@nextera.one/axis-server-sdk 1.5.0 → 1.6.0

package/dist/index.d.ts CHANGED
@@ -115,6 +115,583 @@ declare abstract class AxisResponseDto extends AxisTlvDto {
115
115
  updated_by?: string;
116
116
  }
117
117
 
118
+ declare const CCE_PROTOCOL_VERSION: "cce-v1";
119
+ declare const CCE_DERIVATION: {
120
+ readonly REQUEST: "axis:cce:req:v1";
121
+ readonly RESPONSE: "axis:cce:resp:v1";
122
+ readonly WITNESS: "axis:cce:witness:v1";
123
+ };
124
+ type CceAlgorithm = "AES-256-GCM";
125
+ type CceKemAlgorithm = "X25519" | "RSA-OAEP-256";
126
+ type CceKdfAlgorithm = "HKDF-SHA256";
127
+ declare const CCE_AES_KEY_BYTES = 32;
128
+ declare const CCE_IV_BYTES = 12;
129
+ declare const CCE_TAG_BYTES = 16;
130
+ declare const CCE_NONCE_BYTES = 32;
131
+ interface CceCapsuleClaims {
132
+ capsule_id: string;
133
+ ver: typeof CCE_PROTOCOL_VERSION;
134
+ sub: string;
135
+ kid: string;
136
+ intent: string;
137
+ aud: string;
138
+ tps_from: number;
139
+ tps_to: number;
140
+ capsule_nonce: string;
141
+ challenge_id: string;
142
+ policy_hash?: string;
143
+ iat: number;
144
+ exp: number;
145
+ mode: "SINGLE_USE" | "SESSION";
146
+ scope?: string[];
147
+ constraints?: CceConstraints;
148
+ issuer_sig: CceSignature;
149
+ }
150
+ interface CceConstraints {
151
+ max_payload_bytes?: number;
152
+ ip_allow?: string[];
153
+ device_allow?: string[];
154
+ country_allow?: string[];
155
+ }
156
+ interface CceSignature {
157
+ alg: "EdDSA" | "ES256";
158
+ kid: string;
159
+ value: string;
160
+ }
161
+ interface CceRequestEnvelope {
162
+ ver: typeof CCE_PROTOCOL_VERSION;
163
+ request_id: string;
164
+ correlation_id: string;
165
+ client_kid: string;
166
+ capsule: CceCapsuleClaims;
167
+ encrypted_key: CceEncryptedKey;
168
+ encrypted_payload: CceEncryptedPayload;
169
+ request_nonce: string;
170
+ client_sig: CceSignature;
171
+ content_type: string;
172
+ algorithms: CceAlgorithmDescriptor;
173
+ aad_descriptor?: string;
174
+ }
175
+ interface CceEncryptedKey {
176
+ alg: CceKemAlgorithm;
177
+ axis_kid: string;
178
+ ciphertext: string;
179
+ ephemeral_pk?: string;
180
+ }
181
+ interface CceEncryptedPayload {
182
+ alg: CceAlgorithm;
183
+ iv: string;
184
+ ciphertext: string;
185
+ tag: string;
186
+ }
187
+ interface CceAlgorithmDescriptor {
188
+ kem: CceKemAlgorithm;
189
+ enc: CceAlgorithm;
190
+ kdf: CceKdfAlgorithm;
191
+ sig: "EdDSA" | "ES256";
192
+ }
193
+ interface CceResponseEnvelope {
194
+ ver: typeof CCE_PROTOCOL_VERSION;
195
+ response_id: string;
196
+ request_id: string;
197
+ correlation_id: string;
198
+ encrypted_key: CceEncryptedKey;
199
+ encrypted_payload: CceEncryptedPayload;
200
+ response_nonce: string;
201
+ axis_sig: CceSignature;
202
+ witness_ref?: string;
203
+ algorithms: CceAlgorithmDescriptor;
204
+ status: CceResponseStatus;
205
+ }
206
+ type CceResponseStatus = "SUCCESS" | "DENIED" | "PARTIAL" | "FAILED" | "ERROR";
207
+ interface CceExecutionContext {
208
+ execution_key_hash: string;
209
+ request_id: string;
210
+ capsule_id: string;
211
+ sub: string;
212
+ kid: string;
213
+ intent: string;
214
+ aud: string;
215
+ tps_from: number;
216
+ tps_to: number;
217
+ policy_hash?: string;
218
+ derived_at: number;
219
+ valid: boolean;
220
+ }
221
+ interface CceWitnessRecord {
222
+ witness_id: string;
223
+ request_id: string;
224
+ capsule_id: string;
225
+ sub: string;
226
+ intent: string;
227
+ aud: string;
228
+ tps_from: number;
229
+ tps_to: number;
230
+ timestamp: number;
231
+ verification: {
232
+ client_sig: boolean;
233
+ capsule_sig: boolean;
234
+ tps_valid: boolean;
235
+ audience_match: boolean;
236
+ intent_match: boolean;
237
+ replay_clean: boolean;
238
+ nonce_unique: boolean;
239
+ decryption_ok: boolean;
240
+ };
241
+ execution: {
242
+ status: CceResponseStatus;
243
+ handler_duration_ms: number;
244
+ effect?: string;
245
+ };
246
+ response_encrypted: boolean;
247
+ execution_context_hash: string;
248
+ request_payload_hash?: string;
249
+ response_payload_hash?: string;
250
+ }
251
+ declare const CCE_ERROR: {
252
+ readonly INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE";
253
+ readonly UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION";
254
+ readonly MISSING_CAPSULE: "CCE_MISSING_CAPSULE";
255
+ readonly MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY";
256
+ readonly CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID";
257
+ readonly CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND";
258
+ readonly CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID";
259
+ readonly CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED";
260
+ readonly CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID";
261
+ readonly CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED";
262
+ readonly CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED";
263
+ readonly AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH";
264
+ readonly INTENT_MISMATCH: "CCE_INTENT_MISMATCH";
265
+ readonly TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED";
266
+ readonly TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE";
267
+ readonly REPLAY_DETECTED: "CCE_REPLAY_DETECTED";
268
+ readonly NONCE_REUSED: "CCE_NONCE_REUSED";
269
+ readonly DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED";
270
+ readonly KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED";
271
+ readonly AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH";
272
+ readonly PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE";
273
+ readonly PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID";
274
+ readonly INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH";
275
+ readonly POLICY_DENIED: "CCE_POLICY_DENIED";
276
+ readonly CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED";
277
+ readonly HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND";
278
+ readonly HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED";
279
+ readonly HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT";
280
+ readonly RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED";
281
+ };
282
+ type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];
283
+ declare class CceError extends Error {
284
+ readonly code: CceErrorCode;
285
+ readonly metadata?: Record<string, unknown> | undefined;
286
+ constructor(code: CceErrorCode, message: string, metadata?: Record<string, unknown> | undefined);
287
+ get clientSafe(): boolean;
288
+ toClientError(): {
289
+ code: CceErrorCode;
290
+ message: string;
291
+ };
292
+ }
293
+
294
+ interface CceClientKeyEncryptor {
295
+ wrapKey(aesKey: Uint8Array, clientKid: string, clientPublicKeyHex: string): Promise<CceEncryptedKey>;
296
+ }
297
+ interface CceAxisSigner {
298
+ sign(payload: Uint8Array): Promise<CceSignature>;
299
+ }
300
+ interface CceResponseOptions {
301
+ request: CceRequestEnvelope;
302
+ capsule: CceCapsuleClaims;
303
+ status: CceResponseStatus;
304
+ body: Uint8Array;
305
+ clientPublicKeyHex: string;
306
+ witnessRef?: string;
307
+ }
308
+ declare function buildCceResponse(options: CceResponseOptions, clientKeyEncryptor: CceClientKeyEncryptor, axisSigner: CceAxisSigner): Promise<{
309
+ envelope: CceResponseEnvelope;
310
+ responsePayloadHash: string;
311
+ }>;
312
+ declare function buildCceErrorResponse(requestId: string, correlationId: string, status: CceResponseStatus, errorCode: string, message: string): {
313
+ ver: string;
314
+ request_id: string;
315
+ correlation_id: string;
316
+ status: CceResponseStatus;
317
+ error: {
318
+ code: string;
319
+ message: string;
320
+ };
321
+ };
322
+
323
+ interface CceWitnessStore {
324
+ record(witness: CceWitnessRecord): Promise<void>;
325
+ }
326
+ declare class InMemoryCceWitnessStore implements CceWitnessStore {
327
+ readonly records: CceWitnessRecord[];
328
+ record(witness: CceWitnessRecord): Promise<void>;
329
+ getByRequestId(requestId: string): CceWitnessRecord | undefined;
330
+ getByCapsuleId(capsuleId: string): CceWitnessRecord[];
331
+ }
332
+ interface CceVerificationState {
333
+ clientSigVerified: boolean;
334
+ capsuleSigVerified: boolean;
335
+ tpsValid: boolean;
336
+ audienceMatch: boolean;
337
+ intentMatch: boolean;
338
+ replayClean: boolean;
339
+ nonceUnique: boolean;
340
+ decryptionOk: boolean;
341
+ }
342
+ declare function buildWitnessRecord(envelope: CceRequestEnvelope, capsule: CceCapsuleClaims, verification: CceVerificationState, execution: {
343
+ status: CceResponseStatus;
344
+ handlerDurationMs: number;
345
+ effect?: string;
346
+ }, options: {
347
+ axisLocalSecret: string;
348
+ requestPayload?: Uint8Array;
349
+ responsePayload?: Uint8Array;
350
+ responseEncrypted: boolean;
351
+ }): CceWitnessRecord;
352
+ declare function extractVerificationState(metadata: Record<string, any>): CceVerificationState;
353
+
354
+ type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
355
+ type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
356
+ type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
357
+ type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
358
+ interface AxisSig$1 {
359
+ alg: AxisAlg$1;
360
+ kid: string;
361
+ value: string;
362
+ }
363
+ interface AxisPacket$1<T = any> {
364
+ v: 1;
365
+ pid: string;
366
+ nonce: string;
367
+ ts: number;
368
+ actorId: string;
369
+ opcode: string;
370
+ body: T;
371
+ sig: AxisSig$1;
372
+ }
373
+ interface AxisCapsuleConstraints {
374
+ maxAmount?: number;
375
+ maxCount?: number;
376
+ ttlSeconds?: number;
377
+ ipCidrAllow?: string[];
378
+ countryAllow?: string[];
379
+ deviceIdAllow?: string[];
380
+ sessionIdLock?: string;
381
+ nonceRequired?: boolean;
382
+ }
383
+ interface TickWindow {
384
+ start: number;
385
+ end: number;
386
+ }
387
+ interface AxisCapsulePayload {
388
+ v: 1;
389
+ capsuleId: string;
390
+ actorId: string;
391
+ issuer: string;
392
+ audience: string;
393
+ subject?: string;
394
+ intent: string;
395
+ scopes: string[];
396
+ actions?: string[];
397
+ iat: number;
398
+ nbf?: number;
399
+ exp: number;
400
+ tickWindow?: TickWindow;
401
+ mode: CapsuleMode;
402
+ maxUses: number;
403
+ nonceSeed?: string;
404
+ policyRefs?: string[];
405
+ riskScore?: number;
406
+ constraints?: AxisCapsuleConstraints;
407
+ meta?: Record<string, unknown>;
408
+ }
409
+ interface AxisCapsule {
410
+ payload: AxisCapsulePayload;
411
+ sig: AxisSig$1;
412
+ }
413
+ interface CapsuleIssueBody {
414
+ intent: string;
415
+ audience: string;
416
+ scopes: string[];
417
+ subject?: string;
418
+ mode: CapsuleMode;
419
+ maxUses?: number;
420
+ expSeconds?: number;
421
+ constraints?: AxisCapsuleConstraints;
422
+ hints?: {
423
+ ip?: string;
424
+ ua?: string;
425
+ deviceId?: string;
426
+ geo?: string;
427
+ };
428
+ }
429
+ interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
430
+ count: number;
431
+ mode: 'SINGLE_USE';
432
+ }
433
+ interface IntentExecBody {
434
+ intent: string;
435
+ capsule: AxisCapsule;
436
+ execNonce?: string;
437
+ args: Record<string, any>;
438
+ }
439
+ interface CapsuleRevokeBody {
440
+ capsuleId: string;
441
+ reason: string;
442
+ }
443
+ interface AxisResponse$1<T = any> {
444
+ ok: boolean;
445
+ pid: string;
446
+ decisionId: string;
447
+ code: string;
448
+ message?: string;
449
+ data?: T;
450
+ meta?: Record<string, unknown>;
451
+ }
452
+ interface CapsuleIssueResult {
453
+ capsule: AxisCapsule;
454
+ }
455
+ interface CapsuleBatchResult {
456
+ capsules: AxisCapsule[];
457
+ }
458
+ interface ActorKeyRecord {
459
+ id: Buffer;
460
+ actor_id: string;
461
+ key_id: string;
462
+ algorithm: string;
463
+ public_key: Buffer;
464
+ purpose: string;
465
+ status: KeyStatus;
466
+ is_primary: boolean;
467
+ not_before: Date | null;
468
+ expires_at: Date | null;
469
+ rotated_from_key_id: string | null;
470
+ revoked_at: Date | null;
471
+ revocation_reason: string | null;
472
+ metadata: any;
473
+ created_at: Date;
474
+ updated_at: Date;
475
+ }
476
+ interface IssuerKeyRecord {
477
+ id: Buffer;
478
+ kid: string;
479
+ issuer_id: string;
480
+ alg: string;
481
+ public_key_pem: string;
482
+ status: KeyStatus;
483
+ not_before: Date | null;
484
+ not_after: Date | null;
485
+ fingerprint: string | null;
486
+ metadata: any;
487
+ created_at: Date;
488
+ updated_at: Date;
489
+ }
490
+ interface CapsuleRecord {
491
+ id: Buffer;
492
+ capsule_id: string;
493
+ actor_id: string;
494
+ intent: string;
495
+ audience: string;
496
+ issuer: string;
497
+ subject: string | null;
498
+ status: CapsuleStatus;
499
+ mode: CapsuleMode;
500
+ max_uses: number;
501
+ used_count: number;
502
+ iat: Date;
503
+ nbf: Date | null;
504
+ exp: Date;
505
+ scopes_json: any;
506
+ constraints_json: any;
507
+ policy_refs_json: any;
508
+ risk_score: number | null;
509
+ payload_hash: Buffer;
510
+ sig_alg: string;
511
+ sig_kid: string;
512
+ sig_value: Buffer;
513
+ created_at: Date;
514
+ updated_at: Date;
515
+ last_used_at: Date | null;
516
+ }
517
+
518
+ type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
519
+ type AxisSig = AxisSig$1 & {
520
+ alg: AxisAlg;
521
+ };
522
+ interface AxisFrame$1<T = any> {
523
+ v: 1;
524
+ pid: string;
525
+ nonce: string;
526
+ ts: number;
527
+ actorId: string;
528
+ aud?: string;
529
+ opcode: string;
530
+ headers: Map<number, Uint8Array>;
531
+ body: T;
532
+ sig: AxisSig;
533
+ }
534
+ type AxisResponse<T = any> = AxisResponse$1<T> & {
535
+ policyRefs?: string[];
536
+ riskScore?: number;
537
+ };
538
+ interface AxisObservedContext {
539
+ ip?: string;
540
+ ua?: string;
541
+ geo?: string;
542
+ }
543
+ interface AxisRequestContext {
544
+ observed: AxisObservedContext;
545
+ actorKeyKid?: string;
546
+ issuerKeyKid?: string;
547
+ decisionId: string;
548
+ actorId: string;
549
+ aud?: string;
550
+ opcode: string;
551
+ deviceId?: string;
552
+ sessionId?: string;
553
+ }
554
+
555
+ interface SensorPhaseMetadata {
556
+ phase: 'PRE_DECODE' | 'POST_DECODE';
557
+ dependencies?: string[];
558
+ asyncOk?: boolean;
559
+ cryptoOk?: boolean;
560
+ description?: string;
561
+ }
562
+ interface AxisSensor {
563
+ readonly name: string;
564
+ readonly order?: number;
565
+ phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
566
+ supports?(input: SensorInput): boolean;
567
+ run(input: SensorInput): Promise<SensorDecision>;
568
+ }
569
+ interface AxisSensorInit extends AxisSensor {
570
+ onModuleInit?(): void | Promise<void>;
571
+ }
572
+ interface AxisPreSensor extends AxisSensor {
573
+ phase: 'PRE_DECODE';
574
+ }
575
+ interface AxisPostSensor extends AxisSensor {
576
+ phase: 'POST_DECODE';
577
+ }
578
+ interface SensorInput {
579
+ rawBytes?: Buffer | Uint8Array;
580
+ intent?: string;
581
+ ip?: string;
582
+ path?: string;
583
+ contentLength?: number;
584
+ peek?: Uint8Array;
585
+ country?: string;
586
+ clientId?: string;
587
+ isWs?: boolean;
588
+ metadata?: Record<string, any>;
589
+ actorId?: string;
590
+ opcode?: string;
591
+ aud?: string;
592
+ observed?: AxisObservedContext;
593
+ frameBody?: any;
594
+ deviceId?: string;
595
+ sessionId?: string;
596
+ packet?: Record<string, any>;
597
+ [key: string]: any;
598
+ }
599
+ declare enum Decision {
600
+ ALLOW = "ALLOW",
601
+ DENY = "DENY",
602
+ THROTTLE = "THROTTLE",
603
+ FLAG = "FLAG"
604
+ }
605
+ type SensorDecision = {
606
+ decision?: Decision;
607
+ allow: boolean;
608
+ riskScore: number;
609
+ reasons: string[];
610
+ code?: string;
611
+ retryAfterMs?: number;
612
+ scoreDelta?: number;
613
+ tags?: Record<string, any>;
614
+ meta?: any;
615
+ tighten?: {
616
+ expSecondsMax?: number;
617
+ constraintsPatch?: Record<string, any>;
618
+ };
619
+ } | {
620
+ action: 'ALLOW';
621
+ meta?: any;
622
+ } | {
623
+ action: 'DENY';
624
+ code: string;
625
+ reason?: string;
626
+ retryAfterMs?: number;
627
+ meta?: any;
628
+ } | {
629
+ action: 'THROTTLE';
630
+ retryAfterMs: number;
631
+ meta?: any;
632
+ } | {
633
+ action: 'FLAG';
634
+ scoreDelta: number;
635
+ reasons: string[];
636
+ meta?: any;
637
+ };
638
+ type SensorMinifiedDecision = {
639
+ allow: boolean;
640
+ riskScore: number;
641
+ reasons: string[];
642
+ tags?: Record<string, any>;
643
+ meta?: any;
644
+ tighten?: {
645
+ expSecondsMax?: number;
646
+ constraintsPatch?: Record<string, any>;
647
+ };
648
+ retryAfterMs?: number;
649
+ };
650
+ declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
651
+ declare const SensorDecisions: {
652
+ allow(meta?: any, tags?: Record<string, any>): SensorDecision;
653
+ deny(code: string, reason?: string, meta?: any): SensorDecision;
654
+ throttle(retryAfterMs: number, meta?: any): SensorDecision;
655
+ flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
656
+ };
657
+
658
+ type CceHandler = (payload: Uint8Array, context: CceHandlerContext) => Promise<CceHandlerResult>;
659
+ interface CceHandlerContext {
660
+ capsule: CceCapsuleClaims;
661
+ executionContext: CceExecutionContext;
662
+ envelope: CceRequestEnvelope;
663
+ clientPublicKeyHex: string;
664
+ intent: string;
665
+ sub: string;
666
+ }
667
+ interface CceHandlerResult {
668
+ status: CceResponseStatus;
669
+ body: Uint8Array;
670
+ effect?: string;
671
+ }
672
+ interface CcePipelineConfig {
673
+ axisLocalSecret: string;
674
+ axisAudience: string;
675
+ sensors: AxisSensor[];
676
+ handlers: Map<string, CceHandler>;
677
+ witnessStore: CceWitnessStore;
678
+ clientKeyEncryptor: CceClientKeyEncryptor;
679
+ axisSigner: CceAxisSigner;
680
+ }
681
+ type CcePipelineResult = {
682
+ ok: true;
683
+ response: CceResponseEnvelope;
684
+ witnessId: string;
685
+ } | {
686
+ ok: false;
687
+ error: {
688
+ code: string;
689
+ message: string;
690
+ };
691
+ status: CceResponseStatus;
692
+ };
693
+ declare function executeCcePipeline(envelope: CceRequestEnvelope, config: CcePipelineConfig): Promise<CcePipelineResult>;
694
+
118
695
  interface IntentSchema$1 {
119
696
  intent: string;
120
697
  version: number;
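Review bot: `buildCceErrorResponse` takes `errorCode: string` and returns `ver: string` and `error.code: string`, although `CceErrorCode` and `CCE_PROTOCOL_VERSION` are declared earlier in this same hunk; `CcePipelineResult` repeats the untyped `code: string` in its `ok: false` branch. `CceError` exposes `clientSafe` and `toClientError()`, which suggests that not every code or message is meant to reach a client, and a free-form string parameter lets a caller step around that filter without the compiler noticing (the implementation is not on this page, so this is read from the declarations only). I would narrow the signature to `errorCode: CceErrorCode` and the return to `ver: typeof CCE_PROTOCOL_VERSION` with `code: CceErrorCode`, and add a TSDoc line on `message` stating whether it is forwarded to the client unchanged. Separately, `readonly records: CceWitnessRecord[]` on `InMemoryCceWitnessStore` only fixes the binding, so any holder of the store can edit or truncate the witness array; a private array behind a read-only accessor would suit an audit record better.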
@@ -146,6 +723,8 @@ declare class IntentRouter {
146
723
  private intentSchemas;
147
724
  private intentValidators;
148
725
  private intentKinds;
726
+ private cceHandlers;
727
+ private ccePipelineConfig;
149
728
  constructor(moduleRef?: ModuleRef | undefined);
150
729
  getSchema(intent: string): IntentSchema$1 | undefined;
151
730
  getValidators(intent: string): Map<number, TlvValidatorFn[]> | undefined;
@@ -164,6 +743,10 @@ declare class IntentRouter {
164
743
  private logIntent;
165
744
  registerIntentMeta(intent: string, proto: object, methodName: string, handlerSensors?: Function[]): void;
166
745
  private runIntentSensors;
746
+ configureCce(config: Omit<CcePipelineConfig, "handlers">): void;
747
+ registerCceHandler(intent: string, handler: CceHandler): void;
748
+ hasCceHandler(intent: string): boolean;
749
+ routeCce(envelope: CceRequestEnvelope): Promise<CcePipelineResult>;
167
750
  private storeSchema;
168
751
  }
169
752
 
@@ -484,251 +1067,87 @@ declare function packPasskeyRegisterOptionsReq(params: {
484
1067
  body: Buffer<ArrayBufferLike>;
485
1068
  };
486
1069
  declare function unpackPasskeyRegisterOptionsReq(body: Buffer): {
487
- username: string;
488
- };
489
- declare function packPasskeyLoginVerifyReq(params: {
490
- intentId: number;
491
- username: string;
492
- credentialId: Buffer;
493
- clientDataJSON: Buffer;
494
- authenticatorData: Buffer;
495
- signature: Buffer;
496
- userHandle?: Buffer;
497
- actorKeyId?: Buffer;
498
- traceId?: Buffer;
499
- }): {
500
- hdr: Buffer<ArrayBufferLike>;
501
- body: Buffer<ArrayBufferLike>;
502
- };
503
- declare function unpackPasskeyLoginVerifyReq(body: Buffer): {
504
- username: string;
505
- credentialId: Buffer;
506
- clientDataJSON: Buffer;
507
- authenticatorData: Buffer;
508
- signature: Buffer;
509
- userHandle: Buffer | undefined;
510
- };
511
- declare const Schema2002_PasskeyLoginOptionsRes: Ats1SchemaDescriptor;
512
- declare function packPasskeyLoginOptionsRes(params: {
513
- challenge: string;
514
- timeout?: number;
515
- rpId?: string;
516
- userVerification?: string;
517
- allowCredentials?: {
518
- id: string;
519
- type: string;
520
- transports?: string[];
521
- }[];
522
- }): Buffer;
523
- declare const Schema2012_PasskeyLoginVerifyRes: Ats1SchemaDescriptor;
524
- declare function packPasskeyLoginVerifyRes(params: {
525
- actorId: string;
526
- keyId: string;
527
- capsule: Buffer;
528
- expiresAt: bigint;
529
- }): Buffer;
530
-
531
- type Axis1FrameToEncode = {
532
- ver: number;
533
- flags: number;
534
- hdr: Buffer;
535
- body: Buffer;
536
- sig: Buffer;
537
- };
538
- declare function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer;
539
-
540
- declare function axis1SigningBytes(params: {
541
- ver: number;
542
- flags: number;
543
- hdr: Buffer;
544
- body: Buffer;
545
- }): Buffer;
546
-
547
- declare function encVarint(x: bigint): Buffer;
548
- declare function varintU(x: number | bigint): Buffer;
549
- declare function u64be(x: bigint): Buffer;
550
- declare function utf8(s: string): Buffer;
551
- declare function bytes(b: Uint8Array | Buffer): Buffer;
552
- declare function nonce16(): Buffer;
553
- declare function tlv(type: number, value: Buffer): Buffer;
554
- declare function buildTLVs(items: {
555
- type: number;
556
- value: Buffer;
557
- }[], opts?: {
558
- allowDupTypes?: Set<number>;
559
- }): Buffer;
560
-
561
- declare function b64urlEncode(buf: Buffer): string;
562
- declare function b64urlDecode(str: string): Buffer;
563
- declare function b64urlEncodeString(str: string, encoding?: BufferEncoding): string;
564
- declare function b64urlDecodeString(str: string, encoding?: BufferEncoding): string;
565
-
566
- declare function canonicalJson(value: any): string;
567
- declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
568
-
569
- type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
570
- type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
571
- type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
572
- type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
573
- interface AxisSig$1 {
574
- alg: AxisAlg$1;
575
- kid: string;
576
- value: string;
577
- }
578
- interface AxisPacket$1<T = any> {
579
- v: 1;
580
- pid: string;
581
- nonce: string;
582
- ts: number;
583
- actorId: string;
584
- opcode: string;
585
- body: T;
586
- sig: AxisSig$1;
587
- }
588
- interface AxisCapsuleConstraints {
589
- maxAmount?: number;
590
- maxCount?: number;
591
- ttlSeconds?: number;
592
- ipCidrAllow?: string[];
593
- countryAllow?: string[];
594
- deviceIdAllow?: string[];
595
- sessionIdLock?: string;
596
- nonceRequired?: boolean;
597
- }
598
- interface TickWindow {
599
- start: number;
600
- end: number;
601
- }
602
- interface AxisCapsulePayload {
603
- v: 1;
604
- capsuleId: string;
605
- actorId: string;
606
- issuer: string;
607
- audience: string;
608
- subject?: string;
609
- intent: string;
610
- scopes: string[];
611
- actions?: string[];
612
- iat: number;
613
- nbf?: number;
614
- exp: number;
615
- tickWindow?: TickWindow;
616
- mode: CapsuleMode;
617
- maxUses: number;
618
- nonceSeed?: string;
619
- policyRefs?: string[];
620
- riskScore?: number;
621
- constraints?: AxisCapsuleConstraints;
622
- meta?: Record<string, unknown>;
623
- }
624
- interface AxisCapsule {
625
- payload: AxisCapsulePayload;
626
- sig: AxisSig$1;
627
- }
628
- interface CapsuleIssueBody {
629
- intent: string;
630
- audience: string;
631
- scopes: string[];
632
- subject?: string;
633
- mode: CapsuleMode;
634
- maxUses?: number;
635
- expSeconds?: number;
636
- constraints?: AxisCapsuleConstraints;
637
- hints?: {
638
- ip?: string;
639
- ua?: string;
640
- deviceId?: string;
641
- geo?: string;
642
- };
643
- }
644
- interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
645
- count: number;
646
- mode: 'SINGLE_USE';
647
- }
648
- interface IntentExecBody {
649
- intent: string;
650
- capsule: AxisCapsule;
651
- execNonce?: string;
652
- args: Record<string, any>;
653
- }
654
- interface CapsuleRevokeBody {
655
- capsuleId: string;
656
- reason: string;
657
- }
658
- interface AxisResponse$1<T = any> {
659
- ok: boolean;
660
- pid: string;
661
- decisionId: string;
662
- code: string;
663
- message?: string;
664
- data?: T;
665
- meta?: Record<string, unknown>;
666
- }
667
- interface CapsuleIssueResult {
668
- capsule: AxisCapsule;
669
- }
670
- interface CapsuleBatchResult {
671
- capsules: AxisCapsule[];
672
- }
673
- interface ActorKeyRecord {
674
- id: Buffer;
675
- actor_id: string;
676
- key_id: string;
677
- algorithm: string;
678
- public_key: Buffer;
679
- purpose: string;
680
- status: KeyStatus;
681
- is_primary: boolean;
682
- not_before: Date | null;
683
- expires_at: Date | null;
684
- rotated_from_key_id: string | null;
685
- revoked_at: Date | null;
686
- revocation_reason: string | null;
687
- metadata: any;
688
- created_at: Date;
689
- updated_at: Date;
690
- }
691
- interface IssuerKeyRecord {
692
- id: Buffer;
693
- kid: string;
694
- issuer_id: string;
695
- alg: string;
696
- public_key_pem: string;
697
- status: KeyStatus;
698
- not_before: Date | null;
699
- not_after: Date | null;
700
- fingerprint: string | null;
701
- metadata: any;
702
- created_at: Date;
703
- updated_at: Date;
704
- }
705
- interface CapsuleRecord {
706
- id: Buffer;
707
- capsule_id: string;
708
- actor_id: string;
709
- intent: string;
710
- audience: string;
711
- issuer: string;
712
- subject: string | null;
713
- status: CapsuleStatus;
714
- mode: CapsuleMode;
715
- max_uses: number;
716
- used_count: number;
717
- iat: Date;
718
- nbf: Date | null;
719
- exp: Date;
720
- scopes_json: any;
721
- constraints_json: any;
722
- policy_refs_json: any;
723
- risk_score: number | null;
724
- payload_hash: Buffer;
725
- sig_alg: string;
726
- sig_kid: string;
727
- sig_value: Buffer;
728
- created_at: Date;
729
- updated_at: Date;
730
- last_used_at: Date | null;
731
- }
1070
+ username: string;
1071
+ };
1072
+ declare function packPasskeyLoginVerifyReq(params: {
1073
+ intentId: number;
1074
+ username: string;
1075
+ credentialId: Buffer;
1076
+ clientDataJSON: Buffer;
1077
+ authenticatorData: Buffer;
1078
+ signature: Buffer;
1079
+ userHandle?: Buffer;
1080
+ actorKeyId?: Buffer;
1081
+ traceId?: Buffer;
1082
+ }): {
1083
+ hdr: Buffer<ArrayBufferLike>;
1084
+ body: Buffer<ArrayBufferLike>;
1085
+ };
1086
+ declare function unpackPasskeyLoginVerifyReq(body: Buffer): {
1087
+ username: string;
1088
+ credentialId: Buffer;
1089
+ clientDataJSON: Buffer;
1090
+ authenticatorData: Buffer;
1091
+ signature: Buffer;
1092
+ userHandle: Buffer | undefined;
1093
+ };
1094
+ declare const Schema2002_PasskeyLoginOptionsRes: Ats1SchemaDescriptor;
1095
+ declare function packPasskeyLoginOptionsRes(params: {
1096
+ challenge: string;
1097
+ timeout?: number;
1098
+ rpId?: string;
1099
+ userVerification?: string;
1100
+ allowCredentials?: {
1101
+ id: string;
1102
+ type: string;
1103
+ transports?: string[];
1104
+ }[];
1105
+ }): Buffer;
1106
+ declare const Schema2012_PasskeyLoginVerifyRes: Ats1SchemaDescriptor;
1107
+ declare function packPasskeyLoginVerifyRes(params: {
1108
+ actorId: string;
1109
+ keyId: string;
1110
+ capsule: Buffer;
1111
+ expiresAt: bigint;
1112
+ }): Buffer;
1113
+
1114
+ type Axis1FrameToEncode = {
1115
+ ver: number;
1116
+ flags: number;
1117
+ hdr: Buffer;
1118
+ body: Buffer;
1119
+ sig: Buffer;
1120
+ };
1121
+ declare function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer;
1122
+
1123
+ declare function axis1SigningBytes(params: {
1124
+ ver: number;
1125
+ flags: number;
1126
+ hdr: Buffer;
1127
+ body: Buffer;
1128
+ }): Buffer;
1129
+
1130
+ declare function encVarint(x: bigint): Buffer;
1131
+ declare function varintU(x: number | bigint): Buffer;
1132
+ declare function u64be(x: bigint): Buffer;
1133
+ declare function utf8(s: string): Buffer;
1134
+ declare function bytes(b: Uint8Array | Buffer): Buffer;
1135
+ declare function nonce16(): Buffer;
1136
+ declare function tlv(type: number, value: Buffer): Buffer;
1137
+ declare function buildTLVs(items: {
1138
+ type: number;
1139
+ value: Buffer;
1140
+ }[], opts?: {
1141
+ allowDupTypes?: Set<number>;
1142
+ }): Buffer;
1143
+
1144
+ declare function b64urlEncode(buf: Buffer): string;
1145
+ declare function b64urlDecode(str: string): Buffer;
1146
+ declare function b64urlEncodeString(str: string, encoding?: BufferEncoding): string;
1147
+ declare function b64urlDecodeString(str: string, encoding?: BufferEncoding): string;
1148
+
1149
+ declare function canonicalJson(value: any): string;
1150
+ declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
732
1151
 
733
1152
  declare class ContractViolationError extends Error {
734
1153
  code: string;
@@ -805,146 +1224,6 @@ type AxisPacket = {
805
1224
  };
806
1225
  declare function buildPacket(hdr: Buffer, body: Buffer, sig: Buffer, flags?: number): AxisPacket;
807
1226
 
808
- type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
809
- type AxisSig = AxisSig$1 & {
810
- alg: AxisAlg;
811
- };
812
- interface AxisFrame$1<T = any> {
813
- v: 1;
814
- pid: string;
815
- nonce: string;
816
- ts: number;
817
- actorId: string;
818
- aud?: string;
819
- opcode: string;
820
- headers: Map<number, Uint8Array>;
821
- body: T;
822
- sig: AxisSig;
823
- }
824
- type AxisResponse<T = any> = AxisResponse$1<T> & {
825
- policyRefs?: string[];
826
- riskScore?: number;
827
- };
828
- interface AxisObservedContext {
829
- ip?: string;
830
- ua?: string;
831
- geo?: string;
832
- }
833
- interface AxisRequestContext {
834
- observed: AxisObservedContext;
835
- actorKeyKid?: string;
836
- issuerKeyKid?: string;
837
- decisionId: string;
838
- actorId: string;
839
- aud?: string;
840
- opcode: string;
841
- deviceId?: string;
842
- sessionId?: string;
843
- }
844
-
845
- interface SensorPhaseMetadata {
846
- phase: 'PRE_DECODE' | 'POST_DECODE';
847
- dependencies?: string[];
848
- asyncOk?: boolean;
849
- cryptoOk?: boolean;
850
- description?: string;
851
- }
852
- interface AxisSensor {
853
- readonly name: string;
854
- readonly order?: number;
855
- phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
856
- supports?(input: SensorInput): boolean;
857
- run(input: SensorInput): Promise<SensorDecision>;
858
- }
859
- interface AxisSensorInit extends AxisSensor {
860
- onModuleInit?(): void | Promise<void>;
861
- }
862
- interface AxisPreSensor extends AxisSensor {
863
- phase: 'PRE_DECODE';
864
- }
865
- interface AxisPostSensor extends AxisSensor {
866
- phase: 'POST_DECODE';
867
- }
868
- interface SensorInput {
869
- rawBytes?: Buffer | Uint8Array;
870
- intent?: string;
871
- ip?: string;
872
- path?: string;
873
- contentLength?: number;
874
- peek?: Uint8Array;
875
- country?: string;
876
- clientId?: string;
877
- isWs?: boolean;
878
- metadata?: Record<string, any>;
879
- actorId?: string;
880
- opcode?: string;
881
- aud?: string;
882
- observed?: AxisObservedContext;
883
- frameBody?: any;
884
- deviceId?: string;
885
- sessionId?: string;
886
- packet?: Record<string, any>;
887
- [key: string]: any;
888
- }
889
- declare enum Decision {
890
- ALLOW = "ALLOW",
891
- DENY = "DENY",
892
- THROTTLE = "THROTTLE",
893
- FLAG = "FLAG"
894
- }
895
- type SensorDecision = {
896
- decision?: Decision;
897
- allow: boolean;
898
- riskScore: number;
899
- reasons: string[];
900
- code?: string;
901
- retryAfterMs?: number;
902
- scoreDelta?: number;
903
- tags?: Record<string, any>;
904
- meta?: any;
905
- tighten?: {
906
- expSecondsMax?: number;
907
- constraintsPatch?: Record<string, any>;
908
- };
909
- } | {
910
- action: 'ALLOW';
911
- meta?: any;
912
- } | {
913
- action: 'DENY';
914
- code: string;
915
- reason?: string;
916
- retryAfterMs?: number;
917
- meta?: any;
918
- } | {
919
- action: 'THROTTLE';
920
- retryAfterMs: number;
921
- meta?: any;
922
- } | {
923
- action: 'FLAG';
924
- scoreDelta: number;
925
- reasons: string[];
926
- meta?: any;
927
- };
928
- type SensorMinifiedDecision = {
929
- allow: boolean;
930
- riskScore: number;
931
- reasons: string[];
932
- tags?: Record<string, any>;
933
- meta?: any;
934
- tighten?: {
935
- expSecondsMax?: number;
936
- constraintsPatch?: Record<string, any>;
937
- };
938
- retryAfterMs?: number;
939
- };
940
- declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
941
- declare const SensorDecisions: {
942
- allow(meta?: any, tags?: Record<string, any>): SensorDecision;
943
- deny(code: string, reason?: string, meta?: any): SensorDecision;
944
- throttle(retryAfterMs: number, meta?: any): SensorDecision;
945
- flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
946
- };
947
-
948
1227
  interface AxisHandler {
949
1228
  readonly name: string;
950
1229
  readonly open?: boolean;
@@ -1703,6 +1982,235 @@ declare class AxisSensorChainService {
1703
1982
  private evaluateSensors;
1704
1983
  }
1705
1984
 
1985
+ interface CceDerivationInput {
1986
+ axisLocalSecret: string;
1987
+ capsule: CceCapsuleClaims;
1988
+ requestNonce: string;
1989
+ responseNonce?: string;
1990
+ }
1991
+ declare function deriveRequestExecutionKey(input: CceDerivationInput): Uint8Array;
1992
+ declare function deriveResponseExecutionKey(input: CceDerivationInput & {
1993
+ responseNonce: string;
1994
+ }): Uint8Array;
1995
+ declare function deriveWitnessKey(input: CceDerivationInput): Uint8Array;
1996
+ declare function buildExecutionContext(input: CceDerivationInput, requestId: string): CceExecutionContext;
1997
+ declare function generateCceNonce(): string;
1998
+
1999
+ interface CceAxisKeyProvider {
2000
+ unwrapKey(encryptedKeyB64: string, algorithm: string, axisKid: string, ephemeralPkB64?: string): Promise<Uint8Array | null>;
2001
+ }
2002
+ interface CceAesGcmProvider {
2003
+ decrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array | null>;
2004
+ }
2005
+ declare class CcePayloadDecryptionSensor implements AxisSensor {
2006
+ private readonly keyProvider;
2007
+ private readonly aesProvider;
2008
+ private readonly maxPayloadBytes;
2009
+ readonly name = "cce.payload.decryption";
2010
+ readonly order = 145;
2011
+ readonly phase: "POST_DECODE";
2012
+ constructor(keyProvider: CceAxisKeyProvider, aesProvider: CceAesGcmProvider, maxPayloadBytes?: number);
2013
+ supports(input: SensorInput): boolean;
2014
+ run(input: SensorInput): Promise<SensorDecision>;
2015
+ }
2016
+
2017
+ declare function aesGcmEncrypt(key: Uint8Array, plaintext: Uint8Array, aad?: Uint8Array): {
2018
+ iv: Uint8Array;
2019
+ ciphertext: Uint8Array;
2020
+ tag: Uint8Array;
2021
+ };
2022
+ declare function aesGcmDecrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Uint8Array | null;
2023
+ declare function generateAesKey(): Uint8Array;
2024
+ declare function generateIv(): Uint8Array;
2025
+ declare function base64UrlEncode(bytes: Uint8Array): string;
2026
+ declare function base64UrlDecode(input: string): Uint8Array;
2027
+ declare function hashPayload(payload: Uint8Array): string;
2028
+
2029
+ declare const nodeAesGcmProvider: CceAesGcmProvider;
2030
+
2031
+ declare class CceEnvelopeValidationSensor implements AxisSensor {
2032
+ readonly name = "cce.envelope.validation";
2033
+ readonly order = 5;
2034
+ readonly phase: "PRE_DECODE";
2035
+ supports(input: SensorInput): boolean;
2036
+ run(input: SensorInput): Promise<SensorDecision>;
2037
+ }
2038
+
2039
+ interface CceClientKeyResolver {
2040
+ resolve(kid: string): Promise<{
2041
+ publicKeyHex: string;
2042
+ alg: string;
2043
+ } | null>;
2044
+ }
2045
+ interface CceSignatureVerifier {
2046
+ verify(message: Uint8Array, signatureHex: string, publicKeyHex: string, alg: string): Promise<boolean>;
2047
+ }
2048
+ declare class CceClientSignatureSensor implements AxisSensor {
2049
+ private readonly keyResolver;
2050
+ private readonly signatureVerifier;
2051
+ readonly name = "cce.client.signature";
2052
+ readonly order = 45;
2053
+ readonly phase: "POST_DECODE";
2054
+ constructor(keyResolver: CceClientKeyResolver, signatureVerifier: CceSignatureVerifier);
2055
+ supports(input: SensorInput): boolean;
2056
+ run(input: SensorInput): Promise<SensorDecision>;
2057
+ }
2058
+
2059
+ interface CceIssuerKeyResolver {
2060
+ resolve(kid: string): Promise<{
2061
+ publicKeyHex: string;
2062
+ } | null>;
2063
+ }
2064
+ interface CceCapsuleSignatureVerifier {
2065
+ verify(claims: Omit<CceCapsuleClaims, "issuer_sig">, signature: {
2066
+ alg: string;
2067
+ kid: string;
2068
+ value: string;
2069
+ }, publicKeyHex: string): Promise<boolean>;
2070
+ }
2071
+ declare class CceCapsuleVerificationSensor implements AxisSensor {
2072
+ private readonly issuerKeyResolver;
2073
+ private readonly capsuleVerifier;
2074
+ readonly name = "cce.capsule.verification";
2075
+ readonly order = 50;
2076
+ readonly phase: "POST_DECODE";
2077
+ constructor(issuerKeyResolver: CceIssuerKeyResolver, capsuleVerifier: CceCapsuleSignatureVerifier);
2078
+ supports(input: SensorInput): boolean;
2079
+ run(input: SensorInput): Promise<SensorDecision>;
2080
+ }
2081
+
2082
+ declare class CceTpsWindowSensor implements AxisSensor {
2083
+ private readonly skewMs;
2084
+ readonly name = "cce.tps.window";
2085
+ readonly order = 92;
2086
+ readonly phase: "POST_DECODE";
2087
+ constructor(skewMs?: number);
2088
+ supports(input: SensorInput): boolean;
2089
+ run(input: SensorInput): Promise<SensorDecision>;
2090
+ }
2091
+
2092
+ declare class CceAudienceIntentBindingSensor implements AxisSensor {
2093
+ private readonly axisAudience;
2094
+ readonly name = "cce.audience.intent.binding";
2095
+ readonly order = 95;
2096
+ readonly phase: "POST_DECODE";
2097
+ constructor(axisAudience: string);
2098
+ supports(input: SensorInput): boolean;
2099
+ run(input: SensorInput): Promise<SensorDecision>;
2100
+ }
2101
+
2102
+ interface CceReplayStore {
2103
+ checkAndMark(key: string, ttlMs: number): Promise<boolean>;
2104
+ isCapsuleConsumed(capsuleId: string): Promise<boolean>;
2105
+ markCapsuleConsumed(capsuleId: string, ttlMs: number): Promise<void>;
2106
+ isCapsuleRevoked(capsuleId: string): Promise<boolean>;
2107
+ }
2108
+ declare class InMemoryCceReplayStore implements CceReplayStore {
2109
+ private nonces;
2110
+ private consumed;
2111
+ private revoked;
2112
+ checkAndMark(key: string, ttlMs: number): Promise<boolean>;
2113
+ isCapsuleConsumed(capsuleId: string): Promise<boolean>;
2114
+ markCapsuleConsumed(capsuleId: string, _ttlMs: number): Promise<void>;
2115
+ isCapsuleRevoked(capsuleId: string): Promise<boolean>;
2116
+ revoke(capsuleId: string): void;
2117
+ private cleanup;
2118
+ }
2119
+ declare class CceReplayProtectionSensor implements AxisSensor {
2120
+ private readonly replayStore;
2121
+ readonly name = "cce.replay.protection";
2122
+ readonly order = 98;
2123
+ readonly phase: "POST_DECODE";
2124
+ private readonly nonceTtlMs;
2125
+ constructor(replayStore: CceReplayStore, options?: {
2126
+ nonceTtlMs?: number;
2127
+ });
2128
+ supports(input: SensorInput): boolean;
2129
+ run(input: SensorInput): Promise<SensorDecision>;
2130
+ }
2131
+
2132
+ declare const index$9_CCE_AES_KEY_BYTES: typeof CCE_AES_KEY_BYTES;
2133
+ declare const index$9_CCE_DERIVATION: typeof CCE_DERIVATION;
2134
+ declare const index$9_CCE_ERROR: typeof CCE_ERROR;
2135
+ declare const index$9_CCE_IV_BYTES: typeof CCE_IV_BYTES;
2136
+ declare const index$9_CCE_NONCE_BYTES: typeof CCE_NONCE_BYTES;
2137
+ declare const index$9_CCE_PROTOCOL_VERSION: typeof CCE_PROTOCOL_VERSION;
2138
+ declare const index$9_CCE_TAG_BYTES: typeof CCE_TAG_BYTES;
2139
+ type index$9_CceAesGcmProvider = CceAesGcmProvider;
2140
+ type index$9_CceAlgorithm = CceAlgorithm;
2141
+ type index$9_CceAlgorithmDescriptor = CceAlgorithmDescriptor;
2142
+ type index$9_CceAudienceIntentBindingSensor = CceAudienceIntentBindingSensor;
2143
+ declare const index$9_CceAudienceIntentBindingSensor: typeof CceAudienceIntentBindingSensor;
2144
+ type index$9_CceAxisKeyProvider = CceAxisKeyProvider;
2145
+ type index$9_CceAxisSigner = CceAxisSigner;
2146
+ type index$9_CceCapsuleClaims = CceCapsuleClaims;
2147
+ type index$9_CceCapsuleSignatureVerifier = CceCapsuleSignatureVerifier;
2148
+ type index$9_CceCapsuleVerificationSensor = CceCapsuleVerificationSensor;
2149
+ declare const index$9_CceCapsuleVerificationSensor: typeof CceCapsuleVerificationSensor;
2150
+ type index$9_CceClientKeyEncryptor = CceClientKeyEncryptor;
2151
+ type index$9_CceClientKeyResolver = CceClientKeyResolver;
2152
+ type index$9_CceClientSignatureSensor = CceClientSignatureSensor;
2153
+ declare const index$9_CceClientSignatureSensor: typeof CceClientSignatureSensor;
2154
+ type index$9_CceConstraints = CceConstraints;
2155
+ type index$9_CceDerivationInput = CceDerivationInput;
2156
+ type index$9_CceEncryptedKey = CceEncryptedKey;
2157
+ type index$9_CceEncryptedPayload = CceEncryptedPayload;
2158
+ type index$9_CceEnvelopeValidationSensor = CceEnvelopeValidationSensor;
2159
+ declare const index$9_CceEnvelopeValidationSensor: typeof CceEnvelopeValidationSensor;
2160
+ type index$9_CceError = CceError;
2161
+ declare const index$9_CceError: typeof CceError;
2162
+ type index$9_CceErrorCode = CceErrorCode;
2163
+ type index$9_CceExecutionContext = CceExecutionContext;
2164
+ type index$9_CceHandler = CceHandler;
2165
+ type index$9_CceHandlerContext = CceHandlerContext;
2166
+ type index$9_CceHandlerResult = CceHandlerResult;
2167
+ type index$9_CceIssuerKeyResolver = CceIssuerKeyResolver;
2168
+ type index$9_CceKdfAlgorithm = CceKdfAlgorithm;
2169
+ type index$9_CceKemAlgorithm = CceKemAlgorithm;
2170
+ type index$9_CcePayloadDecryptionSensor = CcePayloadDecryptionSensor;
2171
+ declare const index$9_CcePayloadDecryptionSensor: typeof CcePayloadDecryptionSensor;
2172
+ type index$9_CcePipelineConfig = CcePipelineConfig;
2173
+ type index$9_CcePipelineResult = CcePipelineResult;
2174
+ type index$9_CceReplayProtectionSensor = CceReplayProtectionSensor;
2175
+ declare const index$9_CceReplayProtectionSensor: typeof CceReplayProtectionSensor;
2176
+ type index$9_CceReplayStore = CceReplayStore;
2177
+ type index$9_CceRequestEnvelope = CceRequestEnvelope;
2178
+ type index$9_CceResponseEnvelope = CceResponseEnvelope;
2179
+ type index$9_CceResponseOptions = CceResponseOptions;
2180
+ type index$9_CceResponseStatus = CceResponseStatus;
2181
+ type index$9_CceSignature = CceSignature;
2182
+ type index$9_CceSignatureVerifier = CceSignatureVerifier;
2183
+ type index$9_CceTpsWindowSensor = CceTpsWindowSensor;
2184
+ declare const index$9_CceTpsWindowSensor: typeof CceTpsWindowSensor;
2185
+ type index$9_CceVerificationState = CceVerificationState;
2186
+ type index$9_CceWitnessRecord = CceWitnessRecord;
2187
+ type index$9_CceWitnessStore = CceWitnessStore;
2188
+ type index$9_InMemoryCceReplayStore = InMemoryCceReplayStore;
2189
+ declare const index$9_InMemoryCceReplayStore: typeof InMemoryCceReplayStore;
2190
+ type index$9_InMemoryCceWitnessStore = InMemoryCceWitnessStore;
2191
+ declare const index$9_InMemoryCceWitnessStore: typeof InMemoryCceWitnessStore;
2192
+ declare const index$9_aesGcmDecrypt: typeof aesGcmDecrypt;
2193
+ declare const index$9_aesGcmEncrypt: typeof aesGcmEncrypt;
2194
+ declare const index$9_base64UrlDecode: typeof base64UrlDecode;
2195
+ declare const index$9_base64UrlEncode: typeof base64UrlEncode;
2196
+ declare const index$9_buildCceErrorResponse: typeof buildCceErrorResponse;
2197
+ declare const index$9_buildCceResponse: typeof buildCceResponse;
2198
+ declare const index$9_buildExecutionContext: typeof buildExecutionContext;
2199
+ declare const index$9_buildWitnessRecord: typeof buildWitnessRecord;
2200
+ declare const index$9_deriveRequestExecutionKey: typeof deriveRequestExecutionKey;
2201
+ declare const index$9_deriveResponseExecutionKey: typeof deriveResponseExecutionKey;
2202
+ declare const index$9_deriveWitnessKey: typeof deriveWitnessKey;
2203
+ declare const index$9_executeCcePipeline: typeof executeCcePipeline;
2204
+ declare const index$9_extractVerificationState: typeof extractVerificationState;
2205
+ declare const index$9_generateAesKey: typeof generateAesKey;
2206
+ declare const index$9_generateCceNonce: typeof generateCceNonce;
2207
+ declare const index$9_generateIv: typeof generateIv;
2208
+ declare const index$9_hashPayload: typeof hashPayload;
2209
+ declare const index$9_nodeAesGcmProvider: typeof nodeAesGcmProvider;
2210
+ declare namespace index$9 {
2211
+ export { index$9_CCE_AES_KEY_BYTES as CCE_AES_KEY_BYTES, index$9_CCE_DERIVATION as CCE_DERIVATION, index$9_CCE_ERROR as CCE_ERROR, index$9_CCE_IV_BYTES as CCE_IV_BYTES, index$9_CCE_NONCE_BYTES as CCE_NONCE_BYTES, index$9_CCE_PROTOCOL_VERSION as CCE_PROTOCOL_VERSION, index$9_CCE_TAG_BYTES as CCE_TAG_BYTES, type index$9_CceAesGcmProvider as CceAesGcmProvider, type index$9_CceAlgorithm as CceAlgorithm, type index$9_CceAlgorithmDescriptor as CceAlgorithmDescriptor, index$9_CceAudienceIntentBindingSensor as CceAudienceIntentBindingSensor, type index$9_CceAxisKeyProvider as CceAxisKeyProvider, type index$9_CceAxisSigner as CceAxisSigner, type index$9_CceCapsuleClaims as CceCapsuleClaims, type index$9_CceCapsuleSignatureVerifier as CceCapsuleSignatureVerifier, index$9_CceCapsuleVerificationSensor as CceCapsuleVerificationSensor, type index$9_CceClientKeyEncryptor as CceClientKeyEncryptor, type index$9_CceClientKeyResolver as CceClientKeyResolver, index$9_CceClientSignatureSensor as CceClientSignatureSensor, type index$9_CceConstraints as CceConstraints, type index$9_CceDerivationInput as CceDerivationInput, type index$9_CceEncryptedKey as CceEncryptedKey, type index$9_CceEncryptedPayload as CceEncryptedPayload, index$9_CceEnvelopeValidationSensor as CceEnvelopeValidationSensor, index$9_CceError as CceError, type index$9_CceErrorCode as CceErrorCode, type index$9_CceExecutionContext as CceExecutionContext, type index$9_CceHandler as CceHandler, type index$9_CceHandlerContext as CceHandlerContext, type index$9_CceHandlerResult as CceHandlerResult, type index$9_CceIssuerKeyResolver as CceIssuerKeyResolver, type index$9_CceKdfAlgorithm as CceKdfAlgorithm, type index$9_CceKemAlgorithm as CceKemAlgorithm, index$9_CcePayloadDecryptionSensor as CcePayloadDecryptionSensor, type index$9_CcePipelineConfig as CcePipelineConfig, type index$9_CcePipelineResult as CcePipelineResult, index$9_CceReplayProtectionSensor as CceReplayProtectionSensor, type index$9_CceReplayStore as 
CceReplayStore, type index$9_CceRequestEnvelope as CceRequestEnvelope, type index$9_CceResponseEnvelope as CceResponseEnvelope, type index$9_CceResponseOptions as CceResponseOptions, type index$9_CceResponseStatus as CceResponseStatus, type index$9_CceSignature as CceSignature, type index$9_CceSignatureVerifier as CceSignatureVerifier, index$9_CceTpsWindowSensor as CceTpsWindowSensor, type index$9_CceVerificationState as CceVerificationState, type index$9_CceWitnessRecord as CceWitnessRecord, type index$9_CceWitnessStore as CceWitnessStore, index$9_InMemoryCceReplayStore as InMemoryCceReplayStore, index$9_InMemoryCceWitnessStore as InMemoryCceWitnessStore, index$9_aesGcmDecrypt as aesGcmDecrypt, index$9_aesGcmEncrypt as aesGcmEncrypt, index$9_base64UrlDecode as base64UrlDecode, index$9_base64UrlEncode as base64UrlEncode, index$9_buildCceErrorResponse as buildCceErrorResponse, index$9_buildCceResponse as buildCceResponse, index$9_buildExecutionContext as buildExecutionContext, index$9_buildWitnessRecord as buildWitnessRecord, index$9_deriveRequestExecutionKey as deriveRequestExecutionKey, index$9_deriveResponseExecutionKey as deriveResponseExecutionKey, index$9_deriveWitnessKey as deriveWitnessKey, index$9_executeCcePipeline as executeCcePipeline, index$9_extractVerificationState as extractVerificationState, index$9_generateAesKey as generateAesKey, index$9_generateCceNonce as generateCceNonce, index$9_generateIv as generateIv, index$9_hashPayload as hashPayload, index$9_nodeAesGcmProvider as nodeAesGcmProvider };
2212
+ }
2213
+
1706
2214
  type ProofType = 1 | 2 | 3 | 4;
1707
2215
  interface ProofVerificationResult {
1708
2216
  valid: boolean;
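Review bot: `CceReplayStore` gives nonces an atomic `checkAndMark`, but capsule consumption is split into `isCapsuleConsumed` and `markCapsuleConsumed`, so two concurrent requests carrying the same `SINGLE_USE` capsule could both pass the check before either one marks it. Only declarations are visible in this hunk, so how `CceReplayProtectionSensor.run` sequences the two calls cannot be confirmed here. The interface would be safer with a single test-and-set operation such as `consumeCapsule(capsuleId: string, ttlMs: number): Promise<boolean>;`, which a shared backing store can implement atomically. `InMemoryCceReplayStore.markCapsuleConsumed` names its second parameter `_ttlMs`, which suggests the TTL is ignored. If that is the case, a TSDoc comment on the class should say that consumed capsule ids are process-local and never expire, and that this store is meant for tests or single-instance use.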
@@ -2376,4 +2884,4 @@ declare namespace index {
2376
2884
  export { index_encodeAxisTlvDto as encodeAxisTlvDto };
2377
2885
  }
2378
2886
 
2379
- export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, AxisContext$1 as AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservation, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, type Capability, type CapsuleMode, type ChainResult, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, 
RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type ResponseContract, type ResponseObserverContext, RiskDecision, type RiskEvaluation, type RiskSignal, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeObservation, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, encVarint, encodeAxis1Frame, encodeQueueMessage, endStage, index$5 as engine, extractDtoSchema, finalizeObservation, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, index$4 as loom, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, 
unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse };
2887
+ export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, AxisContext$1 as AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservation, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, CCE_ERROR, CCE_PROTOCOL_VERSION, type Capability, type CapsuleMode, type CceCapsuleClaims as CceCapsuleClaimsType, CceError, type CceExecutionContext as CceExecutionContextType, type CceHandler, type CceHandlerContext, type CceHandlerResult, type CcePipelineConfig, type CcePipelineResult, type CceRequestEnvelope as CceRequestEnvelopeType, type CceResponseEnvelope as CceResponseEnvelopeType, type CceWitnessRecord as CceWitnessRecordType, type ChainResult, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, 
type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type ResponseContract, type ResponseObserverContext, RiskDecision, type RiskEvaluation, type RiskSignal, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeObservation, index$9 as cce, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, encVarint, encodeAxis1Frame, encodeQueueMessage, endStage, index$5 as engine, executeCcePipeline, extractDtoSchema, finalizeObservation, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, 
index$4 as loom, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse };