@nextera.one/axis-server-sdk 1.5.0 → 1.7.0

package/dist/index.d.ts

@@ -2,7 +2,7 @@ import { ModuleRef, DiscoveryService, MetadataScanner, Reflector } from '@nestjs
 import { A as AxisFrame$2 } from './index-1uEwnW-w.js';
 export { a as AxisBinaryFrame, b as AxisError, c as AxisFrameZ, d as computeReceiptHash, e as computeSignaturePayload, i as core, f as decodeFrame, g as encodeFrame, h as generateEd25519KeyPair, j as getSignTarget, s as sha256, k as signFrame, v as verifyFrameSignature } from './index-1uEwnW-w.js';
 import { PROOF_LOOM, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT } from '@nextera.one/axis-protocol';
-export { AXIS_MAGIC, AXIS_VERSION, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, decodeArray, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeTLVs, encodeVarint, varintLength } from '@nextera.one/axis-protocol';
+export { AXIS_MAGIC, AXIS_VERSION, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, TLV_LOOM_WRIT as TLV_WRIT, decodeArray, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeTLVs, encodeVarint, varintLength } from '@nextera.one/axis-protocol';
 import { OnModuleInit, OnApplicationBootstrap } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import * as z from 'zod';
@@ -115,193 +115,776 @@ declare abstract class AxisResponseDto extends AxisTlvDto {
     updated_by?: string;
 }
 
-interface IntentSchema$1 {
+declare const CCE_PROTOCOL_VERSION: "cce-v1";
+declare const CCE_DERIVATION: {
+    readonly REQUEST: "axis:cce:req:v1";
+    readonly RESPONSE: "axis:cce:resp:v1";
+    readonly WITNESS: "axis:cce:witness:v1";
+};
+type CceAlgorithm = "AES-256-GCM";
+type CceKemAlgorithm = "X25519" | "RSA-OAEP-256";
+type CceKdfAlgorithm = "HKDF-SHA256";
+declare const CCE_AES_KEY_BYTES = 32;
+declare const CCE_IV_BYTES = 12;
+declare const CCE_TAG_BYTES = 16;
+declare const CCE_NONCE_BYTES = 32;
+interface CceCapsuleClaims {
+    capsule_id: string;
+    ver: typeof CCE_PROTOCOL_VERSION;
+    sub: string;
+    kid: string;
     intent: string;
-    version: number;
-    bodyProfile: "TLV_MAP" | "RAW" | "TLV_OBJ" | "TLV_ARR";
-    fields: Array<{
-        name: string;
-        tlv: number;
-        kind: IntentTlvField["kind"];
-        required?: boolean;
-        maxLen?: number;
-        max?: string;
-        scope?: "header" | "body";
-    }>;
-}
-interface AxisEffect {
-    ok: boolean;
-    effect: string;
-    body?: Uint8Array;
-    headers?: Map<number, Uint8Array>;
-    metadata?: any;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    capsule_nonce: string;
+    challenge_id: string;
+    policy_hash?: string;
+    iat: number;
+    exp: number;
+    mode: "SINGLE_USE" | "SESSION";
+    scope?: string[];
+    constraints?: CceConstraints;
+    issuer_sig: CceSignature;
+}
+interface CceConstraints {
+    max_payload_bytes?: number;
+    ip_allow?: string[];
+    device_allow?: string[];
+    country_allow?: string[];
+}
+interface CceSignature {
+    alg: "EdDSA" | "ES256";
+    kid: string;
+    value: string;
 }
-declare class IntentRouter {
-    private readonly moduleRef?;
-    private readonly logger;
-    private static readonly BUILTIN_INTENTS;
-    private handlers;
-    private intentSensors;
-    private intentDecoders;
-    private intentSchemas;
-    private intentValidators;
-    private intentKinds;
-    constructor(moduleRef?: ModuleRef | undefined);
-    getSchema(intent: string): IntentSchema$1 | undefined;
-    getValidators(intent: string): Map<number, TlvValidatorFn[]> | undefined;
-    has(intent: string): boolean;
-    getRegisteredIntents(): string[];
-    getIntentEntry(intent: string): {
-        schema?: IntentSchema$1;
-        validators?: Map<number, TlvValidatorFn[]>;
-        hasSensors: boolean;
-        builtin: boolean;
-        kind?: IntentKind;
-    } | null;
-    register(intent: string, handler: any): void;
-    registerHandler(instance: any): void;
-    route(frame: AxisFrame$2): Promise<AxisEffect>;
-    private logIntent;
-    registerIntentMeta(intent: string, proto: object, methodName: string, handlerSensors?: Function[]): void;
-    private runIntentSensors;
-    private storeSchema;
+interface CceRequestEnvelope {
+    ver: typeof CCE_PROTOCOL_VERSION;
+    request_id: string;
+    correlation_id: string;
+    client_kid: string;
+    capsule: CceCapsuleClaims;
+    encrypted_key: CceEncryptedKey;
+    encrypted_payload: CceEncryptedPayload;
+    request_nonce: string;
+    client_sig: CceSignature;
+    content_type: string;
+    algorithms: CceAlgorithmDescriptor;
+    aad_descriptor?: string;
+}
+interface CceEncryptedKey {
+    alg: CceKemAlgorithm;
+    axis_kid: string;
+    ciphertext: string;
+    ephemeral_pk?: string;
+}
+interface CceEncryptedPayload {
+    alg: CceAlgorithm;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+}
+interface CceAlgorithmDescriptor {
+    kem: CceKemAlgorithm;
+    enc: CceAlgorithm;
+    kdf: CceKdfAlgorithm;
+    sig: "EdDSA" | "ES256";
+}
+interface CceResponseEnvelope {
+    ver: typeof CCE_PROTOCOL_VERSION;
+    response_id: string;
+    request_id: string;
+    correlation_id: string;
+    encrypted_key: CceEncryptedKey;
+    encrypted_payload: CceEncryptedPayload;
+    response_nonce: string;
+    axis_sig: CceSignature;
+    witness_ref?: string;
+    algorithms: CceAlgorithmDescriptor;
+    status: CceResponseStatus;
+}
+type CceResponseStatus = "SUCCESS" | "DENIED" | "PARTIAL" | "FAILED" | "ERROR";
+interface CceExecutionContext {
+    execution_key_hash: string;
+    request_id: string;
+    capsule_id: string;
+    sub: string;
+    kid: string;
+    intent: string;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    policy_hash?: string;
+    derived_at: number;
+    valid: boolean;
 }
-
-declare const BAND: {
-    readonly WIRE: 0;
-    readonly IDENTITY: 40;
-    readonly POLICY: 90;
-    readonly CONTENT: 140;
-    readonly BUSINESS: 200;
-    readonly AUDIT: 900;
+interface CceWitnessRecord {
+    witness_id: string;
+    request_id: string;
+    capsule_id: string;
+    sub: string;
+    intent: string;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    timestamp: number;
+    verification: {
+        client_sig: boolean;
+        capsule_sig: boolean;
+        tps_valid: boolean;
+        audience_match: boolean;
+        intent_match: boolean;
+        replay_clean: boolean;
+        nonce_unique: boolean;
+        decryption_ok: boolean;
+    };
+    execution: {
+        status: CceResponseStatus;
+        handler_duration_ms: number;
+        effect?: string;
+    };
+    response_encrypted: boolean;
+    execution_context_hash: string;
+    request_payload_hash?: string;
+    response_payload_hash?: string;
+}
+declare const CCE_ERROR: {
+    readonly INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE";
+    readonly UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION";
+    readonly MISSING_CAPSULE: "CCE_MISSING_CAPSULE";
+    readonly MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY";
+    readonly CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID";
+    readonly CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND";
+    readonly CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID";
+    readonly CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED";
+    readonly CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID";
+    readonly CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED";
+    readonly CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED";
+    readonly AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH";
+    readonly INTENT_MISMATCH: "CCE_INTENT_MISMATCH";
+    readonly TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED";
+    readonly TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE";
+    readonly REPLAY_DETECTED: "CCE_REPLAY_DETECTED";
+    readonly NONCE_REUSED: "CCE_NONCE_REUSED";
+    readonly DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED";
+    readonly KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED";
+    readonly AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH";
+    readonly PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE";
+    readonly PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID";
+    readonly INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH";
+    readonly POLICY_DENIED: "CCE_POLICY_DENIED";
+    readonly CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED";
+    readonly HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND";
+    readonly HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED";
+    readonly HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT";
+    readonly RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED";
 };
-type SensorBand = keyof typeof BAND;
-declare const PRE_DECODE_BOUNDARY = 40;
-
-declare function stableJsonStringify(value: unknown): string;
+type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];
+declare class CceError extends Error {
+    readonly code: CceErrorCode;
+    readonly metadata?: Record<string, unknown> | undefined;
+    constructor(code: CceErrorCode, message: string, metadata?: Record<string, unknown> | undefined);
+    get clientSafe(): boolean;
+    toClientError(): {
+        code: CceErrorCode;
+        message: string;
+    };
+}
 
-interface ObservationStage {
-    name: string;
-    status: 'ok' | 'fail' | 'skip';
-    startMs: number;
-    endMs?: number;
-    durationMs?: number;
-    reason?: string;
-    code?: string;
+interface CceClientKeyEncryptor {
+    wrapKey(aesKey: Uint8Array, clientKid: string, clientPublicKeyHex: string): Promise<CceEncryptedKey>;
 }
-interface ObservationSensor {
-    name: string;
-    allowed: boolean;
-    riskScore: number;
-    durationMs: number;
-    reasons: string[];
-    code?: string;
+interface CceAxisSigner {
+    sign(payload: Uint8Array): Promise<CceSignature>;
 }
-interface AxisObservation {
-    id: string;
-    startMs: number;
-    transport: 'http' | 'ws';
-    ip?: string;
-    intent?: string;
-    actorId?: string;
-    capsuleId?: string;
-    stages: ObservationStage[];
-    sensors: ObservationSensor[];
-    decision?: 'ALLOW' | 'DENY';
-    resultCode?: string;
-    statusCode?: number;
-    endMs?: number;
-    durationMs?: number;
-    facts: Record<string, unknown>;
+interface CceResponseOptions {
+    request: CceRequestEnvelope;
+    capsule: CceCapsuleClaims;
+    status: CceResponseStatus;
+    body: Uint8Array;
+    clientPublicKeyHex: string;
+    witnessRef?: string;
 }
-declare function createObservation(transport: 'http' | 'ws', ip?: string): AxisObservation;
-declare function startStage(obs: AxisObservation, name: string): ObservationStage;
-declare function endStage(stage: ObservationStage, status?: 'ok' | 'fail' | 'skip', reason?: string, code?: string): void;
-declare function recordSensor(obs: AxisObservation, name: string, allowed: boolean, riskScore: number, durationMs: number, reasons: string[], code?: string): void;
-declare function finalizeObservation(obs: AxisObservation, decision: 'ALLOW' | 'DENY', statusCode: number, resultCode?: string): void;
+declare function buildCceResponse(options: CceResponseOptions, clientKeyEncryptor: CceClientKeyEncryptor, axisSigner: CceAxisSigner): Promise<{
+    envelope: CceResponseEnvelope;
+    responsePayloadHash: string;
+}>;
+declare function buildCceErrorResponse(requestId: string, correlationId: string, status: CceResponseStatus, errorCode: string, message: string): {
+    ver: string;
+    request_id: string;
+    correlation_id: string;
+    status: CceResponseStatus;
+    error: {
+        code: string;
+        message: string;
+    };
+};
 
-interface ObservationQueueMessage {
-    v: 1;
-    observation: AxisObservation;
-    attempts: number;
-    firstEnqueuedAt: number;
-    lastEnqueuedAt: number;
-    sourceNodeId: string;
-    lastError?: string;
+interface CceWitnessStore {
+    record(witness: CceWitnessRecord): Promise<void>;
+}
+declare class InMemoryCceWitnessStore implements CceWitnessStore {
+    readonly records: CceWitnessRecord[];
+    record(witness: CceWitnessRecord): Promise<void>;
+    getByRequestId(requestId: string): CceWitnessRecord | undefined;
+    getByCapsuleId(capsuleId: string): CceWitnessRecord[];
+}
+interface CceVerificationState {
+    clientSigVerified: boolean;
+    capsuleSigVerified: boolean;
+    tpsValid: boolean;
+    audienceMatch: boolean;
+    intentMatch: boolean;
+    replayClean: boolean;
+    nonceUnique: boolean;
+    decryptionOk: boolean;
+}
+declare function buildWitnessRecord(envelope: CceRequestEnvelope, capsule: CceCapsuleClaims, verification: CceVerificationState, execution: {
+    status: CceResponseStatus;
+    handlerDurationMs: number;
+    effect?: string;
+}, options: {
+    axisLocalSecret: string;
+    requestPayload?: Uint8Array;
+    responsePayload?: Uint8Array;
+    responseEncrypted: boolean;
+}): CceWitnessRecord;
+declare function extractVerificationState(metadata: Record<string, any>): CceVerificationState;
+
+type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
+type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
+type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
+type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
+interface AxisSig$1 {
+    alg: AxisAlg$1;
+    kid: string;
+    value: string;
 }
-interface ObservationQueueConfig {
-    enabled: boolean;
-    workerEnabled: boolean;
-    streamKey: string;
-    deadLetterStreamKey: string;
-    groupName: string;
-    consumerName: string;
-    readBlockMs: number;
-    readBatchSize: number;
-    reclaimIdleMs: number;
-    reclaimBatchSize: number;
-    maxRetries: number;
-    maxStreamLength: number;
-    workerConcurrency: number;
+interface AxisPacket$1<T = any> {
+    v: 1;
+    pid: string;
+    nonce: string;
+    ts: number;
+    actorId: string;
+    opcode: string;
+    body: T;
+    sig: AxisSig$1;
 }
-
-interface ObservationStreamEntry {
-    id: string;
-    message: ObservationQueueMessage;
+interface AxisCapsuleConstraints {
+    maxAmount?: number;
+    maxCount?: number;
+    ttlSeconds?: number;
+    ipCidrAllow?: string[];
+    countryAllow?: string[];
+    deviceIdAllow?: string[];
+    sessionIdLock?: string;
+    nonceRequired?: boolean;
 }
-declare function buildQueueMessage(observation: AxisObservation, sourceNodeId: string, previous?: ObservationQueueMessage, lastError?: string): ObservationQueueMessage;
-declare function encodeQueueMessage(message: ObservationQueueMessage): string;
-declare function decodeQueueMessage(raw: string): ObservationQueueMessage | null;
-declare function parseStreamEntries(raw: any): ObservationStreamEntry[];
-declare function parseAutoClaimEntries(raw: any): ObservationStreamEntry[];
-
-interface ObservationWitnessSummary {
-    intent?: string;
-    actorId?: string;
-    decision?: string;
-    statusCode?: number;
-    durationMs?: number;
-    sensorCount: number;
-    stageCount: number;
+interface TickWindow {
+    start: number;
+    end: number;
 }
-interface UnsignedObservationWitness {
+interface AxisCapsulePayload {
     v: 1;
-    observationId: string;
-    payloadHash: string;
-    sealedAt: number;
-    summary: ObservationWitnessSummary;
-}
-declare function canonicalizeObservation(obs: AxisObservation): string;
-declare function hashObservation(obs: AxisObservation): string;
-declare function buildUnsignedWitness(obs: AxisObservation): UnsignedObservationWitness | null;
-
-interface ResponseObserverContext {
+    capsuleId: string;
     actorId: string;
+    issuer: string;
+    audience: string;
+    subject?: string;
     intent: string;
+    scopes: string[];
+    actions?: string[];
+    iat: number;
+    nbf?: number;
+    exp: number;
+    tickWindow?: TickWindow;
+    mode: CapsuleMode;
+    maxUses: number;
+    nonceSeed?: string;
+    policyRefs?: string[];
+    riskScore?: number;
+    constraints?: AxisCapsuleConstraints;
+    meta?: Record<string, unknown>;
 }
-interface ResponseContract {
-    ok: boolean;
-    effect: string;
-    body?: Uint8Array;
-    headers?: Map<number, Uint8Array>;
+interface AxisCapsule {
+    payload: AxisCapsulePayload;
+    sig: AxisSig$1;
 }
-interface ObserverVerdict {
-    passed: boolean;
-    code?: string;
-    reason?: string;
+interface CapsuleIssueBody {
+    intent: string;
+    audience: string;
+    scopes: string[];
+    subject?: string;
+    mode: CapsuleMode;
+    maxUses?: number;
+    expSeconds?: number;
+    constraints?: AxisCapsuleConstraints;
+    hints?: {
+        ip?: string;
+        ua?: string;
+        deviceId?: string;
+        geo?: string;
+    };
 }
-declare function verifyResponse(ctx: ResponseObserverContext, response: ResponseContract): ObserverVerdict;
-
-declare const ATS1_HDR: {
-    readonly INTENT_ID: 1;
-    readonly ACTOR_KEY_ID: 2;
-    readonly CAPSULE_ID: 3;
-    readonly NONCE: 4;
-    readonly TS_MS: 5;
-    readonly SCHEMA_ID: 6;
-    readonly BODY_HASH: 7;
-    readonly TRACE_ID: 8;
-};
+interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
+    count: number;
+    mode: 'SINGLE_USE';
+}
+interface IntentExecBody {
+    intent: string;
+    capsule: AxisCapsule;
+    execNonce?: string;
+    args: Record<string, any>;
+}
+interface CapsuleRevokeBody {
+    capsuleId: string;
+    reason: string;
+}
+interface AxisResponse$1<T = any> {
+    ok: boolean;
+    pid: string;
+    decisionId: string;
+    code: string;
+    message?: string;
+    data?: T;
+    meta?: Record<string, unknown>;
+}
+interface CapsuleIssueResult {
+    capsule: AxisCapsule;
+}
+interface CapsuleBatchResult {
+    capsules: AxisCapsule[];
+}
+interface ActorKeyRecord {
+    id: Buffer;
+    actor_id: string;
+    key_id: string;
+    algorithm: string;
+    public_key: Buffer;
+    purpose: string;
+    status: KeyStatus;
+    is_primary: boolean;
+    not_before: Date | null;
+    expires_at: Date | null;
+    rotated_from_key_id: string | null;
+    revoked_at: Date | null;
+    revocation_reason: string | null;
+    metadata: any;
+    created_at: Date;
+    updated_at: Date;
+}
+interface IssuerKeyRecord {
+    id: Buffer;
+    kid: string;
+    issuer_id: string;
+    alg: string;
+    public_key_pem: string;
+    status: KeyStatus;
+    not_before: Date | null;
+    not_after: Date | null;
+    fingerprint: string | null;
+    metadata: any;
+    created_at: Date;
+    updated_at: Date;
+}
+interface CapsuleRecord {
+    id: Buffer;
+    capsule_id: string;
+    actor_id: string;
+    intent: string;
+    audience: string;
+    issuer: string;
+    subject: string | null;
+    status: CapsuleStatus;
+    mode: CapsuleMode;
+    max_uses: number;
+    used_count: number;
+    iat: Date;
+    nbf: Date | null;
+    exp: Date;
+    scopes_json: any;
+    constraints_json: any;
+    policy_refs_json: any;
+    risk_score: number | null;
+    payload_hash: Buffer;
+    sig_alg: string;
+    sig_kid: string;
+    sig_value: Buffer;
+    created_at: Date;
+    updated_at: Date;
+    last_used_at: Date | null;
+}
+
+type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
+type AxisSig = AxisSig$1 & {
+    alg: AxisAlg;
+};
+interface AxisFrame$1<T = any> {
+    v: 1;
+    pid: string;
+    nonce: string;
+    ts: number;
+    actorId: string;
+    aud?: string;
+    opcode: string;
+    headers: Map<number, Uint8Array>;
+    body: T;
+    sig: AxisSig;
+}
+type AxisResponse<T = any> = AxisResponse$1<T> & {
+    policyRefs?: string[];
+    riskScore?: number;
+};
+interface AxisObservedContext {
+    ip?: string;
+    ua?: string;
+    geo?: string;
+}
+interface AxisRequestContext {
+    observed: AxisObservedContext;
+    actorKeyKid?: string;
+    issuerKeyKid?: string;
+    decisionId: string;
+    actorId: string;
+    aud?: string;
+    opcode: string;
+    deviceId?: string;
+    sessionId?: string;
+}
+
+interface SensorPhaseMetadata {
+    phase: 'PRE_DECODE' | 'POST_DECODE';
+    dependencies?: string[];
+    asyncOk?: boolean;
+    cryptoOk?: boolean;
+    description?: string;
+}
+interface AxisSensor {
+    readonly name: string;
+    readonly order?: number;
+    phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
+    supports?(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+interface AxisSensorInit extends AxisSensor {
+    onModuleInit?(): void | Promise<void>;
+}
+interface AxisPreSensor extends AxisSensor {
+    phase: 'PRE_DECODE';
+}
+interface AxisPostSensor extends AxisSensor {
+    phase: 'POST_DECODE';
+}
+interface SensorInput {
+    rawBytes?: Buffer | Uint8Array;
+    intent?: string;
+    ip?: string;
+    path?: string;
+    contentLength?: number;
+    peek?: Uint8Array;
+    country?: string;
+    clientId?: string;
+    isWs?: boolean;
+    metadata?: Record<string, any>;
+    actorId?: string;
+    opcode?: string;
+    aud?: string;
+    observed?: AxisObservedContext;
+    frameBody?: any;
+    deviceId?: string;
+    sessionId?: string;
+    packet?: Record<string, any>;
+    [key: string]: any;
+}
+declare enum Decision {
+    ALLOW = "ALLOW",
+    DENY = "DENY",
+    THROTTLE = "THROTTLE",
+    FLAG = "FLAG"
+}
+type SensorDecision = {
+    decision?: Decision;
+    allow: boolean;
+    riskScore: number;
+    reasons: string[];
+    code?: string;
+    retryAfterMs?: number;
+    scoreDelta?: number;
+    tags?: Record<string, any>;
+    meta?: any;
+    tighten?: {
+        expSecondsMax?: number;
+        constraintsPatch?: Record<string, any>;
+    };
+} | {
+    action: 'ALLOW';
+    meta?: any;
+} | {
+    action: 'DENY';
+    code: string;
+    reason?: string;
+    retryAfterMs?: number;
+    meta?: any;
+} | {
+    action: 'THROTTLE';
+    retryAfterMs: number;
+    meta?: any;
+} | {
+    action: 'FLAG';
+    scoreDelta: number;
+    reasons: string[];
+    meta?: any;
+};
+type SensorMinifiedDecision = {
+    allow: boolean;
+    riskScore: number;
+    reasons: string[];
+    tags?: Record<string, any>;
+    meta?: any;
+    tighten?: {
+        expSecondsMax?: number;
+        constraintsPatch?: Record<string, any>;
+    };
+    retryAfterMs?: number;
+};
+declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
+declare const SensorDecisions: {
+    allow(meta?: any, tags?: Record<string, any>): SensorDecision;
+    deny(code: string, reason?: string, meta?: any): SensorDecision;
+    throttle(retryAfterMs: number, meta?: any): SensorDecision;
+    flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
+};
+
+type CceHandler = (payload: Uint8Array, context: CceHandlerContext) => Promise<CceHandlerResult>;
+interface CceHandlerContext {
+    capsule: CceCapsuleClaims;
+    executionContext: CceExecutionContext;
+    envelope: CceRequestEnvelope;
+    clientPublicKeyHex: string;
+    intent: string;
+    sub: string;
+}
+interface CceHandlerResult {
+    status: CceResponseStatus;
+    body: Uint8Array;
+    effect?: string;
+}
+interface CcePipelineConfig {
+    axisLocalSecret: string;
+    axisAudience: string;
+    sensors: AxisSensor[];
+    handlers: Map<string, CceHandler>;
+    witnessStore: CceWitnessStore;
+    clientKeyEncryptor: CceClientKeyEncryptor;
+    axisSigner: CceAxisSigner;
+}
+type CcePipelineResult = {
+    ok: true;
+    response: CceResponseEnvelope;
+    witnessId: string;
+} | {
+    ok: false;
+    error: {
+        code: string;
+        message: string;
+    };
+    status: CceResponseStatus;
+};
+declare function executeCcePipeline(envelope: CceRequestEnvelope, config: CcePipelineConfig): Promise<CcePipelineResult>;
+
+interface IntentSchema$1 {
+    intent: string;
+    version: number;
+    bodyProfile: "TLV_MAP" | "RAW" | "TLV_OBJ" | "TLV_ARR";
+    fields: Array<{
+        name: string;
+        tlv: number;
+        kind: IntentTlvField["kind"];
+        required?: boolean;
+        maxLen?: number;
+        max?: string;
+        scope?: "header" | "body";
+    }>;
+}
+interface AxisEffect {
+    ok: boolean;
+    effect: string;
+    body?: Uint8Array;
+    headers?: Map<number, Uint8Array>;
+    metadata?: any;
+}
+declare class IntentRouter {
+    private readonly moduleRef?;
+    private readonly logger;
+    private static readonly BUILTIN_INTENTS;
+    private handlers;
+    private intentSensors;
+    private intentDecoders;
+    private intentSchemas;
+    private intentValidators;
+    private intentKinds;
+    private cceHandlers;
+    private ccePipelineConfig;
+    constructor(moduleRef?: ModuleRef | undefined);
+    getSchema(intent: string): IntentSchema$1 | undefined;
+    getValidators(intent: string): Map<number, TlvValidatorFn[]> | undefined;
+    has(intent: string): boolean;
+    getRegisteredIntents(): string[];
+    getIntentEntry(intent: string): {
+        schema?: IntentSchema$1;
+        validators?: Map<number, TlvValidatorFn[]>;
+        hasSensors: boolean;
+        builtin: boolean;
+        kind?: IntentKind;
+    } | null;
+    register(intent: string, handler: any): void;
+    registerHandler(instance: any): void;
+    route(frame: AxisFrame$2): Promise<AxisEffect>;
+    private logIntent;
+    registerIntentMeta(intent: string, proto: object, methodName: string, handlerSensors?: Function[]): void;
+    private runIntentSensors;
+    configureCce(config: Omit<CcePipelineConfig, "handlers">): void;
+    registerCceHandler(intent: string, handler: CceHandler): void;
+    hasCceHandler(intent: string): boolean;
+    routeCce(envelope: CceRequestEnvelope): Promise<CcePipelineResult>;
+    private storeSchema;
+}
+
+declare const BAND: {
+    readonly WIRE: 0;
+    readonly IDENTITY: 40;
+    readonly POLICY: 90;
+    readonly CONTENT: 140;
+    readonly BUSINESS: 200;
+    readonly AUDIT: 900;
+};
+type SensorBand = keyof typeof BAND;
+declare const PRE_DECODE_BOUNDARY = 40;
+
+declare function stableJsonStringify(value: unknown): string;
+
+interface ObservationStage {
+    name: string;
+    status: 'ok' | 'fail' | 'skip';
+    startMs: number;
+    endMs?: number;
+    durationMs?: number;
+    reason?: string;
+    code?: string;
+}
+interface ObservationSensor {
+    name: string;
+    allowed: boolean;
+    riskScore: number;
+    durationMs: number;
+    reasons: string[];
+    code?: string;
+}
+interface AxisObservation {
+    id: string;
+    startMs: number;
+    transport: 'http' | 'ws';
+    ip?: string;
+    intent?: string;
+    actorId?: string;
+    capsuleId?: string;
+    stages: ObservationStage[];
+    sensors: ObservationSensor[];
+    decision?: 'ALLOW' | 'DENY';
+    resultCode?: string;
+    statusCode?: number;
+    endMs?: number;
+    durationMs?: number;
+    facts: Record<string, unknown>;
+}
+declare function createObservation(transport: 'http' | 'ws', ip?: string): AxisObservation;
+declare function startStage(obs: AxisObservation, name: string): ObservationStage;
+declare function endStage(stage: ObservationStage, status?: 'ok' | 'fail' | 'skip', reason?: string, code?: string): void;
+declare function recordSensor(obs: AxisObservation, name: string, allowed: boolean, riskScore: number, durationMs: number, reasons: string[], code?: string): void;
+declare function finalizeObservation(obs: AxisObservation, decision: 'ALLOW' | 'DENY', statusCode: number, resultCode?: string): void;
+
+interface ObservationQueueMessage {
+    v: 1;
+    observation: AxisObservation;
+    attempts: number;
+    firstEnqueuedAt: number;
+    lastEnqueuedAt: number;
+    sourceNodeId: string;
+    lastError?: string;
+}
+interface ObservationQueueConfig {
+    enabled: boolean;
+    workerEnabled: boolean;
+    streamKey: string;
+    deadLetterStreamKey: string;
+    groupName: string;
+    consumerName: string;
+    readBlockMs: number;
+    readBatchSize: number;
+    reclaimIdleMs: number;
+    reclaimBatchSize: number;
+    maxRetries: number;
+    maxStreamLength: number;
+    workerConcurrency: number;
+}
+
+interface ObservationStreamEntry {
+    id: string;
+    message: ObservationQueueMessage;
+}
+declare function buildQueueMessage(observation: AxisObservation, sourceNodeId: string, previous?: ObservationQueueMessage, lastError?: string): ObservationQueueMessage;
+declare function encodeQueueMessage(message: ObservationQueueMessage): string;
+declare function decodeQueueMessage(raw: string): ObservationQueueMessage | null;
+declare function parseStreamEntries(raw: any): ObservationStreamEntry[];
+declare function parseAutoClaimEntries(raw: any): ObservationStreamEntry[];
+
+interface ObservationWitnessSummary {
+    intent?: string;
+    actorId?: string;
+    decision?: string;
+    statusCode?: number;
+    durationMs?: number;
+    sensorCount: number;
+    stageCount: number;
+}
+interface UnsignedObservationWitness {
+    v: 1;
+    observationId: string;
+    payloadHash: string;
+    sealedAt: number;
+    summary: ObservationWitnessSummary;
+}
+declare function canonicalizeObservation(obs: AxisObservation): string;
+declare function hashObservation(obs: AxisObservation): string;
+declare function buildUnsignedWitness(obs: AxisObservation): UnsignedObservationWitness | null;
+
+interface ResponseObserverContext {
+    actorId: string;
+    intent: string;
+}
+interface ResponseContract {
+    ok: boolean;
+    effect: string;
+    body?: Uint8Array;
+    headers?: Map<number, Uint8Array>;
+}
+interface ObserverVerdict {
+    passed: boolean;
+    code?: string;
+    reason?: string;
+}
+declare function verifyResponse(ctx: ResponseObserverContext, response: ResponseContract): ObserverVerdict;
+
+declare const ATS1_HDR: {
+    readonly INTENT_ID: 1;
+    readonly ACTOR_KEY_ID: 2;
+    readonly CAPSULE_ID: 3;
+    readonly NONCE: 4;
+    readonly TS_MS: 5;
+    readonly SCHEMA_ID: 6;
+    readonly BODY_HASH: 7;
+    readonly TRACE_ID: 8;
+};
 declare const ATS1_SCHEMA: {
     readonly PASSKEY_LOGIN_OPTIONS_REQ: 2001;
     readonly PASSKEY_LOGIN_OPTIONS_RES: 2002;
@@ -446,289 +1029,125 @@ declare const ats1_tlvsToLogicalBody: typeof tlvsToLogicalBody;
 declare const ats1_tlvsToMap: typeof tlvsToMap;
 declare const ats1_validateTLVsAgainstSchema: typeof validateTLVsAgainstSchema;
 declare namespace ats1 {
-  export { type ats1_Ats1FieldDescriptor as Ats1FieldDescriptor, type ats1_Ats1FieldType as Ats1FieldType, type ats1_Ats1Limits as Ats1Limits, type ats1_Ats1SchemaDescriptor as Ats1SchemaDescriptor, type ats1_AxisHeaderLogical as AxisHeaderLogical, type ats1_AxisLogicalRequest as AxisLogicalRequest, ats1_DEFAULT_LIMITS as DEFAULT_LIMITS, type ats1_DecodedTlv as DecodedTlv, type ats1_DecodedTlvMap as DecodedTlvMap, ats1_HDR_TAGS as HDR_TAGS, ats1_Schema2001_PasskeyLoginOptionsReq as Schema2001_PasskeyLoginOptionsReq, ats1_Schema3100_DeviceContext as Schema3100_DeviceContext, ats1_Schema4001_LoginWithDeviceReq as Schema4001_LoginWithDeviceReq, type ats1_SensorInputLike as SensorInputLike, ats1_decodeAxisHeaderFromTLVs as decodeAxisHeaderFromTLVs, ats1_decodeAxisRequestBinary as decodeAxisRequestBinary, ats1_decodeTLVStream as decodeTLVStream, ats1_decodeU64BE as decodeU64BE, ats1_decodeUVarint as decodeUVarint, ats1_encodeAxisHeaderToTLVs as encodeAxisHeaderToTLVs, ats1_encodeAxisRequestBinary as encodeAxisRequestBinary, ats1_encodeTLV as encodeTLV, ats1_encodeTLVStreamCanonical as encodeTLVStreamCanonical, ats1_encodeU64BE as encodeU64BE, ats1_encodeUVarint as encodeUVarint, ats1_logicalBodyToTLVs as logicalBodyToTLVs, ats1_sha256 as sha256, ats1_tlvsToLogicalBody as tlvsToLogicalBody, ats1_tlvsToMap as tlvsToMap, ats1_validateTLVsAgainstSchema as validateTLVsAgainstSchema };
-}
-
-declare function buildAts1Hdr(params: {
-    intentId: number;
-    schemaId: number;
-    actorKeyId?: Buffer;
-    capsuleId?: Buffer;
-    traceId?: Buffer;
-    tsMs?: bigint;
-    nonce?: Buffer;
-    bodyHash?: Buffer;
-}): Buffer;
-declare function packPasskeyLoginOptionsReq(params: {
-    intentId: number;
-    username: string;
-    actorKeyId?: Buffer;
-    capsuleId?: Buffer;
-    traceId?: Buffer;
-}): {
-    hdr: Buffer<ArrayBufferLike>;
-    body: Buffer<ArrayBufferLike>;
-};
-declare function unpackPasskeyLoginOptionsReq(body: Buffer): {
-    username: string;
-};
-declare const Schema2021_PasskeyRegisterOptionsReq: Ats1SchemaDescriptor;
-declare const Schema2011_PasskeyLoginVerifyReq: Ats1SchemaDescriptor;
-declare function packPasskeyRegisterOptionsReq(params: {
+  export { type ats1_Ats1FieldDescriptor as Ats1FieldDescriptor, type ats1_Ats1FieldType as Ats1FieldType, type ats1_Ats1Limits as Ats1Limits, type ats1_Ats1SchemaDescriptor as Ats1SchemaDescriptor, type ats1_AxisHeaderLogical as AxisHeaderLogical, type ats1_AxisLogicalRequest as AxisLogicalRequest, ats1_DEFAULT_LIMITS as DEFAULT_LIMITS, type ats1_DecodedTlv as DecodedTlv, type ats1_DecodedTlvMap as DecodedTlvMap, ats1_HDR_TAGS as HDR_TAGS, ats1_Schema2001_PasskeyLoginOptionsReq as Schema2001_PasskeyLoginOptionsReq, ats1_Schema3100_DeviceContext as Schema3100_DeviceContext, ats1_Schema4001_LoginWithDeviceReq as Schema4001_LoginWithDeviceReq, type ats1_SensorInputLike as SensorInputLike, ats1_decodeAxisHeaderFromTLVs as decodeAxisHeaderFromTLVs, ats1_decodeAxisRequestBinary as decodeAxisRequestBinary, ats1_decodeTLVStream as decodeTLVStream, ats1_decodeU64BE as decodeU64BE, ats1_decodeUVarint as decodeUVarint, ats1_encodeAxisHeaderToTLVs as encodeAxisHeaderToTLVs, ats1_encodeAxisRequestBinary as encodeAxisRequestBinary, ats1_encodeTLV as encodeTLV, ats1_encodeTLVStreamCanonical as encodeTLVStreamCanonical, ats1_encodeU64BE as encodeU64BE, ats1_encodeUVarint as encodeUVarint, ats1_logicalBodyToTLVs as logicalBodyToTLVs, ats1_sha256 as sha256, ats1_tlvsToLogicalBody as tlvsToLogicalBody, ats1_tlvsToMap as tlvsToMap, ats1_validateTLVsAgainstSchema as validateTLVsAgainstSchema };
+}
+
+declare function buildAts1Hdr(params: {
     intentId: number;
-    username: string;
+    schemaId: number;
     actorKeyId?: Buffer;
+    capsuleId?: Buffer;
     traceId?: Buffer;
-}): {
-    hdr: Buffer<ArrayBufferLike>;
-    body: Buffer<ArrayBufferLike>;
-};
-declare function unpackPasskeyRegisterOptionsReq(body: Buffer): {
-    username: string;
-};
-declare function packPasskeyLoginVerifyReq(params: {
+    tsMs?: bigint;
+    nonce?: Buffer;
+    bodyHash?: Buffer;
+}): Buffer;
+declare function packPasskeyLoginOptionsReq(params: {
     intentId: number;
     username: string;
-    credentialId: Buffer;
-    clientDataJSON: Buffer;
-    authenticatorData: Buffer;
-    signature: Buffer;
-    userHandle?: Buffer;
     actorKeyId?: Buffer;
+    capsuleId?: Buffer;
     traceId?: Buffer;
 }): {
     hdr: Buffer<ArrayBufferLike>;
     body: Buffer<ArrayBufferLike>;
-};
-declare function unpackPasskeyLoginVerifyReq(body: Buffer): {
-    username: string;
-    credentialId: Buffer;
-    clientDataJSON: Buffer;
-    authenticatorData: Buffer;
-    signature: Buffer;
-    userHandle: Buffer | undefined;
-};
-declare const Schema2002_PasskeyLoginOptionsRes: Ats1SchemaDescriptor;
-declare function packPasskeyLoginOptionsRes(params: {
-    challenge: string;
-    timeout?: number;
-    rpId?: string;
-    userVerification?: string;
-    allowCredentials?: {
-        id: string;
-        type: string;
-        transports?: string[];
-    }[];
-}): Buffer;
-declare const Schema2012_PasskeyLoginVerifyRes: Ats1SchemaDescriptor;
-declare function packPasskeyLoginVerifyRes(params: {
-    actorId: string;
-    keyId: string;
-    capsule: Buffer;
-    expiresAt: bigint;
-}): Buffer;
-
-type Axis1FrameToEncode = {
-    ver: number;
-    flags: number;
-    hdr: Buffer;
-    body: Buffer;
-    sig: Buffer;
-};
-declare function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer;
-
-declare function axis1SigningBytes(params: {
-    ver: number;
-    flags: number;
-    hdr: Buffer;
-    body: Buffer;
-}): Buffer;
-
-declare function encVarint(x: bigint): Buffer;
-declare function varintU(x: number | bigint): Buffer;
-declare function u64be(x: bigint): Buffer;
-declare function utf8(s: string): Buffer;
-declare function bytes(b: Uint8Array | Buffer): Buffer;
-declare function nonce16(): Buffer;
-declare function tlv(type: number, value: Buffer): Buffer;
-declare function buildTLVs(items: {
-    type: number;
-    value: Buffer;
-}[], opts?: {
-    allowDupTypes?: Set<number>;
-}): Buffer;
-
-declare function b64urlEncode(buf: Buffer): string;
-declare function b64urlDecode(str: string): Buffer;
-declare function b64urlEncodeString(str: string, encoding?: BufferEncoding): string;
-declare function b64urlDecodeString(str: string, encoding?: BufferEncoding): string;
-
-declare function canonicalJson(value: any): string;
-declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
-
-type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
-type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
-type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
-type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
-interface AxisSig$1 {
-    alg: AxisAlg$1;
-    kid: string;
-    value: string;
-}
-interface AxisPacket$1<T = any> {
-    v: 1;
-    pid: string;
-    nonce: string;
-    ts: number;
-    actorId: string;
-    opcode: string;
-    body: T;
-    sig: AxisSig$1;
-}
-interface AxisCapsuleConstraints {
-    maxAmount?: number;
-    maxCount?: number;
-    ttlSeconds?: number;
-    ipCidrAllow?: string[];
-    countryAllow?: string[];
-    deviceIdAllow?: string[];
-    sessionIdLock?: string;
-    nonceRequired?: boolean;
-}
-interface TickWindow {
-    start: number;
-    end: number;
-}
-interface AxisCapsulePayload {
-    v: 1;
-    capsuleId: string;
-    actorId: string;
-    issuer: string;
-    audience: string;
-    subject?: string;
-    intent: string;
-    scopes: string[];
-    actions?: string[];
-    iat: number;
-    nbf?: number;
-    exp: number;
-    tickWindow?: TickWindow;
-    mode: CapsuleMode;
-    maxUses: number;
-    nonceSeed?: string;
-    policyRefs?: string[];
-    riskScore?: number;
-    constraints?: AxisCapsuleConstraints;
-    meta?: Record<string, unknown>;
-}
-interface AxisCapsule {
-    payload: AxisCapsulePayload;
-    sig: AxisSig$1;
-}
-interface CapsuleIssueBody {
-    intent: string;
-    audience: string;
-    scopes: string[];
-    subject?: string;
-    mode: CapsuleMode;
-    maxUses?: number;
-    expSeconds?: number;
-    constraints?: AxisCapsuleConstraints;
-    hints?: {
-        ip?: string;
-        ua?: string;
-        deviceId?: string;
-        geo?: string;
-    };
-}
-interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
-    count: number;
-    mode: 'SINGLE_USE';
-}
-interface IntentExecBody {
-    intent: string;
-    capsule: AxisCapsule;
-    execNonce?: string;
-    args: Record<string, any>;
-}
-interface CapsuleRevokeBody {
-    capsuleId: string;
-    reason: string;
-}
-interface AxisResponse$1<T = any> {
-    ok: boolean;
-    pid: string;
-    decisionId: string;
-    code: string;
-    message?: string;
-    data?: T;
-    meta?: Record<string, unknown>;
-}
-interface CapsuleIssueResult {
-    capsule: AxisCapsule;
-}
-interface CapsuleBatchResult {
-    capsules: AxisCapsule[];
-}
-interface ActorKeyRecord {
-    id: Buffer;
-    actor_id: string;
-    key_id: string;
-    algorithm: string;
-    public_key: Buffer;
-    purpose: string;
-    status: KeyStatus;
-    is_primary: boolean;
-    not_before: Date | null;
-    expires_at: Date | null;
-    rotated_from_key_id: string | null;
-    revoked_at: Date | null;
-    revocation_reason: string | null;
-    metadata: any;
-    created_at: Date;
-    updated_at: Date;
-}
-interface IssuerKeyRecord {
-    id: Buffer;
-    kid: string;
-    issuer_id: string;
-    alg: string;
-    public_key_pem: string;
-    status: KeyStatus;
-    not_before: Date | null;
-    not_after: Date | null;
-    fingerprint: string | null;
-    metadata: any;
-    created_at: Date;
-    updated_at: Date;
-}
-interface CapsuleRecord {
-    id: Buffer;
-    capsule_id: string;
-    actor_id: string;
-    intent: string;
-    audience: string;
-    issuer: string;
-    subject: string | null;
-    status: CapsuleStatus;
-    mode: CapsuleMode;
-    max_uses: number;
-    used_count: number;
-    iat: Date;
-    nbf: Date | null;
-    exp: Date;
-    scopes_json: any;
-    constraints_json: any;
-    policy_refs_json: any;
-    risk_score: number | null;
-    payload_hash: Buffer;
-    sig_alg: string;
-    sig_kid: string;
-    sig_value: Buffer;
-    created_at: Date;
-    updated_at: Date;
-    last_used_at: Date | null;
-}
+};
+declare function unpackPasskeyLoginOptionsReq(body: Buffer): {
+    username: string;
+};
+declare const Schema2021_PasskeyRegisterOptionsReq: Ats1SchemaDescriptor;
+declare const Schema2011_PasskeyLoginVerifyReq: Ats1SchemaDescriptor;
+declare function packPasskeyRegisterOptionsReq(params: {
+    intentId: number;
+    username: string;
+    actorKeyId?: Buffer;
+    traceId?: Buffer;
+}): {
+    hdr: Buffer<ArrayBufferLike>;
+    body: Buffer<ArrayBufferLike>;
+};
+declare function unpackPasskeyRegisterOptionsReq(body: Buffer): {
+    username: string;
+};
+declare function packPasskeyLoginVerifyReq(params: {
+    intentId: number;
+    username: string;
+    credentialId: Buffer;
+    clientDataJSON: Buffer;
+    authenticatorData: Buffer;
+    signature: Buffer;
+    userHandle?: Buffer;
+    actorKeyId?: Buffer;
+    traceId?: Buffer;
+}): {
+    hdr: Buffer<ArrayBufferLike>;
+    body: Buffer<ArrayBufferLike>;
+};
+declare function unpackPasskeyLoginVerifyReq(body: Buffer): {
+    username: string;
+    credentialId: Buffer;
+    clientDataJSON: Buffer;
+    authenticatorData: Buffer;
+    signature: Buffer;
+    userHandle: Buffer | undefined;
+};
+declare const Schema2002_PasskeyLoginOptionsRes: Ats1SchemaDescriptor;
+declare function packPasskeyLoginOptionsRes(params: {
+    challenge: string;
+    timeout?: number;
+    rpId?: string;
+    userVerification?: string;
+    allowCredentials?: {
+        id: string;
+        type: string;
+        transports?: string[];
+    }[];
+}): Buffer;
+declare const Schema2012_PasskeyLoginVerifyRes: Ats1SchemaDescriptor;
+declare function packPasskeyLoginVerifyRes(params: {
+    actorId: string;
+    keyId: string;
+    capsule: Buffer;
+    expiresAt: bigint;
+}): Buffer;
+
+type Axis1FrameToEncode = {
+    ver: number;
+    flags: number;
+    hdr: Buffer;
+    body: Buffer;
+    sig: Buffer;
+};
+declare function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer;
+
+declare function axis1SigningBytes(params: {
+    ver: number;
+    flags: number;
+    hdr: Buffer;
+    body: Buffer;
+}): Buffer;
+
+declare function encVarint(x: bigint): Buffer;
+declare function varintU(x: number | bigint): Buffer;
+declare function u64be(x: bigint): Buffer;
+declare function utf8(s: string): Buffer;
+declare function bytes(b: Uint8Array | Buffer): Buffer;
+declare function nonce16(): Buffer;
+declare function tlv(type: number, value: Buffer): Buffer;
+declare function buildTLVs(items: {
+    type: number;
+    value: Buffer;
+}[], opts?: {
+    allowDupTypes?: Set<number>;
+}): Buffer;
+
+declare function b64urlEncode(buf: Buffer): string;
+declare function b64urlDecode(str: string): Buffer;
+declare function b64urlEncodeString(str: string, encoding?: BufferEncoding): string;
+declare function b64urlDecodeString(str: string, encoding?: BufferEncoding): string;
+
+declare function canonicalJson(value: any): string;
+declare function canonicalJsonExcluding(obj: Record<string, any>, exclude: string[]): string;
 
 declare class ContractViolationError extends Error {
     code: string;
@@ -765,185 +1184,45 @@ interface ExecutionContract {
     maxMemoryMb?: number;
 }
 declare const DEFAULT_CONTRACTS: Record<string, ExecutionContract>;
-declare const FALLBACK_CONTRACT: ExecutionContract;
-
-type Axis1DecodedFrame = {
-    ver: number;
-    flags: number;
-    hdr: Buffer;
-    body: Buffer;
-    sig: Buffer;
-    frameSize: number;
-};
-declare function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame;
-
-declare const T: {
-    INTENT: number;
-    PID: number;
-    INTENT_VERSION: number;
-    ACTOR_ID: number;
-    CAPSULE_ID: number;
-    NONCE: number;
-    TS_MS: number;
-    PROOF_TYPE: number;
-    BODY: number;
-    JSON: number;
-};
-type AxisPacket = {
-    intent: string;
-    intentVersion: number;
-    actorId: string;
-    capsuleId?: Buffer;
-    pid: Buffer;
-    nonce: Buffer;
-    tsMs: bigint;
-    headersMap: Map<number, Buffer[]>;
-    bodyMap: Map<number, Buffer[]>;
-    hdrBytes: Buffer;
-    bodyBytes: Buffer;
-    sig: Buffer;
-};
-declare function buildPacket(hdr: Buffer, body: Buffer, sig: Buffer, flags?: number): AxisPacket;
-
-type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
-type AxisSig = AxisSig$1 & {
-    alg: AxisAlg;
-};
-interface AxisFrame$1<T = any> {
-    v: 1;
-    pid: string;
-    nonce: string;
-    ts: number;
-    actorId: string;
-    aud?: string;
-    opcode: string;
-    headers: Map<number, Uint8Array>;
-    body: T;
-    sig: AxisSig;
-}
-type AxisResponse<T = any> = AxisResponse$1<T> & {
-    policyRefs?: string[];
-    riskScore?: number;
-};
-interface AxisObservedContext {
-    ip?: string;
-    ua?: string;
-    geo?: string;
-}
-interface AxisRequestContext {
-    observed: AxisObservedContext;
-    actorKeyKid?: string;
-    issuerKeyKid?: string;
-    decisionId: string;
-    actorId: string;
-    aud?: string;
-    opcode: string;
-    deviceId?: string;
-    sessionId?: string;
-}
-
-interface SensorPhaseMetadata {
-    phase: 'PRE_DECODE' | 'POST_DECODE';
-    dependencies?: string[];
-    asyncOk?: boolean;
-    cryptoOk?: boolean;
-    description?: string;
-}
-interface AxisSensor {
-    readonly name: string;
-    readonly order?: number;
-    phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
-    supports?(input: SensorInput): boolean;
-    run(input: SensorInput): Promise<SensorDecision>;
-}
-interface AxisSensorInit extends AxisSensor {
-    onModuleInit?(): void | Promise<void>;
-}
-interface AxisPreSensor extends AxisSensor {
-    phase: 'PRE_DECODE';
-}
-interface AxisPostSensor extends AxisSensor {
-    phase: 'POST_DECODE';
-}
-interface SensorInput {
-    rawBytes?: Buffer | Uint8Array;
-    intent?: string;
-    ip?: string;
-    path?: string;
-    contentLength?: number;
-    peek?: Uint8Array;
-    country?: string;
-    clientId?: string;
-    isWs?: boolean;
-    metadata?: Record<string, any>;
-    actorId?: string;
-    opcode?: string;
-    aud?: string;
-    observed?: AxisObservedContext;
-    frameBody?: any;
-    deviceId?: string;
-    sessionId?: string;
-    packet?: Record<string, any>;
-    [key: string]: any;
-}
-declare enum Decision {
-    ALLOW = "ALLOW",
-    DENY = "DENY",
-    THROTTLE = "THROTTLE",
-    FLAG = "FLAG"
-}
-type SensorDecision = {
-    decision?: Decision;
-    allow: boolean;
-    riskScore: number;
-    reasons: string[];
-    code?: string;
-    retryAfterMs?: number;
-    scoreDelta?: number;
-    tags?: Record<string, any>;
-    meta?: any;
-    tighten?: {
-        expSecondsMax?: number;
-        constraintsPatch?: Record<string, any>;
-    };
-} | {
-    action: 'ALLOW';
-    meta?: any;
-} | {
-    action: 'DENY';
-    code: string;
-    reason?: string;
-    retryAfterMs?: number;
-    meta?: any;
-} | {
-    action: 'THROTTLE';
-    retryAfterMs: number;
-    meta?: any;
-} | {
-    action: 'FLAG';
-    scoreDelta: number;
-    reasons: string[];
-    meta?: any;
+declare const FALLBACK_CONTRACT: ExecutionContract;
+
+type Axis1DecodedFrame = {
+    ver: number;
+    flags: number;
+    hdr: Buffer;
+    body: Buffer;
+    sig: Buffer;
+    frameSize: number;
 };
-type SensorMinifiedDecision = {
-    allow: boolean;
-    riskScore: number;
-    reasons: string[];
-    tags?: Record<string, any>;
-    meta?: any;
-    tighten?: {
-        expSecondsMax?: number;
-        constraintsPatch?: Record<string, any>;
-    };
-    retryAfterMs?: number;
+declare function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame;
+
+declare const T: {
+    INTENT: number;
+    PID: number;
+    INTENT_VERSION: number;
+    ACTOR_ID: number;
+    CAPSULE_ID: number;
+    NONCE: number;
+    TS_MS: number;
+    PROOF_TYPE: number;
+    BODY: number;
+    JSON: number;
 };
-declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
-declare const SensorDecisions: {
-    allow(meta?: any, tags?: Record<string, any>): SensorDecision;
-    deny(code: string, reason?: string, meta?: any): SensorDecision;
-    throttle(retryAfterMs: number, meta?: any): SensorDecision;
-    flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
+type AxisPacket = {
+    intent: string;
+    intentVersion: number;
+    actorId: string;
+    capsuleId?: Buffer;
+    pid: Buffer;
+    nonce: Buffer;
+    tsMs: bigint;
+    headersMap: Map<number, Buffer[]>;
+    bodyMap: Map<number, Buffer[]>;
+    hdrBytes: Buffer;
+    bodyBytes: Buffer;
+    sig: Buffer;
 };
+declare function buildPacket(hdr: Buffer, body: Buffer, sig: Buffer, flags?: number): AxisPacket;
 
 interface AxisHandler {
     readonly name: string;
@@ -1623,84 +1902,451 @@ declare enum ProofType$1 {
     DEVICE_SE = 4,
     WITNESS_SIG = 5
 }
-declare const AxisContextZ: z.ZodObject<{
-    pid: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
-    ts: z.ZodBigInt;
-    intent: z.ZodString;
-    actorId: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
-    proofType: z.ZodEnum<typeof ProofType$1>;
-    proofRef: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
-    nonce: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
-    ip: z.ZodString;
-    nodeCertHash: z.ZodOptional<z.ZodString>;
-    capsule: z.ZodOptional<z.ZodObject<{
-        id: z.ZodString;
-        claims: z.ZodObject<{
-            capsuleId: z.ZodString;
-            allowIntents: z.ZodArray<z.ZodString>;
-            limits: z.ZodOptional<z.ZodObject<{
-                maxBodyBytes: z.ZodOptional<z.ZodNumber>;
-            }, z.core.$strip>>;
-            scopes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
-        }, z.core.$strip>;
-        issuedAt: z.ZodNumber;
-        expiresAt: z.ZodNumber;
-        tier: z.ZodEnum<{
-            FREE: "FREE";
-            STANDARD: "STANDARD";
-            PREMIUM: "PREMIUM";
-        }>;
-    }, z.core.$strip>>;
-    passport: z.ZodOptional<z.ZodObject<{
-        id: z.ZodString;
-        public_key: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
-        status: z.ZodEnum<{
-            ACTIVE: "ACTIVE";
-            REVOKED: "REVOKED";
-            EXPIRED: "EXPIRED";
-            PENDING: "PENDING";
-        }>;
-        issuedAt: z.ZodNumber;
-        expiresAt: z.ZodOptional<z.ZodNumber>;
-    }, z.core.$strip>>;
-    meter: z.ZodOptional<z.ZodAny>;
-}, z.core.$strip>;
-type AxisContext = z.infer<typeof AxisContextZ>;
-declare const AxisErrorZ: z.ZodObject<{
-    code: z.ZodString;
-    message: z.ZodString;
-    httpStatus: z.ZodNumber;
-}, z.core.$strip>;
-type AxisError = z.infer<typeof AxisErrorZ>;
+declare const AxisContextZ: z.ZodObject<{
+    pid: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
+    ts: z.ZodBigInt;
+    intent: z.ZodString;
+    actorId: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
+    proofType: z.ZodEnum<typeof ProofType$1>;
+    proofRef: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
+    nonce: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
+    ip: z.ZodString;
+    nodeCertHash: z.ZodOptional<z.ZodString>;
+    capsule: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        claims: z.ZodObject<{
+            capsuleId: z.ZodString;
+            allowIntents: z.ZodArray<z.ZodString>;
+            limits: z.ZodOptional<z.ZodObject<{
+                maxBodyBytes: z.ZodOptional<z.ZodNumber>;
+            }, z.core.$strip>>;
+            scopes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+        }, z.core.$strip>;
+        issuedAt: z.ZodNumber;
+        expiresAt: z.ZodNumber;
+        tier: z.ZodEnum<{
+            FREE: "FREE";
+            STANDARD: "STANDARD";
+            PREMIUM: "PREMIUM";
+        }>;
+    }, z.core.$strip>>;
+    passport: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        public_key: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
+        status: z.ZodEnum<{
+            ACTIVE: "ACTIVE";
+            REVOKED: "REVOKED";
+            EXPIRED: "EXPIRED";
+            PENDING: "PENDING";
+        }>;
+        issuedAt: z.ZodNumber;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
+    meter: z.ZodOptional<z.ZodAny>;
+}, z.core.$strip>;
+type AxisContext = z.infer<typeof AxisContextZ>;
+declare const AxisErrorZ: z.ZodObject<{
+    code: z.ZodString;
+    message: z.ZodString;
+    httpStatus: z.ZodNumber;
+}, z.core.$strip>;
+type AxisError = z.infer<typeof AxisErrorZ>;
+
+interface AxisDecoded {
+    frame: Axis1DecodedFrame;
+    packet: AxisPacket;
+    axisCtx: AxisContext;
+    correlationId: Buffer;
+    correlationIdHex: string;
+    sensorInput: SensorInput;
+    extra: {
+        ip?: string;
+        demoPubkeyHex?: string;
+    };
+    observation: AxisObservation;
+}
+
+interface ChainResult {
+    allowed: boolean;
+    scoreDelta: number;
+    statusCode: number;
+    body?: string | Buffer | Uint8Array;
+    headers?: Map<number, Uint8Array>;
+}
+declare class AxisSensorChainService {
+    private readonly registry;
+    constructor(registry: SensorRegistry);
+    evaluate(input: SensorInput, phase?: 'PRE_DECODE' | 'POST_DECODE' | 'BOTH', baseDecision?: SensorDecision): Promise<SensorDecision>;
+    evaluatePre(input: SensorInput): Promise<SensorDecision>;
+    evaluatePost(input: SensorInput, baseDecision?: SensorDecision): Promise<SensorDecision>;
+    private evaluateSensors;
+}
+
+type AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;
+declare function encodeAxisTlvDto<T extends object>(dtoClass: AxisTlvDtoCtor<T>, data: Partial<Record<keyof T, unknown>>): Uint8Array;
+
+interface PresenceDeclaration {
+    softid: string;
+    device_meta?: {
+        fingerprint?: string;
+        platform?: string;
+        user_agent?: string;
+    };
+}
+interface PresenceChallenge {
+    challenge_id: string;
+    nonce: string;
+    temporal_anchor: number;
+    ttl_ms: number;
+    expires_at: number;
+}
+interface PresenceProof {
+    challenge_id: string;
+    signature: string;
+    public_key: string;
+    kid?: string;
+}
+interface PresenceReceipt {
+    presence_id: string;
+    softid: string;
+    anchor_reflection: string;
+    scope: {
+        ip?: string;
+        device_fingerprint?: string;
+    };
+    issued_at: number;
+    expires_at: number;
+    renewed_at?: number;
+}
+type PresenceStatus = 'active' | 'expired' | 'revoked';
+interface WritHead {
+    tid: string;
+    seq: number;
+}
+interface WritBody {
+    who: string;
+    act: string;
+    res: string;
+    law: string;
+}
+interface WritMeta {
+    iat: number;
+    exp: number;
+    prev: string;
+}
+interface WritSignature {
+    alg: 'ed25519';
+    value: string;
+    kid?: string;
+}
+interface Writ {
+    head: WritHead;
+    body: WritBody;
+    meta: WritMeta;
+    sig: WritSignature;
+}
+type GrantType = 'sovereign' | 'delegated' | 'system';
+interface GrantCapability {
+    oec: string;
+    scope: string;
+    limit?: {
+        rate?: string;
+        amount?: number;
+        depth?: string;
+    };
+}
+interface GrantMeta {
+    iat: number;
+    exp: number;
+    revocable: boolean;
+    version: number;
+    contract_ref?: string;
+}
+interface Grant {
+    grant_id: string;
+    issuer: string;
+    subject: string;
+    grant_type: GrantType;
+    caps: GrantCapability[];
+    meta: GrantMeta;
+    sig: WritSignature;
+}
+type GrantStatus = 'active' | 'revoked' | 'expired';
+interface LoomReceipt {
+    receipt_id: string;
+    writ_hash: string;
+    thread_id: string;
+    sequence: number;
+    effect: string;
+    hash: string;
+    prev_hash: string | null;
+    executed_at: number;
+    metadata?: Record<string, unknown>;
+}
+interface ThreadState {
+    thread_id: string;
+    softid: string;
+    last_receipt_hash: string;
+    sequence: number;
+    updated_at: number;
+}
+type RevocationTargetType = 'grant' | 'presence' | 'softid';
+interface Revocation {
+    revocation_id: string;
+    target_type: RevocationTargetType;
+    target_id: string;
+    issuer_softid: string;
+    reason?: string;
+    effective_at: number;
+    sig_value: string;
+}
+interface LoomValidationResult {
+    valid: boolean;
+    error?: string;
+    code?: string;
+}
+interface PresenceVerifyResult extends LoomValidationResult {
+    presence?: PresenceReceipt;
+}
+interface WritValidationResult extends LoomValidationResult {
+    writ?: Writ;
+    gate_failed?: 'temporal' | 'causal' | 'legal' | 'authentic';
+}
+interface GrantValidationResult extends LoomValidationResult {
+    grant?: Grant;
+}
 
-interface AxisDecoded {
-    frame: Axis1DecodedFrame;
-    packet: AxisPacket;
-    axisCtx: AxisContext;
-    correlationId: Buffer;
-    correlationIdHex: string;
-    sensorInput: SensorInput;
-    extra: {
-        ip?: string;
-        demoPubkeyHex?: string;
-    };
-    observation: AxisObservation;
+declare function deriveAnchorReflection(softid: string, context?: string, scope?: string): string;
+declare function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string;
+declare function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string;
+
+interface CceDerivationInput {
+    axisLocalSecret: string;
+    capsule: CceCapsuleClaims;
+    requestNonce: string;
+    responseNonce?: string;
+}
+declare function deriveRequestExecutionKey(input: CceDerivationInput): Uint8Array;
+declare function deriveResponseExecutionKey(input: CceDerivationInput & {
+    responseNonce: string;
+}): Uint8Array;
+declare function deriveWitnessKey(input: CceDerivationInput): Uint8Array;
+declare function buildExecutionContext(input: CceDerivationInput, requestId: string): CceExecutionContext;
+declare function generateCceNonce(): string;
+
+interface CceAxisKeyProvider {
+    unwrapKey(encryptedKeyB64: string, algorithm: string, axisKid: string, ephemeralPkB64?: string): Promise<Uint8Array | null>;
+}
+interface CceAesGcmProvider {
+    decrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array | null>;
+}
+declare class CcePayloadDecryptionSensor implements AxisSensor {
+    private readonly keyProvider;
+    private readonly aesProvider;
+    private readonly maxPayloadBytes;
+    readonly name = "cce.payload.decryption";
+    readonly order = 145;
+    readonly phase: "POST_DECODE";
+    constructor(keyProvider: CceAxisKeyProvider, aesProvider: CceAesGcmProvider, maxPayloadBytes?: number);
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
 }
 
-interface ChainResult {
-    allowed: boolean;
-    scoreDelta: number;
-    statusCode: number;
-    body?: string | Buffer | Uint8Array;
-    headers?: Map<number, Uint8Array>;
+declare function aesGcmEncrypt(key: Uint8Array, plaintext: Uint8Array, aad?: Uint8Array): {
+    iv: Uint8Array;
+    ciphertext: Uint8Array;
+    tag: Uint8Array;
+};
+declare function aesGcmDecrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Uint8Array | null;
+declare function generateAesKey(): Uint8Array;
+declare function generateIv(): Uint8Array;
+declare function base64UrlEncode(bytes: Uint8Array): string;
+declare function base64UrlDecode(input: string): Uint8Array;
+declare function hashPayload(payload: Uint8Array): string;
+
+declare const nodeAesGcmProvider: CceAesGcmProvider;
+
+declare class CceEnvelopeValidationSensor implements AxisSensor {
+    readonly name = "cce.envelope.validation";
+    readonly order = 5;
+    readonly phase: "PRE_DECODE";
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
 }
-declare class AxisSensorChainService {
-    private readonly registry;
-    constructor(registry: SensorRegistry);
-    evaluate(input: SensorInput, phase?: 'PRE_DECODE' | 'POST_DECODE' | 'BOTH', baseDecision?: SensorDecision): Promise<SensorDecision>;
-    evaluatePre(input: SensorInput): Promise<SensorDecision>;
-    evaluatePost(input: SensorInput, baseDecision?: SensorDecision): Promise<SensorDecision>;
-    private evaluateSensors;
+
+interface CceClientKeyResolver {
+    resolve(kid: string): Promise<{
+        publicKeyHex: string;
+        alg: string;
+    } | null>;
+}
+interface CceSignatureVerifier {
+    verify(message: Uint8Array, signatureHex: string, publicKeyHex: string, alg: string): Promise<boolean>;
+}
+declare class CceClientSignatureSensor implements AxisSensor {
+    private readonly keyResolver;
+    private readonly signatureVerifier;
+    readonly name = "cce.client.signature";
+    readonly order = 45;
+    readonly phase: "POST_DECODE";
+    constructor(keyResolver: CceClientKeyResolver, signatureVerifier: CceSignatureVerifier);
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+
+interface CceIssuerKeyResolver {
+    resolve(kid: string): Promise<{
+        publicKeyHex: string;
+    } | null>;
+}
+interface CceCapsuleSignatureVerifier {
+    verify(claims: Omit<CceCapsuleClaims, "issuer_sig">, signature: {
+        alg: string;
+        kid: string;
+        value: string;
+    }, publicKeyHex: string): Promise<boolean>;
+}
+declare class CceCapsuleVerificationSensor implements AxisSensor {
+    private readonly issuerKeyResolver;
+    private readonly capsuleVerifier;
+    readonly name = "cce.capsule.verification";
+    readonly order = 50;
+    readonly phase: "POST_DECODE";
+    constructor(issuerKeyResolver: CceIssuerKeyResolver, capsuleVerifier: CceCapsuleSignatureVerifier);
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+
+declare class CceTpsWindowSensor implements AxisSensor {
+    private readonly skewMs;
+    readonly name = "cce.tps.window";
+    readonly order = 92;
+    readonly phase: "POST_DECODE";
+    constructor(skewMs?: number);
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+
+declare class CceAudienceIntentBindingSensor implements AxisSensor {
+    private readonly axisAudience;
+    readonly name = "cce.audience.intent.binding";
+    readonly order = 95;
+    readonly phase: "POST_DECODE";
+    constructor(axisAudience: string);
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+
+interface CceReplayStore {
+    checkAndMark(key: string, ttlMs: number): Promise<boolean>;
+    isCapsuleConsumed(capsuleId: string): Promise<boolean>;
+    markCapsuleConsumed(capsuleId: string, ttlMs: number): Promise<void>;
+    isCapsuleRevoked(capsuleId: string): Promise<boolean>;
+}
+declare class InMemoryCceReplayStore implements CceReplayStore {
+    private nonces;
+    private consumed;
+    private revoked;
+    checkAndMark(key: string, ttlMs: number): Promise<boolean>;
+    isCapsuleConsumed(capsuleId: string): Promise<boolean>;
+    markCapsuleConsumed(capsuleId: string, _ttlMs: number): Promise<void>;
+    isCapsuleRevoked(capsuleId: string): Promise<boolean>;
+    revoke(capsuleId: string): void;
+    private cleanup;
+}
+declare class CceReplayProtectionSensor implements AxisSensor {
+    private readonly replayStore;
+    readonly name = "cce.replay.protection";
+    readonly order = 98;
+    readonly phase: "POST_DECODE";
+    private readonly nonceTtlMs;
+    constructor(replayStore: CceReplayStore, options?: {
+        nonceTtlMs?: number;
+    });
+    supports(input: SensorInput): boolean;
+    run(input: SensorInput): Promise<SensorDecision>;
+}
+
+declare const index$9_CCE_AES_KEY_BYTES: typeof CCE_AES_KEY_BYTES;
+declare const index$9_CCE_DERIVATION: typeof CCE_DERIVATION;
+declare const index$9_CCE_ERROR: typeof CCE_ERROR;
+declare const index$9_CCE_IV_BYTES: typeof CCE_IV_BYTES;
+declare const index$9_CCE_NONCE_BYTES: typeof CCE_NONCE_BYTES;
+declare const index$9_CCE_PROTOCOL_VERSION: typeof CCE_PROTOCOL_VERSION;
+declare const index$9_CCE_TAG_BYTES: typeof CCE_TAG_BYTES;
+type index$9_CceAesGcmProvider = CceAesGcmProvider;
+type index$9_CceAlgorithm = CceAlgorithm;
+type index$9_CceAlgorithmDescriptor = CceAlgorithmDescriptor;
+type index$9_CceAudienceIntentBindingSensor = CceAudienceIntentBindingSensor;
+declare const index$9_CceAudienceIntentBindingSensor: typeof CceAudienceIntentBindingSensor;
+type index$9_CceAxisKeyProvider = CceAxisKeyProvider;
+type index$9_CceAxisSigner = CceAxisSigner;
+type index$9_CceCapsuleClaims = CceCapsuleClaims;
+type index$9_CceCapsuleSignatureVerifier = CceCapsuleSignatureVerifier;
+type index$9_CceCapsuleVerificationSensor = CceCapsuleVerificationSensor;
+declare const index$9_CceCapsuleVerificationSensor: typeof CceCapsuleVerificationSensor;
+type index$9_CceClientKeyEncryptor = CceClientKeyEncryptor;
+type index$9_CceClientKeyResolver = CceClientKeyResolver;
+type index$9_CceClientSignatureSensor = CceClientSignatureSensor;
+declare const index$9_CceClientSignatureSensor: typeof CceClientSignatureSensor;
+type index$9_CceConstraints = CceConstraints;
+type index$9_CceDerivationInput = CceDerivationInput;
+type index$9_CceEncryptedKey = CceEncryptedKey;
+type index$9_CceEncryptedPayload = CceEncryptedPayload;
+type index$9_CceEnvelopeValidationSensor = CceEnvelopeValidationSensor;
+declare const index$9_CceEnvelopeValidationSensor: typeof CceEnvelopeValidationSensor;
+type index$9_CceError = CceError;
+declare const index$9_CceError: typeof CceError;
+type index$9_CceErrorCode = CceErrorCode;
+type index$9_CceExecutionContext = CceExecutionContext;
+type index$9_CceHandler = CceHandler;
+type index$9_CceHandlerContext = CceHandlerContext;
+type index$9_CceHandlerResult = CceHandlerResult;
+type index$9_CceIssuerKeyResolver = CceIssuerKeyResolver;
+type index$9_CceKdfAlgorithm = CceKdfAlgorithm;
+type index$9_CceKemAlgorithm = CceKemAlgorithm;
+type index$9_CcePayloadDecryptionSensor = CcePayloadDecryptionSensor;
+declare const index$9_CcePayloadDecryptionSensor: typeof CcePayloadDecryptionSensor;
+type index$9_CcePipelineConfig = CcePipelineConfig;
+type index$9_CcePipelineResult = CcePipelineResult;
+type index$9_CceReplayProtectionSensor = CceReplayProtectionSensor;
+declare const index$9_CceReplayProtectionSensor: typeof CceReplayProtectionSensor;
+type index$9_CceReplayStore = CceReplayStore;
+type index$9_CceRequestEnvelope = CceRequestEnvelope;
+type index$9_CceResponseEnvelope = CceResponseEnvelope;
+type index$9_CceResponseOptions = CceResponseOptions;
+type index$9_CceResponseStatus = CceResponseStatus;
+type index$9_CceSignature = CceSignature;
+type index$9_CceSignatureVerifier = CceSignatureVerifier;
+type index$9_CceTpsWindowSensor = CceTpsWindowSensor;
+declare const index$9_CceTpsWindowSensor: typeof CceTpsWindowSensor;
+type index$9_CceVerificationState = CceVerificationState;
+type index$9_CceWitnessRecord = CceWitnessRecord;
+type index$9_CceWitnessStore = CceWitnessStore;
+type index$9_InMemoryCceReplayStore = InMemoryCceReplayStore;
+declare const index$9_InMemoryCceReplayStore: typeof InMemoryCceReplayStore;
+type index$9_InMemoryCceWitnessStore = InMemoryCceWitnessStore;
+declare const index$9_InMemoryCceWitnessStore: typeof InMemoryCceWitnessStore;
+declare const index$9_aesGcmDecrypt: typeof aesGcmDecrypt;
+declare const index$9_aesGcmEncrypt: typeof aesGcmEncrypt;
+declare const index$9_base64UrlDecode: typeof base64UrlDecode;
+declare const index$9_base64UrlEncode: typeof base64UrlEncode;
+declare const index$9_buildCceErrorResponse: typeof buildCceErrorResponse;
+declare const index$9_buildCceResponse: typeof buildCceResponse;
+declare const index$9_buildExecutionContext: typeof buildExecutionContext;
+declare const index$9_buildWitnessRecord: typeof buildWitnessRecord;
+declare const index$9_deriveRequestExecutionKey: typeof deriveRequestExecutionKey;
+declare const index$9_deriveResponseExecutionKey: typeof deriveResponseExecutionKey;
+declare const index$9_deriveWitnessKey: typeof deriveWitnessKey;
+declare const index$9_executeCcePipeline: typeof executeCcePipeline;
+declare const index$9_extractVerificationState: typeof extractVerificationState;
+declare const index$9_generateAesKey: typeof generateAesKey;
+declare const index$9_generateCceNonce: typeof generateCceNonce;
+declare const index$9_generateIv: typeof generateIv;
+declare const index$9_hashPayload: typeof hashPayload;
+declare const index$9_nodeAesGcmProvider: typeof nodeAesGcmProvider;
+declare namespace index$9 {
+  export { index$9_CCE_AES_KEY_BYTES as CCE_AES_KEY_BYTES, index$9_CCE_DERIVATION as CCE_DERIVATION, index$9_CCE_ERROR as CCE_ERROR, index$9_CCE_IV_BYTES as CCE_IV_BYTES, index$9_CCE_NONCE_BYTES as CCE_NONCE_BYTES, index$9_CCE_PROTOCOL_VERSION as CCE_PROTOCOL_VERSION, index$9_CCE_TAG_BYTES as CCE_TAG_BYTES, type index$9_CceAesGcmProvider as CceAesGcmProvider, type index$9_CceAlgorithm as CceAlgorithm, type index$9_CceAlgorithmDescriptor as CceAlgorithmDescriptor, index$9_CceAudienceIntentBindingSensor as CceAudienceIntentBindingSensor, type index$9_CceAxisKeyProvider as CceAxisKeyProvider, type index$9_CceAxisSigner as CceAxisSigner, type index$9_CceCapsuleClaims as CceCapsuleClaims, type index$9_CceCapsuleSignatureVerifier as CceCapsuleSignatureVerifier, index$9_CceCapsuleVerificationSensor as CceCapsuleVerificationSensor, type index$9_CceClientKeyEncryptor as CceClientKeyEncryptor, type index$9_CceClientKeyResolver as CceClientKeyResolver, index$9_CceClientSignatureSensor as CceClientSignatureSensor, type index$9_CceConstraints as CceConstraints, type index$9_CceDerivationInput as CceDerivationInput, type index$9_CceEncryptedKey as CceEncryptedKey, type index$9_CceEncryptedPayload as CceEncryptedPayload, index$9_CceEnvelopeValidationSensor as CceEnvelopeValidationSensor, index$9_CceError as CceError, type index$9_CceErrorCode as CceErrorCode, type index$9_CceExecutionContext as CceExecutionContext, type index$9_CceHandler as CceHandler, type index$9_CceHandlerContext as CceHandlerContext, type index$9_CceHandlerResult as CceHandlerResult, type index$9_CceIssuerKeyResolver as CceIssuerKeyResolver, type index$9_CceKdfAlgorithm as CceKdfAlgorithm, type index$9_CceKemAlgorithm as CceKemAlgorithm, index$9_CcePayloadDecryptionSensor as CcePayloadDecryptionSensor, type index$9_CcePipelineConfig as CcePipelineConfig, type index$9_CcePipelineResult as CcePipelineResult, index$9_CceReplayProtectionSensor as CceReplayProtectionSensor, type index$9_CceReplayStore as CceReplayStore, type index$9_CceRequestEnvelope as CceRequestEnvelope, type index$9_CceResponseEnvelope as CceResponseEnvelope, type index$9_CceResponseOptions as CceResponseOptions, type index$9_CceResponseStatus as CceResponseStatus, type index$9_CceSignature as CceSignature, type index$9_CceSignatureVerifier as CceSignatureVerifier, index$9_CceTpsWindowSensor as CceTpsWindowSensor, type index$9_CceVerificationState as CceVerificationState, type index$9_CceWitnessRecord as CceWitnessRecord, type index$9_CceWitnessStore as CceWitnessStore, index$9_InMemoryCceReplayStore as InMemoryCceReplayStore, index$9_InMemoryCceWitnessStore as InMemoryCceWitnessStore, index$9_aesGcmDecrypt as aesGcmDecrypt, index$9_aesGcmEncrypt as aesGcmEncrypt, index$9_base64UrlDecode as base64UrlDecode, index$9_base64UrlEncode as base64UrlEncode, index$9_buildCceErrorResponse as buildCceErrorResponse, index$9_buildCceResponse as buildCceResponse, index$9_buildExecutionContext as buildExecutionContext, index$9_buildWitnessRecord as buildWitnessRecord, index$9_deriveRequestExecutionKey as deriveRequestExecutionKey, index$9_deriveResponseExecutionKey as deriveResponseExecutionKey, index$9_deriveWitnessKey as deriveWitnessKey, index$9_executeCcePipeline as executeCcePipeline, index$9_extractVerificationState as extractVerificationState, index$9_generateAesKey as generateAesKey, index$9_generateCceNonce as generateCceNonce, index$9_generateIv as generateIv, index$9_hashPayload as hashPayload, index$9_nodeAesGcmProvider as nodeAesGcmProvider };
 }
 
 type ProofType = 1 | 2 | 3 | 4;
@@ -1848,157 +2494,40 @@ type index$5_HandlerDiscoveryService = HandlerDiscoveryService;
 declare const index$5_HandlerDiscoveryService: typeof HandlerDiscoveryService;
 type index$5_IntentRouter = IntentRouter;
 declare const index$5_IntentRouter: typeof IntentRouter;
+type index$5_ObservationQueueConfig = ObservationQueueConfig;
+type index$5_ObservationQueueMessage = ObservationQueueMessage;
 type index$5_ObservationSensor = ObservationSensor;
 type index$5_ObservationStage = ObservationStage;
+type index$5_ObservationStreamEntry = ObservationStreamEntry;
+type index$5_ObservationWitnessSummary = ObservationWitnessSummary;
+type index$5_ObserverVerdict = ObserverVerdict;
 declare const index$5_PRE_DECODE_BOUNDARY: typeof PRE_DECODE_BOUNDARY;
+type index$5_ResponseContract = ResponseContract;
+type index$5_ResponseObserverContext = ResponseObserverContext;
 type index$5_SensorBand = SensorBand;
 type index$5_SensorDiscoveryService = SensorDiscoveryService;
 declare const index$5_SensorDiscoveryService: typeof SensorDiscoveryService;
 type index$5_SensorRegistry = SensorRegistry;
 declare const index$5_SensorRegistry: typeof SensorRegistry;
+type index$5_UnsignedObservationWitness = UnsignedObservationWitness;
+declare const index$5_buildQueueMessage: typeof buildQueueMessage;
+declare const index$5_buildUnsignedWitness: typeof buildUnsignedWitness;
+declare const index$5_canonicalizeObservation: typeof canonicalizeObservation;
 declare const index$5_createObservation: typeof createObservation;
+declare const index$5_decodeQueueMessage: typeof decodeQueueMessage;
+declare const index$5_encodeQueueMessage: typeof encodeQueueMessage;
 declare const index$5_endStage: typeof endStage;
 declare const index$5_finalizeObservation: typeof finalizeObservation;
+declare const index$5_hashObservation: typeof hashObservation;
+declare const index$5_parseAutoClaimEntries: typeof parseAutoClaimEntries;
+declare const index$5_parseStreamEntries: typeof parseStreamEntries;
 declare const index$5_recordSensor: typeof recordSensor;
+declare const index$5_stableJsonStringify: typeof stableJsonStringify;
 declare const index$5_startStage: typeof startStage;
+declare const index$5_verifyResponse: typeof verifyResponse;
 declare namespace index$5 {
-  export { type index$5_AxisDecoded as AxisDecoded, type index$5_AxisEffect as AxisEffect, type index$5_AxisObservation as AxisObservation, index$5_BAND as BAND, index$5_HandlerDiscoveryService as HandlerDiscoveryService, index$5_IntentRouter as IntentRouter, type IntentSchema$1 as IntentSchema, type index$5_ObservationSensor as ObservationSensor, type index$5_ObservationStage as ObservationStage, index$5_PRE_DECODE_BOUNDARY as PRE_DECODE_BOUNDARY, type index$5_SensorBand as SensorBand, index$5_SensorDiscoveryService as SensorDiscoveryService, index$5_SensorRegistry as SensorRegistry, index$5_createObservation as createObservation, index$5_endStage as endStage, index$5_finalizeObservation as finalizeObservation, index$6 as observation, index$5_recordSensor as recordSensor, index$5_startStage as startStage };
-}
-
-interface PresenceDeclaration {
-    softid: string;
-    device_meta?: {
-        fingerprint?: string;
-        platform?: string;
-        user_agent?: string;
-    };
-}
-interface PresenceChallenge {
-    challenge_id: string;
-    nonce: string;
-    temporal_anchor: number;
-    ttl_ms: number;
-    expires_at: number;
-}
-interface PresenceProof {
-    challenge_id: string;
-    signature: string;
-    public_key: string;
-    kid?: string;
-}
-interface PresenceReceipt {
-    presence_id: string;
-    softid: string;
-    anchor_reflection: string;
-    scope: {
-        ip?: string;
-        device_fingerprint?: string;
-    };
-    issued_at: number;
-    expires_at: number;
-    renewed_at?: number;
-}
-type PresenceStatus = 'active' | 'expired' | 'revoked';
-interface WritHead {
-    tid: string;
-    seq: number;
-}
-interface WritBody {
-    who: string;
-    act: string;
-    res: string;
-    law: string;
-}
-interface WritMeta {
-    iat: number;
-    exp: number;
-    prev: string;
-}
-interface WritSignature {
-    alg: 'ed25519';
-    value: string;
-    kid?: string;
-}
-interface Writ {
-    head: WritHead;
-    body: WritBody;
-    meta: WritMeta;
-    sig: WritSignature;
-}
-type GrantType = 'sovereign' | 'delegated' | 'system';
-interface GrantCapability {
-    oec: string;
-    scope: string;
-    limit?: {
-        rate?: string;
-        amount?: number;
-        depth?: string;
-    };
-}
-interface GrantMeta {
-    iat: number;
-    exp: number;
-    revocable: boolean;
-    version: number;
-    contract_ref?: string;
-}
-interface Grant {
-    grant_id: string;
-    issuer: string;
-    subject: string;
-    grant_type: GrantType;
-    caps: GrantCapability[];
-    meta: GrantMeta;
-    sig: WritSignature;
-}
-type GrantStatus = 'active' | 'revoked' | 'expired';
-interface LoomReceipt {
-    receipt_id: string;
-    writ_hash: string;
-    thread_id: string;
-    sequence: number;
-    effect: string;
-    hash: string;
-    prev_hash: string | null;
-    executed_at: number;
-    metadata?: Record<string, unknown>;
-}
-interface ThreadState {
-    thread_id: string;
-    softid: string;
-    last_receipt_hash: string;
-    sequence: number;
-    updated_at: number;
+  export { type index$5_AxisDecoded as AxisDecoded, type index$5_AxisEffect as AxisEffect, type index$5_AxisObservation as AxisObservation, index$5_BAND as BAND, index$5_HandlerDiscoveryService as HandlerDiscoveryService, index$5_IntentRouter as IntentRouter, type IntentSchema$1 as IntentSchema, type index$5_ObservationQueueConfig as ObservationQueueConfig, type index$5_ObservationQueueMessage as ObservationQueueMessage, type index$5_ObservationSensor as ObservationSensor, type index$5_ObservationStage as ObservationStage, type index$5_ObservationStreamEntry as ObservationStreamEntry, type index$5_ObservationWitnessSummary as ObservationWitnessSummary, type index$5_ObserverVerdict as ObserverVerdict, index$5_PRE_DECODE_BOUNDARY as PRE_DECODE_BOUNDARY, type index$5_ResponseContract as ResponseContract, type index$5_ResponseObserverContext as ResponseObserverContext, type index$5_SensorBand as SensorBand, index$5_SensorDiscoveryService as SensorDiscoveryService, index$5_SensorRegistry as SensorRegistry, type index$5_UnsignedObservationWitness as UnsignedObservationWitness, index$5_buildQueueMessage as buildQueueMessage, index$5_buildUnsignedWitness as buildUnsignedWitness, index$5_canonicalizeObservation as canonicalizeObservation, index$5_createObservation as createObservation, index$5_decodeQueueMessage as decodeQueueMessage, index$5_encodeQueueMessage as encodeQueueMessage, index$5_endStage as endStage, index$5_finalizeObservation as finalizeObservation, index$5_hashObservation as hashObservation, index$6 as observation, index$5_parseAutoClaimEntries as parseAutoClaimEntries, index$5_parseStreamEntries as parseStreamEntries, index$5_recordSensor as recordSensor, index$5_stableJsonStringify as stableJsonStringify, index$5_startStage as startStage, index$5_verifyResponse as verifyResponse };
 }
-type RevocationTargetType = 'grant' | 'presence' | 'softid';
-interface Revocation {
-    revocation_id: string;
-    target_type: RevocationTargetType;
-    target_id: string;
-    issuer_softid: string;
-    reason?: string;
-    effective_at: number;
-    sig_value: string;
-}
-interface LoomValidationResult {
-    valid: boolean;
-    error?: string;
-    code?: string;
-}
-interface PresenceVerifyResult extends LoomValidationResult {
-    presence?: PresenceReceipt;
-}
-interface WritValidationResult extends LoomValidationResult {
-    writ?: Writ;
-    gate_failed?: 'temporal' | 'causal' | 'legal' | 'authentic';
-}
-interface GrantValidationResult extends LoomValidationResult {
-    grant?: Grant;
-}
-
-declare function deriveAnchorReflection(softid: string, context?: string, scope?: string): string;
-declare function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string;
-declare function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string;
 
 type index$4_Grant = Grant;
 type index$4_GrantCapability = GrantCapability;
@@ -2368,12 +2897,9 @@ declare namespace index$1 {
   export { index$1_AccessProfileResolverSensor as AccessProfileResolverSensor, index$1_BodyBudgetSensor as BodyBudgetSensor, index$1_CapabilityEnforcementSensor as CapabilityEnforcementSensor, index$1_ChunkHashSensor as ChunkHashSensor, index$1_EntropySensor as EntropySensor, index$1_ExecutionTimeoutSensor as ExecutionTimeoutSensor, index$1_FrameBudgetSensor as FrameBudgetSensor, index$1_FrameHeaderSanitySensor as FrameHeaderSanitySensor, index$1_HeaderTLVLimitSensor as HeaderTLVLimitSensor, index$1_IntentAllowlistSensor as IntentAllowlistSensor, index$1_IntentRegistrySensor as IntentRegistrySensor, index$1_ProofPresenceSensor as ProofPresenceSensor, index$1_ProtocolStrictSensor as ProtocolStrictSensor, index$1_ReceiptPolicySensor as ReceiptPolicySensor, index$1_SchemaValidationSensor as SchemaValidationSensor, index$1_StreamScopeSensor as StreamScopeSensor, index$1_TLVParseSensor as TLVParseSensor, index$1_VarintHardeningSensor as VarintHardeningSensor };
 }
 
-type AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;
-declare function encodeAxisTlvDto<T extends object>(dtoClass: AxisTlvDtoCtor<T>, data: Partial<Record<keyof T, unknown>>): Uint8Array;
-
 declare const index_encodeAxisTlvDto: typeof encodeAxisTlvDto;
 declare namespace index {
   export { index_encodeAxisTlvDto as encodeAxisTlvDto };
 }
 
-export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, AxisContext$1 as AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservation, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, type Capability, type CapsuleMode, type ChainResult, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type ResponseContract, type ResponseObserverContext, RiskDecision, type RiskEvaluation, type RiskSignal, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeObservation, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, encVarint, encodeAxis1Frame, encodeQueueMessage, endStage, index$5 as engine, extractDtoSchema, finalizeObservation, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, index$4 as loom, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse };
+export { ATS1_HDR, ATS1_SCHEMA, AXIS_OPCODES, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, AxisContext$1 as AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisObservation, type AxisObservedContext, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, CCE_ERROR, CCE_PROTOCOL_VERSION, type Capability, type CapsuleMode, type CceCapsuleClaims as CceCapsuleClaimsType, CceError, type CceExecutionContext as CceExecutionContextType, type CceHandler, type CceHandlerContext, type CceHandlerResult, type CcePipelineConfig, type CcePipelineResult, type CceRequestEnvelope as CceRequestEnvelopeType, type CceResponseEnvelope as CceResponseEnvelopeType, type CceWitnessRecord as CceWitnessRecordType, type ChainResult, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type Grant, type GrantCapability, type GrantMeta, type GrantStatus, type GrantType, type GrantValidationResult, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type LoomReceipt, type LoomValidationResult, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, type PresenceChallenge, type PresenceDeclaration, type PresenceProof, type PresenceReceipt, type PresenceStatus, type PresenceVerifyResult, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type ResponseContract, verifyResponse as ResponseObserver, type ResponseObserverContext, type Revocation, type RevocationTargetType, RiskDecision, type RiskEvaluation, type RiskSignal, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, type ThreadState, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, type Writ, type WritBody, type WritHead, type WritMeta, type WritSignature, type WritValidationResult, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeGrant, canonicalizeObservation, canonicalizeWrit, index$9 as cce, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, deriveAnchorReflection, encVarint, encodeAxis1Frame, encodeAxisTlvDto, encodeQueueMessage, endStage, index$5 as engine, executeCcePipeline, extractDtoSchema, finalizeObservation, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, index$4 as loom, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse };