AxisSensor[]} A sorted array of sensors
    */
-  registerDeviceKey(deviceId, publicKey) {
-    if (publicKey.length !== 32) {
-      throw new Error("Device public key must be 32 bytes (Ed25519)");
-    }
-    this.deviceKeys.set(deviceId, publicKey);
-    this.logger.log(`Registered device key for ${deviceId}`);
+  list() {
+    return [...this.sensors].sort(
+      (a, b) => (a.order ?? 999) - (b.order ?? 999)
+    );
   }
   /**
-   * Unregister a device
+   * Returns only pre-decode sensors (order < 40).
+   * These sensors run in middleware on raw bytes before frame decoding.
+   *
+   * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
    */
-  unregisterDevice(deviceId) {
-    return this.deviceKeys.delete(deviceId);
-  }
+  getPreDecodeSensors() {
+    return this.list().filter((s) => (s.order ?? 999) < 40);
+  }
   /**
-   * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
+   * Returns only post-decode sensors (order >= 40).
+   * These sensors run in the controller on fully decoded frames.
    *
-   * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
-   * @param {string} actorId - The actor to associate with this certificate
+   * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
    */
-  registerMTLSCert(fingerprint, actorId) {
-    this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
-    this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
+  getPostDecodeSensors() {
+    return this.list().filter(
+      (s) => (s.order ?? 999) >= 40
+    );
   }
   /**
-   * Revoke an mTLS certificate
+   * Helper: Check if a sensor is a pre-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is pre-decode
    */
-  revokeMTLSCert(fingerprint) {
-    return this.trustedCerts.delete(fingerprint);
+  isPreDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
   }
   /**
-   * Calculate certificate fingerprint (SHA-256)
+   * Helper: Check if a sensor is a post-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is post-decode
    */
-  static calculateFingerprint(certPem) {
-    const der = Buffer.from(
-      certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
-      "base64"
-    );
-    return crypto3.createHash("sha256").update(der).digest("hex");
-  }
-};
-ProofVerificationService = __decorateClass([
-  (0, import_common4.Injectable)()
-], ProofVerificationService);
-
-// src/decorators/index.ts
-var decorators_exports = {};
-__export(decorators_exports, {
-  AxisContext: () => AxisContext,
-  AxisDemoPubkey: () => AxisDemoPubkey,
-  AxisFrame: () => AxisFrame3,
-  AxisIp: () => AxisIp,
-  AxisRaw: () => AxisRaw,
-  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
-  Handler: () => Handler,
-  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
-  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
-  INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
-  INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
-  Intent: () => Intent,
-  IntentBody: () => IntentBody,
-  IntentSensors: () => IntentSensors,
-  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
-  Sensor: () => Sensor,
-  TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
-  TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
-  TlvEnum: () => TlvEnum,
-  TlvField: () => TlvField,
-  TlvMinLen: () => TlvMinLen,
-  TlvRange: () => TlvRange,
-  TlvUtf8Pattern: () => TlvUtf8Pattern,
-  TlvValidate: () => TlvValidate,
-  buildDtoDecoder: () => buildDtoDecoder,
-  extractDtoSchema: () => extractDtoSchema
-});
-
-// src/decorators/axis-request.decorator.ts
-var import_common5 = require("@nestjs/common");
-function resolveIp(req) {
-  return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
-}
-var AxisRaw = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    return req.body;
-  }
-);
-var AxisIp = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    return resolveIp(req);
+  isPostDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
   }
-);
-var AxisContext = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    const axisData = req.axis || {};
+  /**
+   * Returns sensor count by phase.
+   * Useful for diagnostics and monitoring.
+   *
+   * @returns {{preDecodeCount: number, postDecodeCount: number}}
+   */
+  getSensorCountByPhase() {
     return {
-      raw: req.body,
-      ip: resolveIp(req),
-      preDecodeInput: axisData.preDecodeInput,
-      frameBytesCount: axisData.frameBytesCount || 0
+      preDecodeCount: this.getPreDecodeSensors().length,
+      postDecodeCount: this.getPostDecodeSensors().length
     };
   }
-);
-var AxisDemoPubkey = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    if (process.env.NODE_ENV !== "development") return void 0;
-    const req = ctx.switchToHttp().getRequest();
-    return req.headers["x-demo-pubkey"];
-  }
-);
-var AxisFrame3 = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    const decoded = req.axisDecoded;
-    if (!decoded) {
-      throw new Error(
-        "@AxisFrame() requires AxisDecodeInterceptor on the route. Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator."
-      );
-    }
-    return decoded;
+  /**
+   * Clears all registered sensors.
+   * Useful for testing.
+   *
+   * @internal
+   */
+  clear() {
+    this.sensors = [];
   }
-);
-
-// src/decorators/sensor.decorator.ts
-var import_common6 = require("@nestjs/common");
-var SENSOR_METADATA_KEY = "axis:sensor";
-function Sensor(options) {
-  return (0, import_common6.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
-}
-
-// src/engine/index.ts
-var engine_exports = {};
-__export(engine_exports, {
-  BAND: () => BAND,
-  HandlerDiscoveryService: () => HandlerDiscoveryService,
-  IntentRouter: () => IntentRouter,
-  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
-  SensorDiscoveryService: () => SensorDiscoveryService,
-  SensorRegistry: () => SensorRegistry,
-  createObservation: () => createObservation,
-  endStage: () => endStage,
-  finalizeObservation: () => finalizeObservation,
-  observation: () => observation_exports,
-  recordSensor: () => recordSensor,
-  startStage: () => startStage
-});
+};
+SensorRegistry = __decorateClass([
+  (0, import_common8.Injectable)()
+], SensorRegistry);
 
 // src/engine/axis-observation.ts
 var import_crypto5 = require("crypto");
@@ -3502,251 +3429,499 @@ function finalizeObservation(obs, decision, statusCode, resultCode) {
   if (resultCode) obs.resultCode = resultCode;
 }
 
-// src/engine/handler-discovery.service.ts
-var import_common7 = require("@nestjs/common");
-var HandlerDiscoveryService = class {
-  constructor(discovery, scanner, router) {
-    this.discovery = discovery;
-    this.scanner = scanner;
-    this.router = router;
-    this.logger = new import_common7.Logger(HandlerDiscoveryService.name);
+// src/security/axis-sensor-chain.service.ts
+var import_common9 = require("@nestjs/common");
+var AxisSensorChainService = class {
+  constructor(registry) {
+    this.registry = registry;
   }
-  onModuleInit() {
-    const providers = this.discovery.getProviders();
-    let totalIntents = 0;
-    for (const wrapper of providers) {
-      const { instance, metatype } = wrapper;
-      if (!instance || !metatype) continue;
-      const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);
-      if (!handlerMeta) continue;
-      const handlerName = handlerMeta.intent || metatype.name;
-      const proto = Object.getPrototypeOf(instance);
-      const methods = this.scanner.getAllMethodNames(proto);
-      let registered = 0;
-      for (const methodName of methods) {
-        const meta = Reflect.getMetadata(
-          INTENT_METADATA_KEY,
-          proto,
-          methodName
-        );
-        if (!meta?.intent) continue;
-        if (!this.router.has(meta.intent)) {
-          this.router.register(
-            meta.intent,
-            instance[methodName].bind(instance)
+  /**
+   * Evaluate all applicable sensors based on phase.
+   */
+  async evaluate(input, phase = "POST_DECODE", baseDecision) {
+    if (phase === "PRE_DECODE") {
+      return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
+    }
+    if (phase === "BOTH") {
+      const rawPreResult = await this.evaluateSensors(
+        this.registry.getPreDecodeSensors(),
+        input
+      );
+      const preResult = normalizeSensorDecision(rawPreResult);
+      if (!preResult.allow) return rawPreResult;
+      return this.evaluateSensors(
+        this.registry.getPostDecodeSensors(),
+        input,
+        rawPreResult
+      );
+    }
+    return this.evaluateSensors(
+      this.registry.getPostDecodeSensors(),
+      input,
+      baseDecision
+    );
+  }
+  /** Run only pre-decode sensors. */
+  async evaluatePre(input) {
+    return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
+  }
+  /** Run only post-decode sensors. */
+  async evaluatePost(input, baseDecision) {
+    return this.evaluateSensors(
+      this.registry.getPostDecodeSensors(),
+      input,
+      baseDecision
+    );
+  }
+  async evaluateSensors(sensors, input, baseDecision) {
+    const relevantSensors = sensors.filter(
+      (s) => !s.supports || s.supports(input)
+    );
+    const normalizedBase = baseDecision ? normalizeSensorDecision(baseDecision) : void 0;
+    let riskScore = normalizedBase?.riskScore ?? 0;
+    const reasons = normalizedBase?.reasons ? [...normalizedBase.reasons] : [];
+    const tags = normalizedBase?.tags ? { ...normalizedBase.tags } : {};
+    let expSecondsMax = normalizedBase?.tighten?.expSecondsMax;
+    let constraintsPatch = normalizedBase?.tighten?.constraintsPatch ? { ...normalizedBase.tighten.constraintsPatch } : {};
+    for (const sensor of relevantSensors) {
+      try {
+        const t0 = Date.now();
+        const rawDecision = await sensor.run(input);
+        const elapsed = Date.now() - t0;
+        const decision = normalizeSensorDecision(rawDecision);
+        const obs = input.metadata?.observation;
+        if (obs) {
+          recordSensor(
+            obs,
+            sensor.name,
+            decision.allow,
+            decision.riskScore,
+            elapsed,
+            decision.reasons,
+            decision.allow ? void 0 : decision.code
           );
-          registered++;
-          totalIntents++;
         }
-        this.router.registerIntentMeta(meta.intent, proto, methodName);
-      }
-      if (registered > 0) {
-        this.logger.log(
-          `Auto-registered ${registered} intents from ${handlerName}`
-        );
+        if (!decision.allow) {
+          return {
+            allow: false,
+            riskScore: Math.min(100, riskScore + decision.riskScore),
+            reasons: [...reasons, ...decision.reasons],
+            tags
+          };
+        }
+        riskScore = Math.min(100, riskScore + decision.riskScore);
+        reasons.push(...decision.reasons);
+        if (decision.tags) {
+          Object.assign(tags, decision.tags);
+        }
+        if (decision.tighten?.expSecondsMax !== void 0) {
+          expSecondsMax = expSecondsMax === void 0 ? decision.tighten.expSecondsMax : Math.min(expSecondsMax, decision.tighten.expSecondsMax);
+        }
+        if (decision.tighten?.constraintsPatch) {
+          constraintsPatch = {
+            ...constraintsPatch,
+            ...decision.tighten.constraintsPatch
+          };
+        }
+      } catch (error) {
+        console.error(`[AXIS][SENSOR] ${sensor.name} failed:`, error);
+        const obs = input.metadata?.observation;
+        if (obs) {
+          recordSensor(obs, sensor.name, false, 100, 0, [
+            `sensor_error:${sensor.name}`
+          ]);
+        }
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`sensor_error:${sensor.name}`]
+        };
       }
     }
-    this.logger.log(
-      `Handler discovery complete: ${totalIntents} intents auto-registered`
-    );
+    const tightenPatch = Object.keys(constraintsPatch).length > 0 ? constraintsPatch : void 0;
+    return {
+      allow: true,
+      riskScore,
+      reasons,
+      tags,
+      tighten: expSecondsMax !== void 0 || tightenPatch ? {
+        expSecondsMax,
+        constraintsPatch: tightenPatch
+      } : void 0
+    };
   }
 };
-HandlerDiscoveryService = __decorateClass([
-  (0, import_common7.Injectable)()
-], HandlerDiscoveryService);
+AxisSensorChainService = __decorateClass([
+  (0, import_common9.Injectable)()
+], AxisSensorChainService);
 
-// src/engine/sensor-bands.ts
-var BAND = {
-  /** Pre-decode: raw byte validation, geo, budget, magic */
-  WIRE: 0,
-  /** Post-decode: identity resolution, capsule, proof */
-  IDENTITY: 40,
-  /** Post-decode: authorization, signature, rate limiting */
-  POLICY: 90,
-  /** Post-decode: content validation, TLV, schema, files */
-  CONTENT: 140,
-  /** Post-decode: business logic sensors, streams, WS */
-  BUSINESS: 200,
-  /** Post-decode: audit, logging (always last) */
-  AUDIT: 900
-};
-var PRE_DECODE_BOUNDARY = 40;
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
+  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
+  AxisError: () => AxisError,
+  AxisFrameZ: () => AxisFrameZ,
+  BodyProfile: () => import_axis_protocol2.BodyProfile,
+  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
+  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
+  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
+  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
+  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
+  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
+  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
+  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
+  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
+  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
+  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
+  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
+  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
+  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
+  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
+  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
+  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
+  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
+  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
+  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
+  ProofType: () => import_axis_protocol2.ProofType,
+  TLV: () => import_axis_protocol.TLV,
+  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
+  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
+  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
+  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
+  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
+  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
+  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
+  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
+  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
+  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
+  TLV_KID: () => import_axis_protocol2.TLV_KID,
+  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
+  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
+  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
+  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
+  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
+  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
+  TLV_OK: () => import_axis_protocol2.TLV_OK,
+  TLV_PID: () => import_axis_protocol2.TLV_PID,
+  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
+  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
+  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
+  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
+  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
+  TLV_RID: () => import_axis_protocol2.TLV_RID,
+  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
+  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
+  TLV_TS: () => import_axis_protocol2.TLV_TS,
+  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
+  computeReceiptHash: () => computeReceiptHash,
+  computeSignaturePayload: () => computeSignaturePayload,
+  decodeArray: () => import_axis_protocol.decodeArray,
+  decodeFrame: () => decodeFrame,
+  decodeObject: () => import_axis_protocol.decodeObject,
+  decodeTLVs: () => import_axis_protocol.decodeTLVs,
+  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
+  decodeVarint: () => import_axis_protocol3.decodeVarint,
+  encodeFrame: () => encodeFrame,
+  encodeTLVs: () => import_axis_protocol.encodeTLVs,
+  encodeVarint: () => import_axis_protocol3.encodeVarint,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getSignTarget: () => getSignTarget,
+  sha256: () => sha256,
+  signFrame: () => signFrame,
+  varintLength: () => import_axis_protocol3.varintLength,
+  verifyFrameSignature: () => verifyFrameSignature
+});
 
-// src/engine/sensor-discovery.service.ts
-var import_common8 = require("@nestjs/common");
-var SensorDiscoveryService = class {
-  constructor(discovery, reflector, registry) {
-    this.discovery = discovery;
-    this.reflector = reflector;
-    this.registry = registry;
-    this.logger = new import_common8.Logger(SensorDiscoveryService.name);
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  ProofVerificationService: () => ProofVerificationService,
+  b64urlDecode: () => b64urlDecode,
+  b64urlDecodeString: () => b64urlDecodeString,
+  b64urlEncode: () => b64urlEncode,
+  b64urlEncodeString: () => b64urlEncodeString,
+  canonicalJson: () => canonicalJson,
+  canonicalJsonExcluding: () => canonicalJsonExcluding
+});
+
+// src/crypto/proof-verification.service.ts
+var import_common10 = require("@nestjs/common");
+var crypto3 = __toESM(require("crypto"));
+var nacl = __toESM(require("tweetnacl"));
+var ProofVerificationService = class {
+  constructor() {
+    this.logger = new import_common10.Logger(ProofVerificationService.name);
+    // Cache of registered device public keys (deviceId -> pubKey)
+    this.deviceKeys = /* @__PURE__ */ new Map();
+    // Cache of trusted mTLS certificate fingerprints
+    this.trustedCerts = /* @__PURE__ */ new Map();
   }
-  onApplicationBootstrap() {
-    const providers = this.discovery.getProviders();
-    let count = 0;
-    for (const wrapper of providers) {
-      const { instance } = wrapper;
-      if (!instance || !instance.constructor) continue;
-      const meta = this.reflector.get(
-        SENSOR_METADATA_KEY,
-        instance.constructor
-      );
-      if (!meta) continue;
-      const sensor = instance;
-      if (!sensor.name || sensor.order === void 0) {
-        this.logger.warn(
-          `@Sensor() on ${instance.constructor.name} missing name or order \u2014 skipped`
+  /**
+   * Verifies an authentication proof based on its type.
+   *
+   * **Supported Types:**
+   * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
+   * - 2 (JWT): Verified by `verifyJWTProof`
+   * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
+   * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
+   *
+   * @param {ProofType} proofType - The numeric AXIS proof type
+   * @param {Uint8Array} proofRef - The binary reference or token for the proof
+   * @param {Object} context - Additional metadata required for specific proof types
+   * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
+   * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
+   * @param {MTLSContext} [context.mtls] - mTLS certificate data
+   * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
+   * @returns {Promise<ProofVerificationResult>} The outcome of the verification
+   */
+  async verifyProof(proofType, proofRef, context) {
+    switch (proofType) {
+      case 1:
+        return this.verifyCapsuleProof(proofRef);
+      case 2:
+        return this.verifyJWTProof(proofRef);
+      case 3:
+        return this.verifyMTLSProof(context.mtls);
+      case 4:
+        return this.verifyDeviceSEProof(
+          context.signTarget,
+          context.signature,
+          context.deviceSE
         );
-        continue;
-      }
-      if (!sensor.phase) {
-        const decoratorPhase = meta !== true ? meta.phase : void 0;
-        sensor.phase = decoratorPhase ?? (sensor.order < PRE_DECODE_BOUNDARY ? "PRE_DECODE" : "POST_DECODE");
-      }
-      this.registry.register(sensor);
-      count++;
+      default:
+        return { valid: false, error: `Unknown proof type: ${proofType}` };
     }
-    this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);
   }
-};
-SensorDiscoveryService = __decorateClass([
-  (0, import_common8.Injectable)()
-], SensorDiscoveryService);
-
-// src/engine/registry/sensor.registry.ts
-var import_common9 = require("@nestjs/common");
-var SensorRegistry = class {
-  constructor(configService) {
-    this.configService = configService;
-    this.sensors = [];
-    this.logger = new import_common9.Logger(SensorRegistry.name);
+  /**
+   * Verify CAPSULE proof (delegated to CapsuleService)
+   */
+  async verifyCapsuleProof(proofRef) {
+    const capsuleId = new TextDecoder().decode(proofRef);
+    return {
+      valid: true,
+      metadata: { capsuleId, requiresCapsuleValidation: true }
+    };
   }
   /**
-   * Registers a new sensor in the registry.
+   * Verifies a JSON Web Token (JWT) proof.
    *
-   * Validates that:
-   * - AxisSensor has a unique name
-   * - AxisSensor has an order field
-   * - Pre-decode sensors have order < 40
-   * - Post-decode sensors have order >= 40
+   * **Validation Logic:**
+   * 1. Decodes the token string.
+   * 2. Checks for valid 3-part JWT structure.
+   * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
+   * 4. Extracts `actor_id` or `sub` as the identity.
    *
-   * @param {AxisSensor} sensor - The sensor instance to register
-   * @throws Error if validation fails
+   * @param {Uint8Array} proofRef - Binary representation of the JWT string
+   * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
    */
-  register(sensor) {
-    if (!sensor.name) {
-      throw new Error("AxisSensor must have a name");
-    }
-    const enabledSensorsStr = this.configService.get("ENABLED_SENSORS");
-    const disabledSensorsStr = this.configService.get("DISABLED_SENSORS");
-    const enabledSensors = enabledSensorsStr ? enabledSensorsStr.split(",").map((s) => s.trim()) : null;
-    const disabledSensors = disabledSensorsStr ? disabledSensorsStr.split(",").map((s) => s.trim()) : [];
-    if (enabledSensors && !enabledSensors.includes(sensor.name)) {
-      this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);
-      return;
-    }
-    if (disabledSensors.includes(sensor.name)) {
-      this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);
-      return;
+  async verifyJWTProof(proofRef) {
+    try {
+      const token = new TextDecoder().decode(proofRef);
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        return { valid: false, error: "Invalid JWT format" };
+      }
+      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (payload.exp && Date.now() / 1e3 > payload.exp) {
+        return { valid: false, error: "JWT expired" };
+      }
+      if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
+        return { valid: false, error: "JWT not yet valid" };
+      }
+      return {
+        valid: true,
+        actorId: payload.sub || payload.actor_id,
+        metadata: { iss: payload.iss, scope: payload.scope }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return { valid: false, error: `JWT parse error: ${message}` };
     }
-    if (sensor.order === void 0) {
-      throw new Error(`AxisSensor "${sensor.name}" must have an order field`);
+  }
+  /**
+   * Verify mTLS client certificate proof
+   */
+  async verifyMTLSProof(mtls) {
+    if (!mtls) {
+      return { valid: false, error: "No mTLS context provided" };
     }
-    const isPreDecodeSensor = this.isPreDecodeSensor(sensor);
-    const isPostDecodeSensor = this.isPostDecodeSensor(sensor);
-    if (isPreDecodeSensor && sensor.order >= 40) {
-      this.logger.warn(
-        `AxisSensor "${sensor.name}" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`
-      );
+    if (!mtls.verified) {
+      return { valid: false, error: "mTLS not verified by TLS terminator" };
     }
-    if (isPostDecodeSensor && sensor.order < 40) {
-      this.logger.warn(
-        `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
-      );
+    if (mtls.clientCertFingerprint) {
+      const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
+      if (trusted) {
+        return {
+          valid: true,
+          actorId: trusted.actorId,
+          metadata: {
+            fingerprint: mtls.clientCertFingerprint,
+            subject: mtls.clientCertSubject
+          }
+        };
+      }
     }
-    this.sensors.push(sensor);
-    const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
-    this.logger.debug(
-      `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
-    );
-  }
-  /**
-   * Returns all registered sensors, sorted by their execution order.
-   *
-   * @returns {AxisSensor[]} A sorted array of sensors
-   */
-  list() {
-    return [...this.sensors].sort(
-      (a, b) => (a.order ?? 999) - (b.order ?? 999)
-    );
+    if (mtls.clientCertSubject) {
+      const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
+      if (cnMatch) {
+        return {
+          valid: true,
+          actorId: cnMatch[1],
+          metadata: {
+            subject: mtls.clientCertSubject,
+            issuer: mtls.clientCertIssuer
+          }
+        };
+      }
+    }
+    return { valid: false, error: "Could not extract actor from certificate" };
   }
   /**
-   * Returns only pre-decode sensors (order < 40).
-   * These sensors run in middleware on raw bytes before frame decoding.
-   *
-   * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
+   * Verify Device Secure Element signature
    */
-  getPreDecodeSensors() {
-    return this.list().filter((s) => (s.order ?? 999) < 40);
+  async verifyDeviceSEProof(signTarget, signature, deviceSE) {
+    if (!deviceSE || !signTarget || !signature) {
+      return { valid: false, error: "Missing Device SE context" };
+    }
+    let publicKey = deviceSE.publicKey;
+    const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
+    if (registeredKey) {
+      publicKey = registeredKey;
+    }
+    if (!publicKey || publicKey.length !== 32) {
+      return {
+        valid: false,
+        error: "Invalid or unregistered device public key"
+      };
+    }
+    try {
+      const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
+      if (!valid) {
+        return { valid: false, error: "Device signature verification failed" };
+      }
+      return {
+        valid: true,
+        actorId: deviceSE.deviceId,
+        metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return {
+        valid: false,
+        error: `Signature verification error: ${message}`
+      };
+    }
   }
   /**
-   * Returns only post-decode sensors (order >= 40).
-   * These sensors run in the controller on fully decoded frames.
+   * Registers a public key for a trusted device.
+   * This key will be used for future `DEVICE_SE` proof verifications.
    *
-   * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
+   * @param {string} deviceId - Unique identifier for the device
+   * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
+   * @throws {Error} If the public key is not 32 bytes
    */
-  getPostDecodeSensors() {
-    return this.list().filter(
-      (s) => (s.order ?? 999) >= 40
-    );
+  registerDeviceKey(deviceId, publicKey) {
+    if (publicKey.length !== 32) {
+      throw new Error("Device public key must be 32 bytes (Ed25519)");
+    }
+    this.deviceKeys.set(deviceId, publicKey);
+    this.logger.log(`Registered device key for ${deviceId}`);
   }
   /**
-   * Helper: Check if a sensor is a pre-decode sensor.
-   *
-   * @private
-   * @param {AxisSensor} sensor - The sensor to check
-   * @returns {boolean} True if sensor is pre-decode
+   * Unregister a device
    */
-  isPreDecodeSensor(sensor) {
-    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
-    return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
+  unregisterDevice(deviceId) {
+    return this.deviceKeys.delete(deviceId);
   }
   /**
-   * Helper: Check if a sensor is a post-decode sensor.
+   * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
    *
-   * @private
-   * @param {AxisSensor} sensor - The sensor to check
-   * @returns {boolean} True if sensor is post-decode
+   * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
+   * @param {string} actorId - The actor to associate with this certificate
    */
-  isPostDecodeSensor(sensor) {
-    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
-    return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
+  registerMTLSCert(fingerprint, actorId) {
+    this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
+    this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
   }
   /**
-   * Returns sensor count by phase.
-   * Useful for diagnostics and monitoring.
-   *
-   * @returns {{preDecodeCount: number, postDecodeCount: number}}
+   * Revoke an mTLS certificate
    */
-  getSensorCountByPhase() {
-    return {
-      preDecodeCount: this.getPreDecodeSensors().length,
-      postDecodeCount: this.getPostDecodeSensors().length
-    };
+  revokeMTLSCert(fingerprint) {
+    return this.trustedCerts.delete(fingerprint);
   }
   /**
-   * Clears all registered sensors.
-   * Useful for testing.
-   *
-   * @internal
+   * Calculate certificate fingerprint (SHA-256)
    */
-  clear() {
-    this.sensors = [];
+  static calculateFingerprint(certPem) {
+    const der = Buffer.from(
+      certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
+      "base64"
+    );
+    return crypto3.createHash("sha256").update(der).digest("hex");
   }
 };
-SensorRegistry = __decorateClass([
-  (0, import_common9.Injectable)()
-], SensorRegistry);
+ProofVerificationService = __decorateClass([
+  (0, import_common10.Injectable)()
+], ProofVerificationService);
+
+// src/decorators/index.ts
+var decorators_exports = {};
+__export(decorators_exports, {
+  AxisContext: () => AxisContext,
+  AxisDemoPubkey: () => AxisDemoPubkey,
+  AxisFrame: () => AxisFrame3,
+  AxisIp: () => AxisIp,
+  AxisRaw: () => AxisRaw,
+  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
+  Handler: () => Handler,
+  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
+  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
+  INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
+  INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
+  Intent: () => Intent,
+  IntentBody: () => IntentBody,
+  IntentSensors: () => IntentSensors,
+  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
+  Sensor: () => Sensor,
+  TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
+  TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
+  TlvEnum: () => TlvEnum,
+  TlvField: () => TlvField,
+  TlvMinLen: () => TlvMinLen,
+  TlvRange: () => TlvRange,
+  TlvUtf8Pattern: () => TlvUtf8Pattern,
+  TlvValidate: () => TlvValidate,
+  buildDtoDecoder: () => buildDtoDecoder,
+  extractDtoSchema: () => extractDtoSchema
+});
+
+// src/engine/index.ts
+var engine_exports = {};
+__export(engine_exports, {
+  BAND: () => BAND,
+  HandlerDiscoveryService: () => HandlerDiscoveryService,
+  IntentRouter: () => IntentRouter,
+  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
+  SensorDiscoveryService: () => SensorDiscoveryService,
+  SensorRegistry: () => SensorRegistry,
+  createObservation: () => createObservation,
+  endStage: () => endStage,
+  finalizeObservation: () => finalizeObservation,
+  observation: () => observation_exports,
+  recordSensor: () => recordSensor,
+  startStage: () => startStage
+});
 
 // src/engine/observation/index.ts
 var observation_exports = {};
@@ -4131,7 +4306,7 @@ var AxisErrorZ = z2.object({
 });
 
 // src/schemas/body-profile.validator.ts
-var import_common10 = require("@nestjs/common");
+var import_common11 = require("@nestjs/common");
 var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
   BodyProfile3[BodyProfile3["RAW"] = 0] = "RAW";
   BodyProfile3[BodyProfile3["TLV_MAP"] = 1] = "TLV_MAP";
@@ -4141,7 +4316,7 @@ var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
 })(BodyProfile2 || {});
 var BodyProfileValidator = class {
   constructor() {
-    this.logger = new import_common10.Logger(BodyProfileValidator.name);
+    this.logger = new import_common11.Logger(BodyProfileValidator.name);
   }
   /**
    * Validate body matches declared profile
@@ -4257,12 +4432,13 @@ var BodyProfileValidator = class {
   }
 };
 BodyProfileValidator = __decorateClass([
-  (0, import_common10.Injectable)()
+  (0, import_common11.Injectable)()
 ], BodyProfileValidator);
 
 // src/security/index.ts
 var security_exports = {};
 __export(security_exports, {
+  AxisSensorChainService: () => AxisSensorChainService,
   CAPABILITIES: () => CAPABILITIES,
   INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
@@ -4295,7 +4471,7 @@ __export(sensors_exports, {
 });
 
 // src/sensors/access-profile-resolver.sensor.ts
-var import_common11 = require("@nestjs/common");
+var import_common12 = require("@nestjs/common");
 var AccessProfileResolverSensor = class {
   constructor() {
     /** AxisSensor identifier */
@@ -4321,11 +4497,11 @@ var AccessProfileResolverSensor = class {
 };
 AccessProfileResolverSensor = __decorateClass([
   Sensor(),
-  (0, import_common11.Injectable)()
+  (0, import_common12.Injectable)()
 ], AccessProfileResolverSensor);
 
 // src/sensors/body-budget.sensor.ts
-var import_common12 = require("@nestjs/common");
+var import_common13 = require("@nestjs/common");
 var BodyBudgetSensor = class {
   constructor() {
     /** AxisSensor identifier */
@@ -4399,14 +4575,14 @@ var BodyBudgetSensor = class {
 };
 BodyBudgetSensor = __decorateClass([
   Sensor(),
-  (0, import_common12.Injectable)()
+  (0, import_common13.Injectable)()
 ], BodyBudgetSensor);
 
 // src/sensors/capability-enforcement.sensor.ts
-var import_common13 = require("@nestjs/common");
+var import_common14 = require("@nestjs/common");
 var CapabilityEnforcementSensor = class {
   constructor() {
-    this.logger = new import_common13.Logger(CapabilityEnforcementSensor.name);
+    this.logger = new import_common14.Logger(CapabilityEnforcementSensor.name);
     /** AxisSensor identifier for logging and registry */
     this.name = "CapabilityEnforcementSensor";
     /**
@@ -4500,11 +4676,11 @@ var CapabilityEnforcementSensor = class {
 };
 CapabilityEnforcementSensor = __decorateClass([
   Sensor(),
-  (0, import_common13.Injectable)()
+  (0, import_common14.Injectable)()
 ], CapabilityEnforcementSensor);
 
 // src/sensors/chunk-hash.sensor.ts
-var import_common14 = require("@nestjs/common");
+var import_common15 = require("@nestjs/common");
 var import_crypto6 = require("crypto");
 var ChunkHashSensor = class {
   constructor() {
@@ -4577,15 +4753,15 @@ var ChunkHashSensor = class {
 };
 ChunkHashSensor = __decorateClass([
   Sensor(),
-  (0, import_common14.Injectable)()
+  (0, import_common15.Injectable)()
 ], ChunkHashSensor);
 
 // src/sensors/entropy.sensor.ts
-var import_common15 = require("@nestjs/common");
+var import_common16 = require("@nestjs/common");
 var crypto4 = __toESM(require("crypto"));
 var EntropySensor = class {
   constructor() {
-    this.logger = new import_common15.Logger(EntropySensor.name);
+    this.logger = new import_common16.Logger(EntropySensor.name);
     /**
      * Minimum acceptable entropy in bits per byte.
      *
@@ -4755,14 +4931,14 @@ var EntropySensor = class {
 };
 EntropySensor = __decorateClass([
   Sensor(),
-  (0, import_common15.Injectable)()
+  (0, import_common16.Injectable)()
 ], EntropySensor);
 
 // src/sensors/execution-timeout.sensor.ts
-var import_common16 = require("@nestjs/common");
+var import_common17 = require("@nestjs/common");
 var ExecutionTimeoutSensor = class {
   constructor() {
-    this.logger = new import_common16.Logger(ExecutionTimeoutSensor.name);
+    this.logger = new import_common17.Logger(ExecutionTimeoutSensor.name);
     /** AxisSensor identifier */
     this.name = "ExecutionTimeoutSensor";
     /**
@@ -4840,11 +5016,11 @@ var ExecutionTimeoutSensor = class {
 };
 ExecutionTimeoutSensor = __decorateClass([
   Sensor(),
-  (0, import_common16.Injectable)()
+  (0, import_common17.Injectable)()
 ], ExecutionTimeoutSensor);
 
 // src/sensors/frame-budget.sensor.ts
-var import_common17 = require("@nestjs/common");
+var import_common18 = require("@nestjs/common");
 var FrameBudgetSensor = class {
   constructor(config) {
     this.config = config;
@@ -4903,11 +5079,11 @@ var FrameBudgetSensor = class {
 };
 FrameBudgetSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common17.Injectable)()
+  (0, import_common18.Injectable)()
 ], FrameBudgetSensor);
 
 // src/sensors/frame-header-sanity.sensor.ts
-var import_common18 = require("@nestjs/common");
+var import_common19 = require("@nestjs/common");
 var FrameHeaderSanitySensor = class {
   constructor() {
     this.name = "FrameHeaderSanitySensor";
@@ -4951,12 +5127,12 @@ var FrameHeaderSanitySensor = class {
   }
 };
 FrameHeaderSanitySensor = __decorateClass([
-  (0, import_common18.Injectable)(),
+  (0, import_common19.Injectable)(),
   Sensor({ phase: "PRE_DECODE" })
 ], FrameHeaderSanitySensor);
 
 // src/sensors/header-tlv-limit.sensor.ts
-var import_common19 = require("@nestjs/common");
+var import_common20 = require("@nestjs/common");
 var HeaderTLVLimitSensor = class {
   constructor() {
     this.name = "HeaderTLVLimitSensor";
@@ -4988,12 +5164,12 @@ var HeaderTLVLimitSensor = class {
   }
 };
 HeaderTLVLimitSensor = __decorateClass([
-  (0, import_common19.Injectable)(),
+  (0, import_common20.Injectable)(),
   Sensor()
 ], HeaderTLVLimitSensor);
 
 // src/sensors/intent-allowlist.sensor.ts
-var import_common20 = require("@nestjs/common");
+var import_common21 = require("@nestjs/common");
 var PUBLIC_INTENT_ALLOWLIST = [
   "public.",
   "schema.",
@@ -5028,12 +5204,12 @@ var IntentAllowlistSensor = class {
   }
 };
 IntentAllowlistSensor = __decorateClass([
-  (0, import_common20.Injectable)(),
+  (0, import_common21.Injectable)(),
   Sensor()
 ], IntentAllowlistSensor);
 
 // src/sensors/intent-registry.sensor.ts
-var import_common21 = require("@nestjs/common");
+var import_common22 = require("@nestjs/common");
 var IntentRegistrySensor = class {
   constructor(router) {
     this.router = router;
@@ -5056,12 +5232,12 @@ var IntentRegistrySensor = class {
   }
 };
 IntentRegistrySensor = __decorateClass([
-  (0, import_common21.Injectable)(),
+  (0, import_common22.Injectable)(),
   Sensor({ phase: "POST_DECODE" })
 ], IntentRegistrySensor);
 
 // src/sensors/proof-presence.sensor.ts
-var import_common22 = require("@nestjs/common");
+var import_common23 = require("@nestjs/common");
 var ProofPresenceSensor = class {
   constructor() {
     this.name = "ProofPresenceSensor";
@@ -5109,11 +5285,11 @@ var ProofPresenceSensor = class {
 };
 ProofPresenceSensor = __decorateClass([
   Sensor(),
-  (0, import_common22.Injectable)()
+  (0, import_common23.Injectable)()
 ], ProofPresenceSensor);
 
 // src/sensors/protocol-strict.sensor.ts
-var import_common23 = require("@nestjs/common");
+var import_common24 = require("@nestjs/common");
 var VALID_FLAGS = [
   0,
   // No flags
@@ -5131,7 +5307,7 @@ var VALID_FLAGS = [
 var ProtocolStrictSensor = class {
   constructor(config) {
     this.config = config;
-    this.logger = new import_common23.Logger(ProtocolStrictSensor.name);
+    this.logger = new import_common24.Logger(ProtocolStrictSensor.name);
     /** Sensor identifier for logging and registry */
     this.name = "ProtocolStrictSensor";
     /**
@@ -5384,11 +5560,11 @@ var ProtocolStrictSensor = class {
 };
 ProtocolStrictSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common23.Injectable)()
+  (0, import_common24.Injectable)()
 ], ProtocolStrictSensor);
 
 // src/sensors/receipt-policy.sensor.ts
-var import_common24 = require("@nestjs/common");
+var import_common25 = require("@nestjs/common");
 var ReceiptPolicySensor = class {
   constructor() {
     this.name = "ReceiptPolicySensor";
@@ -5402,12 +5578,12 @@ var ReceiptPolicySensor = class {
   }
 };
 ReceiptPolicySensor = __decorateClass([
-  (0, import_common24.Injectable)(),
+  (0, import_common25.Injectable)(),
   Sensor()
 ], ReceiptPolicySensor);
 
 // src/sensors/schema-validation.sensor.ts
-var import_common25 = require("@nestjs/common");
+var import_common26 = require("@nestjs/common");
 function readU64be(b) {
   if (b.length !== 8)
     throw new AxisError("SCHEMA_TYPE_MISMATCH", "u64 must be 8 bytes", 400);
@@ -5582,11 +5758,11 @@ var SchemaValidationSensor = class {
 };
 SchemaValidationSensor = __decorateClass([
   Sensor(),
-  (0, import_common25.Injectable)()
+  (0, import_common26.Injectable)()
 ], SchemaValidationSensor);
 
 // src/sensors/stream-scope.sensor.ts
-var import_common26 = require("@nestjs/common");
+var import_common27 = require("@nestjs/common");
 var StreamScopeSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -5632,11 +5808,11 @@ var StreamScopeSensor = class {
 };
 StreamScopeSensor = __decorateClass([
   Sensor(),
-  (0, import_common26.Injectable)()
+  (0, import_common27.Injectable)()
 ], StreamScopeSensor);
 
 // src/sensors/tlv-parse.sensor.ts
-var import_common27 = require("@nestjs/common");
+var import_common28 = require("@nestjs/common");
 var TLVParseSensor = class {
   constructor() {
     this.name = "TLVParseSensor";
@@ -5738,11 +5914,11 @@ var TLVParseSensor = class {
 };
 TLVParseSensor = __decorateClass([
   Sensor(),
-  (0, import_common27.Injectable)()
+  (0, import_common28.Injectable)()
 ], TLVParseSensor);
 
 // src/sensors/varint-hardening.sensor.ts
-var import_common28 = require("@nestjs/common");
+var import_common29 = require("@nestjs/common");
 var VarintHardeningSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -5805,7 +5981,7 @@ var VarintHardeningSensor = class {
 };
 VarintHardeningSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common28.Injectable)()
+  (0, import_common29.Injectable)()
 ], VarintHardeningSensor);
 
 // src/utils/index.ts
@@ -5877,14 +6053,21 @@ function toBuffer(value) {
   AXIS_UPLOAD_SESSION_STORE,
   AXIS_VERSION,
   Ats1Codec,
+  AxisContext,
+  AxisDemoPubkey,
+  AxisError,
   AxisFilesDownloadHandler,
   AxisFilesFinalizeHandler,
   AxisFrameZ,
   AxisIdDto,
+  AxisIp,
   AxisPacketTags,
   AxisPartialType,
+  AxisRaw,
   AxisResponseDto,
+  AxisSensorChainService,
   AxisTlvDto,
+  BAND,
   BodyProfile,
   CAPABILITIES,
   ContractViolationError,
@@ -5902,7 +6085,10 @@ function toBuffer(value) {
   FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY,
+  HANDLER_SENSORS_KEY,
   Handler,
+  HandlerDiscoveryService,
+  HandlerSensors,
   INTENT_BODY_KEY,
   INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS,
@@ -5929,6 +6115,7 @@ function toBuffer(value) {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
+  PRE_DECODE_BOUNDARY,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -5943,11 +6130,15 @@ function toBuffer(value) {
   RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY,
   RiskDecision,
+  SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
+  Sensor,
   SensorDecisions,
+  SensorDiscoveryService,
+  SensorRegistry,
   TLV,
   TLV_ACTOR_ID,
   TLV_AUD,
@@ -6009,6 +6200,7 @@ function toBuffer(value) {
   computeReceiptHash,
   computeSignaturePayload,
   core,
+  createObservation,
   crypto,
   decodeArray,
   decodeAxis1Frame,
@@ -6025,8 +6217,10 @@ function toBuffer(value) {
   encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
+  endStage,
   engine,
   extractDtoSchema,
+  finalizeObservation,
   generateEd25519KeyPair,
   getSignTarget,
   hasScope,
@@ -6045,6 +6239,7 @@ function toBuffer(value) {
   parseAutoClaimEntries,
   parseScope,
   parseStreamEntries,
+  recordSensor,
   resolveTimeout,
   schemas,
   security,
@@ -6053,6 +6248,7 @@ function toBuffer(value) {
   sha256,
   signFrame,
   stableJsonStringify,
+  startStage,
   tlv,
   u64be,
   unpackPasskeyLoginOptionsReq,