@nextera.one/axis-server-sdk 1.5.0 → 1.7.0

package/dist/index.js

@@ -64,6 +64,9 @@ __export(index_exports, {
   BAND: () => BAND,
   BodyProfile: () => import_axis_protocol2.BodyProfile,
   CAPABILITIES: () => CAPABILITIES,
+  CCE_ERROR: () => CCE_ERROR,
+  CCE_PROTOCOL_VERSION: () => CCE_PROTOCOL_VERSION,
+  CceError: () => CceError,
   ContractViolationError: () => ContractViolationError,
   DEFAULT_CONTRACTS: () => DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT: () => DEFAULT_TIMEOUT,
@@ -123,6 +126,7 @@ __export(index_exports, {
   RESPONSE_TAG_ID: () => RESPONSE_TAG_ID,
   RESPONSE_TAG_UPDATED_AT: () => RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY: () => RESPONSE_TAG_UPDATED_BY,
+  ResponseObserver: () => verifyResponse,
   RiskDecision: () => RiskDecision,
   SENSOR_METADATA_KEY: () => SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes: () => Schema2002_PasskeyLoginOptionsRes,
@@ -156,6 +160,7 @@ __export(index_exports, {
   TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
   TLV_OK: () => import_axis_protocol2.TLV_OK,
   TLV_PID: () => import_axis_protocol2.TLV_PID,
+  TLV_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
   TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
   TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
   TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
@@ -163,10 +168,12 @@ __export(index_exports, {
   TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
   TLV_RID: () => import_axis_protocol2.TLV_RID,
   TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
+  TLV_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
   TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
   TLV_TS: () => import_axis_protocol2.TLV_TS,
   TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
   TLV_VALIDATORS_KEY: () => TLV_VALIDATORS_KEY,
+  TLV_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
   TlvEnum: () => TlvEnum,
   TlvField: () => TlvField,
   TlvMinLen: () => TlvMinLen,
@@ -189,7 +196,10 @@ __export(index_exports, {
   canAccessResource: () => canAccessResource,
   canonicalJson: () => canonicalJson,
   canonicalJsonExcluding: () => canonicalJsonExcluding,
+  canonicalizeGrant: () => canonicalizeGrant,
   canonicalizeObservation: () => canonicalizeObservation,
+  canonicalizeWrit: () => canonicalizeWrit,
+  cce: () => cce_exports,
   classifyIntent: () => classifyIntent,
   computeReceiptHash: () => computeReceiptHash,
   computeSignaturePayload: () => computeSignaturePayload,
@@ -205,14 +215,17 @@ __export(index_exports, {
   decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
   decodeVarint: () => import_axis_protocol3.decodeVarint,
   decorators: () => decorators_exports,
+  deriveAnchorReflection: () => deriveAnchorReflection,
   encVarint: () => encVarint,
   encodeAxis1Frame: () => encodeAxis1Frame,
+  encodeAxisTlvDto: () => encodeAxisTlvDto,
   encodeFrame: () => encodeFrame,
   encodeQueueMessage: () => encodeQueueMessage,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
   endStage: () => endStage,
   engine: () => engine_exports,
+  executeCcePipeline: () => executeCcePipeline,
   extractDtoSchema: () => extractDtoSchema,
   finalizeObservation: () => finalizeObservation,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
@@ -239,7 +252,7 @@ __export(index_exports, {
   security: () => security_exports,
   sensitivityName: () => sensitivityName,
   sensors: () => sensors_exports,
-  sha256: () => sha256,
+  sha256: () => sha2564,
   signFrame: () => signFrame,
   stableJsonStringify: () => stableJsonStringify,
   startStage: () => startStage,
@@ -636,6 +649,626 @@ var SensorDecisions = {
   }
 };
 
+// src/cce/cce-derivation.service.ts
+var import_utils = require("@noble/hashes/utils.js");
+var import_hkdf = require("@noble/hashes/hkdf.js");
+var import_sha2 = require("@noble/hashes/sha2.js");
+
+// src/cce/cce.types.ts
+var CCE_PROTOCOL_VERSION = "cce-v1";
+var CCE_DERIVATION = {
+  /** Request execution context */
+  REQUEST: "axis:cce:req:v1",
+  /** Response execution context */
+  RESPONSE: "axis:cce:resp:v1",
+  /** Witness binding context */
+  WITNESS: "axis:cce:witness:v1"
+};
+var CCE_AES_KEY_BYTES = 32;
+var CCE_IV_BYTES = 12;
+var CCE_TAG_BYTES = 16;
+var CCE_NONCE_BYTES = 32;
+var CCE_ERROR = {
+  // Envelope errors
+  INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE",
+  UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION",
+  MISSING_CAPSULE: "CCE_MISSING_CAPSULE",
+  MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY",
+  // Signature errors
+  CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID",
+  CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND",
+  // Capsule errors
+  CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID",
+  CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED",
+  CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID",
+  CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED",
+  CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED",
+  // Binding errors
+  AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH",
+  INTENT_MISMATCH: "CCE_INTENT_MISMATCH",
+  TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED",
+  TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE",
+  // Replay / nonce errors
+  REPLAY_DETECTED: "CCE_REPLAY_DETECTED",
+  NONCE_REUSED: "CCE_NONCE_REUSED",
+  // Decryption errors
+  DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED",
+  KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED",
+  AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH",
+  PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE",
+  // Schema / validation errors
+  PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID",
+  INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH",
+  // Policy errors
+  POLICY_DENIED: "CCE_POLICY_DENIED",
+  CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED",
+  // Handler errors
+  HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND",
+  HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED",
+  HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT",
+  // Response errors
+  RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED"
+};
+var CceError = class extends Error {
+  constructor(code, message, metadata) {
+    super(`[${code}] ${message}`);
+    this.code = code;
+    this.metadata = metadata;
+    this.name = "CceError";
+  }
+  /** Whether this error is safe to expose to the client */
+  get clientSafe() {
+    const internal = [
+      CCE_ERROR.DECRYPTION_FAILED,
+      CCE_ERROR.KEY_UNWRAP_FAILED,
+      CCE_ERROR.AEAD_TAG_MISMATCH,
+      CCE_ERROR.HANDLER_EXECUTION_FAILED,
+      CCE_ERROR.RESPONSE_ENCRYPTION_FAILED
+    ];
+    return !internal.includes(this.code);
+  }
+  /** Get client-safe representation */
+  toClientError() {
+    if (this.clientSafe) {
+      return { code: this.code, message: this.message };
+    }
+    return {
+      code: CCE_ERROR.DECRYPTION_FAILED,
+      message: "Request processing failed"
+    };
+  }
+};
+
+// src/cce/cce-derivation.service.ts
+function buildSalt(capsuleId, capsuleNonce, requestNonce) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(
+    capsuleId + "|" + capsuleNonce + "|" + requestNonce
+  );
+  return (0, import_sha2.sha256)(data);
+}
+function buildInfo(contextPrefix, capsule, extraNonce) {
+  const encoder = new TextEncoder();
+  const parts = [
+    contextPrefix,
+    capsule.sub,
+    capsule.kid,
+    capsule.intent,
+    capsule.aud,
+    String(capsule.tps_from),
+    String(capsule.tps_to),
+    capsule.policy_hash ?? "",
+    capsule.ver
+  ];
+  if (extraNonce) {
+    parts.push(extraNonce);
+  }
+  return encoder.encode(parts.join("|"));
+}
+function deriveRequestExecutionKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const salt = buildSalt(
+    input.capsule.capsule_id,
+    input.capsule.capsule_nonce,
+    input.requestNonce
+  );
+  const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function deriveResponseExecutionKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const encoder = new TextEncoder();
+  const saltData = encoder.encode(
+    input.capsule.capsule_id + "|" + input.capsule.capsule_nonce + "|" + input.requestNonce + "|" + input.responseNonce
+  );
+  const salt = (0, import_sha2.sha256)(saltData);
+  const info = buildInfo(
+    CCE_DERIVATION.RESPONSE,
+    input.capsule,
+    input.responseNonce
+  );
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function deriveWitnessKey(input) {
+  const ikm = (0, import_utils.hexToBytes)(input.axisLocalSecret);
+  const salt = buildSalt(
+    input.capsule.capsule_id,
+    input.capsule.capsule_nonce,
+    input.requestNonce
+  );
+  const info = buildInfo(CCE_DERIVATION.WITNESS, input.capsule);
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function buildExecutionContext(input, requestId) {
+  const executionKey = deriveRequestExecutionKey(input);
+  const keyHash = (0, import_utils.bytesToHex)((0, import_sha2.sha256)(executionKey));
+  executionKey.fill(0);
+  return {
+    execution_key_hash: keyHash,
+    request_id: requestId,
+    capsule_id: input.capsule.capsule_id,
+    sub: input.capsule.sub,
+    kid: input.capsule.kid,
+    intent: input.capsule.intent,
+    aud: input.capsule.aud,
+    tps_from: input.capsule.tps_from,
+    tps_to: input.capsule.tps_to,
+    policy_hash: input.capsule.policy_hash,
+    derived_at: Math.floor(Date.now() / 1e3),
+    valid: true
+  };
+}
+function generateCceNonce() {
+  const bytes2 = new Uint8Array(CCE_NONCE_BYTES);
+  crypto.getRandomValues(bytes2);
+  return (0, import_utils.bytesToHex)(bytes2);
+}
+
+// src/cce/cce-response.service.ts
+var import_utils3 = require("@noble/hashes/utils.js");
+var import_crypto2 = require("crypto");
+
+// src/cce/cce-crypto.ts
+var import_utils2 = require("@noble/hashes/utils.js");
+var import_sha22 = require("@noble/hashes/sha2.js");
+var import_crypto = require("crypto");
+function aesGcmEncrypt(key, plaintext, aad) {
+  if (key.length !== CCE_AES_KEY_BYTES) {
+    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
+  }
+  const iv = (0, import_crypto.randomBytes)(CCE_IV_BYTES);
+  const cipher = (0, import_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  if (aad) {
+    cipher.setAAD(aad);
+  }
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: new Uint8Array(iv),
+    ciphertext: new Uint8Array(encrypted),
+    tag: new Uint8Array(tag)
+  };
+}
+function aesGcmDecrypt(key, iv, ciphertext, tag, aad) {
+  if (key.length !== CCE_AES_KEY_BYTES) {
+    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
+  }
+  if (iv.length !== CCE_IV_BYTES) {
+    throw new Error(`IV must be ${CCE_IV_BYTES} bytes`);
+  }
+  if (tag.length !== CCE_TAG_BYTES) {
+    throw new Error(`Tag must be ${CCE_TAG_BYTES} bytes`);
+  }
+  try {
+    const decipher = (0, import_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+    decipher.setAuthTag(tag);
+    if (aad) {
+      decipher.setAAD(aad);
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return new Uint8Array(decrypted);
+  } catch {
+    return null;
+  }
+}
+function generateAesKey() {
+  return new Uint8Array((0, import_crypto.randomBytes)(CCE_AES_KEY_BYTES));
+}
+function generateIv() {
+  return new Uint8Array((0, import_crypto.randomBytes)(CCE_IV_BYTES));
+}
+function base64UrlEncode(bytes2) {
+  return Buffer.from(bytes2).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - base64.length % 4) % 4);
+  return new Uint8Array(Buffer.from(base64 + padding, "base64"));
+}
+function hashPayload(payload) {
+  return (0, import_utils2.bytesToHex)((0, import_sha22.sha256)(payload));
+}
+var nodeAesGcmProvider = {
+  async decrypt(key, iv, ciphertext, tag, aad) {
+    return aesGcmDecrypt(key, iv, ciphertext, tag, aad);
+  }
+};
+
+// src/cce/cce-response.service.ts
+async function buildCceResponse(options, clientKeyEncryptor, axisSigner) {
+  const { request, capsule, status, body, clientPublicKeyHex, witnessRef } = options;
+  const responseNonce = (0, import_utils3.bytesToHex)(
+    new Uint8Array((0, import_crypto2.randomBytes)(CCE_NONCE_BYTES))
+  );
+  const responseId = generateResponseId();
+  const aesKey = generateAesKey();
+  const aad = buildResponseAad(
+    request.request_id,
+    responseId,
+    request.correlation_id,
+    capsule.capsule_id,
+    responseNonce
+  );
+  const { iv, ciphertext, tag } = aesGcmEncrypt(aesKey, body, aad);
+  const encryptedKey = await clientKeyEncryptor.wrapKey(
+    aesKey,
+    request.client_kid,
+    clientPublicKeyHex
+  );
+  aesKey.fill(0);
+  const encryptedPayload = {
+    alg: "AES-256-GCM",
+    iv: base64UrlEncode(iv),
+    ciphertext: base64UrlEncode(ciphertext),
+    tag: base64UrlEncode(tag)
+  };
+  const algorithms = {
+    kem: encryptedKey.alg,
+    enc: "AES-256-GCM",
+    kdf: "HKDF-SHA256",
+    sig: "EdDSA"
+  };
+  const unsignedResponse = {
+    ver: CCE_PROTOCOL_VERSION,
+    response_id: responseId,
+    request_id: request.request_id,
+    correlation_id: request.correlation_id,
+    encrypted_key: encryptedKey,
+    encrypted_payload: encryptedPayload,
+    response_nonce: responseNonce,
+    algorithms,
+    status,
+    ...witnessRef ? { witness_ref: witnessRef } : {}
+  };
+  const signPayload = new TextEncoder().encode(canonicalize(unsignedResponse));
+  const axisSig = await axisSigner.sign(signPayload);
+  const envelope = {
+    ...unsignedResponse,
+    axis_sig: axisSig
+  };
+  return {
+    envelope,
+    responsePayloadHash: hashPayload(body)
+  };
+}
+function buildCceErrorResponse(requestId, correlationId, status, errorCode, message) {
+  return {
+    ver: CCE_PROTOCOL_VERSION,
+    request_id: requestId,
+    correlation_id: correlationId,
+    status,
+    error: { code: errorCode, message }
+  };
+}
+function generateResponseId() {
+  const bytes2 = (0, import_crypto2.randomBytes)(16);
+  return "resp_" + (0, import_utils3.bytesToHex)(new Uint8Array(bytes2)).slice(0, 24);
+}
+function buildResponseAad(requestId, responseId, correlationId, capsuleId, responseNonce) {
+  const parts = [
+    requestId,
+    responseId,
+    correlationId,
+    capsuleId,
+    responseNonce
+  ];
+  return new TextEncoder().encode(parts.join("|"));
+}
+function canonicalize(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+
+// src/cce/cce-witness.observer.ts
+var import_utils4 = require("@noble/hashes/utils.js");
+var import_hkdf2 = require("@noble/hashes/hkdf.js");
+var import_sha23 = require("@noble/hashes/sha2.js");
+var InMemoryCceWitnessStore = class {
+  constructor() {
+    this.records = [];
+  }
+  async record(witness) {
+    this.records.push(witness);
+  }
+  getByRequestId(requestId) {
+    return this.records.find((w) => w.request_id === requestId);
+  }
+  getByCapsuleId(capsuleId) {
+    return this.records.filter((w) => w.capsule_id === capsuleId);
+  }
+};
+function buildWitnessRecord(envelope, capsule, verification, execution, options) {
+  const witnessId = generateWitnessId(envelope.request_id, capsule.capsule_id);
+  const executionContextHash = computeExecutionContextHash(
+    options.axisLocalSecret,
+    capsule,
+    envelope.request_nonce
+  );
+  return {
+    witness_id: witnessId,
+    request_id: envelope.request_id,
+    capsule_id: capsule.capsule_id,
+    sub: capsule.sub,
+    intent: capsule.intent,
+    aud: capsule.aud,
+    tps_from: capsule.tps_from,
+    tps_to: capsule.tps_to,
+    timestamp: Math.floor(Date.now() / 1e3),
+    verification: {
+      client_sig: verification.clientSigVerified,
+      capsule_sig: verification.capsuleSigVerified,
+      tps_valid: verification.tpsValid,
+      audience_match: verification.audienceMatch,
+      intent_match: verification.intentMatch,
+      replay_clean: verification.replayClean,
+      nonce_unique: verification.nonceUnique,
+      decryption_ok: verification.decryptionOk
+    },
+    execution: {
+      status: execution.status,
+      handler_duration_ms: execution.handlerDurationMs,
+      ...execution.effect ? { effect: execution.effect } : {}
+    },
+    response_encrypted: options.responseEncrypted,
+    execution_context_hash: executionContextHash,
+    ...options.requestPayload ? { request_payload_hash: hashPayload(options.requestPayload) } : {},
+    ...options.responsePayload ? { response_payload_hash: hashPayload(options.responsePayload) } : {}
+  };
+}
+function extractVerificationState(metadata) {
+  return {
+    clientSigVerified: metadata.cceClientSigVerified === true,
+    capsuleSigVerified: metadata.cceCapsuleVerified === true,
+    tpsValid: metadata.cceTpsValid === true,
+    audienceMatch: metadata.cceBindingVerified === true,
+    intentMatch: metadata.cceBindingVerified === true,
+    replayClean: metadata.cceReplayClean === true,
+    nonceUnique: metadata.cceReplayClean === true,
+    decryptionOk: metadata.cceDecryptionOk === true
+  };
+}
+function generateWitnessId(requestId, capsuleId) {
+  const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;
+  const hash = (0, import_sha23.sha256)(new TextEncoder().encode(input));
+  return "wit_" + (0, import_utils4.bytesToHex)(hash).slice(0, 24);
+}
+function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
+  const encoder = new TextEncoder();
+  const ikm = hexToBytes2(axisLocalSecret);
+  const salt = (0, import_sha23.sha256)(
+    encoder.encode(
+      capsule.capsule_id + "|" + capsule.capsule_nonce + "|" + requestNonce
+    )
+  );
+  const info = encoder.encode(
+    [
+      CCE_DERIVATION.WITNESS,
+      capsule.sub,
+      capsule.kid,
+      capsule.intent,
+      capsule.aud,
+      String(capsule.tps_from),
+      String(capsule.tps_to),
+      capsule.policy_hash ?? "",
+      capsule.ver
+    ].join("|")
+  );
+  const witnessKey = (0, import_hkdf2.hkdf)(import_sha23.sha256, ikm, salt, info, 32);
+  const hash = (0, import_utils4.bytesToHex)((0, import_sha23.sha256)(witnessKey));
+  witnessKey.fill(0);
+  return hash;
+}
+function hexToBytes2(hex) {
+  const bytes2 = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes2.length; i++) {
+    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes2;
+}
+
+// src/cce/cce-pipeline.ts
+async function executeCcePipeline(envelope, config) {
+  const startTime = Date.now();
+  if (envelope.ver !== CCE_PROTOCOL_VERSION) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.UNSUPPORTED_VERSION,
+        message: `Unsupported version: ${envelope.ver}`
+      },
+      status: "ERROR"
+    };
+  }
+  const sensorInput = {
+    intent: envelope.capsule.intent,
+    metadata: {
+      cce: true,
+      cceEnvelope: envelope,
+      contentType: "application/axis-cce"
+    }
+  };
+  const sortedSensors = [...config.sensors].sort(
+    (a, b) => (a.order ?? 999) - (b.order ?? 999)
+  );
+  for (const sensor of sortedSensors) {
+    if (sensor.supports && !sensor.supports(sensorInput)) {
+      continue;
+    }
+    let decision;
+    try {
+      decision = await sensor.run(sensorInput);
+    } catch (err) {
+      return {
+        ok: false,
+        error: {
+          code: CCE_ERROR.DECRYPTION_FAILED,
+          message: `Sensor ${sensor.name} failed`
+        },
+        status: "ERROR"
+      };
+    }
+    const normalized = normalizeSensorDecision(decision);
+    if (!normalized.allow) {
+      const code = normalized.reasons[0]?.split(":")[0] ?? CCE_ERROR.DECRYPTION_FAILED;
+      return {
+        ok: false,
+        error: { code, message: normalized.reasons.join("; ") },
+        status: "DENIED"
+      };
+    }
+  }
+  const capsule = sensorInput.metadata?.cceCapsule;
+  const decryptedPayload = sensorInput.metadata?.cceDecryptedPayload;
+  const clientKey = sensorInput.metadata?.cceClientKey;
+  if (!capsule || !decryptedPayload || !clientKey) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.DECRYPTION_FAILED,
+        message: "Sensor chain did not produce required outputs"
+      },
+      status: "ERROR"
+    };
+  }
+  const derivationInput = {
+    axisLocalSecret: config.axisLocalSecret,
+    capsule,
+    requestNonce: envelope.request_nonce
+  };
+  const executionContext = buildExecutionContext(
+    derivationInput,
+    envelope.request_id
+  );
+  const handler = config.handlers.get(capsule.intent);
+  if (!handler) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.HANDLER_NOT_FOUND,
+        message: `No handler for intent: ${capsule.intent}`
+      },
+      status: "ERROR"
+    };
+  }
+  const handlerContext = {
+    capsule,
+    executionContext,
+    envelope,
+    clientPublicKeyHex: clientKey.publicKeyHex,
+    intent: capsule.intent,
+    sub: capsule.sub
+  };
+  let result;
+  const handlerStart = Date.now();
+  try {
+    result = await handler(decryptedPayload, handlerContext);
+  } catch (err) {
+    const handlerDuration2 = Date.now() - handlerStart;
+    const verification2 = extractVerificationState(sensorInput.metadata ?? {});
+    const witness2 = buildWitnessRecord(
+      envelope,
+      capsule,
+      verification2,
+      { status: "FAILED", handlerDurationMs: handlerDuration2 },
+      {
+        axisLocalSecret: config.axisLocalSecret,
+        requestPayload: decryptedPayload,
+        responseEncrypted: false
+      }
+    );
+    await config.witnessStore.record(witness2);
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.HANDLER_EXECUTION_FAILED,
+        message: "Handler execution failed"
+      },
+      status: "FAILED"
+    };
+  }
+  const handlerDuration = Date.now() - handlerStart;
+  let responseEnvelope;
+  let responsePayloadHash;
+  try {
+    const responseResult = await buildCceResponse(
+      {
+        request: envelope,
+        capsule,
+        status: result.status,
+        body: result.body,
+        clientPublicKeyHex: clientKey.publicKeyHex
+      },
+      config.clientKeyEncryptor,
+      config.axisSigner
+    );
+    responseEnvelope = responseResult.envelope;
+    responsePayloadHash = responseResult.responsePayloadHash;
+  } catch (err) {
+    return {
+      ok: false,
+      error: {
+        code: CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,
+        message: "Response encryption failed"
+      },
+      status: "ERROR"
+    };
+  }
+  const verification = extractVerificationState(sensorInput.metadata ?? {});
+  const witness = buildWitnessRecord(
+    envelope,
+    capsule,
+    verification,
+    {
+      status: result.status,
+      handlerDurationMs: handlerDuration,
+      effect: result.effect
+    },
+    {
+      axisLocalSecret: config.axisLocalSecret,
+      requestPayload: decryptedPayload,
+      responsePayload: result.body,
+      responseEncrypted: true
+    }
+  );
+  await config.witnessStore.record(witness);
+  return {
+    ok: true,
+    response: responseEnvelope,
+    witnessId: witness.witness_id
+  };
+}
+
 // src/engine/intent.router.ts
 var IntentRouter = class {
   constructor(moduleRef) {
@@ -653,6 +1286,10 @@ var IntentRouter = class {
     this.intentValidators = /* @__PURE__ */ new Map();
     /** Per-intent operation kind */
     this.intentKinds = /* @__PURE__ */ new Map();
+    /** CCE handler registry */
+    this.cceHandlers = /* @__PURE__ */ new Map();
+    /** CCE pipeline configuration (set via configureCce) */
+    this.ccePipelineConfig = null;
   }
   getSchema(intent) {
     return this.intentSchemas.get(intent);
@@ -916,6 +1553,58 @@ var IntentRouter = class {
       }
     }
   }
+  // ===========================================================================
+  // CCE — Capsule-Carried Encryption Support
+  // ===========================================================================
+  /**
+   * Configure the CCE pipeline.
+   * Must be called before routeCce() can process encrypted requests.
+   */
+  configureCce(config) {
+    this.ccePipelineConfig = config;
+    this.logger.log("CCE pipeline configured");
+  }
+  /**
+   * Register a CCE-encrypted intent handler.
+   * CCE handlers receive decrypted payloads and execution context.
+   */
+  registerCceHandler(intent, handler) {
+    this.cceHandlers.set(intent, handler);
+    this.logger.debug(`CCE handler registered: ${intent}`);
+  }
+  /**
+   * Check if a CCE handler exists for the given intent.
+   */
+  hasCceHandler(intent) {
+    return this.cceHandlers.has(intent);
+  }
+  /**
+   * Route a CCE-encrypted request through the full pipeline.
+   *
+   * Steps:
+   * 1. Sensor chain (envelope validation → capsule verification → replay → decrypt)
+   * 2. Execution context derivation
+   * 3. Handler execution
+   * 4. Response encryption
+   * 5. Witness recording
+   */
+  async routeCce(envelope) {
+    if (!this.ccePipelineConfig) {
+      return {
+        ok: false,
+        error: {
+          code: "CCE_NOT_CONFIGURED",
+          message: "CCE pipeline not configured. Call configureCce() first."
+        },
+        status: "ERROR"
+      };
+    }
+    const config = {
+      ...this.ccePipelineConfig,
+      handlers: this.cceHandlers
+    };
+    return executeCcePipeline(envelope, config);
+  }
   storeSchema(meta) {
     if (meta.dto) {
       if (meta.tlv && meta.tlv.length > 0) {
@@ -1095,7 +1784,7 @@ function fieldsToMap(fields) {
 }
 
 // src/engine/observation/observation-hash.ts
-var import_crypto = require("crypto");
+var import_crypto3 = require("crypto");
 function canonicalizeObservation(obs) {
   const obj = {
     id: obs.id,
@@ -1132,7 +1821,7 @@ function canonicalizeObservation(obs) {
 }
 function hashObservation(obs) {
   const canonical = canonicalizeObservation(obs);
-  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex");
+  return (0, import_crypto3.createHash)("sha256").update(canonical).digest("hex");
 }
 function buildUnsignedWitness(obs) {
   if (!obs.decision || !obs.endMs) {
@@ -1207,7 +1896,7 @@ function verifyResponse(ctx, response) {
 var import_axis_protocol3 = require("@nextera.one/axis-protocol");
 
 // src/core/signature.ts
-var crypto = __toESM(require("crypto"));
+var crypto2 = __toESM(require("crypto"));
 
 // src/core/axis-bin.ts
 var z = __toESM(require("zod"));
@@ -1337,19 +2026,19 @@ function signFrame(frame, privateKey) {
       32
     ]);
     const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);
-    keyObject = crypto.createPrivateKey({
+    keyObject = crypto2.createPrivateKey({
       key: pkcs8Key,
       format: "der",
       type: "pkcs8"
     });
   } else {
-    keyObject = crypto.createPrivateKey({
+    keyObject = crypto2.createPrivateKey({
       key: privateKey,
       format: "der",
       type: "pkcs8"
     });
   }
-  const signature = crypto.sign(null, payload, keyObject);
+  const signature = crypto2.sign(null, payload, keyObject);
   if (signature.length !== 64) {
     throw new Error("Ed25519 signature must be 64 bytes");
   }
@@ -1381,19 +2070,19 @@ function verifyFrameSignature(frame, publicKey) {
         0
       ]);
       const spkiKey = Buffer.concat([spkiPrefix, publicKey]);
-      keyObject = crypto.createPublicKey({
+      keyObject = crypto2.createPublicKey({
         key: spkiKey,
         format: "der",
         type: "spki"
       });
     } else {
-      keyObject = crypto.createPublicKey({
+      keyObject = crypto2.createPublicKey({
         key: publicKey,
         format: "der",
         type: "spki"
       });
     }
-    const valid = crypto.verify(
+    const valid = crypto2.verify(
       null,
       payload,
       keyObject,
@@ -1405,17 +2094,17 @@ function verifyFrameSignature(frame, publicKey) {
   }
 }
 function generateEd25519KeyPair() {
-  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ed25519");
   return {
     privateKey: privateKey.export({ type: "pkcs8", format: "der" }),
     publicKey: publicKey.export({ type: "spki", format: "der" })
   };
 }
-function sha256(data) {
-  return crypto.createHash("sha256").update(data).digest();
+function sha2564(data) {
+  return crypto2.createHash("sha256").update(data).digest();
 }
 function computeReceiptHash(receiptBytes, prevHash) {
-  const hasher = crypto.createHash("sha256");
+  const hasher = crypto2.createHash("sha256");
   hasher.update(receiptBytes);
   if (prevHash && prevHash.length > 0) {
     hasher.update(prevHash);
@@ -1473,12 +2162,12 @@ __export(ats1_exports, {
   encodeU64BE: () => encodeU64BE,
   encodeUVarint: () => encodeUVarint,
   logicalBodyToTLVs: () => logicalBodyToTLVs,
-  sha256: () => sha2562,
+  sha256: () => sha2565,
   tlvsToLogicalBody: () => tlvsToLogicalBody,
   tlvsToMap: () => tlvsToMap,
   validateTLVsAgainstSchema: () => validateTLVsAgainstSchema
 });
-var import_crypto2 = require("crypto");
+var import_crypto4 = require("crypto");
 var DEFAULT_LIMITS = {
   maxVarintBytes: 10,
   maxTlvCount: 512,
@@ -1527,8 +2216,8 @@ function decodeU64BE(buf) {
   if (buf.length !== 8) throw new Error("decodeU64BE: length must be 8");
   return buf.readBigUInt64BE(0);
 }
-function sha2562(data) {
-  return (0, import_crypto2.createHash)("sha256").update(data).digest();
+function sha2565(data) {
+  return (0, import_crypto4.createHash)("sha256").update(data).digest();
 }
 function encodeTLV(tag, value) {
   if (!Number.isInteger(tag) || tag <= 0)
@@ -1844,7 +2533,7 @@ function decodeAxisHeaderFromTLVs(hdrTlvs, limits = DEFAULT_LIMITS) {
 function encodeAxisRequestBinary(schema, req, limits = DEFAULT_LIMITS) {
   const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);
   const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(bodyBytes);
+  const bodyHash = sha2565(bodyBytes);
   const hdr = {
     ...req.hdr,
     schemaId: schema.schemaId,
@@ -1860,7 +2549,7 @@ function decodeAxisRequestBinary(schema, hdrBytes, bodyBytes, limits = DEFAULT_L
   const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);
   if (hdr.schemaId !== schema.schemaId)
     throw new Error("decodeAxisRequestBinary: schemaId mismatch");
-  const bh = sha2562(bodyBytes);
+  const bh = sha2565(bodyBytes);
   if (!Buffer.from(hdr.bodyHash).equals(bh))
     throw new Error("decodeAxisRequestBinary: body_hash mismatch");
   const body = tlvsToLogicalBody(schema, bodyTlvs, limits);
@@ -1933,7 +2622,7 @@ function packPasskeyLoginOptionsReq(params) {
     }
   );
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,
@@ -2002,7 +2691,7 @@ function packPasskeyRegisterOptionsReq(params) {
     }
   );
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,
@@ -2033,7 +2722,7 @@ function packPasskeyLoginVerifyReq(params) {
     }
   });
   const body = encodeTLVStreamCanonical(bodyTlvs);
-  const bodyHash = sha2562(body);
+  const bodyHash = sha2565(body);
   const hdr = buildAts1Hdr({
     intentId: params.intentId,
     schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,
@@ -2117,7 +2806,7 @@ function packPasskeyLoginVerifyRes(params) {
 }
 
 // src/codec/tlv.encode.ts
-var import_crypto3 = require("crypto");
+var import_crypto5 = require("crypto");
 function encVarint(x) {
   if (x < 0n) throw new Error("VARINT_NEG");
   const out = [];
@@ -2145,7 +2834,7 @@ function bytes(b) {
   return Buffer.isBuffer(b) ? b : Buffer.from(b);
 }
 function nonce16() {
-  return (0, import_crypto3.randomBytes)(16);
+  return (0, import_crypto5.randomBytes)(16);
 }
 function tlv(type, value) {
   if (!Number.isSafeInteger(type) || type < 0) throw new Error("TLV_BAD_TYPE");
@@ -2691,9 +3380,9 @@ function isAdminOpcode(op) {
 }
 
 // src/core/receipt.ts
-var import_crypto4 = require("crypto");
+var import_crypto6 = require("crypto");
 function buildReceiptHash(prevHash, pid, actorId, intent, effect, ts) {
-  const h = (0, import_crypto4.createHash)("sha256");
+  const h = (0, import_crypto6.createHash)("sha256");
   if (prevHash) h.update(prevHash);
   h.update(pid);
   h.update(Buffer.from(actorId, "utf8"));
@@ -2873,7 +3562,7 @@ function isTimestampValid(ts, skewSeconds = 120) {
 
 // src/upload/axis-files.handlers.ts
 var import_common4 = require("@nestjs/common");
-var crypto2 = __toESM(require("crypto"));
+var crypto3 = __toESM(require("crypto"));
 
 // src/upload/upload.tokens.ts
 var AXIS_UPLOAD_SESSION_STORE = "AXIS_UPLOAD_SESSION_STORE";
@@ -2974,7 +3663,7 @@ var AxisFilesFinalizeHandler = class {
     if (!await this.files.hasTemp(fileId)) {
       throw new Error("CHUNKS_NOT_FOUND");
     }
-    const hash = crypto2.createHash("sha256");
+    const hash = crypto3.createHash("sha256");
     const rs = this.files.createTempReadStream(fileId);
     for await (const chunk of rs) {
       hash.update(chunk);
@@ -3394,10 +4083,10 @@ SensorRegistry = __decorateClass([
 ], SensorRegistry);
 
 // src/engine/axis-observation.ts
-var import_crypto5 = require("crypto");
+var import_crypto7 = require("crypto");
 function createObservation(transport, ip) {
   return {
-    id: (0, import_crypto5.randomBytes)(16).toString("hex"),
+    id: (0, import_crypto7.randomBytes)(16).toString("hex"),
     startMs: Date.now(),
     transport,
     ip,
@@ -3555,88 +4244,857 @@ AxisSensorChainService = __decorateClass([
   (0, import_common9.Injectable)()
 ], AxisSensorChainService);
 
-// src/core/index.ts
-var core_exports = {};
-__export(core_exports, {
-  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
-  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
-  AxisError: () => AxisError,
-  AxisFrameZ: () => AxisFrameZ,
-  BodyProfile: () => import_axis_protocol2.BodyProfile,
-  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
-  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
-  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
-  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
-  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
-  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
-  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
-  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
-  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
-  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
-  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
-  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
-  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
-  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
-  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
-  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
-  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
-  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
-  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
-  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
-  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
-  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
-  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
-  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
-  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
-  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
-  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
-  ProofType: () => import_axis_protocol2.ProofType,
-  TLV: () => import_axis_protocol.TLV,
-  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
-  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
-  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
-  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
-  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
-  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
-  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
-  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
-  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
-  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
-  TLV_KID: () => import_axis_protocol2.TLV_KID,
-  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
-  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
-  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
-  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
-  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
-  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
-  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
-  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
-  TLV_OK: () => import_axis_protocol2.TLV_OK,
-  TLV_PID: () => import_axis_protocol2.TLV_PID,
-  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
-  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
-  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
-  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
-  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
-  TLV_RID: () => import_axis_protocol2.TLV_RID,
-  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
-  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
-  TLV_TS: () => import_axis_protocol2.TLV_TS,
-  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
-  computeReceiptHash: () => computeReceiptHash,
-  computeSignaturePayload: () => computeSignaturePayload,
-  decodeArray: () => import_axis_protocol.decodeArray,
-  decodeFrame: () => decodeFrame,
-  decodeObject: () => import_axis_protocol.decodeObject,
-  decodeTLVs: () => import_axis_protocol.decodeTLVs,
-  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
-  decodeVarint: () => import_axis_protocol3.decodeVarint,
-  encodeFrame: () => encodeFrame,
+// src/utils/axis-tlv-codec.ts
+function encodeAxisTlvDto(dtoClass, data) {
+  const schema = extractDtoSchema(dtoClass);
+  const items = schema.fields.flatMap((field) => {
+    const value = data[field.name];
+    if (value === void 0 || value === null) {
+      if (field.required) {
+        throw new Error(`Missing required TLV response field: ${field.name}`);
+      }
+      return [];
+    }
+    return [{ type: field.tag, value: encodeField(field, value) }];
+  });
+  return buildTLVs(items);
+}
+function encodeField(field, value) {
+  switch (field.kind) {
+    case "utf8":
+      return Buffer.from(String(value), "utf8");
+    case "u64":
+      return encodeU64(value);
+    case "bytes":
+    case "bytes16":
+      return toBuffer(value);
+    case "bool":
+      return Buffer.from([value ? 1 : 0]);
+    case "obj":
+    case "arr":
+      return Buffer.from(JSON.stringify(value), "utf8");
+    default:
+      return toBuffer(value);
+  }
+}
+function encodeU64(value) {
+  const encoded = Buffer.alloc(8);
+  encoded.writeBigUInt64BE(
+    typeof value === "bigint" ? value : BigInt(value)
+  );
+  return encoded;
+}
+function toBuffer(value) {
+  if (Buffer.isBuffer(value)) {
+    return value;
+  }
+  if (value instanceof Uint8Array) {
+    return Buffer.from(value);
+  }
+  if (typeof value === "string") {
+    return Buffer.from(value, "utf8");
+  }
+  throw new Error(`Unsupported TLV bytes value: ${typeof value}`);
+}
+
+// src/loom/loom.types.ts
+function deriveAnchorReflection(softid, context = "openlogs", scope = "loom") {
+  return `ar:${context}:${scope}:${softid}`;
+}
+function canonicalizeWrit(writ) {
+  const ordered = {
+    head: { tid: writ.head.tid, seq: writ.head.seq },
+    body: {
+      who: writ.body.who,
+      act: writ.body.act,
+      res: writ.body.res,
+      law: writ.body.law
+    },
+    meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev }
+  };
+  return JSON.stringify(ordered);
+}
+function canonicalizeGrant(grant) {
+  const ordered = {
+    grant_id: grant.grant_id,
+    issuer: grant.issuer,
+    subject: grant.subject,
+    grant_type: grant.grant_type,
+    caps: grant.caps,
+    meta: grant.meta
+  };
+  return JSON.stringify(ordered);
+}
+
+// src/cce/index.ts
+var cce_exports = {};
+__export(cce_exports, {
+  CCE_AES_KEY_BYTES: () => CCE_AES_KEY_BYTES,
+  CCE_DERIVATION: () => CCE_DERIVATION,
+  CCE_ERROR: () => CCE_ERROR,
+  CCE_IV_BYTES: () => CCE_IV_BYTES,
+  CCE_NONCE_BYTES: () => CCE_NONCE_BYTES,
+  CCE_PROTOCOL_VERSION: () => CCE_PROTOCOL_VERSION,
+  CCE_TAG_BYTES: () => CCE_TAG_BYTES,
+  CceAudienceIntentBindingSensor: () => CceAudienceIntentBindingSensor,
+  CceCapsuleVerificationSensor: () => CceCapsuleVerificationSensor,
+  CceClientSignatureSensor: () => CceClientSignatureSensor,
+  CceEnvelopeValidationSensor: () => CceEnvelopeValidationSensor,
+  CceError: () => CceError,
+  CcePayloadDecryptionSensor: () => CcePayloadDecryptionSensor,
+  CceReplayProtectionSensor: () => CceReplayProtectionSensor,
+  CceTpsWindowSensor: () => CceTpsWindowSensor,
+  InMemoryCceReplayStore: () => InMemoryCceReplayStore,
+  InMemoryCceWitnessStore: () => InMemoryCceWitnessStore,
+  aesGcmDecrypt: () => aesGcmDecrypt,
+  aesGcmEncrypt: () => aesGcmEncrypt,
+  base64UrlDecode: () => base64UrlDecode,
+  base64UrlEncode: () => base64UrlEncode,
+  buildCceErrorResponse: () => buildCceErrorResponse,
+  buildCceResponse: () => buildCceResponse,
+  buildExecutionContext: () => buildExecutionContext,
+  buildWitnessRecord: () => buildWitnessRecord,
+  deriveRequestExecutionKey: () => deriveRequestExecutionKey,
+  deriveResponseExecutionKey: () => deriveResponseExecutionKey,
+  deriveWitnessKey: () => deriveWitnessKey,
+  executeCcePipeline: () => executeCcePipeline,
+  extractVerificationState: () => extractVerificationState,
+  generateAesKey: () => generateAesKey,
+  generateCceNonce: () => generateCceNonce,
+  generateIv: () => generateIv,
+  hashPayload: () => hashPayload,
+  nodeAesGcmProvider: () => nodeAesGcmProvider
+});
+
+// src/cce/sensors/cce-envelope-validation.sensor.ts
+var REQUIRED_FIELDS = [
+  "ver",
+  "request_id",
+  "correlation_id",
+  "client_kid",
+  "capsule",
+  "encrypted_key",
+  "encrypted_payload",
+  "request_nonce",
+  "client_sig",
+  "algorithms"
+];
+var CceEnvelopeValidationSensor = class {
+  constructor() {
+    this.name = "cce.envelope.validation";
+    this.order = 5;
+    this.phase = "PRE_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cce === true || input.metadata?.contentType === "application/axis-cce";
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    for (const field of REQUIRED_FIELDS) {
+      if (envelope[field] === void 0 || envelope[field] === null) {
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: missing ${field}`],
+          code: CCE_ERROR.INVALID_ENVELOPE
+        };
+      }
+    }
+    if (envelope.ver !== CCE_PROTOCOL_VERSION) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.UNSUPPORTED_VERSION}: ${envelope.ver}`],
+        code: CCE_ERROR.UNSUPPORTED_VERSION
+      };
+    }
+    if (!/^[0-9a-f]+$/i.test(envelope.request_nonce)) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INVALID_ENVELOPE}: invalid request_nonce format`
+        ],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    if (envelope.request_nonce.length !== CCE_NONCE_BYTES * 2) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: request_nonce wrong length`],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    const capsule = envelope.capsule;
+    if (!capsule.capsule_id || !capsule.ver || !capsule.sub || !capsule.kid || !capsule.intent || !capsule.aud || !capsule.issuer_sig) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.MISSING_CAPSULE}: incomplete capsule claims`],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    if (!envelope.encrypted_key.ciphertext || !envelope.encrypted_key.alg) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.MISSING_ENCRYPTED_KEY}: incomplete encrypted_key`
+        ],
+        code: CCE_ERROR.MISSING_ENCRYPTED_KEY
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceEnvelopeValid = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+
+// src/cce/sensors/cce-client-signature.sensor.ts
+var CceClientSignatureSensor = class {
+  constructor(keyResolver, signatureVerifier) {
+    this.keyResolver = keyResolver;
+    this.signatureVerifier = signatureVerifier;
+    this.name = "cce.client.signature";
+    this.order = 45;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true;
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    const keyRecord = await this.keyResolver.resolve(envelope.client_kid);
+    if (!keyRecord) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.CLIENT_KEY_NOT_FOUND}: kid=${envelope.client_kid}`
+        ],
+        code: CCE_ERROR.CLIENT_KEY_NOT_FOUND
+      };
+    }
+    const { client_sig, ...signable } = envelope;
+    const canonical = canonicalize2(signable);
+    const message = new TextEncoder().encode(canonical);
+    const valid = await this.signatureVerifier.verify(
+      message,
+      client_sig.value,
+      keyRecord.publicKeyHex,
+      keyRecord.alg
+    );
+    if (!valid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.CLIENT_SIG_INVALID],
+        code: CCE_ERROR.CLIENT_SIG_INVALID
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceClientKey = keyRecord;
+    input.metadata.cceClientSigVerified = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      meta: { kid: envelope.client_kid }
+    };
+  }
+};
+function canonicalize2(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize2).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize2(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+
+// src/cce/sensors/cce-capsule-verification.sensor.ts
+var import_blake3 = require("@noble/hashes/blake3.js");
+var import_utils5 = require("@noble/hashes/utils.js");
+var CceCapsuleVerificationSensor = class {
+  constructor(issuerKeyResolver, capsuleVerifier) {
+    this.issuerKeyResolver = issuerKeyResolver;
+    this.capsuleVerifier = capsuleVerifier;
+    this.name = "cce.capsule.verification";
+    this.order = 50;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceEnvelope?.capsule;
+    if (!capsule) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    if (capsule.ver !== CCE_PROTOCOL_VERSION) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.CAPSULE_SIG_INVALID}: wrong version ${capsule.ver}`
+        ],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const { capsule_id, issuer_sig, ...claimsBody } = capsule;
+    const expectedId = computeCceCapsuleId(claimsBody);
+    if (capsule_id !== expectedId) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: content hash mismatch`],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const issuerKey = await this.issuerKeyResolver.resolve(
+      capsule.issuer_sig.kid
+    );
+    if (!issuerKey) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: issuer key not found`],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const { issuer_sig: sig, ...rest } = capsule;
+    const sigValid = await this.capsuleVerifier.verify(
+      rest,
+      sig,
+      issuerKey.publicKeyHex
+    );
+    if (!sigValid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.CAPSULE_SIG_INVALID],
+        code: CCE_ERROR.CAPSULE_SIG_INVALID
+      };
+    }
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    if (capsule.exp < nowSeconds) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_EXPIRED}: exp=${capsule.exp}`],
+        code: CCE_ERROR.CAPSULE_EXPIRED
+      };
+    }
+    if (capsule.iat > nowSeconds + 5) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_NOT_YET_VALID}: iat=${capsule.iat}`],
+        code: CCE_ERROR.CAPSULE_NOT_YET_VALID
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceCapsuleVerified = true;
+    input.metadata.cceCapsule = capsule;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: [],
+      meta: { capsule_id: capsule.capsule_id }
+    };
+  }
+};
+function canonicalize3(obj) {
+  if (Array.isArray(obj)) {
+    return "[" + obj.map(canonicalize3).join(",") + "]";
+  }
+  if (obj !== null && typeof obj === "object") {
+    const sorted = Object.keys(obj).sort().map(
+      (k) => JSON.stringify(k) + ":" + canonicalize3(obj[k])
+    );
+    return "{" + sorted.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+function computeCceCapsuleId(claims) {
+  const canonical = canonicalize3(claims);
+  const hash = (0, import_blake3.blake3)(new TextEncoder().encode(canonical));
+  return "cce_b3_" + (0, import_utils5.bytesToHex)(hash).slice(0, 32);
+}
+
+// src/cce/sensors/cce-tps-window.sensor.ts
+var DEFAULT_SKEW_MS = 5e3;
+var CceTpsWindowSensor = class {
+  constructor(skewMs = DEFAULT_SKEW_MS) {
+    this.skewMs = skewMs;
+    this.name = "cce.tps.window";
+    this.order = 92;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    if (!capsule) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    const nowMs = Date.now();
+    if (nowMs > capsule.tps_to + this.skewMs) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.TPS_WINDOW_EXPIRED}: window ended at ${capsule.tps_to}, now=${nowMs}`
+        ],
+        code: CCE_ERROR.TPS_WINDOW_EXPIRED
+      };
+    }
+    if (nowMs < capsule.tps_from - this.skewMs) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.TPS_WINDOW_FUTURE}: window starts at ${capsule.tps_from}, now=${nowMs}`
+        ],
+        code: CCE_ERROR.TPS_WINDOW_FUTURE
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceTpsValid = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+
+// src/cce/sensors/cce-audience-intent-binding.sensor.ts
+var CceAudienceIntentBindingSensor = class {
+  constructor(axisAudience) {
+    this.axisAudience = axisAudience;
+    this.name = "cce.audience.intent.binding";
+    this.order = 95;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    const envelope = input.metadata?.cceEnvelope;
+    if (!capsule || !envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    if (capsule.aud !== this.axisAudience) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.AUDIENCE_MISMATCH}: capsule.aud=${capsule.aud}, expected=${this.axisAudience}`
+        ],
+        code: CCE_ERROR.AUDIENCE_MISMATCH
+      };
+    }
+    const requestIntent = input.intent ?? input.metadata?.cceRequestIntent;
+    if (requestIntent && capsule.intent !== requestIntent) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INTENT_MISMATCH}: capsule.intent=${capsule.intent}, request=${requestIntent}`
+        ],
+        code: CCE_ERROR.INTENT_MISMATCH
+      };
+    }
+    if (envelope.client_kid !== capsule.kid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.INTENT_MISMATCH}: envelope.kid=${envelope.client_kid}, capsule.kid=${capsule.kid}`
+        ],
+        code: CCE_ERROR.INTENT_MISMATCH
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceBindingVerified = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+
+// src/cce/sensors/cce-replay-protection.sensor.ts
+var InMemoryCceReplayStore = class {
+  constructor() {
+    this.nonces = /* @__PURE__ */ new Map();
+    this.consumed = /* @__PURE__ */ new Set();
+    this.revoked = /* @__PURE__ */ new Set();
+  }
+  async checkAndMark(key, ttlMs) {
+    this.cleanup();
+    if (this.nonces.has(key)) return false;
+    this.nonces.set(key, Date.now() + ttlMs);
+    return true;
+  }
+  async isCapsuleConsumed(capsuleId) {
+    return this.consumed.has(capsuleId);
+  }
+  async markCapsuleConsumed(capsuleId, _ttlMs) {
+    this.consumed.add(capsuleId);
+  }
+  async isCapsuleRevoked(capsuleId) {
+    return this.revoked.has(capsuleId);
+  }
+  /** Revoke a capsule (for testing/admin) */
+  revoke(capsuleId) {
+    this.revoked.add(capsuleId);
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, expiresAt] of this.nonces) {
+      if (expiresAt < now) this.nonces.delete(key);
+    }
+  }
+};
+var CceReplayProtectionSensor = class {
+  constructor(replayStore, options) {
+    this.replayStore = replayStore;
+    this.name = "cce.replay.protection";
+    this.order = 98;
+    this.phase = "POST_DECODE";
+    this.nonceTtlMs = options?.nonceTtlMs ?? 5 * 60 * 1e3;
+  }
+  supports(input) {
+    return input.metadata?.cceCapsuleVerified === true;
+  }
+  async run(input) {
+    const capsule = input.metadata?.cceCapsule;
+    const envelope = input.metadata?.cceEnvelope;
+    if (!capsule || !envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.MISSING_CAPSULE],
+        code: CCE_ERROR.MISSING_CAPSULE
+      };
+    }
+    const revoked = await this.replayStore.isCapsuleRevoked(capsule.capsule_id);
+    if (revoked) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.CAPSULE_REVOKED}: ${capsule.capsule_id}`],
+        code: CCE_ERROR.CAPSULE_REVOKED
+      };
+    }
+    if (capsule.mode === "SINGLE_USE") {
+      const consumed = await this.replayStore.isCapsuleConsumed(
+        capsule.capsule_id
+      );
+      if (consumed) {
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [`${CCE_ERROR.CAPSULE_CONSUMED}: ${capsule.capsule_id}`],
+          code: CCE_ERROR.CAPSULE_CONSUMED
+        };
+      }
+    }
+    const nonceKey = `cce:nonce:${capsule.sub}:${capsule.aud}:${capsule.intent}:${envelope.request_nonce}`;
+    const nonceValid = await this.replayStore.checkAndMark(
+      nonceKey,
+      this.nonceTtlMs
+    );
+    if (!nonceValid) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.NONCE_REUSED}: ${envelope.request_nonce.slice(0, 16)}...`
+        ],
+        code: CCE_ERROR.NONCE_REUSED
+      };
+    }
+    if (capsule.mode === "SINGLE_USE") {
+      const capsuleTtl = (capsule.exp - capsule.iat) * 1e3 + 6e4;
+      await this.replayStore.markCapsuleConsumed(
+        capsule.capsule_id,
+        capsuleTtl
+      );
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceReplayClean = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+
+// src/cce/sensors/cce-payload-decryption.sensor.ts
+var CcePayloadDecryptionSensor = class {
+  constructor(keyProvider, aesProvider, maxPayloadBytes = 64 * 1024) {
+    this.keyProvider = keyProvider;
+    this.aesProvider = aesProvider;
+    this.maxPayloadBytes = maxPayloadBytes;
+    this.name = "cce.payload.decryption";
+    this.order = 145;
+    this.phase = "POST_DECODE";
+  }
+  supports(input) {
+    return input.metadata?.cceEnvelopeValid === true && input.metadata?.cceClientSigVerified === true && input.metadata?.cceCapsuleVerified === true && input.metadata?.cceReplayClean === true;
+  }
+  async run(input) {
+    const envelope = input.metadata?.cceEnvelope;
+    if (!envelope) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.INVALID_ENVELOPE],
+        code: CCE_ERROR.INVALID_ENVELOPE
+      };
+    }
+    let aesKey;
+    try {
+      aesKey = await this.keyProvider.unwrapKey(
+        envelope.encrypted_key.ciphertext,
+        envelope.encrypted_key.alg,
+        envelope.encrypted_key.axis_kid,
+        envelope.encrypted_key.ephemeral_pk
+      );
+    } catch {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],
+        code: CCE_ERROR.KEY_UNWRAP_FAILED
+      };
+    }
+    if (!aesKey) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],
+        code: CCE_ERROR.KEY_UNWRAP_FAILED
+      };
+    }
+    let iv;
+    let ciphertext;
+    let tag;
+    try {
+      iv = base64UrlDecode2(envelope.encrypted_payload.iv);
+      ciphertext = base64UrlDecode2(envelope.encrypted_payload.ciphertext);
+      tag = base64UrlDecode2(envelope.encrypted_payload.tag);
+    } catch {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [`${CCE_ERROR.DECRYPTION_FAILED}: invalid base64url encoding`],
+        code: CCE_ERROR.DECRYPTION_FAILED
+      };
+    }
+    if (ciphertext.length > this.maxPayloadBytes) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [
+          `${CCE_ERROR.PAYLOAD_TOO_LARGE}: ${ciphertext.length} > ${this.maxPayloadBytes}`
+        ],
+        code: CCE_ERROR.PAYLOAD_TOO_LARGE
+      };
+    }
+    const aad = buildAad(envelope);
+    let plaintext;
+    try {
+      plaintext = await this.aesProvider.decrypt(
+        aesKey,
+        iv,
+        ciphertext,
+        tag,
+        aad
+      );
+    } catch {
+      plaintext = null;
+    } finally {
+      aesKey.fill(0);
+    }
+    if (!plaintext) {
+      return {
+        allow: false,
+        riskScore: 100,
+        reasons: [CCE_ERROR.AEAD_TAG_MISMATCH],
+        code: CCE_ERROR.AEAD_TAG_MISMATCH
+      };
+    }
+    input.metadata = input.metadata ?? {};
+    input.metadata.cceDecryptedPayload = plaintext;
+    input.metadata.cceDecryptionOk = true;
+    return {
+      decision: "ALLOW" /* ALLOW */,
+      allow: true,
+      riskScore: 0,
+      reasons: []
+    };
+  }
+};
+function buildAad(envelope) {
+  const parts = [
+    envelope.ver,
+    envelope.request_id,
+    envelope.correlation_id,
+    envelope.client_kid,
+    envelope.capsule.capsule_id,
+    envelope.capsule.intent,
+    envelope.capsule.aud,
+    envelope.request_nonce
+  ];
+  return new TextEncoder().encode(parts.join("|"));
+}
+function base64UrlDecode2(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(base64 + padding);
+  const bytes2 = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes2[i] = binary.charCodeAt(i);
+  }
+  return bytes2;
+}
+
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  AXIS_MAGIC: () => import_axis_protocol2.AXIS_MAGIC,
+  AXIS_VERSION: () => import_axis_protocol2.AXIS_VERSION,
+  AxisError: () => AxisError,
+  AxisFrameZ: () => AxisFrameZ,
+  BodyProfile: () => import_axis_protocol2.BodyProfile,
+  ERR_BAD_SIGNATURE: () => import_axis_protocol2.ERR_BAD_SIGNATURE,
+  ERR_CONTRACT_VIOLATION: () => import_axis_protocol2.ERR_CONTRACT_VIOLATION,
+  ERR_INVALID_PACKET: () => import_axis_protocol2.ERR_INVALID_PACKET,
+  ERR_REPLAY_DETECTED: () => import_axis_protocol2.ERR_REPLAY_DETECTED,
+  FLAG_BODY_TLV: () => import_axis_protocol2.FLAG_BODY_TLV,
+  FLAG_CHAIN_REQ: () => import_axis_protocol2.FLAG_CHAIN_REQ,
+  FLAG_HAS_WITNESS: () => import_axis_protocol2.FLAG_HAS_WITNESS,
+  MAX_BODY_LEN: () => import_axis_protocol2.MAX_BODY_LEN,
+  MAX_FRAME_LEN: () => import_axis_protocol2.MAX_FRAME_LEN,
+  MAX_HDR_LEN: () => import_axis_protocol2.MAX_HDR_LEN,
+  MAX_SIG_LEN: () => import_axis_protocol2.MAX_SIG_LEN,
+  NCERT_ALG: () => import_axis_protocol2.NCERT_ALG,
+  NCERT_EXP: () => import_axis_protocol2.NCERT_EXP,
+  NCERT_ISSUER_KID: () => import_axis_protocol2.NCERT_ISSUER_KID,
+  NCERT_KID: () => import_axis_protocol2.NCERT_KID,
+  NCERT_NBF: () => import_axis_protocol2.NCERT_NBF,
+  NCERT_NODE_ID: () => import_axis_protocol2.NCERT_NODE_ID,
+  NCERT_PAYLOAD: () => import_axis_protocol2.NCERT_PAYLOAD,
+  NCERT_PUB: () => import_axis_protocol2.NCERT_PUB,
+  NCERT_SCOPE: () => import_axis_protocol2.NCERT_SCOPE,
+  NCERT_SIG: () => import_axis_protocol2.NCERT_SIG,
+  PROOF_CAPSULE: () => import_axis_protocol2.PROOF_CAPSULE,
+  PROOF_JWT: () => import_axis_protocol2.PROOF_JWT,
+  PROOF_LOOM: () => import_axis_protocol2.PROOF_LOOM,
+  PROOF_MTLS: () => import_axis_protocol2.PROOF_MTLS,
+  PROOF_NONE: () => import_axis_protocol2.PROOF_NONE,
+  PROOF_WITNESS: () => import_axis_protocol2.PROOF_WITNESS,
+  ProofType: () => import_axis_protocol2.ProofType,
+  TLV: () => import_axis_protocol.TLV,
+  TLV_ACTOR_ID: () => import_axis_protocol2.TLV_ACTOR_ID,
+  TLV_AUD: () => import_axis_protocol2.TLV_AUD,
+  TLV_BODY_ARR: () => import_axis_protocol2.TLV_BODY_ARR,
+  TLV_BODY_OBJ: () => import_axis_protocol2.TLV_BODY_OBJ,
+  TLV_CAPSULE: () => import_axis_protocol2.TLV_CAPSULE,
+  TLV_EFFECT: () => import_axis_protocol2.TLV_EFFECT,
+  TLV_ERROR_CODE: () => import_axis_protocol2.TLV_ERROR_CODE,
+  TLV_ERROR_MSG: () => import_axis_protocol2.TLV_ERROR_MSG,
+  TLV_INDEX: () => import_axis_protocol2.TLV_INDEX,
+  TLV_INTENT: () => import_axis_protocol2.TLV_INTENT,
+  TLV_KID: () => import_axis_protocol2.TLV_KID,
+  TLV_LOOM_PRESENCE_ID: () => import_axis_protocol2.TLV_LOOM_PRESENCE_ID,
+  TLV_LOOM_THREAD_HASH: () => import_axis_protocol2.TLV_LOOM_THREAD_HASH,
+  TLV_LOOM_WRIT: () => import_axis_protocol2.TLV_LOOM_WRIT,
+  TLV_NODE: () => import_axis_protocol2.TLV_NODE,
+  TLV_NODE_CERT_HASH: () => import_axis_protocol2.TLV_NODE_CERT_HASH,
+  TLV_NODE_KID: () => import_axis_protocol2.TLV_NODE_KID,
+  TLV_NONCE: () => import_axis_protocol2.TLV_NONCE,
+  TLV_OFFSET: () => import_axis_protocol2.TLV_OFFSET,
+  TLV_OK: () => import_axis_protocol2.TLV_OK,
+  TLV_PID: () => import_axis_protocol2.TLV_PID,
+  TLV_PREV_HASH: () => import_axis_protocol2.TLV_PREV_HASH,
+  TLV_PROOF_REF: () => import_axis_protocol2.TLV_PROOF_REF,
+  TLV_PROOF_TYPE: () => import_axis_protocol2.TLV_PROOF_TYPE,
+  TLV_REALM: () => import_axis_protocol2.TLV_REALM,
+  TLV_RECEIPT_HASH: () => import_axis_protocol2.TLV_RECEIPT_HASH,
+  TLV_RID: () => import_axis_protocol2.TLV_RID,
+  TLV_SHA256_CHUNK: () => import_axis_protocol2.TLV_SHA256_CHUNK,
+  TLV_TRACE_ID: () => import_axis_protocol2.TLV_TRACE_ID,
+  TLV_TS: () => import_axis_protocol2.TLV_TS,
+  TLV_UPLOAD_ID: () => import_axis_protocol2.TLV_UPLOAD_ID,
+  computeReceiptHash: () => computeReceiptHash,
+  computeSignaturePayload: () => computeSignaturePayload,
+  decodeArray: () => import_axis_protocol.decodeArray,
+  decodeFrame: () => decodeFrame,
+  decodeObject: () => import_axis_protocol.decodeObject,
+  decodeTLVs: () => import_axis_protocol.decodeTLVs,
+  decodeTLVsList: () => import_axis_protocol.decodeTLVsList,
+  decodeVarint: () => import_axis_protocol3.decodeVarint,
+  encodeFrame: () => encodeFrame,
   encodeTLVs: () => import_axis_protocol.encodeTLVs,
   encodeVarint: () => import_axis_protocol3.encodeVarint,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getSignTarget: () => getSignTarget,
-  sha256: () => sha256,
+  sha256: () => sha2564,
   signFrame: () => signFrame,
   varintLength: () => import_axis_protocol3.varintLength,
   verifyFrameSignature: () => verifyFrameSignature
@@ -3656,7 +5114,7 @@ __export(crypto_exports, {
 
 // src/crypto/proof-verification.service.ts
 var import_common10 = require("@nestjs/common");
-var crypto3 = __toESM(require("crypto"));
+var crypto4 = __toESM(require("crypto"));
 var nacl = __toESM(require("tweetnacl"));
 var ProofVerificationService = class {
   constructor() {
@@ -3868,7 +5326,7 @@ var ProofVerificationService = class {
       certPem.replace(/-----BEGIN CERTIFICATE-----/, "").replace(/-----END CERTIFICATE-----/, "").replace(/\s/g, ""),
       "base64"
     );
-    return crypto3.createHash("sha256").update(der).digest("hex");
+    return crypto4.createHash("sha256").update(der).digest("hex");
   }
 };
 ProofVerificationService = __decorateClass([
@@ -3915,12 +5373,22 @@ __export(engine_exports, {
   PRE_DECODE_BOUNDARY: () => PRE_DECODE_BOUNDARY,
   SensorDiscoveryService: () => SensorDiscoveryService,
   SensorRegistry: () => SensorRegistry,
+  buildQueueMessage: () => buildQueueMessage,
+  buildUnsignedWitness: () => buildUnsignedWitness,
+  canonicalizeObservation: () => canonicalizeObservation,
   createObservation: () => createObservation,
+  decodeQueueMessage: () => decodeQueueMessage,
+  encodeQueueMessage: () => encodeQueueMessage,
   endStage: () => endStage,
   finalizeObservation: () => finalizeObservation,
+  hashObservation: () => hashObservation,
   observation: () => observation_exports,
+  parseAutoClaimEntries: () => parseAutoClaimEntries,
+  parseStreamEntries: () => parseStreamEntries,
   recordSensor: () => recordSensor,
-  startStage: () => startStage
+  stableJsonStringify: () => stableJsonStringify,
+  startStage: () => startStage,
+  verifyResponse: () => verifyResponse
 });
 
 // src/engine/observation/index.ts
@@ -3950,35 +5418,6 @@ __export(loom_exports, {
   deriveAnchorReflection: () => deriveAnchorReflection
 });
 
-// src/loom/loom.types.ts
-function deriveAnchorReflection(softid, context = "openlogs", scope = "loom") {
-  return `ar:${context}:${scope}:${softid}`;
-}
-function canonicalizeWrit(writ) {
-  const ordered = {
-    head: { tid: writ.head.tid, seq: writ.head.seq },
-    body: {
-      who: writ.body.who,
-      act: writ.body.act,
-      res: writ.body.res,
-      law: writ.body.law
-    },
-    meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev }
-  };
-  return JSON.stringify(ordered);
-}
-function canonicalizeGrant(grant) {
-  const ordered = {
-    grant_id: grant.grant_id,
-    issuer: grant.issuer,
-    subject: grant.subject,
-    grant_type: grant.grant_type,
-    caps: grant.caps,
-    meta: grant.meta
-  };
-  return JSON.stringify(ordered);
-}
-
 // src/schemas/index.ts
 var schemas_exports = {};
 __export(schemas_exports, {
@@ -4681,7 +6120,7 @@ CapabilityEnforcementSensor = __decorateClass([
 
 // src/sensors/chunk-hash.sensor.ts
 var import_common15 = require("@nestjs/common");
-var import_crypto6 = require("crypto");
+var import_crypto8 = require("crypto");
 var ChunkHashSensor = class {
   constructor() {
     /** Sensor identifier */
@@ -4740,7 +6179,7 @@ var ChunkHashSensor = class {
         reason: "Missing sha256Chunk TLV in header"
       };
     }
-    const actual = (0, import_crypto6.createHash)("sha256").update(bodyBytes).digest();
+    const actual = (0, import_crypto8.createHash)("sha256").update(bodyBytes).digest();
     if (!Buffer.from(actual).equals(Buffer.from(expected))) {
       return {
         action: "DENY",
@@ -4758,7 +6197,7 @@ ChunkHashSensor = __decorateClass([
 
 // src/sensors/entropy.sensor.ts
 var import_common16 = require("@nestjs/common");
-var crypto4 = __toESM(require("crypto"));
+var crypto5 = __toESM(require("crypto"));
 var EntropySensor = class {
   constructor() {
     this.logger = new import_common16.Logger(EntropySensor.name);
@@ -4926,7 +6365,7 @@ var EntropySensor = class {
    * @returns {Uint8Array} Cryptographically secure random bytes
    */
   static generateSecureRandom(length) {
-    return new Uint8Array(crypto4.randomBytes(length));
+    return new Uint8Array(crypto5.randomBytes(length));
   }
 };
 EntropySensor = __decorateClass([
@@ -5989,59 +7428,6 @@ var utils_exports = {};
 __export(utils_exports, {
   encodeAxisTlvDto: () => encodeAxisTlvDto
 });
-
-// src/utils/axis-tlv-codec.ts
-function encodeAxisTlvDto(dtoClass, data) {
-  const schema = extractDtoSchema(dtoClass);
-  const items = schema.fields.flatMap((field) => {
-    const value = data[field.name];
-    if (value === void 0 || value === null) {
-      if (field.required) {
-        throw new Error(`Missing required TLV response field: ${field.name}`);
-      }
-      return [];
-    }
-    return [{ type: field.tag, value: encodeField(field, value) }];
-  });
-  return buildTLVs(items);
-}
-function encodeField(field, value) {
-  switch (field.kind) {
-    case "utf8":
-      return Buffer.from(String(value), "utf8");
-    case "u64":
-      return encodeU64(value);
-    case "bytes":
-    case "bytes16":
-      return toBuffer(value);
-    case "bool":
-      return Buffer.from([value ? 1 : 0]);
-    case "obj":
-    case "arr":
-      return Buffer.from(JSON.stringify(value), "utf8");
-    default:
-      return toBuffer(value);
-  }
-}
-function encodeU64(value) {
-  const encoded = Buffer.alloc(8);
-  encoded.writeBigUInt64BE(
-    typeof value === "bigint" ? value : BigInt(value)
-  );
-  return encoded;
-}
-function toBuffer(value) {
-  if (Buffer.isBuffer(value)) {
-    return value;
-  }
-  if (value instanceof Uint8Array) {
-    return Buffer.from(value);
-  }
-  if (typeof value === "string") {
-    return Buffer.from(value, "utf8");
-  }
-  throw new Error(`Unsupported TLV bytes value: ${typeof value}`);
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATS1_HDR,
@@ -6070,6 +7456,9 @@ function toBuffer(value) {
   BAND,
   BodyProfile,
   CAPABILITIES,
+  CCE_ERROR,
+  CCE_PROTOCOL_VERSION,
+  CceError,
   ContractViolationError,
   DEFAULT_CONTRACTS,
   DEFAULT_TIMEOUT,
@@ -6129,6 +7518,7 @@ function toBuffer(value) {
   RESPONSE_TAG_ID,
   RESPONSE_TAG_UPDATED_AT,
   RESPONSE_TAG_UPDATED_BY,
+  ResponseObserver,
   RiskDecision,
   SENSOR_METADATA_KEY,
   Schema2002_PasskeyLoginOptionsRes,
@@ -6162,6 +7552,7 @@ function toBuffer(value) {
   TLV_OFFSET,
   TLV_OK,
   TLV_PID,
+  TLV_PRESENCE_ID,
   TLV_PREV_HASH,
   TLV_PROOF_REF,
   TLV_PROOF_TYPE,
@@ -6169,10 +7560,12 @@ function toBuffer(value) {
   TLV_RECEIPT_HASH,
   TLV_RID,
   TLV_SHA256_CHUNK,
+  TLV_THREAD_HASH,
   TLV_TRACE_ID,
   TLV_TS,
   TLV_UPLOAD_ID,
   TLV_VALIDATORS_KEY,
+  TLV_WRIT,
   TlvEnum,
   TlvField,
   TlvMinLen,
@@ -6195,7 +7588,10 @@ function toBuffer(value) {
   canAccessResource,
   canonicalJson,
   canonicalJsonExcluding,
+  canonicalizeGrant,
   canonicalizeObservation,
+  canonicalizeWrit,
+  cce,
   classifyIntent,
   computeReceiptHash,
   computeSignaturePayload,
@@ -6211,14 +7607,17 @@ function toBuffer(value) {
   decodeTLVsList,
   decodeVarint,
   decorators,
+  deriveAnchorReflection,
   encVarint,
   encodeAxis1Frame,
+  encodeAxisTlvDto,
   encodeFrame,
   encodeQueueMessage,
   encodeTLVs,
   encodeVarint,
   endStage,
   engine,
+  executeCcePipeline,
   extractDtoSchema,
   finalizeObservation,
   generateEd25519KeyPair,