npm - @nextera.one/axis-server-sdk - Versions diffs - 1.4.0 → 1.6.0 - Mend

@nextera.one/axis-server-sdk 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/core/index.d.mts +1 -1
package/dist/core/index.d.ts +1 -1
package/dist/{index-B5xzROld.d.mts → index-1uEwnW-w.d.mts} +1 -1
package/dist/{index-B5xzROld.d.ts → index-1uEwnW-w.d.ts} +1 -1
package/dist/index.d.mts +1063 -532
package/dist/index.d.ts +1063 -532
package/dist/index.js +2257 -688
package/dist/index.js.map +1 -1
package/dist/index.mjs +2204 -660
package/dist/index.mjs.map +1 -1
package/package.json +2 -1

package/dist/index.js CHANGED Viewed

@@ -47,16 +47,26 @@ __export(index_exports, {
   AXIS_UPLOAD_SESSION_STORE: () => AXIS_UPLOAD_SESSION_STORE,
   AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
   Ats1Codec: () => ats1_exports,
+  AxisContext: () => AxisContext,
+  AxisDemoPubkey: () => AxisDemoPubkey,
+  AxisError: () => AxisError,
   AxisFilesDownloadHandler: () => AxisFilesDownloadHandler,
   AxisFilesFinalizeHandler: () => AxisFilesFinalizeHandler,
   AxisFrameZ: () => AxisFrameZ,
   AxisIdDto: () => AxisIdDto,
+  AxisIp: () => AxisIp,
   AxisPacketTags: () => T,
   AxisPartialType: () => AxisPartialType,
+  AxisRaw: () => AxisRaw,
   AxisResponseDto: () => AxisResponseDto,
+  AxisSensorChainService: () => AxisSensorChainService,
   AxisTlvDto: () => AxisTlvDto,
+  BAND: () => BAND,
   BodyProfile: () => import_axis_protocol2.BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
+  CCE_ERROR: () => CCE_ERROR,
+  CCE_PROTOCOL_VERSION: () => CCE_PROTOCOL_VERSION,
+  CceError: () => CceError,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
@@ -72,7 +82,10 @@ __export(index_exports, {
   FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
+  HANDLER_SENSORS_KEY: () => HANDLER_SENSORS_KEY,
   Handler: () => Handler,
+  HandlerDiscoveryService: () => HandlerDiscoveryService,
+  HandlerSensors: () => HandlerSensors,
   INTENT_BODY_KEY: () => INTENT_BODY_KEY,
   INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
@@ -99,6 +112,7 @@ __export(index_exports, {
   NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
   NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
   NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
   PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
   PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
@@ -113,11 +127,15 @@ __export(index_exports, {
   RESPONSE_TAG_UPDATED_AT: () => RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY: () => RESPONSE_TAG_UPDATED_BY,
   RiskDecision: () => RiskDecision,
+  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq: () => Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes: () => Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq: () => Schema2021_PasskeyRegisterOptionsReq,
+  Sensor: () => Sensor,
   SensorDecisions: () => SensorDecisions,
+  SensorDiscoveryService: () => SensorDiscoveryService,
+  SensorRegistry: () => SensorRegistry,
   TLV: () => import_axis_protocol.TLV,
   TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
   TLV_AUD: () => import_axis_protocol2.TLV_AUD,
@@ -175,10 +193,12 @@ __export(index_exports, {
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
   canonicalizeObservation: () => canonicalizeObservation,
+  cce: () => cce_exports,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
   core: () => core_exports,
+  createObservation: () => createObservation,
   crypto: () => crypto_exports,
   decodeArray: () => import_axis_protocol.decodeArray,
   decodeAxis1Frame: () => decodeAxis1Frame,
@@ -195,8 +215,11 @@ __export(index_exports, {
   encodeQueueMessage: () => encodeQueueMessage,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
+  endStage: () => endStage,
   engine: () => engine_exports,
+  executeCcePipeline: () => executeCcePipeline,
   extractDtoSchema: () => extractDtoSchema,
+  finalizeObservation: () => finalizeObservation,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
   hasScope: () => hasScope,
@@ -215,14 +238,16 @@ __export(index_exports, {
   parseAutoClaimEntries: () => parseAutoClaimEntries,
   parseScope: () => parseScope,
   parseStreamEntries: () => parseStreamEntries,
+  recordSensor: () => recordSensor,
   resolveTimeout: () => resolveTimeout,
   schemas: () => schemas_exports,
   security: () => security_exports,
   sensitivityName: () => sensitivityName,
   sensors: () => sensors_exports,
-  sha256: () => sha256,
+  sha256: () => sha2564,
   signFrame: () => signFrame,
   stableJsonStringify: () => stableJsonStringify,
+  startStage: () => startStage,
   tlv: () => tlv,
   u64be: () => u64be,
   unpackPasskeyLoginOptionsReq: () => unpackPasskeyLoginOptionsReq,
@@ -293,8 +318,24 @@ function IntentSensors(sensors) {
   };
 }
-// src/decorators/tlv-field.decorator.ts
+// src/decorators/handler-sensors.decorator.ts
 var import_reflect_metadata4 = require("reflect-metadata");
+var HANDLER_SENSORS_KEY = "axis:handler:sensors";
+function HandlerSensors(sensors) {
+  return (target) => {
+    Reflect.defineMetadata(HANDLER_SENSORS_KEY, sensors, target);
+  };
+}
+// src/decorators/sensor.decorator.ts
+var import_common2 = require("@nestjs/common");
+var SENSOR_METADATA_KEY = "axis:sensor";
+function Sensor(options) {
+  return (0, import_common2.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
+}
+// src/decorators/tlv-field.decorator.ts
+var import_reflect_metadata5 = require("reflect-metadata");
 var TLV_FIELDS_KEY = "axis:tlv:fields";
 var TLV_VALIDATORS_KEY = "axis:tlv:validators";
 function TlvField(tag, options) {
@@ -352,7 +393,7 @@ function TlvRange(min, max, message) {
 }
 // src/decorators/dto-schema.util.ts
-var import_reflect_metadata5 = require("reflect-metadata");
+var import_reflect_metadata6 = require("reflect-metadata");
 // src/core/tlv.ts
 var import_axis_protocol = require("@nextera.one/axis-protocol");
@@ -453,7 +494,7 @@ __decorateClass([
 ], AxisIdDto.prototype, "id", 2);
 // src/base/axis-partial-type.ts
-var import_reflect_metadata6 = require("reflect-metadata");
+var import_reflect_metadata7 = require("reflect-metadata");
 function AxisPartialType(BaseDto) {
   class PartialDto extends BaseDto {
   }
@@ -499,7 +540,7 @@ __decorateClass([
 ], AxisResponseDto.prototype, "updated_by", 2);
 // src/engine/intent.router.ts
-var import_common2 = require("@nestjs/common");
+var import_common3 = require("@nestjs/common");
 // src/sensor/axis-sensor.ts
 var Decision = /* @__PURE__ */ ((Decision2) => {
@@ -600,11 +641,631 @@ var SensorDecisions = {
   }
 };
+// src/cce/cce-derivation.service.ts
+var import_utils = require("@noble/hashes/utils.js");
+var import_hkdf = require("@noble/hashes/hkdf.js");
+var import_sha2 = require("@noble/hashes/sha2.js");
+// src/cce/cce.types.ts
+var CCE_PROTOCOL_VERSION = "cce-v1";
+var CCE_DERIVATION = {
+  /** Request execution context */
+  REQUEST: "axis:cce:req:v1",
+  /** Response execution context */
+  RESPONSE: "axis:cce:resp:v1",
+  /** Witness binding context */
+  WITNESS: "axis:cce:witness:v1"
+};
+var CCE_AES_KEY_BYTES = 32;
+var CCE_IV_BYTES = 12;
+var CCE_TAG_BYTES = 16;
+var CCE_NONCE_BYTES = 32;
+var CCE_ERROR = {
+  // Envelope errors
+  INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE",
+  UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION",
+  MISSING_CAPSULE: "CCE_MISSING_CAPSULE",
+  MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY",
+  // Signature errors
+  CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID",
+  CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND",
+  // Capsule errors
+  CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID",
+  CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED",
+  CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID",
+  CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED",
+  CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED",
+  // Binding errors
+  AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH",
+  INTENT_MISMATCH: "CCE_INTENT_MISMATCH",
+  TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED",
+  TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE",
+  // Replay / nonce errors
+  REPLAY_DETECTED: "CCE_REPLAY_DETECTED",
+  NONCE_REUSED: "CCE_NONCE_REUSED",
+  // Decryption errors
+  DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED",
+  KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED",
+  AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH",
+  PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE",
+  // Schema / validation errors
+  PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID",
+  INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH",
+  // Policy errors
+  POLICY_DENIED: "CCE_POLICY_DENIED",
+  CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED",
+  // Handler errors
+  HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND",
+  HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED",
+  HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT",
+  // Response errors
+  RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED"
+};
+var CceError = class extends Error {
+  constructor(code, message, metadata) {
+    super(`[${code}] ${message}`);
+    this.code = code;
+    this.metadata = metadata;
+    this.name = "CceError";
+  }
+  /** Whether this error is safe to expose to the client */
+  get clientSafe() {
+    const internal = [
+      CCE_ERROR.DECRYPTION_FAILED,
+      CCE_ERROR.KEY_UNWRAP_FAILED,
+      CCE_ERROR.AEAD_TAG_MISMATCH,
+      CCE_ERROR.HANDLER_EXECUTION_FAILED,
+      CCE_ERROR.RESPONSE_ENCRYPTION_FAILED
+    ];
+    return !internal.includes(this.code);
+  }
+  /** Get client-safe representation */
+  toClientError() {
+    if (this.clientSafe) {
+      return { code: this.code, message: this.message };
+    }
+    return {
+      code: CCE_ERROR.DECRYPTION_FAILED,
+      message: "Request processing failed"
+    };
+  }
+};
+// src/cce/cce-derivation.service.ts
+function buildSalt(capsuleId, capsuleNonce, requestNonce) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(
+    capsuleId + "|" + capsuleNonce + "|" + requestNonce
+  );
+  return (0, import_sha2.sha256)(data);
+}
+function buildInfo(contextPrefix, capsule, extraNonce) {
+  const encoder = new TextEncoder();
+  const parts = [
+    contextPrefix,
+    capsule.sub,
+    capsule.kid,
+    capsule.intent,
+    capsule.aud,
+    String(capsule.tps_from),
+    String(capsule.tps_to),
+    capsule.policy_hash ?? "",
+    capsule.ver
+  ];
+  if (extraNonce) {
+    parts.push(extraNonce);
+  }
+  return encoder.encode(parts.join("|"));
+}
+function deriveRequestExecutionKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const salt = buildSalt(
+    input.capsule.capsule_id,
+    input.capsule.capsule_nonce,
+    input.requestNonce
+  );
+  const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function deriveResponseExecutionKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const encoder = new TextEncoder();
+  const saltData = encoder.encode(
+    input.capsule.capsule_id + "|" + input.capsule.capsule_nonce + "|" + input.requestNonce + "|" + input.responseNonce
+  );
+  const salt = (0, import_sha2.sha256)(saltData);
+  const info = buildInfo(
+    CCE_DERIVATION.RESPONSE,
+    input.capsule,
+    input.responseNonce
+  );
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function deriveWitnessKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const salt = buildSalt(
+    input.capsule.capsule_id,
+    input.capsule.capsule_nonce,
+    input.requestNonce
+  );
+  const info = buildInfo(CCE_DERIVATION.WITNESS, input.capsule);
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function buildExecutionContext(input, requestId) {
+  const executionKey = deriveRequestExecutionKey(input);
+  const keyHash = (0, import_utils.bytesToHex)((0, import_sha2.sha256)(executionKey));
+  executionKey.fill(0);
+  return {
+    execution_key_hash: keyHash,
+    request_id: requestId,
+    capsule_id: input.capsule.capsule_id,
+    sub: input.capsule.sub,
+    kid: input.capsule.kid,
+    intent: input.capsule.intent,
+    aud: input.capsule.aud,
+    tps_from: input.capsule.tps_from,
+    tps_to: input.capsule.tps_to,
+    policy_hash: input.capsule.policy_hash,
+    derived_at: Math.floor(Date.now() / 1e3),
+    valid: true
+  };
+}
+function generateCceNonce() {
+  const bytes2 = new Uint8Array(CCE_NONCE_BYTES);
+  crypto.getRandomValues(bytes2);
+  return (0, import_utils.bytesToHex)(bytes2);
+}
+// src/cce/cce-response.service.ts
+var import_utils3 = require("@noble/hashes/utils.js");
+var import_crypto2 = require("crypto");
+// src/cce/cce-crypto.ts
+var import_utils2 = require("@noble/hashes/utils.js");
+var import_sha22 = require("@noble/hashes/sha2.js");
+var import_crypto = require("crypto");
+function aesGcmEncrypt(key, plaintext, aad) {
+  if (key.length !== CCE_AES_KEY_BYTES) {
+    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
+  }
+  const iv = (0, import_crypto.randomBytes)(CCE_IV_BYTES);
+  const cipher = (0, import_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  if (aad) {
+    cipher.setAAD(aad);
+  }
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: new Uint8Array(iv),
+    ciphertext: new Uint8Array(encrypted),
+    tag: new Uint8Array(tag)
+  };
+}
+function aesGcmDecrypt(key, iv, ciphertext, tag, aad) {
+  if (key.length !== CCE_AES_KEY_BYTES) {
+    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
+  }
+  if (iv.length !== CCE_IV_BYTES) {
+    throw new Error(`IV must be ${CCE_IV_BYTES} bytes`);
+  }
+  if (tag.length !== CCE_TAG_BYTES) {
+    throw new Error(`Tag must be ${CCE_TAG_BYTES} bytes`);
+  }
+  try {
+    const decipher = (0, import_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+    decipher.setAuthTag(tag);
+    if (aad) {
+      decipher.setAAD(aad);
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return new Uint8Array(decrypted);
+  } catch {
+    return null;
+  }
+}
+function generateAesKey() {
+  return new Uint8Array((0, import_crypto.randomBytes)(CCE_AES_KEY_BYTES));
+}
+function generateIv() {
+  return new Uint8Array((0, import_crypto.randomBytes)(CCE_IV_BYTES));
+}
+function base64UrlEncode(bytes2) {
+  return Buffer.from(bytes2).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - base64.length % 4) % 4);
+  return new Uint8Array(Buffer.from(base64 + padding, "base64"));
+}
+function hashPayload(payload) {
+  return (0, import_utils2.bytesToHex)((0, import_sha22.sha256)(payload));
+}
+var nodeAesGcmProvider = {
+  async decrypt(key, iv, ciphertext, tag, aad) {
+    return aesGcmDecrypt(key, iv, ciphertext, tag, aad);
+  }
+};
+// src/cce/cce-response.service.ts
+async function buildCceResponse(options, clientKeyEncryptor, axisSigner) {
+  const { request, capsule, status, body, clientPublicKeyHex, witnessRef } = options;
+  const responseNonce = (0, import_utils3.bytesToHex)(
+    new Uint8Array((0, import_crypto2.randomBytes)(CCE_NONCE_BYTES))
+  );
+  const responseId = generateResponseId();
+  const aesKey = generateAesKey();
+  const aad = buildResponseAad(
+    request.request_id,
+    responseId,
+    request.correlation_id,
+    capsule.capsule_id,
+    responseNonce
+  );
+  const { iv, ciphertext, tag } = aesGcmEncrypt(aesKey, body, aad);
+  const encryptedKey = await clientKeyEncryptor.wrapKey(
+    aesKey,
+    request.client_kid,
+    clientPublicKeyHex
+  );
+  aesKey.fill(0);
+  const encryptedPayload = {
+    alg: "AES-256-GCM",
+    iv: base64UrlEncode(iv),
+    ciphertext: base64UrlEncode(ciphertext),
+    tag: base64UrlEncode(tag)
+  };
+  const algorithms = {
+    kem: encryptedKey.alg,
+    enc: "AES-256-GCM",
+    kdf: "HKDF-SHA256",
+    sig: "EdDSA"
+  };
+  const unsignedResponse = {
+    ver: CCE_PROTOCOL_VERSION,
+    response_id: responseId,
+    request_id: request.request_id,
+    correlation_id: request.correlation_id,
+    encrypted_key: encryptedKey,
+    encrypted_payload: encryptedPayload,
+    response_nonce: responseNonce,
+    algorithms,
+    status,
+    ...witnessRef ? { witness_ref: witnessRef } : {}
+  };
+  const signPayload = new TextEncoder().encode(canonicalize(unsignedResponse));
+  const axisSig = await axisSigner.sign(signPayload);
+  const envelope = {
+    ...unsignedResponse,
+    axis_sig: axisSig
+  };
+  return {
+    envelope,
+    responsePayloadHash: hashPayload(body)
+  };
+}
+function buildCceErrorResponse(requestId, correlationId, status, errorCode, message) {
+  return {
+    ver: CCE_PROTOCOL_VERSION,
+    request_id: requestId,
+    correlation_id: correlationId,
+    status,
+    error: { code: errorCode, message }
+  };
+}
+function generateResponseId() {
+  const bytes2 = (0, import_crypto2.randomBytes)(16);
+  return "resp_" + (0, import_utils3.bytesToHex)(new Uint8Array(bytes2)).slice(0, 24);
+}
+function buildResponseAad(requestId, responseId, correlationId, capsuleId, responseNonce) {
+  const parts = [
+    requestId,
+    responseId,
+    correlationId,
+    capsuleId,
+    responseNonce
+  ];
+  return new TextEncoder().encode(parts.join("|"));
+}
+function canonicalize(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+// src/cce/cce-witness.observer.ts
+var import_utils4 = require("@noble/hashes/utils.js");
+var import_hkdf2 = require("@noble/hashes/hkdf.js");
+var import_sha23 = require("@noble/hashes/sha2.js");
+var InMemoryCceWitnessStore = class {
+  constructor() {
+    this.records = [];
+  }
+  async record(witness) {
+    this.records.push(witness);
+  }
+  getByRequestId(requestId) {
+    return this.records.find((w) => w.request_id === requestId);
+  }
+  getByCapsuleId(capsuleId) {
+    return this.records.filter((w) => w.capsule_id === capsuleId);
+  }
+};
+function buildWitnessRecord(envelope, capsule, verification, execution, options) {
+  const witnessId = generateWitnessId(envelope.request_id, capsule.capsule_id);
+  const executionContextHash = computeExecutionContextHash(
+    options.axisLocalSecret,
+    capsule,
+    envelope.request_nonce
+  );
+  return {
+    witness_id: witnessId,
+    request_id: envelope.request_id,
+    capsule_id: capsule.capsule_id,
+    sub: capsule.sub,
+    intent: capsule.intent,
+    aud: capsule.aud,
+    tps_from: capsule.tps_from,
+    tps_to: capsule.tps_to,
+    timestamp: Math.floor(Date.now() / 1e3),
+    verification: {
+      client_sig: verification.clientSigVerified,
+      capsule_sig: verification.capsuleSigVerified,
+      tps_valid: verification.tpsValid,
+      audience_match: verification.audienceMatch,
+      intent_match: verification.intentMatch,
+      replay_clean: verification.replayClean,
+      nonce_unique: verification.nonceUnique,
+      decryption_ok: verification.decryptionOk
+    },
+    execution: {
+      status: execution.status,
+      handler_duration_ms: execution.handlerDurationMs,
+      ...execution.effect ? { effect: execution.effect } : {}
+    },
+    response_encrypted: options.responseEncrypted,
+    execution_context_hash: executionContextHash,
+    ...options.requestPayload ? { request_payload_hash: hashPayload(options.requestPayload) } : {},
+    ...options.responsePayload ? { response_payload_hash: hashPayload(options.responsePayload) } : {}
+  };
+}
+function extractVerificationState(metadata) {
+  return {
+    clientSigVerified: metadata.cceClientSigVerified === true,
+    capsuleSigVerified: metadata.cceCapsuleVerified === true,
+    tpsValid: metadata.cceTpsValid === true,
+    audienceMatch: metadata.cceBindingVerified === true,
+    intentMatch: metadata.cceBindingVerified === true,
+    replayClean: metadata.cceReplayClean === true,
+    nonceUnique: metadata.cceReplayClean === true,
+    decryptionOk: metadata.cceDecryptionOk === true
+  };
+}
+function generateWitnessId(requestId, capsuleId) {
+  const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;
+  const hash = (0, import_sha23.sha256)(new TextEncoder().encode(input));
+  return "wit_" + (0, import_utils4.bytesToHex)(hash).slice(0, 24);
+}
+function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
+  const encoder = new TextEncoder();
+  const ikm = hexToBytes2(axisLocalSecret);
+  const salt = (0, import_sha23.sha256)(
+    encoder.encode(
+      capsule.capsule_id + "|" + capsule.capsule_nonce + "|" + requestNonce
+    )
+  );
+  const info = encoder.encode(
+    [
+      CCE_DERIVATION.WITNESS,
+      capsule.sub,
+      capsule.kid,
+      capsule.intent,
+      capsule.aud,
+      String(capsule.tps_from),
+      String(capsule.tps_to),
+      capsule.policy_hash ?? "",
+      capsule.ver
+    ].join("|")
+  );
+  const witnessKey = (0, import_hkdf2.hkdf)(import_sha23.sha256, ikm, salt, info, 32);
+  const hash = (0, import_utils4.bytesToHex)((0, import_sha23.sha256)(witnessKey));
+  witnessKey.fill(0);
+  return hash;
+}
+function hexToBytes2(hex) {
+  const bytes2 = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes2.length; i++) {
+    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes2;
+}
+// src/cce/cce-pipeline.ts
+async function executeCcePipeline(envelope, config) {
+  const startTime = Date.now();
+  if (envelope.ver !== CCE_PROTOCOL_VERSION) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.UNSUPPORTED_VERSION,
+        message: `Unsupported version: ${envelope.ver}`
+      },
+      status: "ERROR"
+    };
+  }
+  const sensorInput = {
+    intent: envelope.capsule.intent,
+    metadata: {
+      cce: true,
+      cceEnvelope: envelope,
+      contentType: "application/axis-cce"
+    }
+  };
+  const sortedSensors = [...config.sensors].sort(
+    (a, b) => (a.order ?? 999) - (b.order ?? 999)
+  );
+  for (const sensor of sortedSensors) {
+    if (sensor.supports && !sensor.supports(sensorInput)) {
+      continue;
+    }
+    let decision;
+    try {
+      decision = await sensor.run(sensorInput);
+    } catch (err) {
+      return {
+        ok: false,
+        error: {
+          code: CCE_ERROR.DECRYPTION_FAILED,
+          message: `Sensor ${sensor.name} failed`
+        },
+        status: "ERROR"
+      };
+    }
+    const normalized = normalizeSensorDecision(decision);
+    if (!normalized.allow) {
+      const code = normalized.reasons[0]?.split(":")[0] ?? CCE_ERROR.DECRYPTION_FAILED;
+      return {
+        ok: false,
+        error: { code, message: normalized.reasons.join("; ") },
+        status: "DENIED"
+      };
+    }
+  }
+  const capsule = sensorInput.metadata?.cceCapsule;
+  const decryptedPayload = sensorInput.metadata?.cceDecryptedPayload;
+  const clientKey = sensorInput.metadata?.cceClientKey;
+  if (!capsule || !decryptedPayload || !clientKey) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.DECRYPTION_FAILED,
+        message: "Sensor chain did not produce required outputs"
+      },
+      status: "ERROR"
+    };
+  }
+  const derivationInput = {
+    axisLocalSecret: config.axisLocalSecret,
+    capsule,
+    requestNonce: envelope.request_nonce
+  };
+  const executionContext = buildExecutionContext(
+    derivationInput,
+    envelope.request_id
+  );
+  const handler = config.handlers.get(capsule.intent);
+  if (!handler) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.HANDLER_NOT_FOUND,
+        message: `No handler for intent: ${capsule.intent}`
+      },
+      status: "ERROR"
+    };
+  }
+  const handlerContext = {
+    capsule,
+    executionContext,
+    envelope,
+    clientPublicKeyHex: clientKey.publicKeyHex,
+    intent: capsule.intent,
+    sub: capsule.sub
+  };
+  let result;
+  const handlerStart = Date.now();
+  try {
+    result = await handler(decryptedPayload, handlerContext);
+  } catch (err) {
+    const handlerDuration2 = Date.now() - handlerStart;
+    const verification2 = extractVerificationState(sensorInput.metadata ?? {});
+    const witness2 = buildWitnessRecord(
+      envelope,
+      capsule,
+      verification2,
+      { status: "FAILED", handlerDurationMs: handlerDuration2 },
+      {
+        axisLocalSecret: config.axisLocalSecret,
+        requestPayload: decryptedPayload,
+        responseEncrypted: false
+      }
+    );
+    await config.witnessStore.record(witness2);
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.HANDLER_EXECUTION_FAILED,
+        message: "Handler execution failed"
+      },
+      status: "FAILED"
+    };
+  }
+  const handlerDuration = Date.now() - handlerStart;
+  let responseEnvelope;
+  let responsePayloadHash;
+  try {
+    const responseResult = await buildCceResponse(
+      {
+        request: envelope,
+        capsule,
+        status: result.status,
+        body: result.body,
+        clientPublicKeyHex: clientKey.publicKeyHex
+      },
+      config.clientKeyEncryptor,
+      config.axisSigner
+    );
+    responseEnvelope = responseResult.envelope;
+    responsePayloadHash = responseResult.responsePayloadHash;
+  } catch (err) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,
+        message: "Response encryption failed"
+      },
+      status: "ERROR"
+    };
+  }
+  const verification = extractVerificationState(sensorInput.metadata ?? {});
+  const witness = buildWitnessRecord(
+    envelope,
+    capsule,
+    verification,
+    {
+      status: result.status,
+      handlerDurationMs: handlerDuration,
+      effect: result.effect
+    },
+    {
+      axisLocalSecret: config.axisLocalSecret,
+      requestPayload: decryptedPayload,
+      responsePayload: result.body,
+      responseEncrypted: true
+    }
+  );
+  await config.witnessStore.record(witness);
+  return {
+    ok: true,
+    response: responseEnvelope,
+    witnessId: witness.witness_id
+  };
+}
 // src/engine/intent.router.ts
 var IntentRouter = class {
   constructor(moduleRef) {
     this.moduleRef = moduleRef;
-    this.logger = new import_common2.Logger(IntentRouter.name);
+    this.logger = new import_common3.Logger(IntentRouter.name);
     /** Internal registry of dynamic intent handlers */
     this.handlers = /* @__PURE__ */ new Map();
     /** Per-intent sensor classes (resolved at call time) */
@@ -617,6 +1278,10 @@ var IntentRouter = class {
     this.intentValidators = /* @__PURE__ */ new Map();
     /** Per-intent operation kind */
     this.intentKinds = /* @__PURE__ */ new Map();
+    /** CCE handler registry */
+    this.cceHandlers = /* @__PURE__ */ new Map();
+    /** CCE pipeline configuration (set via configureCce) */
+    this.ccePipelineConfig = null;
   }
   getSchema(intent) {
     return this.intentSchemas.get(intent);
@@ -666,6 +1331,7 @@ var IntentRouter = class {
     );
     const prefix = handlerMeta?.intent || instance.name;
     const routes = Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) || [];
+    const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) || [];
     for (const route of routes) {
       const intentName = route.absolute ? route.action : `${prefix}.${route.action}`;
       const fn = instance[route.methodName].bind(instance);
@@ -674,7 +1340,12 @@ var IntentRouter = class {
       } else {
         this.register(intentName, fn);
       }
-      this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));
+      this.registerIntentMeta(
+        intentName,
+        Object.getPrototypeOf(instance),
+        String(route.methodName),
+        handlerSensors
+      );
     }
     const proto = Object.getPrototypeOf(instance);
     for (const key of Object.getOwnPropertyNames(proto)) {
@@ -683,7 +1354,7 @@ var IntentRouter = class {
       if (!this.handlers.has(meta.intent)) {
         this.register(meta.intent, instance[key].bind(instance));
       }
-      this.registerIntentMeta(meta.intent, proto, key);
+      this.registerIntentMeta(meta.intent, proto, key, handlerSensors);
     }
   }
   /**
@@ -819,14 +1490,22 @@ var IntentRouter = class {
       this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);
     }
   }
-  registerIntentMeta(intent, proto, methodName) {
+  registerIntentMeta(intent, proto, methodName, handlerSensors) {
     const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);
     if (decoder) {
       this.intentDecoders.set(intent, decoder);
     }
-    const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);
-    if (sensors && Array.isArray(sensors) && sensors.length > 0) {
-      this.intentSensors.set(intent, sensors);
+    const intentSensors = Reflect.getMetadata(
+      INTENT_SENSORS_KEY,
+      proto,
+      methodName
+    );
+    const combined = [
+      ...handlerSensors || [],
+      ...Array.isArray(intentSensors) ? intentSensors : []
+    ];
+    if (combined.length > 0) {
+      this.intentSensors.set(intent, combined);
     }
     const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);
     if (meta) {
@@ -866,6 +1545,58 @@ var IntentRouter = class {
       }
     }
   }
+  // ===========================================================================
+  // CCE — Capsule-Carried Encryption Support
+  // ===========================================================================
+  /**
+   * Configure the CCE pipeline.
+   * Must be called before routeCce() can process encrypted requests.
+   */
+  configureCce(config) {
+    this.ccePipelineConfig = config;
+    this.logger.log("CCE pipeline configured");
+  }
+  /**
+   * Register a CCE-encrypted intent handler.
+   * CCE handlers receive decrypted payloads and execution context.
+   */
+  registerCceHandler(intent, handler) {
+    this.cceHandlers.set(intent, handler);
+    this.logger.debug(`CCE handler registered: ${intent}`);
+  }
+  /**
+   * Check if a CCE handler exists for the given intent.
+   */
+  hasCceHandler(intent) {
+    return this.cceHandlers.has(intent);
+  }
+  /**
+   * Route a CCE-encrypted request through the full pipeline.
+   *
+   * Steps:
+   * 1. Sensor chain (envelope validation → capsule verification → replay → decrypt)
+   * 2. Execution context derivation
+   * 3. Handler execution
+   * 4. Response encryption
+   * 5. Witness recording
+   */
+  async routeCce(envelope) {
+    if (!this.ccePipelineConfig) {
+      return {
+        ok: false,
+        error: {
+          code: "CCE_NOT_CONFIGURED",
+          message: "CCE pipeline not configured. Call configureCce() first."
+        },
+        status: "ERROR"
+      };
+    }
+    const config = {
+      ...this.ccePipelineConfig,
+      handlers: this.cceHandlers
+    };
+    return executeCcePipeline(envelope, config);
+  }
   storeSchema(meta) {
     if (meta.dto) {
       if (meta.tlv && meta.tlv.length > 0) {
@@ -925,10 +1656,27 @@ IntentRouter.BUILTIN_INTENTS = /* @__PURE__ */ new Set([
   "axis.intent.exec"
 ]);
 IntentRouter = __decorateClass([
-  (0, import_common2.Injectable)(),
-  __decorateParam(0, (0, import_common2.Optional)())
+  (0, import_common3.Injectable)(),
+  __decorateParam(0, (0, import_common3.Optional)())
 ], IntentRouter);
+// src/engine/sensor-bands.ts
+var BAND = {
+  /** Pre-decode: raw byte validation, geo, budget, magic */
+  WIRE: 0,
+  /** Post-decode: identity resolution, capsule, proof */
+  IDENTITY: 40,
+  /** Post-decode: authorization, signature, rate limiting */
+  POLICY: 90,
+  /** Post-decode: content validation, TLV, schema, files */
+  CONTENT: 140,
+  /** Post-decode: business logic sensors, streams, WS */
+  BUSINESS: 200,
+  /** Post-decode: audit, logging (always last) */
+  AUDIT: 900
+};
+var PRE_DECODE_BOUNDARY = 40;
 // src/engine/observation/stable-json.ts
 function normalize(value) {
   if (Array.isArray(value)) {
@@ -1028,7 +1776,7 @@ function fieldsToMap(fields) {
 }
 // src/engine/observation/observation-hash.ts
-var import_crypto = require("crypto");
+var import_crypto3 = require("crypto");
 function canonicalizeObservation(obs) {
   const obj = {
     id: obs.id,
@@ -1065,7 +1813,7 @@ function canonicalizeObservation(obs) {
 }
 function hashObservation(obs) {
   const canonical = canonicalizeObservation(obs);
-  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex");
+  return (0, import_crypto3.createHash)("sha256").update(canonical).digest("hex");
 }
 function buildUnsignedWitness(obs) {
   if (!obs.decision || !obs.endMs) {
@@ -1140,7 +1888,7 @@ function verifyResponse(ctx, response) {
 var import_axis_protocol3 = require("@nextera.one/axis-protocol");
 // src/core/signature.ts
-var crypto = __toESM(require("crypto"));
+var crypto2 = __toESM(require("crypto"));
 // src/core/axis-bin.ts
 var z = __toESM(require("zod"));
@@ -1270,19 +2018,19 @@ function signFrame(frame, privateKey) {
       32
     ]);
     const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);
-    keyObject = crypto.createPrivateKey({
+    keyObject = crypto2.createPrivateKey({
       key: pkcs8Key,
       format: "der",
       type: "pkcs8"
     });
   } else {
-    keyObject = crypto.createPrivateKey({
+    keyObject = crypto2.createPrivateKey({
       key: privateKey,
       format: "der",
       type: "pkcs8"
     });
   }
-  const signature = crypto.sign(null, payload, keyObject);
+  const signature = crypto2.sign(null, payload, keyObject);
   if (signature.length !== 64) {
     throw new Error("Ed25519 signature must be 64 bytes");
   }
@@ -1314,19 +2062,19 @@ function verifyFrameSignature(frame, publicKey) {
         0
       ]);
       const spkiKey = Buffer.concat([spkiPrefix, publicKey]);
-      keyObject = crypto.createPublicKey({
+      keyObject = crypto2.createPublicKey({
         key: spkiKey,
         format: "der",
         type: "spki"
       });
     } else {
-      keyObject = crypto.createPublicKey({
+      keyObject = crypto2.createPublicKey({
         key: publicKey,
         format: "der",
         type: "spki"
       });
     }
-    const valid = crypto.verify(
+    const valid = crypto2.verify(
       null,
       payload,
       keyObject,
@@ -1338,17 +2086,17 @@ function verifyFrameSignature(frame, publicKey) {
   }
 }
 function generateEd25519KeyPair() {
-  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ed25519");
   return {
     privateKey: privateKey.export({ type: "pkcs8", format: "der" }),
     publicKey: publicKey.export({ type: "spki", format: "der" })
   };
 }
-function sha256(data) {
-  return crypto.createHash("sha256").update(data).digest();
+function sha2564(data) {
+  return crypto2.createHash("sha256").update(data).digest();
 }
 function computeReceiptHash(receiptBytes, prevHash) {
-  const hasher = crypto.createHash("sha256");
+  const hasher = crypto2.createHash("sha256");
   hasher.update(receiptBytes);
   if (prevHash && prevHash.length > 0) {
     hasher.update(prevHash);
@@ -1406,12 +2154,12 @@ __export(ats1_exports, {
   encodeU64BE: () => encodeU64BE,
   encodeUVarint: () => encodeUVarint,
   logicalBodyToTLVs: () => logicalBodyToTLVs,
-  sha256: () => sha2562,
+  sha256: () => sha2565,
   tlvsToLogicalBody: () => tlvsToLogicalBody,
   tlvsToMap: () => tlvsToMap,
   validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
 });
-var import_crypto2 = require("crypto");
+var import_crypto4 = require("crypto");
 var DEFAULT_LIMITS = {
   maxVarintBytes: 10,
   maxTlvCount: 512,
@@ -1460,8 +2208,8 @@ function decodeU64BE(buf) {
   if (buf.length !== 8) throw new Error("decodeU64BE: length must be 8");
   return buf.readBigUInt64BE(0);
 }
-function sha2562(data) {
-  return (0, import_crypto2.createHash)("sha256").update(data).digest();
+function sha2565(data) {
+  return (0, import_crypto4.createHash)("sha256").update(data).digest();
 }
 function encodeTLV(tag, value) {
   if (!Number.isInteger(tag) || tag <= 0)
@@ -1777,7 +2525,7 @@ function decodeAxisHeaderFromTLVs(hdrTlvs, limits = DEFAULT_LIMITS) {
 function encodeAxisRequestBinary(schema, req, limits = DEFAULT_LIMITS) {
   const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);
   const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(bodyBytes);
+  const bodyHash = sha2565(bodyBytes);
   const hdr = {
     ...req.hdr,
     schemaId: schema.schemaId,
@@ -1793,7 +2541,7 @@ function decodeAxisRequestBinary(schema, hdrBytes, bodyBytes, limits = DEFAULT_L
   const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);
   if (hdr.schemaId !== schema.schemaId)
     throw new Error("decodeAxisRequestBinary: schemaId mismatch");
-  const bh = sha2562(bodyBytes);
+  const bh = sha2565(bodyBytes);
   if (!Buffer.from(hdr.bodyHash).equals(bh))
     throw new Error("decodeAxisRequestBinary: body_hash mismatch");
   const body = tlvsToLogicalBody(schema, bodyTlvs, limits);
@@ -1866,7 +2614,7 @@ function packPasskeyLoginOptionsReq(params) {
     }
   );
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,
@@ -1935,7 +2683,7 @@ function packPasskeyRegisterOptionsReq(params) {
     }
   );
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,
@@ -1966,7 +2714,7 @@ function packPasskeyLoginVerifyReq(params) {
     }
   });
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,
@@ -2050,7 +2798,7 @@ function packPasskeyLoginVerifyRes(params) {
 }
 // src/codec/tlv.encode.ts
-var import_crypto3 = require("crypto");
+var import_crypto5 = require("crypto");
 function encVarint(x) {
   if (x < 0n) throw new Error("VARINT_NEG");
   const out = [];
@@ -2078,7 +2826,7 @@ function bytes(b) {
   return Buffer.isBuffer(b) ? b : Buffer.from(b);
 }
 function nonce16() {
-  return (0, import_crypto3.randomBytes)(16);
+  return (0, import_crypto5.randomBytes)(16);
 }
 function tlv(type, value) {
   if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
@@ -2624,9 +3372,9 @@ function isAdminOpcode(op) {
 }
 // src/core/receipt.ts
-var import_crypto4 = require("crypto");
+var import_crypto6 = require("crypto");
 function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
-  const h = (0, import_crypto4.createHash)("sha256");
+  const h = (0, import_crypto6.createHash)("sha256");
   if (prevHash) h.update(prevHash);
   h.update(pid);
   h.update(Buffer.from(actorId, "utf8"));
@@ -2805,8 +3553,8 @@ function isTimestampValid(ts, skewSeconds = 120) {
 }
 // src/upload/axis-files.handlers.ts
-var import_common3 = require("@nestjs/common");
-var crypto2 = __toESM(require("crypto"));
+var import_common4 = require("@nestjs/common");
+var crypto3 = __toESM(require("crypto"));
 // src/upload/upload.tokens.ts
 var AXIS_UPLOAD_SESSION_STORE = "AXIS_UPLOAD_SESSION_STORE";
@@ -2818,7 +3566,7 @@ var AxisFilesDownloadHandler = class {
   constructor(sessions, files) {
     this.sessions = sessions;
     this.files = files;
-    this.logger = new import_common3.Logger(AxisFilesDownloadHandler.name);
+    this.logger = new import_common4.Logger(AxisFilesDownloadHandler.name);
     this.name = "axis.files.download";
     this.open = true;
     this.description = "File download handler";
@@ -2883,16 +3631,16 @@ __decorateClass([
 ], AxisFilesDownloadHandler.prototype, "execute", 1);
 AxisFilesDownloadHandler = __decorateClass([
   Handler("axis.files.download"),
-  (0, import_common3.Injectable)(),
-  __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
-  __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE))
+  (0, import_common4.Injectable)(),
+  __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE))
 ], AxisFilesDownloadHandler);
 var AxisFilesFinalizeHandler = class {
   constructor(sessions, files, keyring) {
     this.sessions = sessions;
     this.files = files;
     this.keyring = keyring;
-    this.logger = new import_common3.Logger(AxisFilesFinalizeHandler.name);
+    this.logger = new import_common4.Logger(AxisFilesFinalizeHandler.name);
     this.name = "axis.files.finalize";
     this.open = false;
     this.description = "File upload finalization handler";
@@ -2907,7 +3655,7 @@ var AxisFilesFinalizeHandler = class {
     if (!await this.files.hasTemp(fileId)) {
       throw new Error("CHUNKS_NOT_FOUND");
     }
-    const hash = crypto2.createHash("sha256");
+    const hash = crypto3.createHash("sha256");
     const rs = this.files.createTempReadStream(fileId);
     for await (const chunk of rs) {
       hash.update(chunk);
@@ -2968,11 +3716,11 @@ __decorateClass([
 ], AxisFilesFinalizeHandler.prototype, "execute", 1);
 AxisFilesFinalizeHandler = __decorateClass([
   Handler("axis.files.finalize"),
-  (0, import_common3.Injectable)(),
-  __decorateParam(0, (0, import_common3.Inject)(AXIS_UPLOAD_SESSION_STORE)),
-  __decorateParam(1, (0, import_common3.Inject)(AXIS_UPLOAD_FILE_STORE)),
-  __decorateParam(2, (0, import_common3.Optional)()),
-  __decorateParam(2, (0, import_common3.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
+  (0, import_common4.Injectable)(),
+  __decorateParam(0, (0, import_common4.Inject)(AXIS_UPLOAD_SESSION_STORE)),
+  __decorateParam(1, (0, import_common4.Inject)(AXIS_UPLOAD_FILE_STORE)),
+  __decorateParam(2, (0, import_common4.Optional)()),
+  __decorateParam(2, (0, import_common4.Inject)(AXIS_UPLOAD_RECEIPT_SIGNER))
 ], AxisFilesFinalizeHandler);
 // src/upload/disk-upload-file.store.ts
@@ -3031,92 +3779,54 @@ var DiskUploadFileStore = class {
   }
 };
-// src/core/index.ts
-var core_exports = {};
-__export(core_exports, {
-  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
-  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
-  AxisError: () => AxisError,
-  AxisFrameZ: () => AxisFrameZ,
-  BodyProfile: () => import_axis_protocol2.BodyProfile,
-  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
-  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
-  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
-  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
-  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
-  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
-  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
-  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
-  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
-  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
-  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
-  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
-  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
-  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
-  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
-  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
-  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
-  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
-  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
-  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
-  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
-  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
-  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
-  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
-  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
-  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
-  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
-  ProofType: () => import_axis_protocol2.ProofType,
-  TLV: () => import_axis_protocol.TLV,
-  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
-  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
-  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
-  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
-  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
-  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
-  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
-  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
-  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
-  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
-  TLV_KID: () => import_axis_protocol2.TLV_KID,
-  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
-  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
-  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
-  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
-  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
-  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
-  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
-  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
-  TLV_OK: () => import_axis_protocol2.TLV_OK,
-  TLV_PID: () => import_axis_protocol2.TLV_PID,
-  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
-  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
-  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
-  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
-  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
-  TLV_RID: () => import_axis_protocol2.TLV_RID,
-  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
-  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
-  TLV_TS: () => import_axis_protocol2.TLV_TS,
-  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
-  computeReceiptHash: () => computeReceiptHash,
-  computeSignaturePayload: () => computeSignaturePayload,
-  decodeArray: () => import_axis_protocol.decodeArray,
-  decodeFrame: () => decodeFrame,
-  decodeObject: () => import_axis_protocol.decodeObject,
-  decodeTLVs: () => import_axis_protocol.decodeTLVs,
-  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
-  decodeVarint: () => import_axis_protocol3.decodeVarint,
-  encodeFrame: () => encodeFrame,
-  encodeTLVs: () => import_axis_protocol.encodeTLVs,
-  encodeVarint: () => import_axis_protocol3.encodeVarint,
-  generateEd25519KeyPair: () => generateEd25519KeyPair,
-  getSignTarget: () => getSignTarget,
-  sha256: () => sha256,
-  signFrame: () => signFrame,
-  varintLength: () => import_axis_protocol3.varintLength,
-  verifyFrameSignature: () => verifyFrameSignature
-});
+// src/decorators/axis-request.decorator.ts
+var import_common5 = require("@nestjs/common");
+function resolveIp(req) {
+  return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
+}
+var AxisRaw = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return req.body;
+  }
+);
+var AxisIp = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    return resolveIp(req);
+  }
+);
+var AxisContext = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const axisData = req.axis || {};
+    return {
+      raw: req.body,
+      ip: resolveIp(req),
+      preDecodeInput: axisData.preDecodeInput,
+      frameBytesCount: axisData.frameBytesCount || 0
+    };
+  }
+);
+var AxisDemoPubkey = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    if (process.env.NODE_ENV !== "development") return void 0;
+    const req = ctx.switchToHttp().getRequest();
+    return req.headers["x-demo-pubkey"];
+  }
+);
+var AxisFrame3 = (0, import_common5.createParamDecorator)(
+  (_data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const decoded = req.axisDecoded;
+    if (!decoded) {
+      throw new Error(
+        "@AxisFrame() requires AxisDecodeInterceptor on the route. Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator."
+      );
+    }
+    return decoded;
+  }
+);
 // src/core/axis-error.ts
 var AxisError = class extends Error {
@@ -3129,348 +3839,246 @@ var AxisError = class extends Error {
   }
 };
-// src/crypto/index.ts
-var crypto_exports = {};
-__export(crypto_exports, {
-  ProofVerificationService: () => ProofVerificationService,
-  b64urlDecode: () => b64urlDecode,
-  b64urlDecodeString: () => b64urlDecodeString,
-  b64urlEncode: () => b64urlEncode,
-  b64urlEncodeString: () => b64urlEncodeString,
-  canonicalJson: () => canonicalJson,
-  canonicalJsonExcluding: () => canonicalJsonExcluding
-});
-// src/crypto/proof-verification.service.ts
-var import_common4 = require("@nestjs/common");
-var crypto3 = __toESM(require("crypto"));
-var nacl = __toESM(require("tweetnacl"));
-var ProofVerificationService = class {
-  constructor() {
-    this.logger = new import_common4.Logger(ProofVerificationService.name);
-    // Cache of registered device public keys (deviceId -> pubKey)
-    this.deviceKeys = /* @__PURE__ */ new Map();
-    // Cache of trusted mTLS certificate fingerprints
-    this.trustedCerts = /* @__PURE__ */ new Map();
+// src/engine/handler-discovery.service.ts
+var import_common6 = require("@nestjs/common");
+var HandlerDiscoveryService = class {
+  constructor(discovery, scanner, router) {
+    this.discovery = discovery;
+    this.scanner = scanner;
+    this.router = router;
+    this.logger = new import_common6.Logger(HandlerDiscoveryService.name);
   }
-  /**
-   * Verifies an authentication proof based on its type.
-   *
-   * **Supported Types:**
-   * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
-   * - 2 (JWT): Verified by `verifyJWTProof`
-   * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
-   * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
-   *
-   * @param {ProofType} proofType - The numeric AXIS proof type
-   * @param {Uint8Array} proofRef - The binary reference or token for the proof
-   * @param {Object} context - Additional metadata required for specific proof types
-   * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
-   * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
-   * @param {MTLSContext} [context.mtls] - mTLS certificate data
-   * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
-   * @returns {Promise<ProofVerificationResult>} The outcome of the verification
-   */
-  async verifyProof(proofType, proofRef, context) {
-    switch (proofType) {
-      case 1:
-        return this.verifyCapsuleProof(proofRef);
-      case 2:
-        return this.verifyJWTProof(proofRef);
-      case 3:
-        return this.verifyMTLSProof(context.mtls);
-      case 4:
-        return this.verifyDeviceSEProof(
-          context.signTarget,
-          context.signature,
-          context.deviceSE
+  onModuleInit() {
+    const providers = this.discovery.getProviders();
+    let totalIntents = 0;
+    for (const wrapper of providers) {
+      const { instance, metatype } = wrapper;
+      if (!instance || !metatype) continue;
+      const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);
+      if (!handlerMeta) continue;
+      const handlerName = handlerMeta.intent || metatype.name;
+      const proto = Object.getPrototypeOf(instance);
+      const methods = this.scanner.getAllMethodNames(proto);
+      let registered = 0;
+      const handlerSensors = Reflect.getMetadata(HANDLER_SENSORS_KEY, metatype) || [];
+      for (const methodName of methods) {
+        const meta = Reflect.getMetadata(
+          INTENT_METADATA_KEY,
+          proto,
+          methodName
+        );
+        if (!meta?.intent) continue;
+        if (!this.router.has(meta.intent)) {
+          this.router.register(
+            meta.intent,
+            instance[methodName].bind(instance)
+          );
+          registered++;
+          totalIntents++;
+        }
+        this.router.registerIntentMeta(
+          meta.intent,
+          proto,
+          methodName,
+          handlerSensors
         );
-      default:
-        return { valid: false, error: `Unknown proof type: ${proofType}` };
-    }
-  }
-  /**
-   * Verify CAPSULE proof (delegated to CapsuleService)
-   */
-  async verifyCapsuleProof(proofRef) {
-    const capsuleId = new TextDecoder().decode(proofRef);
-    return {
-      valid: true,
-      metadata: { capsuleId, requiresCapsuleValidation: true }
-    };
-  }
-  /**
-   * Verifies a JSON Web Token (JWT) proof.
-   *
-   * **Validation Logic:**
-   * 1. Decodes the token string.
-   * 2. Checks for valid 3-part JWT structure.
-   * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
-   * 4. Extracts `actor_id` or `sub` as the identity.
-   *
-   * @param {Uint8Array} proofRef - Binary representation of the JWT string
-   * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
-   */
-  async verifyJWTProof(proofRef) {
-    try {
-      const token = new TextDecoder().decode(proofRef);
-      const parts = token.split(".");
-      if (parts.length !== 3) {
-        return { valid: false, error: "Invalid JWT format" };
-      }
-      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
-      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
-      if (payload.exp && Date.now() / 1e3 > payload.exp) {
-        return { valid: false, error: "JWT expired" };
       }
-      if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
-        return { valid: false, error: "JWT not yet valid" };
+      if (registered > 0) {
+        this.logger.log(
+          `Auto-registered ${registered} intents from ${handlerName}`
+        );
       }
-      return {
-        valid: true,
-        actorId: payload.sub || payload.actor_id,
-        metadata: { iss: payload.iss, scope: payload.scope }
-      };
-    } catch (e) {
-      const message = e instanceof Error ? e.message : "Unknown error";
-      return { valid: false, error: `JWT parse error: ${message}` };
     }
+    this.logger.log(
+      `Handler discovery complete: ${totalIntents} intents auto-registered`
+    );
   }
-  /**
-   * Verify mTLS client certificate proof
-   */
-  async verifyMTLSProof(mtls) {
-    if (!mtls) {
-      return { valid: false, error: "No mTLS context provided" };
-    }
-    if (!mtls.verified) {
-      return { valid: false, error: "mTLS not verified by TLS terminator" };
-    }
-    if (mtls.clientCertFingerprint) {
-      const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
-      if (trusted) {
-        return {
-          valid: true,
-          actorId: trusted.actorId,
-          metadata: {
-            fingerprint: mtls.clientCertFingerprint,
-            subject: mtls.clientCertSubject
-          }
-        };
+};
+HandlerDiscoveryService = __decorateClass([
+  (0, import_common6.Injectable)()
+], HandlerDiscoveryService);
+// src/engine/sensor-discovery.service.ts
+var import_common7 = require("@nestjs/common");
+var SensorDiscoveryService = class {
+  constructor(discovery, reflector, registry) {
+    this.discovery = discovery;
+    this.reflector = reflector;
+    this.registry = registry;
+    this.logger = new import_common7.Logger(SensorDiscoveryService.name);
+  }
+  onApplicationBootstrap() {
+    const providers = this.discovery.getProviders();
+    let count = 0;
+    for (const wrapper of providers) {
+      const { instance } = wrapper;
+      if (!instance || !instance.constructor) continue;
+      const meta = this.reflector.get(
+        SENSOR_METADATA_KEY,
+        instance.constructor
+      );
+      if (!meta) continue;
+      const sensor = instance;
+      if (!sensor.name || sensor.order === void 0) {
+        this.logger.warn(
+          `@Sensor() on ${instance.constructor.name} missing name or order \u2014 skipped`
+        );
+        continue;
       }
-    }
-    if (mtls.clientCertSubject) {
-      const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
-      if (cnMatch) {
-        return {
-          valid: true,
-          actorId: cnMatch[1],
-          metadata: {
-            subject: mtls.clientCertSubject,
-            issuer: mtls.clientCertIssuer
-          }
-        };
+      if (!sensor.phase) {
+        const decoratorPhase = meta !== true ? meta.phase : void 0;
+        sensor.phase = decoratorPhase ?? (sensor.order < PRE_DECODE_BOUNDARY ? "PRE_DECODE" : "POST_DECODE");
       }
+      this.registry.register(sensor);
+      count++;
     }
-    return { valid: false, error: "Could not extract actor from certificate" };
+    this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);
+  }
+};
+SensorDiscoveryService = __decorateClass([
+  (0, import_common7.Injectable)()
+], SensorDiscoveryService);
+// src/engine/registry/sensor.registry.ts
+var import_common8 = require("@nestjs/common");
+var SensorRegistry = class {
+  constructor(configService) {
+    this.configService = configService;
+    this.sensors = [];
+    this.logger = new import_common8.Logger(SensorRegistry.name);
   }
   /**
-   * Verify Device Secure Element signature
+   * Registers a new sensor in the registry.
+   *
+   * Validates that:
+   * - AxisSensor has a unique name
+   * - AxisSensor has an order field
+   * - Pre-decode sensors have order < 40
+   * - Post-decode sensors have order >= 40
+   *
+   * @param {AxisSensor} sensor - The sensor instance to register
+   * @throws Error if validation fails
    */
-  async verifyDeviceSEProof(signTarget, signature, deviceSE) {
-    if (!deviceSE || !signTarget || !signature) {
-      return { valid: false, error: "Missing Device SE context" };
+  register(sensor) {
+    if (!sensor.name) {
+      throw new Error("AxisSensor must have a name");
     }
-    let publicKey = deviceSE.publicKey;
-    const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
-    if (registeredKey) {
-      publicKey = registeredKey;
+    const enabledSensorsStr = this.configService.get("ENABLED_SENSORS");
+    const disabledSensorsStr = this.configService.get("DISABLED_SENSORS");
+    const enabledSensors = enabledSensorsStr ? enabledSensorsStr.split(",").map((s) => s.trim()) : null;
+    const disabledSensors = disabledSensorsStr ? disabledSensorsStr.split(",").map((s) => s.trim()) : [];
+    if (enabledSensors && !enabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);
+      return;
     }
-    if (!publicKey || publicKey.length !== 32) {
-      return {
-        valid: false,
-        error: "Invalid or unregistered device public key"
-      };
+    if (disabledSensors.includes(sensor.name)) {
+      this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);
+      return;
     }
-    try {
-      const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
-      if (!valid) {
-        return { valid: false, error: "Device signature verification failed" };
-      }
-      return {
-        valid: true,
-        actorId: deviceSE.deviceId,
-        metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
-      };
-    } catch (e) {
-      const message = e instanceof Error ? e.message : "Unknown error";
-      return {
-        valid: false,
-        error: `Signature verification error: ${message}`
-      };
+    if (sensor.order === void 0) {
+      throw new Error(`AxisSensor "${sensor.name}" must have an order field`);
+    }
+    const isPreDecodeSensor = this.isPreDecodeSensor(sensor);
+    const isPostDecodeSensor = this.isPostDecodeSensor(sensor);
+    if (isPreDecodeSensor && sensor.order >= 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`
+      );
+    }
+    if (isPostDecodeSensor && sensor.order < 40) {
+      this.logger.warn(
+        `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
+      );
     }
+    this.sensors.push(sensor);
+    const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
+    this.logger.debug(
+      `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
+    );
   }
   /**
-   * Registers a public key for a trusted device.
-   * This key will be used for future `DEVICE_SE` proof verifications.
+   * Returns all registered sensors, sorted by their execution order.
    *
-   * @param {string} deviceId - Unique identifier for the device
-   * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
-   * @throws {Error} If the public key is not 32 bytes
+   * @returns {AxisSensor[]} A sorted array of sensors
    */
-  registerDeviceKey(deviceId, publicKey) {
-    if (publicKey.length !== 32) {
-      throw new Error("Device public key must be 32 bytes (Ed25519)");
-    }
-    this.deviceKeys.set(deviceId, publicKey);
-    this.logger.log(`Registered device key for ${deviceId}`);
+  list() {
+    return [...this.sensors].sort(
+      (a, b) => (a.order ?? 999) - (b.order ?? 999)
+    );
   }
   /**
-   * Unregister a device
+   * Returns only pre-decode sensors (order < 40).
+   * These sensors run in middleware on raw bytes before frame decoding.
+   *
+   * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
    */
-  unregisterDevice(deviceId) {
-    return this.deviceKeys.delete(deviceId);
+  getPreDecodeSensors() {
+    return this.list().filter((s) => (s.order ?? 999) < 40);
   }
   /**
-   * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
+   * Returns only post-decode sensors (order >= 40).
+   * These sensors run in the controller on fully decoded frames.
    *
-   * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
-   * @param {string} actorId - The actor to associate with this certificate
+   * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
    */
-  registerMTLSCert(fingerprint, actorId) {
-    this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
-    this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
+  getPostDecodeSensors() {
+    return this.list().filter(
+      (s) => (s.order ?? 999) >= 40
+    );
   }
   /**
-   * Revoke an mTLS certificate
+   * Helper: Check if a sensor is a pre-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is pre-decode
    */
-  revokeMTLSCert(fingerprint) {
-    return this.trustedCerts.delete(fingerprint);
+  isPreDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
   }
   /**
-   * Calculate certificate fingerprint (SHA-256)
+   * Helper: Check if a sensor is a post-decode sensor.
+   *
+   * @private
+   * @param {AxisSensor} sensor - The sensor to check
+   * @returns {boolean} True if sensor is post-decode
    */
-  static calculateFingerprint(certPem) {
-    const der = Buffer.from(
-      certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
-      "base64"
-    );
-    return crypto3.createHash("sha256").update(der).digest("hex");
+  isPostDecodeSensor(sensor) {
+    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
+    return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
+  }
+  /**
+   * Returns sensor count by phase.
+   * Useful for diagnostics and monitoring.
+   *
+   * @returns {{preDecodeCount: number, postDecodeCount: number}}
+   */
+  getSensorCountByPhase() {
+    return {
+      preDecodeCount: this.getPreDecodeSensors().length,
+      postDecodeCount: this.getPostDecodeSensors().length
+    };
+  }
+  /**
+   * Clears all registered sensors.
+   * Useful for testing.
+   *
+   * @internal
+   */
+  clear() {
+    this.sensors = [];
   }
 };
-ProofVerificationService = __decorateClass([
-  (0, import_common4.Injectable)()
-], ProofVerificationService);
-// src/decorators/index.ts
-var decorators_exports = {};
-__export(decorators_exports, {
-  AxisContext: () => AxisContext,
-  AxisDemoPubkey: () => AxisDemoPubkey,
-  AxisFrame: () => AxisFrame3,
-  AxisIp: () => AxisIp,
-  AxisRaw: () => AxisRaw,
-  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
-  Handler: () => Handler,
-  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
-  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
-  INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
-  INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
-  Intent: () => Intent,
-  IntentBody: () => IntentBody,
-  IntentSensors: () => IntentSensors,
-  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
-  Sensor: () => Sensor,
-  TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
-  TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
-  TlvEnum: () => TlvEnum,
-  TlvField: () => TlvField,
-  TlvMinLen: () => TlvMinLen,
-  TlvRange: () => TlvRange,
-  TlvUtf8Pattern: () => TlvUtf8Pattern,
-  TlvValidate: () => TlvValidate,
-  buildDtoDecoder: () => buildDtoDecoder,
-  extractDtoSchema: () => extractDtoSchema
-});
-// src/decorators/axis-request.decorator.ts
-var import_common5 = require("@nestjs/common");
-function resolveIp(req) {
-  return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || void 0;
-}
-var AxisRaw = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    return req.body;
-  }
-);
-var AxisIp = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    return resolveIp(req);
-  }
-);
-var AxisContext = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    const axisData = req.axis || {};
-    return {
-      raw: req.body,
-      ip: resolveIp(req),
-      preDecodeInput: axisData.preDecodeInput,
-      frameBytesCount: axisData.frameBytesCount || 0
-    };
-  }
-);
-var AxisDemoPubkey = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    if (process.env.NODE_ENV !== "development") return void 0;
-    const req = ctx.switchToHttp().getRequest();
-    return req.headers["x-demo-pubkey"];
-  }
-);
-var AxisFrame3 = (0, import_common5.createParamDecorator)(
-  (_data, ctx) => {
-    const req = ctx.switchToHttp().getRequest();
-    const decoded = req.axisDecoded;
-    if (!decoded) {
-      throw new Error(
-        "@AxisFrame() requires AxisDecodeInterceptor on the route. Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator."
-      );
-    }
-    return decoded;
-  }
-);
-// src/decorators/sensor.decorator.ts
-var import_common6 = require("@nestjs/common");
-var SENSOR_METADATA_KEY = "axis:sensor";
-function Sensor(options) {
-  return (0, import_common6.SetMetadata)(SENSOR_METADATA_KEY, options ?? true);
-}
-// src/engine/index.ts
-var engine_exports = {};
-__export(engine_exports, {
-  BAND: () => BAND,
-  HandlerDiscoveryService: () => HandlerDiscoveryService,
-  IntentRouter: () => IntentRouter,
-  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
-  SensorDiscoveryService: () => SensorDiscoveryService,
-  SensorRegistry: () => SensorRegistry,
-  createObservation: () => createObservation,
-  endStage: () => endStage,
-  finalizeObservation: () => finalizeObservation,
-  observation: () => observation_exports,
-  recordSensor: () => recordSensor,
-  startStage: () => startStage
-});
+SensorRegistry = __decorateClass([
+  (0, import_common8.Injectable)()
+], SensorRegistry);
 // src/engine/axis-observation.ts
-var import_crypto5 = require("crypto");
+var import_crypto7 = require("crypto");
 function createObservation(transport, ip) {
   return {
-    id: (0, import_crypto5.randomBytes)(16).toString("hex"),
+    id: (0, import_crypto7.randomBytes)(16).toString("hex"),
     startMs: Date.now(),
     transport,
     ip,
@@ -3502,251 +4110,1186 @@ function finalizeObservation(obs, decision, statusCode, resultCode) {
   if (resultCode) obs.resultCode = resultCode;
 }
-// src/engine/handler-discovery.service.ts
-var import_common7 = require("@nestjs/common");
-var HandlerDiscoveryService = class {
-  constructor(discovery, scanner, router) {
-    this.discovery = discovery;
-    this.scanner = scanner;
-    this.router = router;
-    this.logger = new import_common7.Logger(HandlerDiscoveryService.name);
+// src/security/axis-sensor-chain.service.ts
+var import_common9 = require("@nestjs/common");
+var AxisSensorChainService = class {
+  constructor(registry) {
+    this.registry = registry;
   }
-  onModuleInit() {
-    const providers = this.discovery.getProviders();
-    let totalIntents = 0;
-    for (const wrapper of providers) {
-      const { instance, metatype } = wrapper;
-      if (!instance || !metatype) continue;
-      const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);
-      if (!handlerMeta) continue;
-      const handlerName = handlerMeta.intent || metatype.name;
-      const proto = Object.getPrototypeOf(instance);
-      const methods = this.scanner.getAllMethodNames(proto);
-      let registered = 0;
-      for (const methodName of methods) {
-        const meta = Reflect.getMetadata(
-          INTENT_METADATA_KEY,
-          proto,
-          methodName
-        );
-        if (!meta?.intent) continue;
-        if (!this.router.has(meta.intent)) {
-          this.router.register(
-            meta.intent,
-            instance[methodName].bind(instance)
+  /**
+   * Evaluate all applicable sensors based on phase.
+   */
+  async evaluate(input, phase = "POST_DECODE", baseDecision) {
+    if (phase === "PRE_DECODE") {
+      return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
+    }
+    if (phase === "BOTH") {
+      const rawPreResult = await this.evaluateSensors(
+        this.registry.getPreDecodeSensors(),
+        input
+      );
+      const preResult = normalizeSensorDecision(rawPreResult);
+      if (!preResult.allow) return rawPreResult;
+      return this.evaluateSensors(
+        this.registry.getPostDecodeSensors(),
+        input,
+        rawPreResult
+      );
+    }
+    return this.evaluateSensors(
+      this.registry.getPostDecodeSensors(),
+      input,
+      baseDecision
+    );
+  }
+  /** Run only pre-decode sensors. */
+  async evaluatePre(input) {
+    return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);
+  }
+  /** Run only post-decode sensors. */
+  async evaluatePost(input, baseDecision) {
+    return this.evaluateSensors(
+      this.registry.getPostDecodeSensors(),
+      input,
+      baseDecision
+    );
+  }
+  async evaluateSensors(sensors, input, baseDecision) {
+    const relevantSensors = sensors.filter(
+      (s) => !s.supports || s.supports(input)
+    );
+    const normalizedBase = baseDecision ? normalizeSensorDecision(baseDecision) : void 0;
+    let riskScore = normalizedBase?.riskScore ?? 0;
+    const reasons = normalizedBase?.reasons ? [...normalizedBase.reasons] : [];
+    const tags = normalizedBase?.tags ? { ...normalizedBase.tags } : {};
+    let expSecondsMax = normalizedBase?.tighten?.expSecondsMax;
+    let constraintsPatch = normalizedBase?.tighten?.constraintsPatch ? { ...normalizedBase.tighten.constraintsPatch } : {};
+    for (const sensor of relevantSensors) {
+      try {
+        const t0 = Date.now();
+        const rawDecision = await sensor.run(input);
+        const elapsed = Date.now() - t0;
+        const decision = normalizeSensorDecision(rawDecision);
+        const obs = input.metadata?.observation;
+        if (obs) {
+          recordSensor(
+            obs,
+            sensor.name,
+            decision.allow,
+            decision.riskScore,
+            elapsed,
+            decision.reasons,
+            decision.allow ? void 0 : decision.code
           );
-          registered++;
-          totalIntents++;
         }
-        this.router.registerIntentMeta(meta.intent, proto, methodName);
-      }
-      if (registered > 0) {
-        this.logger.log(
-          `Auto-registered ${registered} intents from ${handlerName}`
-        );
+        if (!decision.allow) {
+          return {
+            allow: false,
+            riskScore: Math.min(100, riskScore + decision.riskScore),
+            reasons: [...reasons, ...decision.reasons],
+            tags
+          };
+        }
+        riskScore = Math.min(100, riskScore + decision.riskScore);
+        reasons.push(...decision.reasons);
+        if (decision.tags) {
+          Object.assign(tags, decision.tags);
+        }
+        if (decision.tighten?.expSecondsMax !== void 0) {
+          expSecondsMax = expSecondsMax === void 0 ? decision.tighten.expSecondsMax : Math.min(expSecondsMax, decision.tighten.expSecondsMax);
+        }
+        if (decision.tighten?.constraintsPatch) {
+          constraintsPatch = {
+            ...constraintsPatch,
+            ...decision.tighten.constraintsPatch
+          };
+        }
+      } catch (error) {
+        console.error(`[AXIS][SENSOR] ${sensor.name} failed:`, error);
+        const obs = input.metadata?.observation;
+        if (obs) {
+          recordSensor(obs, sensor.name, false, 100, 0, [
+            `sensor_error:${sensor.name}`
+          ]);
+        }
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`sensor_error:${sensor.name}`]
+        };
       }
     }
-    this.logger.log(
-      `Handler discovery complete: ${totalIntents} intents auto-registered`
-    );
+    const tightenPatch = Object.keys(constraintsPatch).length > 0 ? constraintsPatch : void 0;
+    return {
+      allow: true,
+      riskScore,
+      reasons,
+      tags,
+      tighten: expSecondsMax !== void 0 || tightenPatch ? {
+        expSecondsMax,
+        constraintsPatch: tightenPatch
+      } : void 0
+    };
   }
 };
-HandlerDiscoveryService = __decorateClass([
-  (0, import_common7.Injectable)()
-], HandlerDiscoveryService);
+AxisSensorChainService = __decorateClass([
+  (0, import_common9.Injectable)()
+], AxisSensorChainService);
-// src/engine/sensor-bands.ts
-var BAND = {
-  /** Pre-decode: raw byte validation, geo, budget, magic */
-  WIRE: 0,
-  /** Post-decode: identity resolution, capsule, proof */
-  IDENTITY: 40,
-  /** Post-decode: authorization, signature, rate limiting */
-  POLICY: 90,
-  /** Post-decode: content validation, TLV, schema, files */
-  CONTENT: 140,
-  /** Post-decode: business logic sensors, streams, WS */
-  BUSINESS: 200,
-  /** Post-decode: audit, logging (always last) */
-  AUDIT: 900
-};
-var PRE_DECODE_BOUNDARY = 40;
+// src/cce/index.ts
+var cce_exports = {};
+__export(cce_exports, {
+  CCE_AES_KEY_BYTES: () => CCE_AES_KEY_BYTES,
+  CCE_DERIVATION: () => CCE_DERIVATION,
+  CCE_ERROR: () => CCE_ERROR,
+  CCE_IV_BYTES: () => CCE_IV_BYTES,
+  CCE_NONCE_BYTES: () => CCE_NONCE_BYTES,
+  CCE_PROTOCOL_VERSION: () => CCE_PROTOCOL_VERSION,
+  CCE_TAG_BYTES: () => CCE_TAG_BYTES,
+  CceAudienceIntentBindingSensor: () => CceAudienceIntentBindingSensor,
+  CceCapsuleVerificationSensor: () => CceCapsuleVerificationSensor,
+  CceClientSignatureSensor: () => CceClientSignatureSensor,
+  CceEnvelopeValidationSensor: () => CceEnvelopeValidationSensor,
+  CceError: () => CceError,
+  CcePayloadDecryptionSensor: () => CcePayloadDecryptionSensor,
+  CceReplayProtectionSensor: () => CceReplayProtectionSensor,
+  CceTpsWindowSensor: () => CceTpsWindowSensor,
+  InMemoryCceReplayStore: () => InMemoryCceReplayStore,
+  InMemoryCceWitnessStore: () => InMemoryCceWitnessStore,
+  aesGcmDecrypt: () => aesGcmDecrypt,
+  aesGcmEncrypt: () => aesGcmEncrypt,
+  base64UrlDecode: () => base64UrlDecode,
+  base64UrlEncode: () => base64UrlEncode,
+  buildCceErrorResponse: () => buildCceErrorResponse,
+  buildCceResponse: () => buildCceResponse,
+  buildExecutionContext: () => buildExecutionContext,
+  buildWitnessRecord: () => buildWitnessRecord,
+  deriveRequestExecutionKey: () => deriveRequestExecutionKey,
+  deriveResponseExecutionKey: () => deriveResponseExecutionKey,
+  deriveWitnessKey: () => deriveWitnessKey,
+  executeCcePipeline: () => executeCcePipeline,
+  extractVerificationState: () => extractVerificationState,
+  generateAesKey: () => generateAesKey,
+  generateCceNonce: () => generateCceNonce,
+  generateIv: () => generateIv,
+  hashPayload: () => hashPayload,
+  nodeAesGcmProvider: () => nodeAesGcmProvider
+});
-// src/engine/sensor-discovery.service.ts
-var import_common8 = require("@nestjs/common");
-var SensorDiscoveryService = class {
-  constructor(discovery, reflector, registry) {
-    this.discovery = discovery;
-    this.reflector = reflector;
-    this.registry = registry;
-    this.logger = new import_common8.Logger(SensorDiscoveryService.name);
+// src/cce/sensors/cce-envelope-validation.sensor.ts
+var REQUIRED_FIELDS = [
+  "ver",
+  "request_id",
+  "correlation_id",
+  "client_kid",
+  "capsule",
+  "encrypted_key",
+  "encrypted_payload",
+  "request_nonce",
+  "client_sig",
+  "algorithms"
+];
+var CceEnvelopeValidationSensor = class {
+  constructor() {
+    this.name = "cce.envelope.validation";
+    this.order = 5;
+    this.phase = "PRE_DECODE";
   }
-  onApplicationBootstrap() {
-    const providers = this.discovery.getProviders();
-    let count = 0;
-    for (const wrapper of providers) {
-      const { instance } = wrapper;
-      if (!instance || !instance.constructor) continue;
-      const meta = this.reflector.get(
-        SENSOR_METADATA_KEY,
-        instance.constructor
-      );
-      if (!meta) continue;
-      const sensor = instance;
-      if (!sensor.name || sensor.order === void 0) {
-        this.logger.warn(
-          `@Sensor() on ${instance.constructor.name} missing name or order \u2014 skipped`
-        );
-        continue;
-      }
-      if (!sensor.phase) {
-        const decoratorPhase = meta !== true ? meta.phase : void 0;
-        sensor.phase = decoratorPhase ?? (sensor.order < PRE_DECODE_BOUNDARY ? "PRE_DECODE" : "POST_DECODE");
+  supports(input) {
+    return input.metadata?.cce === true || input.metadata?.contentType === "application/axis-cce";
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    for (const field of REQUIRED_FIELDS) {
+      if (envelope[field] === void 0 || envelope[field] === null) {
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: missing ${field}`],
+          code: CCE_ERROR.INVALID_ENVELOPE
+        };
       }
-      this.registry.register(sensor);
-      count++;
     }
-    this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);
+    if (envelope.ver !== CCE_PROTOCOL_VERSION) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.UNSUPPORTED_VERSION}: ${envelope.ver}`],
+        code: CCE_ERROR.UNSUPPORTED_VERSION
+      };
+    }
+    if (!/^[0-9a-f]+$/i.test(envelope.request_nonce)) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INVALID_ENVELOPE}: invalid request_nonce format`
+        ],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    if (envelope.request_nonce.length !== CCE_NONCE_BYTES * 2) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: request_nonce wrong length`],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    const capsule = envelope.capsule;
+    if (!capsule.capsule_id || !capsule.ver || !capsule.sub || !capsule.kid || !capsule.intent || !capsule.aud || !capsule.issuer_sig) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.MISSING_CAPSULE}: incomplete capsule claims`],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    if (!envelope.encrypted_key.ciphertext || !envelope.encrypted_key.alg) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.MISSING_ENCRYPTED_KEY}: incomplete encrypted_key`
+        ],
+        code: CCE_ERROR.MISSING_ENCRYPTED_KEY
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceEnvelopeValid = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
   }
 };
-SensorDiscoveryService = __decorateClass([
-  (0, import_common8.Injectable)()
-], SensorDiscoveryService);
-// src/engine/registry/sensor.registry.ts
-var import_common9 = require("@nestjs/common");
-var SensorRegistry = class {
-  constructor(configService) {
-    this.configService = configService;
-    this.sensors = [];
-    this.logger = new import_common9.Logger(SensorRegistry.name);
+// src/cce/sensors/cce-client-signature.sensor.ts
+var CceClientSignatureSensor = class {
+  constructor(keyResolver, signatureVerifier) {
+    this.keyResolver = keyResolver;
+    this.signatureVerifier = signatureVerifier;
+    this.name = "cce.client.signature";
+    this.order = 45;
+    this.phase = "POST_DECODE";
   }
-  /**
-   * Registers a new sensor in the registry.
-   *
-   * Validates that:
-   * - AxisSensor has a unique name
-   * - AxisSensor has an order field
-   * - Pre-decode sensors have order < 40
-   * - Post-decode sensors have order >= 40
-   *
-   * @param {AxisSensor} sensor - The sensor instance to register
-   * @throws Error if validation fails
-   */
-  register(sensor) {
-    if (!sensor.name) {
-      throw new Error("AxisSensor must have a name");
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true;
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
     }
-    const enabledSensorsStr = this.configService.get("ENABLED_SENSORS");
-    const disabledSensorsStr = this.configService.get("DISABLED_SENSORS");
-    const enabledSensors = enabledSensorsStr ? enabledSensorsStr.split(",").map((s) => s.trim()) : null;
-    const disabledSensors = disabledSensorsStr ? disabledSensorsStr.split(",").map((s) => s.trim()) : [];
-    if (enabledSensors && !enabledSensors.includes(sensor.name)) {
-      this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);
-      return;
+    const keyRecord = await this.keyResolver.resolve(envelope.client_kid);
+    if (!keyRecord) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.CLIENT_KEY_NOT_FOUND}: kid=${envelope.client_kid}`
+        ],
+        code: CCE_ERROR.CLIENT_KEY_NOT_FOUND
+      };
     }
-    if (disabledSensors.includes(sensor.name)) {
-      this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);
-      return;
+    const { client_sig, ...signable } = envelope;
+    const canonical = canonicalize2(signable);
+    const message = new TextEncoder().encode(canonical);
+    const valid = await this.signatureVerifier.verify(
+      message,
+      client_sig.value,
+      keyRecord.publicKeyHex,
+      keyRecord.alg
+    );
+    if (!valid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.CLIENT_SIG_INVALID],
+        code: CCE_ERROR.CLIENT_SIG_INVALID
+      };
     }
-    if (sensor.order === void 0) {
-      throw new Error(`AxisSensor "${sensor.name}" must have an order field`);
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceClientKey = keyRecord;
+    input.metadata.cceClientSigVerified = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      meta: { kid: envelope.client_kid }
+    };
+  }
+};
+function canonicalize2(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize2).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize2(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+// src/cce/sensors/cce-capsule-verification.sensor.ts
+var import_blake3 = require("@noble/hashes/blake3.js");
+var import_utils5 = require("@noble/hashes/utils.js");
+var CceCapsuleVerificationSensor = class {
+  constructor(issuerKeyResolver, capsuleVerifier) {
+    this.issuerKeyResolver = issuerKeyResolver;
+    this.capsuleVerifier = capsuleVerifier;
+    this.name = "cce.capsule.verification";
+    this.order = 50;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceEnvelope?.capsule;
+    if (!capsule) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
     }
-    const isPreDecodeSensor = this.isPreDecodeSensor(sensor);
-    const isPostDecodeSensor = this.isPostDecodeSensor(sensor);
-    if (isPreDecodeSensor && sensor.order >= 40) {
-      this.logger.warn(
-        `AxisSensor "${sensor.name}" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`
+    if (capsule.ver !== CCE_PROTOCOL_VERSION) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.CAPSULE_SIG_INVALID}: wrong version ${capsule.ver}`
+        ],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const { capsule_id, issuer_sig, ...claimsBody } = capsule;
+    const expectedId = computeCceCapsuleId(claimsBody);
+    if (capsule_id !== expectedId) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: content hash mismatch`],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const issuerKey = await this.issuerKeyResolver.resolve(
+      capsule.issuer_sig.kid
+    );
+    if (!issuerKey) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: issuer key not found`],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const { issuer_sig: sig, ...rest } = capsule;
+    const sigValid = await this.capsuleVerifier.verify(
+      rest,
+      sig,
+      issuerKey.publicKeyHex
+    );
+    if (!sigValid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.CAPSULE_SIG_INVALID],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    if (capsule.exp < nowSeconds) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_EXPIRED}: exp=${capsule.exp}`],
+        code: CCE_ERROR.CAPSULE_EXPIRED
+      };
+    }
+    if (capsule.iat > nowSeconds + 5) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_NOT_YET_VALID}: iat=${capsule.iat}`],
+        code: CCE_ERROR.CAPSULE_NOT_YET_VALID
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceCapsuleVerified = true;
+    input.metadata.cceCapsule = capsule;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      meta: { capsule_id: capsule.capsule_id }
+    };
+  }
+};
+function canonicalize3(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize3).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize3(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+function computeCceCapsuleId(claims) {
+  const canonical = canonicalize3(claims);
+  const hash = (0, import_blake3.blake3)(new TextEncoder().encode(canonical));
+  return "cce_b3_" + (0, import_utils5.bytesToHex)(hash).slice(0, 32);
+}
+// src/cce/sensors/cce-tps-window.sensor.ts
+var DEFAULT_SKEW_MS = 5e3;
+var CceTpsWindowSensor = class {
+  constructor(skewMs = DEFAULT_SKEW_MS) {
+    this.skewMs = skewMs;
+    this.name = "cce.tps.window";
+    this.order = 92;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    if (!capsule) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    const nowMs = Date.now();
+    if (nowMs > capsule.tps_to + this.skewMs) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.TPS_WINDOW_EXPIRED}: window ended at ${capsule.tps_to}, now=${nowMs}`
+        ],
+        code: CCE_ERROR.TPS_WINDOW_EXPIRED
+      };
+    }
+    if (nowMs < capsule.tps_from - this.skewMs) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.TPS_WINDOW_FUTURE}: window starts at ${capsule.tps_from}, now=${nowMs}`
+        ],
+        code: CCE_ERROR.TPS_WINDOW_FUTURE
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceTpsValid = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+// src/cce/sensors/cce-audience-intent-binding.sensor.ts
+var CceAudienceIntentBindingSensor = class {
+  constructor(axisAudience) {
+    this.axisAudience = axisAudience;
+    this.name = "cce.audience.intent.binding";
+    this.order = 95;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    const envelope = input.metadata?.cceEnvelope;
+    if (!capsule || !envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    if (capsule.aud !== this.axisAudience) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.AUDIENCE_MISMATCH}: capsule.aud=${capsule.aud}, expected=${this.axisAudience}`
+        ],
+        code: CCE_ERROR.AUDIENCE_MISMATCH
+      };
+    }
+    const requestIntent = input.intent ?? input.metadata?.cceRequestIntent;
+    if (requestIntent && capsule.intent !== requestIntent) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INTENT_MISMATCH}: capsule.intent=${capsule.intent}, request=${requestIntent}`
+        ],
+        code: CCE_ERROR.INTENT_MISMATCH
+      };
+    }
+    if (envelope.client_kid !== capsule.kid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INTENT_MISMATCH}: envelope.kid=${envelope.client_kid}, capsule.kid=${capsule.kid}`
+        ],
+        code: CCE_ERROR.INTENT_MISMATCH
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceBindingVerified = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+// src/cce/sensors/cce-replay-protection.sensor.ts
+var InMemoryCceReplayStore = class {
+  constructor() {
+    this.nonces = /* @__PURE__ */ new Map();
+    this.consumed = /* @__PURE__ */ new Set();
+    this.revoked = /* @__PURE__ */ new Set();
+  }
+  async checkAndMark(key, ttlMs) {
+    this.cleanup();
+    if (this.nonces.has(key)) return false;
+    this.nonces.set(key, Date.now() + ttlMs);
+    return true;
+  }
+  async isCapsuleConsumed(capsuleId) {
+    return this.consumed.has(capsuleId);
+  }
+  async markCapsuleConsumed(capsuleId, _ttlMs) {
+    this.consumed.add(capsuleId);
+  }
+  async isCapsuleRevoked(capsuleId) {
+    return this.revoked.has(capsuleId);
+  }
+  /** Revoke a capsule (for testing/admin) */
+  revoke(capsuleId) {
+    this.revoked.add(capsuleId);
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, expiresAt] of this.nonces) {
+      if (expiresAt < now) this.nonces.delete(key);
+    }
+  }
+};
+var CceReplayProtectionSensor = class {
+  constructor(replayStore, options) {
+    this.replayStore = replayStore;
+    this.name = "cce.replay.protection";
+    this.order = 98;
+    this.phase = "POST_DECODE";
+    this.nonceTtlMs = options?.nonceTtlMs ?? 5 * 60 * 1e3;
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    const envelope = input.metadata?.cceEnvelope;
+    if (!capsule || !envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    const revoked = await this.replayStore.isCapsuleRevoked(capsule.capsule_id);
+    if (revoked) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_REVOKED}: ${capsule.capsule_id}`],
+        code: CCE_ERROR.CAPSULE_REVOKED
+      };
+    }
+    if (capsule.mode === "SINGLE_USE") {
+      const consumed = await this.replayStore.isCapsuleConsumed(
+        capsule.capsule_id
       );
+      if (consumed) {
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`${CCE_ERROR.CAPSULE_CONSUMED}: ${capsule.capsule_id}`],
+          code: CCE_ERROR.CAPSULE_CONSUMED
+        };
+      }
     }
-    if (isPostDecodeSensor && sensor.order < 40) {
-      this.logger.warn(
-        `AxisSensor "${sensor.name}" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`
+    const nonceKey = `cce:nonce:${capsule.sub}:${capsule.aud}:${capsule.intent}:${envelope.request_nonce}`;
+    const nonceValid = await this.replayStore.checkAndMark(
+      nonceKey,
+      this.nonceTtlMs
+    );
+    if (!nonceValid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.NONCE_REUSED}: ${envelope.request_nonce.slice(0, 16)}...`
+        ],
+        code: CCE_ERROR.NONCE_REUSED
+      };
+    }
+    if (capsule.mode === "SINGLE_USE") {
+      const capsuleTtl = (capsule.exp - capsule.iat) * 1e3 + 6e4;
+      await this.replayStore.markCapsuleConsumed(
+        capsule.capsule_id,
+        capsuleTtl
+      );
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceReplayClean = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+// src/cce/sensors/cce-payload-decryption.sensor.ts
+var CcePayloadDecryptionSensor = class {
+  constructor(keyProvider, aesProvider, maxPayloadBytes = 64 * 1024) {
+    this.keyProvider = keyProvider;
+    this.aesProvider = aesProvider;
+    this.maxPayloadBytes = maxPayloadBytes;
+    this.name = "cce.payload.decryption";
+    this.order = 145;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true && input.metadata?.cceClientSigVerified === true && input.metadata?.cceCapsuleVerified === true && input.metadata?.cceReplayClean === true;
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    let aesKey;
+    try {
+      aesKey = await this.keyProvider.unwrapKey(
+        envelope.encrypted_key.ciphertext,
+        envelope.encrypted_key.alg,
+        envelope.encrypted_key.axis_kid,
+        envelope.encrypted_key.ephemeral_pk
+      );
+    } catch {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],
+        code: CCE_ERROR.KEY_UNWRAP_FAILED
+      };
+    }
+    if (!aesKey) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],
+        code: CCE_ERROR.KEY_UNWRAP_FAILED
+      };
+    }
+    let iv;
+    let ciphertext;
+    let tag;
+    try {
+      iv = base64UrlDecode2(envelope.encrypted_payload.iv);
+      ciphertext = base64UrlDecode2(envelope.encrypted_payload.ciphertext);
+      tag = base64UrlDecode2(envelope.encrypted_payload.tag);
+    } catch {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.DECRYPTION_FAILED}: invalid base64url encoding`],
+        code: CCE_ERROR.DECRYPTION_FAILED
+      };
+    }
+    if (ciphertext.length > this.maxPayloadBytes) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.PAYLOAD_TOO_LARGE}: ${ciphertext.length} > ${this.maxPayloadBytes}`
+        ],
+        code: CCE_ERROR.PAYLOAD_TOO_LARGE
+      };
+    }
+    const aad = buildAad(envelope);
+    let plaintext;
+    try {
+      plaintext = await this.aesProvider.decrypt(
+        aesKey,
+        iv,
+        ciphertext,
+        tag,
+        aad
       );
+    } catch {
+      plaintext = null;
+    } finally {
+      aesKey.fill(0);
+    }
+    if (!plaintext) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.AEAD_TAG_MISMATCH],
+        code: CCE_ERROR.AEAD_TAG_MISMATCH
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceDecryptedPayload = plaintext;
+    input.metadata.cceDecryptionOk = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+function buildAad(envelope) {
+  const parts = [
+    envelope.ver,
+    envelope.request_id,
+    envelope.correlation_id,
+    envelope.client_kid,
+    envelope.capsule.capsule_id,
+    envelope.capsule.intent,
+    envelope.capsule.aud,
+    envelope.request_nonce
+  ];
+  return new TextEncoder().encode(parts.join("|"));
+}
+function base64UrlDecode2(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(base64 + padding);
+  const bytes2 = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes2[i] = binary.charCodeAt(i);
+  }
+  return bytes2;
+}
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
+  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
+  AxisError: () => AxisError,
+  AxisFrameZ: () => AxisFrameZ,
+  BodyProfile: () => import_axis_protocol2.BodyProfile,
+  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
+  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
+  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
+  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
+  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
+  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
+  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
+  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
+  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
+  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
+  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
+  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
+  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
+  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
+  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
+  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
+  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
+  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
+  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
+  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
+  ProofType: () => import_axis_protocol2.ProofType,
+  TLV: () => import_axis_protocol.TLV,
+  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
+  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
+  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
+  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
+  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
+  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
+  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
+  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
+  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
+  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
+  TLV_KID: () => import_axis_protocol2.TLV_KID,
+  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
+  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
+  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
+  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
+  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
+  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
+  TLV_OK: () => import_axis_protocol2.TLV_OK,
+  TLV_PID: () => import_axis_protocol2.TLV_PID,
+  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
+  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
+  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
+  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
+  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
+  TLV_RID: () => import_axis_protocol2.TLV_RID,
+  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
+  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
+  TLV_TS: () => import_axis_protocol2.TLV_TS,
+  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
+  computeReceiptHash: () => computeReceiptHash,
+  computeSignaturePayload: () => computeSignaturePayload,
+  decodeArray: () => import_axis_protocol.decodeArray,
+  decodeFrame: () => decodeFrame,
+  decodeObject: () => import_axis_protocol.decodeObject,
+  decodeTLVs: () => import_axis_protocol.decodeTLVs,
+  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
+  decodeVarint: () => import_axis_protocol3.decodeVarint,
+  encodeFrame: () => encodeFrame,
+  encodeTLVs: () => import_axis_protocol.encodeTLVs,
+  encodeVarint: () => import_axis_protocol3.encodeVarint,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  getSignTarget: () => getSignTarget,
+  sha256: () => sha2564,
+  signFrame: () => signFrame,
+  varintLength: () => import_axis_protocol3.varintLength,
+  verifyFrameSignature: () => verifyFrameSignature
+});
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  ProofVerificationService: () => ProofVerificationService,
+  b64urlDecode: () => b64urlDecode,
+  b64urlDecodeString: () => b64urlDecodeString,
+  b64urlEncode: () => b64urlEncode,
+  b64urlEncodeString: () => b64urlEncodeString,
+  canonicalJson: () => canonicalJson,
+  canonicalJsonExcluding: () => canonicalJsonExcluding
+});
+// src/crypto/proof-verification.service.ts
+var import_common10 = require("@nestjs/common");
+var crypto4 = __toESM(require("crypto"));
+var nacl = __toESM(require("tweetnacl"));
+var ProofVerificationService = class {
+  constructor() {
+    this.logger = new import_common10.Logger(ProofVerificationService.name);
+    // Cache of registered device public keys (deviceId -> pubKey)
+    this.deviceKeys = /* @__PURE__ */ new Map();
+    // Cache of trusted mTLS certificate fingerprints
+    this.trustedCerts = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Verifies an authentication proof based on its type.
+   *
+   * **Supported Types:**
+   * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`
+   * - 2 (JWT): Verified by `verifyJWTProof`
+   * - 3 (MTLS_ID): Verified by `verifyMTLSProof`
+   * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`
+   *
+   * @param {ProofType} proofType - The numeric AXIS proof type
+   * @param {Uint8Array} proofRef - The binary reference or token for the proof
+   * @param {Object} context - Additional metadata required for specific proof types
+   * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)
+   * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)
+   * @param {MTLSContext} [context.mtls] - mTLS certificate data
+   * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information
+   * @returns {Promise<ProofVerificationResult>} The outcome of the verification
+   */
+  async verifyProof(proofType, proofRef, context) {
+    switch (proofType) {
+      case 1:
+        return this.verifyCapsuleProof(proofRef);
+      case 2:
+        return this.verifyJWTProof(proofRef);
+      case 3:
+        return this.verifyMTLSProof(context.mtls);
+      case 4:
+        return this.verifyDeviceSEProof(
+          context.signTarget,
+          context.signature,
+          context.deviceSE
+        );
+      default:
+        return { valid: false, error: `Unknown proof type: ${proofType}` };
+    }
+  }
+  /**
+   * Verify CAPSULE proof (delegated to CapsuleService)
+   */
+  async verifyCapsuleProof(proofRef) {
+    const capsuleId = new TextDecoder().decode(proofRef);
+    return {
+      valid: true,
+      metadata: { capsuleId, requiresCapsuleValidation: true }
+    };
+  }
+  /**
+   * Verifies a JSON Web Token (JWT) proof.
+   *
+   * **Validation Logic:**
+   * 1. Decodes the token string.
+   * 2. Checks for valid 3-part JWT structure.
+   * 3. Validates `exp` (expiration) and `nbf` (not before) claims.
+   * 4. Extracts `actor_id` or `sub` as the identity.
+   *
+   * @param {Uint8Array} proofRef - Binary representation of the JWT string
+   * @returns {Promise<ProofVerificationResult>} Result including the actor identifier
+   */
+  async verifyJWTProof(proofRef) {
+    try {
+      const token = new TextDecoder().decode(proofRef);
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        return { valid: false, error: "Invalid JWT format" };
+      }
+      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (payload.exp && Date.now() / 1e3 > payload.exp) {
+        return { valid: false, error: "JWT expired" };
+      }
+      if (payload.nbf && Date.now() / 1e3 < payload.nbf) {
+        return { valid: false, error: "JWT not yet valid" };
+      }
+      return {
+        valid: true,
+        actorId: payload.sub || payload.actor_id,
+        metadata: { iss: payload.iss, scope: payload.scope }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return { valid: false, error: `JWT parse error: ${message}` };
+    }
+  }
+  /**
+   * Verify mTLS client certificate proof
+   */
+  async verifyMTLSProof(mtls) {
+    if (!mtls) {
+      return { valid: false, error: "No mTLS context provided" };
+    }
+    if (!mtls.verified) {
+      return { valid: false, error: "mTLS not verified by TLS terminator" };
+    }
+    if (mtls.clientCertFingerprint) {
+      const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);
+      if (trusted) {
+        return {
+          valid: true,
+          actorId: trusted.actorId,
+          metadata: {
+            fingerprint: mtls.clientCertFingerprint,
+            subject: mtls.clientCertSubject
+          }
+        };
+      }
     }
-    this.sensors.push(sensor);
-    const phaseLabel = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase || "UNKNOWN";
-    this.logger.debug(
-      `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`
-    );
-  }
-  /**
-   * Returns all registered sensors, sorted by their execution order.
-   *
-   * @returns {AxisSensor[]} A sorted array of sensors
-   */
-  list() {
-    return [...this.sensors].sort(
-      (a, b) => (a.order ?? 999) - (b.order ?? 999)
-    );
+    if (mtls.clientCertSubject) {
+      const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);
+      if (cnMatch) {
+        return {
+          valid: true,
+          actorId: cnMatch[1],
+          metadata: {
+            subject: mtls.clientCertSubject,
+            issuer: mtls.clientCertIssuer
+          }
+        };
+      }
+    }
+    return { valid: false, error: "Could not extract actor from certificate" };
   }
   /**
-   * Returns only pre-decode sensors (order < 40).
-   * These sensors run in middleware on raw bytes before frame decoding.
-   *
-   * @returns {AxisPreSensor[]} Pre-decode sensors sorted by order
+   * Verify Device Secure Element signature
    */
-  getPreDecodeSensors() {
-    return this.list().filter((s) => (s.order ?? 999) < 40);
+  async verifyDeviceSEProof(signTarget, signature, deviceSE) {
+    if (!deviceSE || !signTarget || !signature) {
+      return { valid: false, error: "Missing Device SE context" };
+    }
+    let publicKey = deviceSE.publicKey;
+    const registeredKey = this.deviceKeys.get(deviceSE.deviceId);
+    if (registeredKey) {
+      publicKey = registeredKey;
+    }
+    if (!publicKey || publicKey.length !== 32) {
+      return {
+        valid: false,
+        error: "Invalid or unregistered device public key"
+      };
+    }
+    try {
+      const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);
+      if (!valid) {
+        return { valid: false, error: "Device signature verification failed" };
+      }
+      return {
+        valid: true,
+        actorId: deviceSE.deviceId,
+        metadata: { deviceId: deviceSE.deviceId, proofType: "DEVICE_SE" }
+      };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : "Unknown error";
+      return {
+        valid: false,
+        error: `Signature verification error: ${message}`
+      };
+    }
   }
   /**
-   * Returns only post-decode sensors (order >= 40).
-   * These sensors run in the controller on fully decoded frames.
+   * Registers a public key for a trusted device.
+   * This key will be used for future `DEVICE_SE` proof verifications.
    *
-   * @returns {AxisPostSensor[]} Post-decode sensors sorted by order
+   * @param {string} deviceId - Unique identifier for the device
+   * @param {Uint8Array} publicKey - 32-byte Ed25519 public key
+   * @throws {Error} If the public key is not 32 bytes
    */
-  getPostDecodeSensors() {
-    return this.list().filter(
-      (s) => (s.order ?? 999) >= 40
-    );
+  registerDeviceKey(deviceId, publicKey) {
+    if (publicKey.length !== 32) {
+      throw new Error("Device public key must be 32 bytes (Ed25519)");
+    }
+    this.deviceKeys.set(deviceId, publicKey);
+    this.logger.log(`Registered device key for ${deviceId}`);
   }
   /**
-   * Helper: Check if a sensor is a pre-decode sensor.
-   *
-   * @private
-   * @param {AxisSensor} sensor - The sensor to check
-   * @returns {boolean} True if sensor is pre-decode
+   * Unregister a device
    */
-  isPreDecodeSensor(sensor) {
-    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
-    return phase === "PRE_DECODE" || (sensor.order ?? 999) < 40;
+  unregisterDevice(deviceId) {
+    return this.deviceKeys.delete(deviceId);
   }
   /**
-   * Helper: Check if a sensor is a post-decode sensor.
+   * Registers a trusted mTLS certificate fingerprint and associates it with an actor.
    *
-   * @private
-   * @param {AxisSensor} sensor - The sensor to check
-   * @returns {boolean} True if sensor is post-decode
+   * @param {string} fingerprint - SHA-256 fingerprint of the client certificate
+   * @param {string} actorId - The actor to associate with this certificate
    */
-  isPostDecodeSensor(sensor) {
-    const phase = typeof sensor.phase === "string" ? sensor.phase : sensor.phase?.phase;
-    return phase === "POST_DECODE" || (sensor.order ?? 999) >= 40;
+  registerMTLSCert(fingerprint, actorId) {
+    this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });
+    this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);
   }
   /**
-   * Returns sensor count by phase.
-   * Useful for diagnostics and monitoring.
-   *
-   * @returns {{preDecodeCount: number, postDecodeCount: number}}
+   * Revoke an mTLS certificate
    */
-  getSensorCountByPhase() {
-    return {
-      preDecodeCount: this.getPreDecodeSensors().length,
-      postDecodeCount: this.getPostDecodeSensors().length
-    };
+  revokeMTLSCert(fingerprint) {
+    return this.trustedCerts.delete(fingerprint);
   }
   /**
-   * Clears all registered sensors.
-   * Useful for testing.
-   *
-   * @internal
+   * Calculate certificate fingerprint (SHA-256)
    */
-  clear() {
-    this.sensors = [];
+  static calculateFingerprint(certPem) {
+    const der = Buffer.from(
+      certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
+      "base64"
+    );
+    return crypto4.createHash("sha256").update(der).digest("hex");
   }
 };
-SensorRegistry = __decorateClass([
-  (0, import_common9.Injectable)()
-], SensorRegistry);
+ProofVerificationService = __decorateClass([
+  (0, import_common10.Injectable)()
+], ProofVerificationService);
+// src/decorators/index.ts
+var decorators_exports = {};
+__export(decorators_exports, {
+  AxisContext: () => AxisContext,
+  AxisDemoPubkey: () => AxisDemoPubkey,
+  AxisFrame: () => AxisFrame3,
+  AxisIp: () => AxisIp,
+  AxisRaw: () => AxisRaw,
+  HANDLER_METADATA_KEY: () => HANDLER_METADATA_KEY,
+  Handler: () => Handler,
+  INTENT_BODY_KEY: () => INTENT_BODY_KEY,
+  INTENT_METADATA_KEY: () => INTENT_METADATA_KEY,
+  INTENT_ROUTES_KEY: () => INTENT_ROUTES_KEY,
+  INTENT_SENSORS_KEY: () => INTENT_SENSORS_KEY,
+  Intent: () => Intent,
+  IntentBody: () => IntentBody,
+  IntentSensors: () => IntentSensors,
+  SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
+  Sensor: () => Sensor,
+  TLV_FIELDS_KEY: () => TLV_FIELDS_KEY,
+  TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
+  TlvEnum: () => TlvEnum,
+  TlvField: () => TlvField,
+  TlvMinLen: () => TlvMinLen,
+  TlvRange: () => TlvRange,
+  TlvUtf8Pattern: () => TlvUtf8Pattern,
+  TlvValidate: () => TlvValidate,
+  buildDtoDecoder: () => buildDtoDecoder,
+  extractDtoSchema: () => extractDtoSchema
+});
+// src/engine/index.ts
+var engine_exports = {};
+__export(engine_exports, {
+  BAND: () => BAND,
+  HandlerDiscoveryService: () => HandlerDiscoveryService,
+  IntentRouter: () => IntentRouter,
+  PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
+  SensorDiscoveryService: () => SensorDiscoveryService,
+  SensorRegistry: () => SensorRegistry,
+  createObservation: () => createObservation,
+  endStage: () => endStage,
+  finalizeObservation: () => finalizeObservation,
+  observation: () => observation_exports,
+  recordSensor: () => recordSensor,
+  startStage: () => startStage
+});
 // src/engine/observation/index.ts
 var observation_exports = {};
@@ -4131,7 +5674,7 @@ var AxisErrorZ = z2.object({
 });
 // src/schemas/body-profile.validator.ts
-var import_common10 = require("@nestjs/common");
+var import_common11 = require("@nestjs/common");
 var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
   BodyProfile3[BodyProfile3["RAW"] = 0] = "RAW";
   BodyProfile3[BodyProfile3["TLV_MAP"] = 1] = "TLV_MAP";
@@ -4141,7 +5684,7 @@ var BodyProfile2 = /* @__PURE__ */ ((BodyProfile3) => {
 })(BodyProfile2 || {});
 var BodyProfileValidator = class {
   constructor() {
-    this.logger = new import_common10.Logger(BodyProfileValidator.name);
+    this.logger = new import_common11.Logger(BodyProfileValidator.name);
   }
   /**
    * Validate body matches declared profile
@@ -4257,12 +5800,13 @@ var BodyProfileValidator = class {
   }
 };
 BodyProfileValidator = __decorateClass([
-  (0, import_common10.Injectable)()
+  (0, import_common11.Injectable)()
 ], BodyProfileValidator);
 // src/security/index.ts
 var security_exports = {};
 __export(security_exports, {
+  AxisSensorChainService: () => AxisSensorChainService,
   CAPABILITIES: () => CAPABILITIES,
   INTENT_REQUIREMENTS: () => INTENT_REQUIREMENTS,
   PROOF_CAPABILITIES: () => PROOF_CAPABILITIES,
@@ -4295,7 +5839,7 @@ __export(sensors_exports, {
 });
 // src/sensors/access-profile-resolver.sensor.ts
-var import_common11 = require("@nestjs/common");
+var import_common12 = require("@nestjs/common");
 var AccessProfileResolverSensor = class {
   constructor() {
     /** AxisSensor identifier */
@@ -4321,11 +5865,11 @@ var AccessProfileResolverSensor = class {
 };
 AccessProfileResolverSensor = __decorateClass([
   Sensor(),
-  (0, import_common11.Injectable)()
+  (0, import_common12.Injectable)()
 ], AccessProfileResolverSensor);
 // src/sensors/body-budget.sensor.ts
-var import_common12 = require("@nestjs/common");
+var import_common13 = require("@nestjs/common");
 var BodyBudgetSensor = class {
   constructor() {
     /** AxisSensor identifier */
@@ -4399,14 +5943,14 @@ var BodyBudgetSensor = class {
 };
 BodyBudgetSensor = __decorateClass([
   Sensor(),
-  (0, import_common12.Injectable)()
+  (0, import_common13.Injectable)()
 ], BodyBudgetSensor);
 // src/sensors/capability-enforcement.sensor.ts
-var import_common13 = require("@nestjs/common");
+var import_common14 = require("@nestjs/common");
 var CapabilityEnforcementSensor = class {
   constructor() {
-    this.logger = new import_common13.Logger(CapabilityEnforcementSensor.name);
+    this.logger = new import_common14.Logger(CapabilityEnforcementSensor.name);
     /** AxisSensor identifier for logging and registry */
     this.name = "CapabilityEnforcementSensor";
     /**
@@ -4500,12 +6044,12 @@ var CapabilityEnforcementSensor = class {
 };
 CapabilityEnforcementSensor = __decorateClass([
   Sensor(),
-  (0, import_common13.Injectable)()
+  (0, import_common14.Injectable)()
 ], CapabilityEnforcementSensor);
 // src/sensors/chunk-hash.sensor.ts
-var import_common14 = require("@nestjs/common");
-var import_crypto6 = require("crypto");
+var import_common15 = require("@nestjs/common");
+var import_crypto8 = require("crypto");
 var ChunkHashSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -4564,7 +6108,7 @@ var ChunkHashSensor = class {
         reason: "Missing sha256Chunk TLV in header"
       };
     }
-    const actual = (0, import_crypto6.createHash)("sha256").update(bodyBytes).digest();
+    const actual = (0, import_crypto8.createHash)("sha256").update(bodyBytes).digest();
     if (!Buffer.from(actual).equals(Buffer.from(expected))) {
       return {
         action: "DENY",
@@ -4577,15 +6121,15 @@ var ChunkHashSensor = class {
 };
 ChunkHashSensor = __decorateClass([
   Sensor(),
-  (0, import_common14.Injectable)()
+  (0, import_common15.Injectable)()
 ], ChunkHashSensor);
 // src/sensors/entropy.sensor.ts
-var import_common15 = require("@nestjs/common");
-var crypto4 = __toESM(require("crypto"));
+var import_common16 = require("@nestjs/common");
+var crypto5 = __toESM(require("crypto"));
 var EntropySensor = class {
   constructor() {
-    this.logger = new import_common15.Logger(EntropySensor.name);
+    this.logger = new import_common16.Logger(EntropySensor.name);
     /**
      * Minimum acceptable entropy in bits per byte.
      *
@@ -4750,19 +6294,19 @@ var EntropySensor = class {
    * @returns {Uint8Array} Cryptographically secure random bytes
    */
   static generateSecureRandom(length) {
-    return new Uint8Array(crypto4.randomBytes(length));
+    return new Uint8Array(crypto5.randomBytes(length));
   }
 };
 EntropySensor = __decorateClass([
   Sensor(),
-  (0, import_common15.Injectable)()
+  (0, import_common16.Injectable)()
 ], EntropySensor);
 // src/sensors/execution-timeout.sensor.ts
-var import_common16 = require("@nestjs/common");
+var import_common17 = require("@nestjs/common");
 var ExecutionTimeoutSensor = class {
   constructor() {
-    this.logger = new import_common16.Logger(ExecutionTimeoutSensor.name);
+    this.logger = new import_common17.Logger(ExecutionTimeoutSensor.name);
     /** AxisSensor identifier */
     this.name = "ExecutionTimeoutSensor";
     /**
@@ -4840,11 +6384,11 @@ var ExecutionTimeoutSensor = class {
 };
 ExecutionTimeoutSensor = __decorateClass([
   Sensor(),
-  (0, import_common16.Injectable)()
+  (0, import_common17.Injectable)()
 ], ExecutionTimeoutSensor);
 // src/sensors/frame-budget.sensor.ts
-var import_common17 = require("@nestjs/common");
+var import_common18 = require("@nestjs/common");
 var FrameBudgetSensor = class {
   constructor(config) {
     this.config = config;
@@ -4903,11 +6447,11 @@ var FrameBudgetSensor = class {
 };
 FrameBudgetSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common17.Injectable)()
+  (0, import_common18.Injectable)()
 ], FrameBudgetSensor);
 // src/sensors/frame-header-sanity.sensor.ts
-var import_common18 = require("@nestjs/common");
+var import_common19 = require("@nestjs/common");
 var FrameHeaderSanitySensor = class {
   constructor() {
     this.name = "FrameHeaderSanitySensor";
@@ -4951,12 +6495,12 @@ var FrameHeaderSanitySensor = class {
   }
 };
 FrameHeaderSanitySensor = __decorateClass([
-  (0, import_common18.Injectable)(),
+  (0, import_common19.Injectable)(),
   Sensor({ phase: "PRE_DECODE" })
 ], FrameHeaderSanitySensor);
 // src/sensors/header-tlv-limit.sensor.ts
-var import_common19 = require("@nestjs/common");
+var import_common20 = require("@nestjs/common");
 var HeaderTLVLimitSensor = class {
   constructor() {
     this.name = "HeaderTLVLimitSensor";
@@ -4988,12 +6532,12 @@ var HeaderTLVLimitSensor = class {
   }
 };
 HeaderTLVLimitSensor = __decorateClass([
-  (0, import_common19.Injectable)(),
+  (0, import_common20.Injectable)(),
   Sensor()
 ], HeaderTLVLimitSensor);
 // src/sensors/intent-allowlist.sensor.ts
-var import_common20 = require("@nestjs/common");
+var import_common21 = require("@nestjs/common");
 var PUBLIC_INTENT_ALLOWLIST = [
   "public.",
   "schema.",
@@ -5028,12 +6572,12 @@ var IntentAllowlistSensor = class {
   }
 };
 IntentAllowlistSensor = __decorateClass([
-  (0, import_common20.Injectable)(),
+  (0, import_common21.Injectable)(),
   Sensor()
 ], IntentAllowlistSensor);
 // src/sensors/intent-registry.sensor.ts
-var import_common21 = require("@nestjs/common");
+var import_common22 = require("@nestjs/common");
 var IntentRegistrySensor = class {
   constructor(router) {
     this.router = router;
@@ -5056,12 +6600,12 @@ var IntentRegistrySensor = class {
   }
 };
 IntentRegistrySensor = __decorateClass([
-  (0, import_common21.Injectable)(),
+  (0, import_common22.Injectable)(),
   Sensor({ phase: "POST_DECODE" })
 ], IntentRegistrySensor);
 // src/sensors/proof-presence.sensor.ts
-var import_common22 = require("@nestjs/common");
+var import_common23 = require("@nestjs/common");
 var ProofPresenceSensor = class {
   constructor() {
     this.name = "ProofPresenceSensor";
@@ -5109,11 +6653,11 @@ var ProofPresenceSensor = class {
 };
 ProofPresenceSensor = __decorateClass([
   Sensor(),
-  (0, import_common22.Injectable)()
+  (0, import_common23.Injectable)()
 ], ProofPresenceSensor);
 // src/sensors/protocol-strict.sensor.ts
-var import_common23 = require("@nestjs/common");
+var import_common24 = require("@nestjs/common");
 var VALID_FLAGS = [
   0,
   // No flags
@@ -5131,7 +6675,7 @@ var VALID_FLAGS = [
 var ProtocolStrictSensor = class {
   constructor(config) {
     this.config = config;
-    this.logger = new import_common23.Logger(ProtocolStrictSensor.name);
+    this.logger = new import_common24.Logger(ProtocolStrictSensor.name);
     /** Sensor identifier for logging and registry */
     this.name = "ProtocolStrictSensor";
     /**
@@ -5384,11 +6928,11 @@ var ProtocolStrictSensor = class {
 };
 ProtocolStrictSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common23.Injectable)()
+  (0, import_common24.Injectable)()
 ], ProtocolStrictSensor);
 // src/sensors/receipt-policy.sensor.ts
-var import_common24 = require("@nestjs/common");
+var import_common25 = require("@nestjs/common");
 var ReceiptPolicySensor = class {
   constructor() {
     this.name = "ReceiptPolicySensor";
@@ -5402,12 +6946,12 @@ var ReceiptPolicySensor = class {
   }
 };
 ReceiptPolicySensor = __decorateClass([
-  (0, import_common24.Injectable)(),
+  (0, import_common25.Injectable)(),
   Sensor()
 ], ReceiptPolicySensor);
 // src/sensors/schema-validation.sensor.ts
-var import_common25 = require("@nestjs/common");
+var import_common26 = require("@nestjs/common");
 function readU64be(b) {
   if (b.length !== 8)
     throw new AxisError("SCHEMA_TYPE_MISMATCH", "u64 must be 8 bytes", 400);
@@ -5582,11 +7126,11 @@ var SchemaValidationSensor = class {
 };
 SchemaValidationSensor = __decorateClass([
   Sensor(),
-  (0, import_common25.Injectable)()
+  (0, import_common26.Injectable)()
 ], SchemaValidationSensor);
 // src/sensors/stream-scope.sensor.ts
-var import_common26 = require("@nestjs/common");
+var import_common27 = require("@nestjs/common");
 var StreamScopeSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -5632,11 +7176,11 @@ var StreamScopeSensor = class {
 };
 StreamScopeSensor = __decorateClass([
   Sensor(),
-  (0, import_common26.Injectable)()
+  (0, import_common27.Injectable)()
 ], StreamScopeSensor);
 // src/sensors/tlv-parse.sensor.ts
-var import_common27 = require("@nestjs/common");
+var import_common28 = require("@nestjs/common");
 var TLVParseSensor = class {
   constructor() {
     this.name = "TLVParseSensor";
@@ -5738,11 +7282,11 @@ var TLVParseSensor = class {
 };
 TLVParseSensor = __decorateClass([
   Sensor(),
-  (0, import_common27.Injectable)()
+  (0, import_common28.Injectable)()
 ], TLVParseSensor);
 // src/sensors/varint-hardening.sensor.ts
-var import_common28 = require("@nestjs/common");
+var import_common29 = require("@nestjs/common");
 var VarintHardeningSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -5805,7 +7349,7 @@ var VarintHardeningSensor = class {
 };
 VarintHardeningSensor = __decorateClass([
   Sensor({ phase: "PRE_DECODE" }),
-  (0, import_common28.Injectable)()
+  (0, import_common29.Injectable)()
 ], VarintHardeningSensor);
 // src/utils/index.ts
@@ -5877,16 +7421,26 @@ function toBuffer(value) {
   AXIS_UPLOAD_SESSION_STORE,
   AXIS_VERSION,
   Ats1Codec,
+  AxisContext,
+  AxisDemoPubkey,
+  AxisError,
   AxisFilesDownloadHandler,
   AxisFilesFinalizeHandler,
   AxisFrameZ,
   AxisIdDto,
+  AxisIp,
   AxisPacketTags,
   AxisPartialType,
+  AxisRaw,
   AxisResponseDto,
+  AxisSensorChainService,
   AxisTlvDto,
+  BAND,
   BodyProfile,
   CAPABILITIES,
+  CCE_ERROR,
+  CCE_PROTOCOL_VERSION,
+  CceError,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
@@ -5902,7 +7456,10 @@ function toBuffer(value) {
   FLAG_CHAIN_REQ,
   FLAG_HAS_WITNESS,
   HANDLER_METADATA_KEY,
+  HANDLER_SENSORS_KEY,
   Handler,
+  HandlerDiscoveryService,
+  HandlerSensors,
   INTENT_BODY_KEY,
   INTENT_METADATA_KEY,
   INTENT_REQUIREMENTS,
@@ -5929,6 +7486,7 @@ function toBuffer(value) {
   NCERT_PUB,
   NCERT_SCOPE,
   NCERT_SIG,
+  PRE_DECODE_BOUNDARY,
   PROOF_CAPABILITIES,
   PROOF_CAPSULE,
   PROOF_JWT,
@@ -5943,11 +7501,15 @@ function toBuffer(value) {
   RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY,
   RiskDecision,
+  SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes,
   Schema2011_PasskeyLoginVerifyReq,
   Schema2012_PasskeyLoginVerifyRes,
   Schema2021_PasskeyRegisterOptionsReq,
+  Sensor,
   SensorDecisions,
+  SensorDiscoveryService,
+  SensorRegistry,
   TLV,
   TLV_ACTOR_ID,
   TLV_AUD,
@@ -6005,10 +7567,12 @@ function toBuffer(value) {
   canonicalJson,
   canonicalJsonExcluding,
   canonicalizeObservation,
+  cce,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
   core,
+  createObservation,
   crypto,
   decodeArray,
   decodeAxis1Frame,
@@ -6025,8 +7589,11 @@ function toBuffer(value) {
   encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
+  endStage,
   engine,
+  executeCcePipeline,
   extractDtoSchema,
+  finalizeObservation,
   generateEd25519KeyPair,
   getSignTarget,
   hasScope,
@@ -6045,6 +7612,7 @@ function toBuffer(value) {
   parseAutoClaimEntries,
   parseScope,
   parseStreamEntries,
+  recordSensor,
   resolveTimeout,
   schemas,
   security,
@@ -6053,6 +7621,7 @@ function toBuffer(value) {
   sha256,
   signFrame,
   stableJsonStringify,
+  startStage,
   tlv,
   u64be,
   unpackPasskeyLoginOptionsReq,