@nextera.one/axis-server-sdk 2.1.4 → 2.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +905 -905
  2. package/dist/index.d.ts +905 -905
  3. package/dist/index.js +200 -171
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +186 -157
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +1 -1
package/dist/index.d.ts CHANGED
@@ -1,7 +1,7 @@
1
+ import * as z from 'zod';
1
2
  import { A as AxisFrame$2 } from './index-DXHfWxLG.js';
2
3
  export { a as AxisBinaryFrame, b as AxisError, c as AxisFrameZ, d as AxisMediaTypes, e as computeReceiptHash, f as computeSignaturePayload, i as core, g as decodeFrame, h as encodeFrame, j as generateEd25519KeyPair, k as getSignTarget, s as sha256, l as signFrame, v as verifyFrameSignature } from './index-DXHfWxLG.js';
3
4
  import { ModuleRef, DiscoveryService, Reflector, MetadataScanner } from '@nestjs/core';
4
- import * as z from 'zod';
5
5
  import { PROOF_LOOM, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT } from '@nextera.one/axis-protocol';
6
6
  export { AXIS_MAGIC, AXIS_VERSION, TLV as AxisTlvType, BodyProfile, ERR_BAD_SIGNATURE, ERR_CONTRACT_VIOLATION, ERR_INVALID_PACKET, ERR_REPLAY_DETECTED, FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS, MAX_BODY_LEN, MAX_FRAME_LEN, MAX_HDR_LEN, MAX_SIG_LEN, NCERT_ALG, NCERT_EXP, NCERT_ISSUER_KID, NCERT_KID, NCERT_NBF, NCERT_NODE_ID, NCERT_PAYLOAD, NCERT_PUB, NCERT_SCOPE, NCERT_SIG, PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS, ProofType, TLV, TLV_ACTOR_ID, TLV_AUD, TLV_BODY_ARR, TLV_BODY_OBJ, TLV_CAPSULE, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG, TLV_INDEX, TLV_INTENT, TLV_KID, TLV_LOOM_PRESENCE_ID, TLV_LOOM_THREAD_HASH, TLV_LOOM_WRIT, TLV_NODE, TLV_NODE_CERT_HASH, TLV_NODE_KID, TLV_NONCE, TLV_OFFSET, TLV_OK, TLV_PID, TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID, TLV_PREV_HASH, TLV_PROOF_REF, TLV_PROOF_TYPE, TLV_REALM, TLV_RECEIPT_HASH, TLV_RID, TLV_SHA256_CHUNK, TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH, TLV_TRACE_ID, TLV_TS, TLV_UPLOAD_ID, TLV_LOOM_WRIT as TLV_WRIT, decodeArray, decodeObject, decodeTLVs, decodeTLVsList, decodeVarint, encodeTLVs, encodeVarint, varintLength } from '@nextera.one/axis-protocol';
7
7
  import { OnApplicationBootstrap, OnModuleInit } from '@nestjs/common';
@@ -139,800 +139,73 @@ declare function CapsulePolicy(options?: CapsulePolicyOptions): ClassDecorator &
139
139
  declare function normalizeCapsulePolicyOptions(options?: CapsulePolicyOptions): CapsulePolicyOptions;
140
140
  declare function mergeCapsulePolicyOptions(base?: CapsulePolicyOptions, override?: CapsulePolicyOptions): CapsulePolicyOptions | undefined;
141
141
 
142
- declare const HANDLER_METADATA_KEY = "axis:handler";
143
- declare function Handler(intent?: string): ClassDecorator;
144
-
145
- declare const INTENT_METADATA_KEY = "axis:intent";
146
- declare const INTENT_ROUTES_KEY = "axis:intent_routes";
147
- type IntentKind = 'create' | 'read' | 'update' | 'delete' | 'action';
148
- interface IntentTlvField {
149
- name: string;
150
- tag: number;
151
- kind: 'utf8' | 'u64' | 'bytes' | 'bytes16' | 'bool' | 'obj' | 'arr';
152
- required?: boolean;
153
- maxLen?: number;
154
- max?: string;
155
- scope?: 'header' | 'body';
156
- }
157
- interface IntentRoute {
158
- action: string;
159
- methodName: string | symbol;
160
- absolute?: boolean;
161
- frame?: boolean;
162
- kind?: IntentKind;
163
- chain?: boolean | ChainOptions;
164
- bodyProfile?: 'TLV_MAP' | 'RAW' | 'TLV_OBJ' | 'TLV_ARR';
165
- tlv?: IntentTlvField[];
166
- dto?: Function;
167
- }
168
- interface IntentOptions {
169
- kind?: IntentKind;
170
- absolute?: boolean;
171
- frame?: boolean;
172
- chain?: boolean | ChainOptions;
173
- bodyProfile?: 'TLV_MAP' | 'RAW' | 'TLV_OBJ' | 'TLV_ARR';
174
- tlv?: IntentTlvField[];
175
- dto?: Function;
176
- }
177
- declare function Intent(action: string, options?: IntentOptions): MethodDecorator;
178
-
179
- declare const INTENT_BODY_KEY = "axis:intent:body";
180
- declare function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator;
181
-
182
- declare const INTENT_SENSORS_KEY = "axis:intent:sensors";
183
- declare function IntentSensors(sensors: Function[]): MethodDecorator;
184
-
185
- declare const OBSERVER_METADATA_KEY = "axis:observer";
186
- declare const OBSERVER_BINDINGS_KEY = "axis:observer:bindings";
187
- type AxisObserverRef = string | Function;
188
- interface AxisObserverDefinition {
189
- name?: string;
190
- tags?: string[];
191
- events?: AxisObserverEvent[];
192
- intents?: string[];
193
- handlers?: string[];
194
- }
195
- interface AxisObserverBinding {
196
- refs: AxisObserverRef[];
197
- tags?: string[];
198
- events?: AxisObserverEvent[];
199
- }
200
- interface AxisObserverBindingOptions {
201
- use: AxisObserverRef | AxisObserverRef[];
202
- tags?: string[];
203
- events?: AxisObserverEvent[];
204
- }
205
- declare function Observer(input?: AxisObserverDefinition | AxisObserverBindingOptions | AxisObserverRef | AxisObserverRef[]): ClassDecorator & MethodDecorator;
206
-
207
- declare const HANDLER_SENSORS_KEY = "axis:handler:sensors";
208
- declare function HandlerSensors(sensors: Function[]): ClassDecorator;
209
-
210
- declare const SENSOR_METADATA_KEY = "axis:sensor";
211
- type SensorPhase = 'PRE_DECODE' | 'POST_DECODE';
212
- interface SensorOptions {
213
- phase?: SensorPhase;
214
- }
215
- declare function Sensor(options?: SensorOptions): ClassDecorator;
216
-
217
- declare const TLV_FIELDS_KEY = "axis:tlv:fields";
218
- declare const TLV_VALIDATORS_KEY = "axis:tlv:validators";
219
- type TlvFieldKind = 'utf8' | 'u64' | 'bytes' | 'bytes16' | 'bool' | 'obj' | 'arr';
220
- interface TlvFieldOptions {
221
- kind: TlvFieldKind;
222
- required?: boolean;
223
- maxLen?: number;
224
- max?: string;
225
- scope?: 'header' | 'body';
226
- }
227
- interface TlvFieldMeta {
228
- property: string;
229
- tag: number;
230
- options: TlvFieldOptions;
231
- }
232
- type TlvValidatorFn = (value: Uint8Array, property: string) => string | null | undefined;
233
- interface TlvValidatorMeta {
234
- property: string;
235
- tag: number;
236
- validators: TlvValidatorFn[];
237
- }
238
- declare function TlvField(tag: number, options: TlvFieldOptions): PropertyDecorator;
239
- declare function TlvValidate(validator: TlvValidatorFn): PropertyDecorator;
240
- declare function TlvUtf8Pattern(pattern: RegExp, message?: string): PropertyDecorator;
241
- declare function TlvMinLen(min: number, message?: string): PropertyDecorator;
242
- declare function TlvEnum(allowed: string[], message?: string): PropertyDecorator;
243
- declare function TlvRange(min: bigint, max: bigint, message?: string): PropertyDecorator;
244
-
245
- interface DtoSchema {
246
- fields: IntentTlvField[];
247
- validators: Map<number, TlvValidatorFn[]>;
248
- }
249
- declare function extractDtoSchema(dto: Function): DtoSchema;
250
- declare function buildDtoDecoder(dto: Function): (bodyBytes: Buffer) => Record<string, any>;
251
-
252
- declare abstract class AxisTlvDto {
253
- }
254
-
255
- declare class AxisIdDto extends AxisTlvDto {
256
- id: string;
257
- }
258
-
259
- declare function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(BaseDto: T): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto;
260
-
261
- declare const RESPONSE_TAG_ID = 1;
262
- declare const RESPONSE_TAG_CREATED_AT = 2;
263
- declare const RESPONSE_TAG_UPDATED_AT = 3;
264
- declare const RESPONSE_TAG_CREATED_BY = 4;
265
- declare const RESPONSE_TAG_UPDATED_BY = 5;
266
- declare abstract class AxisResponseDto extends AxisTlvDto {
267
- id?: string;
268
- created_at?: bigint;
269
- updated_at?: bigint;
270
- created_by?: string;
271
- updated_by?: string;
142
+ interface ExecutionContract {
143
+ maxDbWrites: number;
144
+ maxDbReads?: number;
145
+ maxExternalCalls: number;
146
+ maxTimeMs: number;
147
+ allowedEffects: string[];
148
+ maxMemoryMb?: number;
272
149
  }
150
+ declare const DEFAULT_CONTRACTS: Record<string, ExecutionContract>;
151
+ declare const FALLBACK_CONTRACT: ExecutionContract;
273
152
 
274
- declare const CCE_PROTOCOL_VERSION: "cce-v1";
275
- declare const CCE_DERIVATION: {
276
- readonly REQUEST: "axis:cce:req:v1";
277
- readonly RESPONSE: "axis:cce:resp:v1";
278
- readonly WITNESS: "axis:cce:witness:v1";
279
- };
280
- type CceAlgorithm = "AES-256-GCM";
281
- type CceKemAlgorithm = "X25519" | "RSA-OAEP-256";
282
- type CceKdfAlgorithm = "HKDF-SHA256";
283
- declare const CCE_AES_KEY_BYTES = 32;
284
- declare const CCE_IV_BYTES = 12;
285
- declare const CCE_TAG_BYTES = 16;
286
- declare const CCE_NONCE_BYTES = 32;
287
- interface CceCapsuleClaims {
288
- capsule_id: string;
289
- ver: typeof CCE_PROTOCOL_VERSION;
290
- sub: string;
291
- kid: string;
292
- intent: string;
293
- aud: string;
294
- tps_from: number;
295
- tps_to: number;
296
- capsule_nonce: string;
297
- challenge_id: string;
298
- proof_hash?: string;
299
- policy_hash?: string;
300
- iat: number;
301
- exp: number;
302
- mode: "SINGLE_USE" | "SESSION";
303
- scope?: string[];
304
- constraints?: CceConstraints;
305
- issuer_sig: CceSignature;
306
- }
307
- interface CceConstraints {
308
- max_payload_bytes?: number;
309
- ip_allow?: string[];
310
- device_allow?: string[];
311
- country_allow?: string[];
312
- }
313
- interface CceSignature {
314
- alg: "EdDSA" | "ES256";
315
- kid: string;
316
- value: string;
317
- }
318
- interface CceRequestEnvelope {
319
- ver: typeof CCE_PROTOCOL_VERSION;
320
- request_id: string;
321
- correlation_id: string;
322
- client_kid: string;
323
- capsule: CceCapsuleClaims;
324
- encrypted_key: CceEncryptedKey;
325
- encrypted_payload: CceEncryptedPayload;
326
- request_nonce: string;
327
- client_sig: CceSignature;
328
- content_type: string;
329
- algorithms: CceAlgorithmDescriptor;
330
- aad_descriptor?: string;
331
- }
332
- interface CceEncryptedKey {
333
- alg: CceKemAlgorithm;
334
- axis_kid: string;
335
- ciphertext: string;
336
- ephemeral_pk?: string;
337
- }
338
- interface CceEncryptedPayload {
339
- alg: CceAlgorithm;
340
- iv: string;
341
- ciphertext: string;
342
- tag: string;
343
- }
344
- interface CceAlgorithmDescriptor {
345
- kem: CceKemAlgorithm;
346
- enc: CceAlgorithm;
347
- kdf: CceKdfAlgorithm;
348
- sig: "EdDSA" | "ES256";
349
- }
350
- interface CceResponseEnvelope {
351
- ver: typeof CCE_PROTOCOL_VERSION;
352
- response_id: string;
353
- request_id: string;
354
- correlation_id: string;
355
- capsule_id: string;
356
- encrypted_key: CceEncryptedKey;
357
- encrypted_payload: CceEncryptedPayload;
358
- response_nonce: string;
359
- axis_sig: CceSignature;
360
- witness_ref?: string;
361
- algorithms: CceAlgorithmDescriptor;
362
- status: CceResponseStatus;
363
- }
364
- type CceResponseStatus = "SUCCESS" | "DENIED" | "PARTIAL" | "FAILED" | "ERROR";
365
- interface CceExecutionContext {
366
- execution_key_hash: string;
367
- request_id: string;
368
- capsule_id: string;
369
- sub: string;
370
- kid: string;
371
- intent: string;
372
- aud: string;
373
- tps_from: number;
374
- tps_to: number;
375
- policy_hash?: string;
376
- derived_at: number;
377
- valid: boolean;
378
- }
379
- interface CceWitnessRecord {
380
- witness_id: string;
381
- request_id: string;
382
- capsule_id: string;
383
- sub: string;
384
- intent: string;
385
- aud: string;
386
- tps_from: number;
387
- tps_to: number;
388
- timestamp: number;
389
- verification: {
390
- client_sig: boolean;
391
- capsule_sig: boolean;
392
- tps_valid: boolean;
393
- audience_match: boolean;
394
- intent_match: boolean;
395
- replay_clean: boolean;
396
- nonce_unique: boolean;
397
- decryption_ok: boolean;
398
- };
399
- execution: {
400
- status: CceResponseStatus;
401
- handler_duration_ms: number;
402
- effect?: string;
403
- };
404
- response_encrypted: boolean;
405
- execution_context_hash: string;
406
- request_payload_hash?: string;
407
- response_payload_hash?: string;
408
- }
409
- declare const CCE_ERROR: {
410
- readonly INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE";
411
- readonly UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION";
412
- readonly MISSING_CAPSULE: "CCE_MISSING_CAPSULE";
413
- readonly MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY";
414
- readonly CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID";
415
- readonly CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND";
416
- readonly CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID";
417
- readonly CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED";
418
- readonly CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID";
419
- readonly CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED";
420
- readonly CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED";
421
- readonly AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH";
422
- readonly INTENT_MISMATCH: "CCE_INTENT_MISMATCH";
423
- readonly TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED";
424
- readonly TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE";
425
- readonly REPLAY_DETECTED: "CCE_REPLAY_DETECTED";
426
- readonly NONCE_REUSED: "CCE_NONCE_REUSED";
427
- readonly DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED";
428
- readonly KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED";
429
- readonly AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH";
430
- readonly PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE";
431
- readonly PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID";
432
- readonly INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH";
433
- readonly POLICY_DENIED: "CCE_POLICY_DENIED";
434
- readonly CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED";
435
- readonly HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND";
436
- readonly HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED";
437
- readonly HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT";
438
- readonly RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED";
439
- };
440
- type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];
441
- declare class CceError extends Error {
442
- readonly code: CceErrorCode;
443
- readonly metadata?: Record<string, unknown> | undefined;
444
- constructor(code: CceErrorCode, message: string, metadata?: Record<string, unknown> | undefined);
445
- get clientSafe(): boolean;
446
- toClientError(): {
447
- code: CceErrorCode;
448
- message: string;
449
- };
450
- }
451
-
452
- interface CceClientKeyEncryptor {
453
- wrapKey(aesKey: Uint8Array, clientKid: string, clientPublicKeyHex: string): Promise<CceEncryptedKey>;
454
- }
455
- interface CceAxisSigner {
456
- sign(payload: Uint8Array): Promise<CceSignature>;
457
- }
458
- interface CceResponseOptions {
459
- request: CceRequestEnvelope;
460
- capsule: CceCapsuleClaims;
461
- status: CceResponseStatus;
462
- body: Uint8Array;
463
- clientPublicKeyHex: string;
464
- witnessRef?: string;
465
- }
466
- declare function buildCceResponse(options: CceResponseOptions, clientKeyEncryptor: CceClientKeyEncryptor, axisSigner: CceAxisSigner): Promise<{
467
- envelope: CceResponseEnvelope;
468
- responsePayloadHash: string;
469
- }>;
470
- declare function buildCceErrorResponse(requestId: string, correlationId: string, status: CceResponseStatus, errorCode: string, message: string): {
471
- ver: string;
472
- request_id: string;
473
- correlation_id: string;
474
- status: CceResponseStatus;
475
- error: {
476
- code: string;
477
- message: string;
478
- };
479
- };
480
-
481
- interface CceWitnessStore {
482
- record(witness: CceWitnessRecord): Promise<void>;
483
- }
484
- declare class InMemoryCceWitnessStore implements CceWitnessStore {
485
- readonly records: CceWitnessRecord[];
486
- record(witness: CceWitnessRecord): Promise<void>;
487
- getByRequestId(requestId: string): CceWitnessRecord | undefined;
488
- getByCapsuleId(capsuleId: string): CceWitnessRecord[];
489
- }
490
- interface CceVerificationState {
491
- clientSigVerified: boolean;
492
- capsuleSigVerified: boolean;
493
- tpsValid: boolean;
494
- audienceMatch: boolean;
495
- intentMatch: boolean;
496
- replayClean: boolean;
497
- nonceUnique: boolean;
498
- decryptionOk: boolean;
499
- }
500
- declare function buildWitnessRecord(envelope: CceRequestEnvelope, capsule: CceCapsuleClaims, verification: CceVerificationState, execution: {
501
- status: CceResponseStatus;
502
- handlerDurationMs: number;
503
- effect?: string;
504
- }, options: {
505
- axisLocalSecret: string;
506
- requestPayload?: Uint8Array;
507
- responsePayload?: Uint8Array;
508
- responseEncrypted: boolean;
509
- }): CceWitnessRecord;
510
- declare function extractVerificationState(metadata: Record<string, any>): CceVerificationState;
511
-
512
- type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
513
- type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
514
- type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
515
- type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
516
- interface AxisSig$1 {
517
- alg: AxisAlg$1;
518
- kid: string;
519
- value: string;
520
- }
521
- interface AxisPacket$1<T = any> {
522
- v: 1;
523
- pid: string;
524
- nonce: string;
525
- ts: number;
526
- actorId: string;
527
- opcode: string;
528
- body: T;
529
- sig: AxisSig$1;
530
- }
531
- interface AxisCapsuleConstraints {
532
- maxAmount?: number;
533
- maxCount?: number;
534
- ttlSeconds?: number;
535
- ipCidrAllow?: string[];
536
- countryAllow?: string[];
537
- deviceIdAllow?: string[];
538
- sessionIdLock?: string;
539
- nonceRequired?: boolean;
540
- }
541
- interface TickWindow {
542
- start: number;
543
- end: number;
544
- }
545
- interface AxisCapsulePayload {
546
- v: 1;
547
- capsuleId: string;
548
- actorId: string;
549
- issuer: string;
550
- audience: string;
551
- subject?: string;
552
- intent: string;
553
- scopes: string[];
554
- actions?: string[];
555
- iat: number;
556
- nbf?: number;
557
- exp: number;
558
- tickWindow?: TickWindow;
559
- mode: CapsuleMode;
560
- maxUses: number;
561
- nonceSeed?: string;
562
- policyRefs?: string[];
563
- riskScore?: number;
564
- constraints?: AxisCapsuleConstraints;
565
- meta?: Record<string, unknown>;
566
- }
567
- interface AxisCapsule {
568
- payload: AxisCapsulePayload;
569
- sig: AxisSig$1;
570
- }
571
- interface CapsuleIssueBody {
572
- intent: string;
573
- audience: string;
574
- scopes: string[];
575
- subject?: string;
576
- mode: CapsuleMode;
577
- maxUses?: number;
578
- expSeconds?: number;
579
- constraints?: AxisCapsuleConstraints;
580
- hints?: {
581
- ip?: string;
582
- ua?: string;
583
- deviceId?: string;
584
- geo?: string;
585
- };
586
- }
587
- interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
588
- count: number;
589
- mode: 'SINGLE_USE';
590
- }
591
- interface IntentExecBody {
592
- intent: string;
593
- capsule: AxisCapsule;
594
- execNonce?: string;
595
- args: Record<string, any>;
596
- }
597
- interface CapsuleRevokeBody {
598
- capsuleId: string;
599
- reason: string;
600
- }
601
- interface AxisResponse$1<T = any> {
602
- ok: boolean;
603
- pid: string;
604
- decisionId: string;
605
- code: string;
606
- message?: string;
607
- data?: T;
608
- meta?: Record<string, unknown>;
609
- }
610
- interface CapsuleIssueResult {
611
- capsule: AxisCapsule;
612
- }
613
- interface CapsuleBatchResult {
614
- capsules: AxisCapsule[];
615
- }
616
- interface ActorKeyRecord {
617
- id: Buffer;
618
- actor_id: string;
619
- key_id: string;
620
- algorithm: string;
621
- public_key: Buffer;
622
- purpose: string;
623
- status: KeyStatus;
624
- is_primary: boolean;
625
- not_before: Date | null;
626
- expires_at: Date | null;
627
- rotated_from_key_id: string | null;
628
- revoked_at: Date | null;
629
- revocation_reason: string | null;
630
- metadata: any;
631
- created_at: Date;
632
- updated_at: Date;
633
- }
634
- interface IssuerKeyRecord {
635
- id: Buffer;
636
- kid: string;
637
- issuer_id: string;
638
- alg: string;
639
- public_key_pem: string;
640
- status: KeyStatus;
641
- not_before: Date | null;
642
- not_after: Date | null;
643
- fingerprint: string | null;
644
- metadata: any;
645
- created_at: Date;
646
- updated_at: Date;
647
- }
648
- interface CapsuleRecord {
649
- id: Buffer;
650
- capsule_id: string;
651
- actor_id: string;
652
- intent: string;
653
- audience: string;
654
- issuer: string;
655
- subject: string | null;
656
- status: CapsuleStatus;
657
- mode: CapsuleMode;
658
- max_uses: number;
659
- used_count: number;
660
- iat: Date;
661
- nbf: Date | null;
662
- exp: Date;
663
- scopes_json: any;
664
- constraints_json: any;
665
- policy_refs_json: any;
666
- risk_score: number | null;
667
- payload_hash: Buffer;
668
- sig_alg: string;
669
- sig_kid: string;
670
- sig_value: Buffer;
671
- created_at: Date;
672
- updated_at: Date;
673
- last_used_at: Date | null;
674
- }
675
-
676
- type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
677
- type AxisSig = AxisSig$1 & {
678
- alg: AxisAlg;
679
- };
680
- interface AxisFrame$1<T = any> {
681
- v: 1;
682
- pid: string;
683
- nonce: string;
684
- ts: number;
685
- actorId: string;
686
- aud?: string;
687
- opcode: string;
688
- headers: Map<number, Uint8Array>;
689
- body: T;
690
- sig: AxisSig;
691
- }
692
- type AxisResponse<T = any> = AxisResponse$1<T> & {
693
- policyRefs?: string[];
694
- riskScore?: number;
695
- };
696
- interface AxisObservedContext {
697
- ip?: string;
698
- ua?: string;
699
- geo?: string;
700
- }
701
- interface AxisRequestContext {
702
- observed: AxisObservedContext;
703
- actorKeyKid?: string;
704
- issuerKeyKid?: string;
705
- decisionId: string;
706
- actorId: string;
707
- aud?: string;
708
- opcode: string;
709
- deviceId?: string;
710
- sessionId?: string;
711
- }
712
-
713
- interface SensorPhaseMetadata {
714
- phase: 'PRE_DECODE' | 'POST_DECODE';
715
- dependencies?: string[];
716
- asyncOk?: boolean;
717
- cryptoOk?: boolean;
718
- description?: string;
719
- }
720
- interface AxisSensor {
721
- readonly name: string;
722
- readonly order?: number;
723
- phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
724
- supports?(input: SensorInput): boolean;
725
- run(input: SensorInput): Promise<SensorDecision>;
726
- }
727
- interface AxisSensorInit extends AxisSensor {
728
- onModuleInit?(): void | Promise<void>;
729
- }
730
- interface AxisPreSensor extends AxisSensor {
731
- phase: 'PRE_DECODE';
732
- }
733
- interface AxisPostSensor extends AxisSensor {
734
- phase: 'POST_DECODE';
735
- }
736
- interface SensorInput {
737
- rawBytes?: Buffer | Uint8Array;
738
- intent?: string;
739
- ip?: string;
740
- path?: string;
741
- contentLength?: number;
742
- peek?: Uint8Array;
743
- country?: string;
744
- clientId?: string;
745
- isWs?: boolean;
746
- metadata?: Record<string, any>;
747
- actorId?: string;
748
- opcode?: string;
749
- aud?: string;
750
- observed?: AxisObservedContext;
751
- frameBody?: any;
752
- deviceId?: string;
753
- sessionId?: string;
754
- packet?: Record<string, any>;
755
- [key: string]: any;
756
- }
757
- declare enum Decision {
758
- ALLOW = "ALLOW",
759
- DENY = "DENY",
760
- THROTTLE = "THROTTLE",
761
- FLAG = "FLAG"
762
- }
763
- type SensorDecision = {
764
- decision?: Decision;
765
- allow: boolean;
766
- riskScore: number;
767
- reasons: string[];
768
- code?: string;
769
- retryAfterMs?: number;
770
- scoreDelta?: number;
771
- tags?: Record<string, any>;
772
- meta?: any;
773
- tighten?: {
774
- expSecondsMax?: number;
775
- constraintsPatch?: Record<string, any>;
776
- };
777
- } | {
778
- action: 'ALLOW';
779
- meta?: any;
780
- } | {
781
- action: 'DENY';
782
- code: string;
783
- reason?: string;
784
- retryAfterMs?: number;
785
- meta?: any;
786
- } | {
787
- action: 'THROTTLE';
788
- retryAfterMs: number;
789
- meta?: any;
790
- } | {
791
- action: 'FLAG';
792
- scoreDelta: number;
793
- reasons: string[];
794
- meta?: any;
795
- };
796
- type SensorMinifiedDecision = {
797
- allow: boolean;
798
- riskScore: number;
799
- reasons: string[];
800
- tags?: Record<string, any>;
801
- meta?: any;
802
- tighten?: {
803
- expSecondsMax?: number;
804
- constraintsPatch?: Record<string, any>;
805
- };
806
- retryAfterMs?: number;
807
- };
808
- declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
809
- declare const SensorDecisions: {
810
- allow(meta?: any, tags?: Record<string, any>): SensorDecision;
811
- deny(code: string, reason?: string, meta?: any): SensorDecision;
812
- throttle(retryAfterMs: number, meta?: any): SensorDecision;
813
- flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
814
- };
815
-
816
- type CceHandler = (payload: Uint8Array, context: CceHandlerContext) => Promise<CceHandlerResult>;
817
- interface CceHandlerContext {
818
- capsule: CceCapsuleClaims;
819
- executionContext: CceExecutionContext;
820
- envelope: CceRequestEnvelope;
821
- clientPublicKeyHex: string;
822
- intent: string;
823
- sub: string;
824
- }
825
- interface CceHandlerResult {
826
- status: CceResponseStatus;
827
- body: Uint8Array;
828
- effect?: string;
829
- }
830
- interface CcePolicyContext {
831
- envelope: CceRequestEnvelope;
832
- capsule: CceCapsuleClaims;
833
- executionContext: CceExecutionContext;
834
- decryptedPayload: Uint8Array;
835
- clientPublicKeyHex: string;
836
- }
837
- interface CcePolicyDecision {
838
- allow: boolean;
839
- code?: string;
840
- message?: string;
841
- }
842
- interface CcePolicyEvaluator {
843
- evaluate(context: CcePolicyContext): Promise<CcePolicyDecision>;
844
- }
845
- interface CcePipelineConfig {
846
- axisLocalSecret: string;
847
- axisAudience: string;
848
- sensors: AxisSensor[];
849
- handlers: Map<string, CceHandler>;
850
- witnessStore: CceWitnessStore;
851
- clientKeyEncryptor: CceClientKeyEncryptor;
852
- axisSigner: CceAxisSigner;
853
- policyEvaluator?: CcePolicyEvaluator;
854
- }
855
- type CcePipelineResult = {
856
- ok: true;
857
- response: CceResponseEnvelope;
858
- witnessId: string;
859
- } | {
860
- ok: false;
861
- error: {
862
- code: string;
863
- message: string;
864
- };
865
- status: CceResponseStatus;
866
- };
867
- declare function executeCcePipeline(envelope: CceRequestEnvelope, config: CcePipelineConfig): Promise<CcePipelineResult>;
868
-
869
- interface ExecutionContract {
870
- maxDbWrites: number;
871
- maxDbReads?: number;
872
- maxExternalCalls: number;
873
- maxTimeMs: number;
874
- allowedEffects: string[];
875
- maxMemoryMb?: number;
876
- }
877
- declare const DEFAULT_CONTRACTS: Record<string, ExecutionContract>;
878
- declare const FALLBACK_CONTRACT: ExecutionContract;
879
-
880
- declare const SensorDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
881
- action: z.ZodLiteral<"ALLOW">;
882
- meta: z.ZodOptional<z.ZodAny>;
883
- }, z.z.core.$strip>, z.ZodObject<{
884
- action: z.ZodLiteral<"DENY">;
885
- code: z.ZodString;
886
- reason: z.ZodOptional<z.ZodString>;
887
- meta: z.ZodOptional<z.ZodAny>;
888
- }, z.z.core.$strip>]>;
889
- declare const SensorDecisionWithMetadataZ: z.ZodUnion<readonly [z.ZodObject<{
890
- action: z.ZodLiteral<"ALLOW">;
891
- meta: z.ZodOptional<z.ZodAny>;
892
- }, z.z.core.$strip>, z.ZodObject<{
893
- action: z.ZodLiteral<"DENY">;
894
- code: z.ZodString;
895
- reason: z.ZodOptional<z.ZodString>;
896
- retryAfterMs: z.ZodOptional<z.ZodNumber>;
897
- meta: z.ZodOptional<z.ZodAny>;
898
- }, z.z.core.$strip>]>;
899
- declare const CountryBlockSensorInputZ: z.ZodObject<{
900
- ip: z.ZodString;
901
- country: z.ZodOptional<z.ZodString>;
902
- }, z.z.core.$strip>;
903
- type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;
904
- declare const CountryBlockDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
905
- action: z.ZodLiteral<"ALLOW">;
906
- meta: z.ZodOptional<z.ZodAny>;
907
- }, z.z.core.$strip>, z.ZodObject<{
908
- action: z.ZodLiteral<"DENY">;
909
- code: z.ZodString;
910
- reason: z.ZodOptional<z.ZodString>;
911
- meta: z.ZodOptional<z.ZodAny>;
912
- }, z.z.core.$strip>]>;
913
- type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;
914
- declare const ScanBurstSensorInputZ: z.ZodObject<{
915
- ip: z.ZodString;
916
- isFailure: z.ZodOptional<z.ZodBoolean>;
917
- }, z.z.core.$strip>;
918
- type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;
919
- declare const ScanBurstDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
920
- action: z.ZodLiteral<"ALLOW">;
921
- meta: z.ZodOptional<z.ZodAny>;
922
- }, z.z.core.$strip>, z.ZodObject<{
923
- action: z.ZodLiteral<"DENY">;
924
- code: z.ZodString;
925
- reason: z.ZodOptional<z.ZodString>;
926
- retryAfterMs: z.ZodOptional<z.ZodNumber>;
927
- meta: z.ZodOptional<z.ZodAny>;
928
- }, z.z.core.$strip>]>;
929
- type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;
930
- declare const ProofKindZ: z.ZodEnum<{
931
- NONE: "NONE";
932
- CAPSULE: "CAPSULE";
933
- PASSPORT: "PASSPORT";
934
- MTLS: "MTLS";
935
- JWT: "JWT";
153
+ declare const SensorDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
154
+ action: z.ZodLiteral<"ALLOW">;
155
+ meta: z.ZodOptional<z.ZodAny>;
156
+ }, z.z.core.$strip>, z.ZodObject<{
157
+ action: z.ZodLiteral<"DENY">;
158
+ code: z.ZodString;
159
+ reason: z.ZodOptional<z.ZodString>;
160
+ meta: z.ZodOptional<z.ZodAny>;
161
+ }, z.z.core.$strip>]>;
162
+ declare const SensorDecisionWithMetadataZ: z.ZodUnion<readonly [z.ZodObject<{
163
+ action: z.ZodLiteral<"ALLOW">;
164
+ meta: z.ZodOptional<z.ZodAny>;
165
+ }, z.z.core.$strip>, z.ZodObject<{
166
+ action: z.ZodLiteral<"DENY">;
167
+ code: z.ZodString;
168
+ reason: z.ZodOptional<z.ZodString>;
169
+ retryAfterMs: z.ZodOptional<z.ZodNumber>;
170
+ meta: z.ZodOptional<z.ZodAny>;
171
+ }, z.z.core.$strip>]>;
172
+ declare const CountryBlockSensorInputZ: z.ZodObject<{
173
+ ip: z.ZodString;
174
+ country: z.ZodOptional<z.ZodString>;
175
+ }, z.z.core.$strip>;
176
+ type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;
177
+ declare const CountryBlockDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
178
+ action: z.ZodLiteral<"ALLOW">;
179
+ meta: z.ZodOptional<z.ZodAny>;
180
+ }, z.z.core.$strip>, z.ZodObject<{
181
+ action: z.ZodLiteral<"DENY">;
182
+ code: z.ZodString;
183
+ reason: z.ZodOptional<z.ZodString>;
184
+ meta: z.ZodOptional<z.ZodAny>;
185
+ }, z.z.core.$strip>]>;
186
+ type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;
187
+ declare const ScanBurstSensorInputZ: z.ZodObject<{
188
+ ip: z.ZodString;
189
+ isFailure: z.ZodOptional<z.ZodBoolean>;
190
+ }, z.z.core.$strip>;
191
+ type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;
192
+ declare const ScanBurstDecisionZ: z.ZodUnion<readonly [z.ZodObject<{
193
+ action: z.ZodLiteral<"ALLOW">;
194
+ meta: z.ZodOptional<z.ZodAny>;
195
+ }, z.z.core.$strip>, z.ZodObject<{
196
+ action: z.ZodLiteral<"DENY">;
197
+ code: z.ZodString;
198
+ reason: z.ZodOptional<z.ZodString>;
199
+ retryAfterMs: z.ZodOptional<z.ZodNumber>;
200
+ meta: z.ZodOptional<z.ZodAny>;
201
+ }, z.z.core.$strip>]>;
202
+ type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;
203
+ declare const ProofKindZ: z.ZodEnum<{
204
+ NONE: "NONE";
205
+ CAPSULE: "CAPSULE";
206
+ PASSPORT: "PASSPORT";
207
+ MTLS: "MTLS";
208
+ JWT: "JWT";
936
209
  }>;
937
210
  type ProofKind = z.infer<typeof ProofKindZ>;
938
211
  declare const AccessProfileZ: z.ZodEnum<{
@@ -1195,8 +468,8 @@ declare const SchemaFieldKindZ: z.ZodEnum<{
1195
468
  }>;
1196
469
  type SchemaFieldKind = z.infer<typeof SchemaFieldKindZ>;
1197
470
  declare const ScopeZ: z.ZodEnum<{
1198
- header: "header";
1199
471
  body: "body";
472
+ header: "header";
1200
473
  }>;
1201
474
  type Scope = z.infer<typeof ScopeZ>;
1202
475
  declare const SchemaFieldZ: z.ZodObject<{
@@ -1215,8 +488,8 @@ declare const SchemaFieldZ: z.ZodObject<{
1215
488
  maxLen: z.ZodOptional<z.ZodNumber>;
1216
489
  max: z.ZodOptional<z.ZodString>;
1217
490
  scope: z.ZodOptional<z.ZodEnum<{
1218
- header: "header";
1219
491
  body: "body";
492
+ header: "header";
1220
493
  }>>;
1221
494
  }, z.z.core.$strip>;
1222
495
  type SchemaField = z.infer<typeof SchemaFieldZ>;
@@ -1251,8 +524,8 @@ declare const IntentSchemaZ: z.ZodObject<{
1251
524
  maxLen: z.ZodOptional<z.ZodNumber>;
1252
525
  max: z.ZodOptional<z.ZodString>;
1253
526
  scope: z.ZodOptional<z.ZodEnum<{
1254
- header: "header";
1255
527
  body: "body";
528
+ header: "header";
1256
529
  }>>;
1257
530
  }, z.z.core.$strip>>;
1258
531
  }, z.z.core.$strip>;
@@ -1290,117 +563,844 @@ declare const UploadStatusZ: z.ZodEnum<{
1290
563
  DONE: "DONE";
1291
564
  ABORTED: "ABORTED";
1292
565
  }>;
1293
- type UploadStatus = z.infer<typeof UploadStatusZ>;
1294
- declare const UploadSessionZ: z.ZodObject<{
1295
- uploadIdHex: z.ZodString;
1296
- fileName: z.ZodString;
1297
- totalSize: z.ZodNumber;
1298
- chunkSize: z.ZodNumber;
1299
- totalChunks: z.ZodNumber;
1300
- receivedCount: z.ZodNumber;
1301
- status: z.ZodEnum<{
1302
- INIT: "INIT";
1303
- UPLOADING: "UPLOADING";
1304
- FINALIZING: "FINALIZING";
1305
- DONE: "DONE";
1306
- ABORTED: "ABORTED";
1307
- }>;
1308
- }, z.z.core.$strip>;
1309
- type UploadSession = z.infer<typeof UploadSessionZ>;
1310
- declare const BodyBudgetInputZ: z.ZodObject<{
1311
- intent: z.ZodString;
1312
- headerLen: z.ZodNumber;
1313
- bodyLen: z.ZodNumber;
1314
- }, z.z.core.$strip>;
1315
- type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;
1316
- declare const BodyBudgetPolicyZ: z.ZodObject<{
1317
- maxHeaderBytes: z.ZodNumber;
1318
- maxBodyBytes: z.ZodNumber;
1319
- }, z.z.core.$strip>;
1320
- type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;
1321
- declare const ChunkHashInputZ: z.ZodObject<{
1322
- headerTLVs: z.ZodAny;
1323
- bodyBytes: z.ZodAny;
1324
- intent: z.ZodString;
1325
- }, z.z.core.$strip>;
1326
- type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;
1327
- declare enum ProofType$1 {
1328
- CAPSULE = 1,
1329
- JWT = 2,
1330
- MTLS_ID = 3,
1331
- DEVICE_SE = 4,
1332
- WITNESS_SIG = 5
566
+ type UploadStatus = z.infer<typeof UploadStatusZ>;
567
+ declare const UploadSessionZ: z.ZodObject<{
568
+ uploadIdHex: z.ZodString;
569
+ fileName: z.ZodString;
570
+ totalSize: z.ZodNumber;
571
+ chunkSize: z.ZodNumber;
572
+ totalChunks: z.ZodNumber;
573
+ receivedCount: z.ZodNumber;
574
+ status: z.ZodEnum<{
575
+ INIT: "INIT";
576
+ UPLOADING: "UPLOADING";
577
+ FINALIZING: "FINALIZING";
578
+ DONE: "DONE";
579
+ ABORTED: "ABORTED";
580
+ }>;
581
+ }, z.z.core.$strip>;
582
+ type UploadSession = z.infer<typeof UploadSessionZ>;
583
+ declare const BodyBudgetInputZ: z.ZodObject<{
584
+ intent: z.ZodString;
585
+ headerLen: z.ZodNumber;
586
+ bodyLen: z.ZodNumber;
587
+ }, z.z.core.$strip>;
588
+ type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;
589
+ declare const BodyBudgetPolicyZ: z.ZodObject<{
590
+ maxHeaderBytes: z.ZodNumber;
591
+ maxBodyBytes: z.ZodNumber;
592
+ }, z.z.core.$strip>;
593
+ type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;
594
+ declare const ChunkHashInputZ: z.ZodObject<{
595
+ headerTLVs: z.ZodAny;
596
+ bodyBytes: z.ZodAny;
597
+ intent: z.ZodString;
598
+ }, z.z.core.$strip>;
599
+ type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;
600
+ declare enum ProofType$1 {
601
+ CAPSULE = 1,
602
+ JWT = 2,
603
+ MTLS_ID = 3,
604
+ DEVICE_SE = 4,
605
+ WITNESS_SIG = 5
606
+ }
607
+ declare const AxisContextZ: z.ZodObject<{
608
+ pid: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
609
+ ts: z.ZodBigInt;
610
+ intent: z.ZodString;
611
+ actorId: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
612
+ proofType: z.ZodEnum<typeof ProofType$1>;
613
+ proofRef: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
614
+ nonce: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
615
+ ip: z.ZodString;
616
+ nodeCertHash: z.ZodOptional<z.ZodString>;
617
+ capsule: z.ZodOptional<z.ZodObject<{
618
+ id: z.ZodString;
619
+ claims: z.ZodObject<{
620
+ capsuleId: z.ZodString;
621
+ allowIntents: z.ZodArray<z.ZodString>;
622
+ limits: z.ZodOptional<z.ZodObject<{
623
+ maxBodyBytes: z.ZodOptional<z.ZodNumber>;
624
+ }, z.z.core.$strip>>;
625
+ scopes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
626
+ }, z.z.core.$strip>;
627
+ issuedAt: z.ZodNumber;
628
+ expiresAt: z.ZodNumber;
629
+ tier: z.ZodEnum<{
630
+ FREE: "FREE";
631
+ STANDARD: "STANDARD";
632
+ PREMIUM: "PREMIUM";
633
+ }>;
634
+ }, z.z.core.$strip>>;
635
+ passport: z.ZodOptional<z.ZodObject<{
636
+ id: z.ZodString;
637
+ public_key: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
638
+ status: z.ZodEnum<{
639
+ ACTIVE: "ACTIVE";
640
+ REVOKED: "REVOKED";
641
+ EXPIRED: "EXPIRED";
642
+ PENDING: "PENDING";
643
+ }>;
644
+ issuedAt: z.ZodNumber;
645
+ expiresAt: z.ZodOptional<z.ZodNumber>;
646
+ }, z.z.core.$strip>>;
647
+ meter: z.ZodOptional<z.ZodAny>;
648
+ }, z.z.core.$strip>;
649
+ type AxisContext$1 = z.infer<typeof AxisContextZ>;
650
+ declare const AxisErrorZ: z.ZodObject<{
651
+ code: z.ZodString;
652
+ message: z.ZodString;
653
+ httpStatus: z.ZodNumber;
654
+ }, z.z.core.$strip>;
655
+ type AxisError = z.infer<typeof AxisErrorZ>;
656
+
657
+ declare const SENSITIVITY_METADATA_KEY = "axis:sensitivity";
658
+ declare const CONTRACT_METADATA_KEY = "axis:contract";
659
+ declare const REQUIRED_PROOF_METADATA_KEY = "axis:required_proof";
660
+ type RequiredProofKind = ProofKind | "WITNESS";
661
+ declare function Sensitivity(level: SensitivityLevel): ClassDecorator & MethodDecorator;
662
+ declare function Contract(options: Partial<ExecutionContract>): ClassDecorator & MethodDecorator;
663
+ declare function RequiredProof(proofs: [RequiredProofKind, ...RequiredProofKind[]]): ClassDecorator & MethodDecorator;
664
+ declare function Capsule(): ClassDecorator & MethodDecorator;
665
+ declare function Witness(): ClassDecorator & MethodDecorator;
666
+ declare const AXIS_PUBLIC_KEY = "axis:public";
667
+ declare function AxisPublic(): ClassDecorator & MethodDecorator;
668
+ declare const AXIS_ANONYMOUS_KEY = "axis:anonymous";
669
+ declare function AxisAnonymous(): ClassDecorator & MethodDecorator;
670
+ declare const AXIS_RATE_LIMIT_KEY = "axis:rateLimit";
671
+ interface AxisRateLimitConfig {
672
+ max: number;
673
+ windowSec: number;
674
+ key?: string;
675
+ }
676
+ declare function AxisRateLimit(config: AxisRateLimitConfig): MethodDecorator;
677
+
678
+ declare const HANDLER_METADATA_KEY = "axis:handler";
679
+ declare function Handler(intent?: string): ClassDecorator;
680
+
681
+ declare const INTENT_METADATA_KEY = "axis:intent";
682
+ declare const INTENT_ROUTES_KEY = "axis:intent_routes";
683
+ type IntentKind = 'create' | 'read' | 'update' | 'delete' | 'action';
684
+ interface IntentTlvField {
685
+ name: string;
686
+ tag: number;
687
+ kind: 'utf8' | 'u64' | 'bytes' | 'bytes16' | 'bool' | 'obj' | 'arr';
688
+ required?: boolean;
689
+ maxLen?: number;
690
+ max?: string;
691
+ scope?: 'header' | 'body';
692
+ }
693
+ interface IntentRoute {
694
+ action: string;
695
+ methodName: string | symbol;
696
+ absolute?: boolean;
697
+ frame?: boolean;
698
+ kind?: IntentKind;
699
+ chain?: boolean | ChainOptions;
700
+ bodyProfile?: 'TLV_MAP' | 'RAW' | 'TLV_OBJ' | 'TLV_ARR';
701
+ tlv?: IntentTlvField[];
702
+ dto?: Function;
703
+ }
704
+ interface IntentOptions {
705
+ kind?: IntentKind;
706
+ absolute?: boolean;
707
+ frame?: boolean;
708
+ chain?: boolean | ChainOptions;
709
+ bodyProfile?: 'TLV_MAP' | 'RAW' | 'TLV_OBJ' | 'TLV_ARR';
710
+ tlv?: IntentTlvField[];
711
+ dto?: Function;
712
+ }
713
+ declare function Intent(action: string, options?: IntentOptions): MethodDecorator;
714
+
715
+ declare const INTENT_BODY_KEY = "axis:intent:body";
716
+ declare function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator;
717
+
718
+ declare const INTENT_SENSORS_KEY = "axis:intent:sensors";
719
+ declare function IntentSensors(sensors: Function[]): MethodDecorator;
720
+
721
+ declare const OBSERVER_METADATA_KEY = "axis:observer";
722
+ declare const OBSERVER_BINDINGS_KEY = "axis:observer:bindings";
723
+ type AxisObserverRef = string | Function;
724
+ interface AxisObserverDefinition {
725
+ name?: string;
726
+ tags?: string[];
727
+ events?: AxisObserverEvent[];
728
+ intents?: string[];
729
+ handlers?: string[];
730
+ }
731
+ interface AxisObserverBinding {
732
+ refs: AxisObserverRef[];
733
+ tags?: string[];
734
+ events?: AxisObserverEvent[];
735
+ }
736
+ interface AxisObserverBindingOptions {
737
+ use: AxisObserverRef | AxisObserverRef[];
738
+ tags?: string[];
739
+ events?: AxisObserverEvent[];
740
+ }
741
+ declare function Observer(input?: AxisObserverDefinition | AxisObserverBindingOptions | AxisObserverRef | AxisObserverRef[]): ClassDecorator & MethodDecorator;
742
+
743
+ declare const HANDLER_SENSORS_KEY = "axis:handler:sensors";
744
+ declare function HandlerSensors(sensors: Function[]): ClassDecorator;
745
+
746
+ declare const SENSOR_METADATA_KEY = "axis:sensor";
747
+ type SensorPhase = 'PRE_DECODE' | 'POST_DECODE';
748
+ interface SensorOptions {
749
+ phase?: SensorPhase;
750
+ }
751
+ declare function Sensor(options?: SensorOptions): ClassDecorator;
752
+
753
+ declare const TLV_FIELDS_KEY = "axis:tlv:fields";
754
+ declare const TLV_VALIDATORS_KEY = "axis:tlv:validators";
755
+ type TlvFieldKind = 'utf8' | 'u64' | 'bytes' | 'bytes16' | 'bool' | 'obj' | 'arr';
756
+ interface TlvFieldOptions {
757
+ kind: TlvFieldKind;
758
+ required?: boolean;
759
+ maxLen?: number;
760
+ max?: string;
761
+ scope?: 'header' | 'body';
762
+ }
763
+ interface TlvFieldMeta {
764
+ property: string;
765
+ tag: number;
766
+ options: TlvFieldOptions;
767
+ }
768
+ type TlvValidatorFn = (value: Uint8Array, property: string) => string | null | undefined;
769
+ interface TlvValidatorMeta {
770
+ property: string;
771
+ tag: number;
772
+ validators: TlvValidatorFn[];
773
+ }
774
+ declare function TlvField(tag: number, options: TlvFieldOptions): PropertyDecorator;
775
+ declare function TlvValidate(validator: TlvValidatorFn): PropertyDecorator;
776
+ declare function TlvUtf8Pattern(pattern: RegExp, message?: string): PropertyDecorator;
777
+ declare function TlvMinLen(min: number, message?: string): PropertyDecorator;
778
+ declare function TlvEnum(allowed: string[], message?: string): PropertyDecorator;
779
+ declare function TlvRange(min: bigint, max: bigint, message?: string): PropertyDecorator;
780
+
781
+ interface DtoSchema {
782
+ fields: IntentTlvField[];
783
+ validators: Map<number, TlvValidatorFn[]>;
784
+ }
785
+ declare function extractDtoSchema(dto: Function): DtoSchema;
786
+ declare function buildDtoDecoder(dto: Function): (bodyBytes: Buffer) => Record<string, any>;
787
+
788
+ declare abstract class AxisTlvDto {
789
+ }
790
+
791
+ declare class AxisIdDto extends AxisTlvDto {
792
+ id: string;
793
+ }
794
+
795
+ declare function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(BaseDto: T): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto;
796
+
797
+ declare const RESPONSE_TAG_ID = 1;
798
+ declare const RESPONSE_TAG_CREATED_AT = 2;
799
+ declare const RESPONSE_TAG_UPDATED_AT = 3;
800
+ declare const RESPONSE_TAG_CREATED_BY = 4;
801
+ declare const RESPONSE_TAG_UPDATED_BY = 5;
802
+ declare abstract class AxisResponseDto extends AxisTlvDto {
803
+ id?: string;
804
+ created_at?: bigint;
805
+ updated_at?: bigint;
806
+ created_by?: string;
807
+ updated_by?: string;
808
+ }
809
+
810
+ declare const CCE_PROTOCOL_VERSION: "cce-v1";
811
+ declare const CCE_DERIVATION: {
812
+ readonly REQUEST: "axis:cce:req:v1";
813
+ readonly RESPONSE: "axis:cce:resp:v1";
814
+ readonly WITNESS: "axis:cce:witness:v1";
815
+ };
816
+ type CceAlgorithm = "AES-256-GCM";
817
+ type CceKemAlgorithm = "X25519" | "RSA-OAEP-256";
818
+ type CceKdfAlgorithm = "HKDF-SHA256";
819
+ declare const CCE_AES_KEY_BYTES = 32;
820
+ declare const CCE_IV_BYTES = 12;
821
+ declare const CCE_TAG_BYTES = 16;
822
+ declare const CCE_NONCE_BYTES = 32;
823
+ interface CceCapsuleClaims {
824
+ capsule_id: string;
825
+ ver: typeof CCE_PROTOCOL_VERSION;
826
+ sub: string;
827
+ kid: string;
828
+ intent: string;
829
+ aud: string;
830
+ tps_from: number;
831
+ tps_to: number;
832
+ capsule_nonce: string;
833
+ challenge_id: string;
834
+ proof_hash?: string;
835
+ policy_hash?: string;
836
+ iat: number;
837
+ exp: number;
838
+ mode: "SINGLE_USE" | "SESSION";
839
+ scope?: string[];
840
+ constraints?: CceConstraints;
841
+ issuer_sig: CceSignature;
842
+ }
843
+ interface CceConstraints {
844
+ max_payload_bytes?: number;
845
+ ip_allow?: string[];
846
+ device_allow?: string[];
847
+ country_allow?: string[];
848
+ }
849
+ interface CceSignature {
850
+ alg: "EdDSA" | "ES256";
851
+ kid: string;
852
+ value: string;
853
+ }
854
+ interface CceRequestEnvelope {
855
+ ver: typeof CCE_PROTOCOL_VERSION;
856
+ request_id: string;
857
+ correlation_id: string;
858
+ client_kid: string;
859
+ capsule: CceCapsuleClaims;
860
+ encrypted_key: CceEncryptedKey;
861
+ encrypted_payload: CceEncryptedPayload;
862
+ request_nonce: string;
863
+ client_sig: CceSignature;
864
+ content_type: string;
865
+ algorithms: CceAlgorithmDescriptor;
866
+ aad_descriptor?: string;
867
+ }
868
+ interface CceEncryptedKey {
869
+ alg: CceKemAlgorithm;
870
+ axis_kid: string;
871
+ ciphertext: string;
872
+ ephemeral_pk?: string;
873
+ }
874
+ interface CceEncryptedPayload {
875
+ alg: CceAlgorithm;
876
+ iv: string;
877
+ ciphertext: string;
878
+ tag: string;
879
+ }
880
+ interface CceAlgorithmDescriptor {
881
+ kem: CceKemAlgorithm;
882
+ enc: CceAlgorithm;
883
+ kdf: CceKdfAlgorithm;
884
+ sig: "EdDSA" | "ES256";
885
+ }
886
+ interface CceResponseEnvelope {
887
+ ver: typeof CCE_PROTOCOL_VERSION;
888
+ response_id: string;
889
+ request_id: string;
890
+ correlation_id: string;
891
+ capsule_id: string;
892
+ encrypted_key: CceEncryptedKey;
893
+ encrypted_payload: CceEncryptedPayload;
894
+ response_nonce: string;
895
+ axis_sig: CceSignature;
896
+ witness_ref?: string;
897
+ algorithms: CceAlgorithmDescriptor;
898
+ status: CceResponseStatus;
899
+ }
900
+ type CceResponseStatus = "SUCCESS" | "DENIED" | "PARTIAL" | "FAILED" | "ERROR";
901
+ interface CceExecutionContext {
902
+ execution_key_hash: string;
903
+ request_id: string;
904
+ capsule_id: string;
905
+ sub: string;
906
+ kid: string;
907
+ intent: string;
908
+ aud: string;
909
+ tps_from: number;
910
+ tps_to: number;
911
+ policy_hash?: string;
912
+ derived_at: number;
913
+ valid: boolean;
914
+ }
915
+ interface CceWitnessRecord {
916
+ witness_id: string;
917
+ request_id: string;
918
+ capsule_id: string;
919
+ sub: string;
920
+ intent: string;
921
+ aud: string;
922
+ tps_from: number;
923
+ tps_to: number;
924
+ timestamp: number;
925
+ verification: {
926
+ client_sig: boolean;
927
+ capsule_sig: boolean;
928
+ tps_valid: boolean;
929
+ audience_match: boolean;
930
+ intent_match: boolean;
931
+ replay_clean: boolean;
932
+ nonce_unique: boolean;
933
+ decryption_ok: boolean;
934
+ };
935
+ execution: {
936
+ status: CceResponseStatus;
937
+ handler_duration_ms: number;
938
+ effect?: string;
939
+ };
940
+ response_encrypted: boolean;
941
+ execution_context_hash: string;
942
+ request_payload_hash?: string;
943
+ response_payload_hash?: string;
944
+ }
945
+ declare const CCE_ERROR: {
946
+ readonly INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE";
947
+ readonly UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION";
948
+ readonly MISSING_CAPSULE: "CCE_MISSING_CAPSULE";
949
+ readonly MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY";
950
+ readonly CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID";
951
+ readonly CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND";
952
+ readonly CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID";
953
+ readonly CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED";
954
+ readonly CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID";
955
+ readonly CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED";
956
+ readonly CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED";
957
+ readonly AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH";
958
+ readonly INTENT_MISMATCH: "CCE_INTENT_MISMATCH";
959
+ readonly TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED";
960
+ readonly TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE";
961
+ readonly REPLAY_DETECTED: "CCE_REPLAY_DETECTED";
962
+ readonly NONCE_REUSED: "CCE_NONCE_REUSED";
963
+ readonly DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED";
964
+ readonly KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED";
965
+ readonly AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH";
966
+ readonly PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE";
967
+ readonly PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID";
968
+ readonly INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH";
969
+ readonly POLICY_DENIED: "CCE_POLICY_DENIED";
970
+ readonly CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED";
971
+ readonly HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND";
972
+ readonly HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED";
973
+ readonly HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT";
974
+ readonly RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED";
975
+ };
976
+ type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];
977
+ declare class CceError extends Error {
978
+ readonly code: CceErrorCode;
979
+ readonly metadata?: Record<string, unknown> | undefined;
980
+ constructor(code: CceErrorCode, message: string, metadata?: Record<string, unknown> | undefined);
981
+ get clientSafe(): boolean;
982
+ toClientError(): {
983
+ code: CceErrorCode;
984
+ message: string;
985
+ };
986
+ }
987
+
988
+ interface CceClientKeyEncryptor {
989
+ wrapKey(aesKey: Uint8Array, clientKid: string, clientPublicKeyHex: string): Promise<CceEncryptedKey>;
990
+ }
991
+ interface CceAxisSigner {
992
+ sign(payload: Uint8Array): Promise<CceSignature>;
993
+ }
994
+ interface CceResponseOptions {
995
+ request: CceRequestEnvelope;
996
+ capsule: CceCapsuleClaims;
997
+ status: CceResponseStatus;
998
+ body: Uint8Array;
999
+ clientPublicKeyHex: string;
1000
+ witnessRef?: string;
1001
+ }
1002
+ declare function buildCceResponse(options: CceResponseOptions, clientKeyEncryptor: CceClientKeyEncryptor, axisSigner: CceAxisSigner): Promise<{
1003
+ envelope: CceResponseEnvelope;
1004
+ responsePayloadHash: string;
1005
+ }>;
1006
+ declare function buildCceErrorResponse(requestId: string, correlationId: string, status: CceResponseStatus, errorCode: string, message: string): {
1007
+ ver: string;
1008
+ request_id: string;
1009
+ correlation_id: string;
1010
+ status: CceResponseStatus;
1011
+ error: {
1012
+ code: string;
1013
+ message: string;
1014
+ };
1015
+ };
1016
+
1017
+ interface CceWitnessStore {
1018
+ record(witness: CceWitnessRecord): Promise<void>;
1019
+ }
1020
+ declare class InMemoryCceWitnessStore implements CceWitnessStore {
1021
+ readonly records: CceWitnessRecord[];
1022
+ record(witness: CceWitnessRecord): Promise<void>;
1023
+ getByRequestId(requestId: string): CceWitnessRecord | undefined;
1024
+ getByCapsuleId(capsuleId: string): CceWitnessRecord[];
1025
+ }
1026
+ interface CceVerificationState {
1027
+ clientSigVerified: boolean;
1028
+ capsuleSigVerified: boolean;
1029
+ tpsValid: boolean;
1030
+ audienceMatch: boolean;
1031
+ intentMatch: boolean;
1032
+ replayClean: boolean;
1033
+ nonceUnique: boolean;
1034
+ decryptionOk: boolean;
1035
+ }
1036
+ declare function buildWitnessRecord(envelope: CceRequestEnvelope, capsule: CceCapsuleClaims, verification: CceVerificationState, execution: {
1037
+ status: CceResponseStatus;
1038
+ handlerDurationMs: number;
1039
+ effect?: string;
1040
+ }, options: {
1041
+ axisLocalSecret: string;
1042
+ requestPayload?: Uint8Array;
1043
+ responsePayload?: Uint8Array;
1044
+ responseEncrypted: boolean;
1045
+ }): CceWitnessRecord;
1046
+ declare function extractVerificationState(metadata: Record<string, any>): CceVerificationState;
1047
+
1048
+ type AxisAlg$1 = 'EdDSA' | 'ES256' | 'RS256';
1049
+ type CapsuleStatus = 'ACTIVE' | 'CONSUMED' | 'REVOKED' | 'EXPIRED';
1050
+ type CapsuleMode = 'SINGLE_USE' | 'MULTI_USE';
1051
+ type KeyStatus = 'ACTIVE' | 'GRACE' | 'REVOKED' | 'RETIRED';
1052
+ interface AxisSig$1 {
1053
+ alg: AxisAlg$1;
1054
+ kid: string;
1055
+ value: string;
1056
+ }
1057
+ interface AxisPacket$1<T = any> {
1058
+ v: 1;
1059
+ pid: string;
1060
+ nonce: string;
1061
+ ts: number;
1062
+ actorId: string;
1063
+ opcode: string;
1064
+ body: T;
1065
+ sig: AxisSig$1;
1066
+ }
1067
+ interface AxisCapsuleConstraints {
1068
+ maxAmount?: number;
1069
+ maxCount?: number;
1070
+ ttlSeconds?: number;
1071
+ ipCidrAllow?: string[];
1072
+ countryAllow?: string[];
1073
+ deviceIdAllow?: string[];
1074
+ sessionIdLock?: string;
1075
+ nonceRequired?: boolean;
1076
+ }
1077
+ interface TickWindow {
1078
+ start: number;
1079
+ end: number;
1080
+ }
1081
+ interface AxisCapsulePayload {
1082
+ v: 1;
1083
+ capsuleId: string;
1084
+ actorId: string;
1085
+ issuer: string;
1086
+ audience: string;
1087
+ subject?: string;
1088
+ intent: string;
1089
+ scopes: string[];
1090
+ actions?: string[];
1091
+ iat: number;
1092
+ nbf?: number;
1093
+ exp: number;
1094
+ tickWindow?: TickWindow;
1095
+ mode: CapsuleMode;
1096
+ maxUses: number;
1097
+ nonceSeed?: string;
1098
+ policyRefs?: string[];
1099
+ riskScore?: number;
1100
+ constraints?: AxisCapsuleConstraints;
1101
+ meta?: Record<string, unknown>;
1102
+ }
1103
+ interface AxisCapsule {
1104
+ payload: AxisCapsulePayload;
1105
+ sig: AxisSig$1;
1106
+ }
1107
+ interface CapsuleIssueBody {
1108
+ intent: string;
1109
+ audience: string;
1110
+ scopes: string[];
1111
+ subject?: string;
1112
+ mode: CapsuleMode;
1113
+ maxUses?: number;
1114
+ expSeconds?: number;
1115
+ constraints?: AxisCapsuleConstraints;
1116
+ hints?: {
1117
+ ip?: string;
1118
+ ua?: string;
1119
+ deviceId?: string;
1120
+ geo?: string;
1121
+ };
1122
+ }
1123
+ interface CapsuleBatchBody extends Omit<CapsuleIssueBody, 'mode' | 'maxUses'> {
1124
+ count: number;
1125
+ mode: 'SINGLE_USE';
1126
+ }
1127
+ interface IntentExecBody {
1128
+ intent: string;
1129
+ capsule: AxisCapsule;
1130
+ execNonce?: string;
1131
+ args: Record<string, any>;
1132
+ }
1133
+ interface CapsuleRevokeBody {
1134
+ capsuleId: string;
1135
+ reason: string;
1136
+ }
1137
+ interface AxisResponse$1<T = any> {
1138
+ ok: boolean;
1139
+ pid: string;
1140
+ decisionId: string;
1141
+ code: string;
1142
+ message?: string;
1143
+ data?: T;
1144
+ meta?: Record<string, unknown>;
1145
+ }
1146
+ interface CapsuleIssueResult {
1147
+ capsule: AxisCapsule;
1148
+ }
1149
+ interface CapsuleBatchResult {
1150
+ capsules: AxisCapsule[];
1151
+ }
1152
+ interface ActorKeyRecord {
1153
+ id: Buffer;
1154
+ actor_id: string;
1155
+ key_id: string;
1156
+ algorithm: string;
1157
+ public_key: Buffer;
1158
+ purpose: string;
1159
+ status: KeyStatus;
1160
+ is_primary: boolean;
1161
+ not_before: Date | null;
1162
+ expires_at: Date | null;
1163
+ rotated_from_key_id: string | null;
1164
+ revoked_at: Date | null;
1165
+ revocation_reason: string | null;
1166
+ metadata: any;
1167
+ created_at: Date;
1168
+ updated_at: Date;
1169
+ }
1170
+ interface IssuerKeyRecord {
1171
+ id: Buffer;
1172
+ kid: string;
1173
+ issuer_id: string;
1174
+ alg: string;
1175
+ public_key_pem: string;
1176
+ status: KeyStatus;
1177
+ not_before: Date | null;
1178
+ not_after: Date | null;
1179
+ fingerprint: string | null;
1180
+ metadata: any;
1181
+ created_at: Date;
1182
+ updated_at: Date;
1183
+ }
1184
+ interface CapsuleRecord {
1185
+ id: Buffer;
1186
+ capsule_id: string;
1187
+ actor_id: string;
1188
+ intent: string;
1189
+ audience: string;
1190
+ issuer: string;
1191
+ subject: string | null;
1192
+ status: CapsuleStatus;
1193
+ mode: CapsuleMode;
1194
+ max_uses: number;
1195
+ used_count: number;
1196
+ iat: Date;
1197
+ nbf: Date | null;
1198
+ exp: Date;
1199
+ scopes_json: any;
1200
+ constraints_json: any;
1201
+ policy_refs_json: any;
1202
+ risk_score: number | null;
1203
+ payload_hash: Buffer;
1204
+ sig_alg: string;
1205
+ sig_kid: string;
1206
+ sig_value: Buffer;
1207
+ created_at: Date;
1208
+ updated_at: Date;
1209
+ last_used_at: Date | null;
1210
+ }
1211
+
1212
+ type AxisAlg = Extract<AxisAlg$1, 'EdDSA'>;
1213
+ type AxisSig = AxisSig$1 & {
1214
+ alg: AxisAlg;
1215
+ };
1216
+ interface AxisFrame$1<T = any> {
1217
+ v: 1;
1218
+ pid: string;
1219
+ nonce: string;
1220
+ ts: number;
1221
+ actorId: string;
1222
+ aud?: string;
1223
+ opcode: string;
1224
+ headers: Map<number, Uint8Array>;
1225
+ body: T;
1226
+ sig: AxisSig;
1227
+ }
1228
+ type AxisResponse<T = any> = AxisResponse$1<T> & {
1229
+ policyRefs?: string[];
1230
+ riskScore?: number;
1231
+ };
1232
+ interface AxisObservedContext {
1233
+ ip?: string;
1234
+ ua?: string;
1235
+ geo?: string;
1236
+ }
1237
+ interface AxisRequestContext {
1238
+ observed: AxisObservedContext;
1239
+ actorKeyKid?: string;
1240
+ issuerKeyKid?: string;
1241
+ decisionId: string;
1242
+ actorId: string;
1243
+ aud?: string;
1244
+ opcode: string;
1245
+ deviceId?: string;
1246
+ sessionId?: string;
1333
1247
  }
1334
- declare const AxisContextZ: z.ZodObject<{
1335
- pid: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
1336
- ts: z.ZodBigInt;
1337
- intent: z.ZodString;
1338
- actorId: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
1339
- proofType: z.ZodEnum<typeof ProofType$1>;
1340
- proofRef: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
1341
- nonce: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
1342
- ip: z.ZodString;
1343
- nodeCertHash: z.ZodOptional<z.ZodString>;
1344
- capsule: z.ZodOptional<z.ZodObject<{
1345
- id: z.ZodString;
1346
- claims: z.ZodObject<{
1347
- capsuleId: z.ZodString;
1348
- allowIntents: z.ZodArray<z.ZodString>;
1349
- limits: z.ZodOptional<z.ZodObject<{
1350
- maxBodyBytes: z.ZodOptional<z.ZodNumber>;
1351
- }, z.z.core.$strip>>;
1352
- scopes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
1353
- }, z.z.core.$strip>;
1354
- issuedAt: z.ZodNumber;
1355
- expiresAt: z.ZodNumber;
1356
- tier: z.ZodEnum<{
1357
- FREE: "FREE";
1358
- STANDARD: "STANDARD";
1359
- PREMIUM: "PREMIUM";
1360
- }>;
1361
- }, z.z.core.$strip>>;
1362
- passport: z.ZodOptional<z.ZodObject<{
1363
- id: z.ZodString;
1364
- public_key: z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>;
1365
- status: z.ZodEnum<{
1366
- ACTIVE: "ACTIVE";
1367
- REVOKED: "REVOKED";
1368
- EXPIRED: "EXPIRED";
1369
- PENDING: "PENDING";
1370
- }>;
1371
- issuedAt: z.ZodNumber;
1372
- expiresAt: z.ZodOptional<z.ZodNumber>;
1373
- }, z.z.core.$strip>>;
1374
- meter: z.ZodOptional<z.ZodAny>;
1375
- }, z.z.core.$strip>;
1376
- type AxisContext$1 = z.infer<typeof AxisContextZ>;
1377
- declare const AxisErrorZ: z.ZodObject<{
1378
- code: z.ZodString;
1379
- message: z.ZodString;
1380
- httpStatus: z.ZodNumber;
1381
- }, z.z.core.$strip>;
1382
- type AxisError = z.infer<typeof AxisErrorZ>;
1383
1248
 
1384
- declare const SENSITIVITY_METADATA_KEY = "axis:sensitivity";
1385
- declare const CONTRACT_METADATA_KEY = "axis:contract";
1386
- declare const REQUIRED_PROOF_METADATA_KEY = "axis:required_proof";
1387
- type RequiredProofKind = ProofKind | "WITNESS";
1388
- declare function Sensitivity(level: SensitivityLevel): ClassDecorator & MethodDecorator;
1389
- declare function Contract(options: Partial<ExecutionContract>): ClassDecorator & MethodDecorator;
1390
- declare function RequiredProof(proofs: [RequiredProofKind, ...RequiredProofKind[]]): ClassDecorator & MethodDecorator;
1391
- declare function Capsule(): ClassDecorator & MethodDecorator;
1392
- declare function Witness(): ClassDecorator & MethodDecorator;
1393
- declare const AXIS_PUBLIC_KEY = "axis:public";
1394
- declare function AxisPublic(): ClassDecorator & MethodDecorator;
1395
- declare const AXIS_ANONYMOUS_KEY = "axis:anonymous";
1396
- declare function AxisAnonymous(): ClassDecorator & MethodDecorator;
1397
- declare const AXIS_RATE_LIMIT_KEY = "axis:rateLimit";
1398
- interface AxisRateLimitConfig {
1399
- max: number;
1400
- windowSec: number;
1401
- key?: string;
1249
+ interface SensorPhaseMetadata {
1250
+ phase: 'PRE_DECODE' | 'POST_DECODE';
1251
+ dependencies?: string[];
1252
+ asyncOk?: boolean;
1253
+ cryptoOk?: boolean;
1254
+ description?: string;
1402
1255
  }
1403
- declare function AxisRateLimit(config: AxisRateLimitConfig): MethodDecorator;
1256
+ interface AxisSensor {
1257
+ readonly name: string;
1258
+ readonly order?: number;
1259
+ phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
1260
+ supports?(input: SensorInput): boolean;
1261
+ run(input: SensorInput): Promise<SensorDecision>;
1262
+ }
1263
+ interface AxisSensorInit extends AxisSensor {
1264
+ onModuleInit?(): void | Promise<void>;
1265
+ }
1266
+ interface AxisPreSensor extends AxisSensor {
1267
+ phase: 'PRE_DECODE';
1268
+ }
1269
+ interface AxisPostSensor extends AxisSensor {
1270
+ phase: 'POST_DECODE';
1271
+ }
1272
+ interface SensorInput {
1273
+ rawBytes?: Buffer | Uint8Array;
1274
+ intent?: string;
1275
+ ip?: string;
1276
+ path?: string;
1277
+ contentLength?: number;
1278
+ peek?: Uint8Array;
1279
+ country?: string;
1280
+ clientId?: string;
1281
+ isWs?: boolean;
1282
+ metadata?: Record<string, any>;
1283
+ actorId?: string;
1284
+ opcode?: string;
1285
+ aud?: string;
1286
+ observed?: AxisObservedContext;
1287
+ frameBody?: any;
1288
+ deviceId?: string;
1289
+ sessionId?: string;
1290
+ packet?: Record<string, any>;
1291
+ [key: string]: any;
1292
+ }
1293
+ declare enum Decision {
1294
+ ALLOW = "ALLOW",
1295
+ DENY = "DENY",
1296
+ THROTTLE = "THROTTLE",
1297
+ FLAG = "FLAG"
1298
+ }
1299
+ type SensorDecision = {
1300
+ decision?: Decision;
1301
+ allow: boolean;
1302
+ riskScore: number;
1303
+ reasons: string[];
1304
+ code?: string;
1305
+ retryAfterMs?: number;
1306
+ scoreDelta?: number;
1307
+ tags?: Record<string, any>;
1308
+ meta?: any;
1309
+ tighten?: {
1310
+ expSecondsMax?: number;
1311
+ constraintsPatch?: Record<string, any>;
1312
+ };
1313
+ } | {
1314
+ action: 'ALLOW';
1315
+ meta?: any;
1316
+ } | {
1317
+ action: 'DENY';
1318
+ code: string;
1319
+ reason?: string;
1320
+ retryAfterMs?: number;
1321
+ meta?: any;
1322
+ } | {
1323
+ action: 'THROTTLE';
1324
+ retryAfterMs: number;
1325
+ meta?: any;
1326
+ } | {
1327
+ action: 'FLAG';
1328
+ scoreDelta: number;
1329
+ reasons: string[];
1330
+ meta?: any;
1331
+ };
1332
+ type SensorMinifiedDecision = {
1333
+ allow: boolean;
1334
+ riskScore: number;
1335
+ reasons: string[];
1336
+ tags?: Record<string, any>;
1337
+ meta?: any;
1338
+ tighten?: {
1339
+ expSecondsMax?: number;
1340
+ constraintsPatch?: Record<string, any>;
1341
+ };
1342
+ retryAfterMs?: number;
1343
+ };
1344
+ declare function normalizeSensorDecision(sensorDecision: SensorDecision): SensorMinifiedDecision;
1345
+ declare const SensorDecisions: {
1346
+ allow(meta?: any, tags?: Record<string, any>): SensorDecision;
1347
+ deny(code: string, reason?: string, meta?: any): SensorDecision;
1348
+ throttle(retryAfterMs: number, meta?: any): SensorDecision;
1349
+ flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision;
1350
+ };
1351
+
1352
+ type CceHandler = (payload: Uint8Array, context: CceHandlerContext) => Promise<CceHandlerResult>;
1353
+ interface CceHandlerContext {
1354
+ capsule: CceCapsuleClaims;
1355
+ executionContext: CceExecutionContext;
1356
+ envelope: CceRequestEnvelope;
1357
+ clientPublicKeyHex: string;
1358
+ intent: string;
1359
+ sub: string;
1360
+ }
1361
+ interface CceHandlerResult {
1362
+ status: CceResponseStatus;
1363
+ body: Uint8Array;
1364
+ effect?: string;
1365
+ }
1366
+ interface CcePolicyContext {
1367
+ envelope: CceRequestEnvelope;
1368
+ capsule: CceCapsuleClaims;
1369
+ executionContext: CceExecutionContext;
1370
+ decryptedPayload: Uint8Array;
1371
+ clientPublicKeyHex: string;
1372
+ }
1373
+ interface CcePolicyDecision {
1374
+ allow: boolean;
1375
+ code?: string;
1376
+ message?: string;
1377
+ }
1378
+ interface CcePolicyEvaluator {
1379
+ evaluate(context: CcePolicyContext): Promise<CcePolicyDecision>;
1380
+ }
1381
+ interface CcePipelineConfig {
1382
+ axisLocalSecret: string;
1383
+ axisAudience: string;
1384
+ sensors: AxisSensor[];
1385
+ handlers: Map<string, CceHandler>;
1386
+ witnessStore: CceWitnessStore;
1387
+ clientKeyEncryptor: CceClientKeyEncryptor;
1388
+ axisSigner: CceAxisSigner;
1389
+ policyEvaluator?: CcePolicyEvaluator;
1390
+ }
1391
+ type CcePipelineResult = {
1392
+ ok: true;
1393
+ response: CceResponseEnvelope;
1394
+ witnessId: string;
1395
+ } | {
1396
+ ok: false;
1397
+ error: {
1398
+ code: string;
1399
+ message: string;
1400
+ };
1401
+ status: CceResponseStatus;
1402
+ };
1403
+ declare function executeCcePipeline(envelope: CceRequestEnvelope, config: CcePipelineConfig): Promise<CcePipelineResult>;
1404
1404
 
1405
1405
  interface IntentSchema {
1406
1406
  intent: string;
@@ -3317,4 +3317,4 @@ declare namespace index {
3317
3317
  export { index_encodeAxisTlvDto as encodeAxisTlvDto };
3318
3318
  }
3319
3319
 
3320
- export { ATS1_HDR, ATS1_SCHEMA, AXIS_EXECUTION_CONTEXT_KEY, AXIS_OPCODES, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCapsuleRef, type AxisChainEncryption, type AxisChainEnvelope, AxisChainExecutor, type AxisChainRequest, type AxisChainResult, type AxisChainStatus, type AxisChainStep, type AxisChainStepResult, type AxisChainStepStatus, AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, type AxisExecutionContext, type AxisExecutionMode, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, type AxisIntentEnvelope, type AxisIntentObserver, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisKeyExchangeRef, type AxisObservation, type AxisObservedContext, type AxisObserverBinding, type AxisObserverBindingOptions, type AxisObserverContext, type AxisObserverDefinition, type AxisObserverEvent, type AxisObserverRef, type AxisObserverRegistration, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, CAPSULE_POLICY_METADATA_KEY, CCE_ERROR, CCE_PROTOCOL_VERSION, CHAIN_METADATA_KEY, type Capability, type CapsuleMode, CapsulePolicy, type CapsulePolicyOptions, type CapsuleScopeMode, type CceCapsuleClaims as CceCapsuleClaimsType, CceError, type CceExecutionContext as CceExecutionContextType, type CceHandler, type CceHandlerContext, type CceHandlerResult, type CcePipelineConfig, type CcePipelineResult, type CcePolicyContext, type CcePolicyDecision, type CcePolicyEvaluator, type CceRequestEnvelope as CceRequestEnvelopeType, type CceResponseEnvelope as CceResponseEnvelopeType, type CceWitnessRecord as CceWitnessRecordType, Chain, type ChainOptions, type ChainResult, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type Grant, type GrantCapability, type GrantMeta, type GrantStatus, type GrantType, type GrantValidationResult, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type LoomReceipt, type LoomValidationResult, OBSERVER_BINDINGS_KEY, OBSERVER_METADATA_KEY, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, Observer, ObserverDiscoveryService, ObserverDispatcherService, ObserverRegistry, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, type PresenceChallenge, type PresenceDeclaration, type PresenceProof, type PresenceReceipt, type PresenceStatus, type PresenceVerifyResult, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type RegisteredChainConfig, type ResponseContract, ResponseObserver, type ResponseObserverContext, type Revocation, type RevocationTargetType, RiskDecision, type RiskEvaluation, type RiskSignal, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, type ThreadState, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, type Writ, type WritBody, type WritHead, type WritMeta, type WritSignature, type WritValidationResult, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeGrant, canonicalizeObservation, canonicalizeWrit, index$9 as cce, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, deriveAnchorReflection, encVarint, encodeAxis1Frame, encodeAxisTlvDto, encodeQueueMessage, endStage, index$5 as engine, executeCcePipeline, extractDtoSchema, finalizeObservation, getAxisExecutionContext, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, index$4 as loom, mergeAxisExecutionContext, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse, withAxisExecutionContext };
3320
+ export { ATS1_HDR, ATS1_SCHEMA, AXIS_ANONYMOUS_KEY, AXIS_EXECUTION_CONTEXT_KEY, AXIS_OPCODES, AXIS_PUBLIC_KEY, AXIS_RATE_LIMIT_KEY, AXIS_UPLOAD_FILE_STORE, AXIS_UPLOAD_RECEIPT_SIGNER, AXIS_UPLOAD_SESSION_STORE, ats1 as Ats1Codec, type Axis1DecodedFrame, type Axis1FrameToEncode, type AxisAlg$1 as AxisAlg, AxisAnonymous, type AxisPacket as AxisBinaryPacket, type AxisCapsule, type AxisCapsuleConstraints, type AxisCapsulePayload, type AxisCapsuleRef, type AxisChainEncryption, type AxisChainEnvelope, AxisChainExecutor, type AxisChainRequest, type AxisChainResult, type AxisChainStatus, type AxisChainStep, type AxisChainStepResult, type AxisChainStepStatus, AxisContext, type AxisCrudHandler, type AxisDecoded, AxisDemoPubkey, type AxisEffect, type AxisExecutionContext, type AxisExecutionMode, AxisFilesDownloadHandler, AxisFilesFinalizeHandler, AxisFrame$2 as AxisFrame, type AxisHandler, type AxisHandlerInit, AxisIdDto, type AxisIntentEnvelope, type AxisIntentObserver, AxisIp, type AxisAlg as AxisJsonAlg, type AxisFrame$1 as AxisJsonFrame, type AxisResponse as AxisJsonResponse, type AxisSig as AxisJsonSig, type AxisKeyExchangeRef, type AxisObservation, type AxisObservedContext, type AxisObserverBinding, type AxisObserverBindingOptions, type AxisObserverContext, type AxisObserverDefinition, type AxisObserverEvent, type AxisObserverRef, type AxisObserverRegistration, type AxisPacket$1 as AxisPacket, T as AxisPacketTags, AxisPartialType, type AxisPostSensor, type AxisPreSensor, AxisPublic, AxisRateLimit, type AxisRateLimitConfig, AxisRaw, type AxisRequestContext, type AxisRequestData, AxisResponseDto, type AxisSensor, AxisSensorChainService, type AxisSensorInit, type AxisSig$1 as AxisSig, AxisTlvDto, BAND, CAPABILITIES, CAPSULE_POLICY_METADATA_KEY, CCE_ERROR, CCE_PROTOCOL_VERSION, CHAIN_METADATA_KEY, CONTRACT_METADATA_KEY, type Capability, Capsule, type CapsuleMode, CapsulePolicy, type CapsulePolicyOptions, type CapsuleScopeMode, type CceCapsuleClaims as CceCapsuleClaimsType, CceError, type CceExecutionContext as CceExecutionContextType, type CceHandler, type CceHandlerContext, type CceHandlerResult, type CcePipelineConfig, type CcePipelineResult, type CcePolicyContext, type CcePolicyDecision, type CcePolicyEvaluator, type CceRequestEnvelope as CceRequestEnvelopeType, type CceResponseEnvelope as CceResponseEnvelopeType, type CceWitnessRecord as CceWitnessRecordType, Chain, type ChainOptions, type ChainResult, Contract, ContractViolationError, DEFAULT_CONTRACTS, DEFAULT_TIMEOUT, Decision, DiskUploadFileStore, type DtoSchema, type ExecutionContract, ExecutionMeter, type ExecutionMetrics, FALLBACK_CONTRACT, type Grant, type GrantCapability, type GrantMeta, type GrantStatus, type GrantType, type GrantValidationResult, HANDLER_METADATA_KEY, HANDLER_SENSORS_KEY, Handler, HandlerDiscoveryService, HandlerSensors, INTENT_BODY_KEY, INTENT_METADATA_KEY, INTENT_REQUIREMENTS, INTENT_ROUTES_KEY, INTENT_SENSITIVITY_MAP, INTENT_SENSORS_KEY, INTENT_TIMEOUTS, Intent, IntentBody, type IntentDefinition, type IntentKind, type IntentOptions, type IntentRoute, IntentRouter, IntentSensitivity, IntentSensors, type IntentTlvField, type KeyStatus, type LoomReceipt, type LoomValidationResult, OBSERVER_BINDINGS_KEY, OBSERVER_METADATA_KEY, type ObservationQueueConfig, type ObservationQueueMessage, type ObservationSensor, type ObservationStage, type ObservationStreamEntry, type ObservationWitnessSummary, Observer, ObserverDiscoveryService, ObserverDispatcherService, ObserverRegistry, type ObserverVerdict, PRE_DECODE_BOUNDARY, PROOF_CAPABILITIES, type PresenceChallenge, type PresenceDeclaration, type PresenceProof, type PresenceReceipt, type PresenceStatus, type PresenceVerifyResult, REQUIRED_PROOF_METADATA_KEY, RESPONSE_TAG_CREATED_AT, RESPONSE_TAG_CREATED_BY, RESPONSE_TAG_ID, RESPONSE_TAG_UPDATED_AT, RESPONSE_TAG_UPDATED_BY, type ReceiptEffect, type RegisteredChainConfig, RequiredProof, type RequiredProofKind, type ResponseContract, ResponseObserver, type ResponseObserverContext, type Revocation, type RevocationTargetType, RiskDecision, type RiskEvaluation, type RiskSignal, SENSITIVITY_METADATA_KEY, SENSOR_METADATA_KEY, Schema2002_PasskeyLoginOptionsRes, Schema2011_PasskeyLoginVerifyReq, Schema2012_PasskeyLoginVerifyRes, Schema2021_PasskeyRegisterOptionsReq, Sensitivity, Sensor, type SensorBand, type SensorDecision, SensorDecisions, SensorDiscoveryService, type SensorInput, type SensorMinifiedDecision, type SensorOptions, type SensorPhase, type SensorPhaseMetadata, SensorRegistry, TLV_FIELDS_KEY, TLV_VALIDATORS_KEY, type ThreadState, TlvEnum, TlvField, type TlvFieldKind, type TlvFieldMeta, type TlvFieldOptions, TlvMinLen, TlvRange, TlvUtf8Pattern, TlvValidate, type TlvValidatorFn, type TlvValidatorMeta, type UnsignedObservationWitness, type UploadFileStat, type UploadFileStore, type UploadReceiptSigner, type UploadSessionRecord, type UploadSessionStatus, type UploadSessionStore, Witness, type Writ, type WritBody, type WritHead, type WritMeta, type WritSignature, type WritValidationResult, axis1SigningBytes, b64urlDecode, b64urlDecodeString, b64urlEncode, b64urlEncodeString, buildAts1Hdr, buildDtoDecoder, buildPacket, buildQueueMessage, buildReceiptHash, buildTLVs, buildUnsignedWitness, bytes, canAccessResource, canonicalJson, canonicalJsonExcluding, canonicalizeGrant, canonicalizeObservation, canonicalizeWrit, index$9 as cce, classifyIntent, createObservation, index$8 as crypto, decodeAxis1Frame, decodeQueueMessage, index$7 as decorators, deriveAnchorReflection, encVarint, encodeAxis1Frame, encodeAxisTlvDto, encodeQueueMessage, endStage, index$5 as engine, executeCcePipeline, extractDtoSchema, finalizeObservation, getAxisExecutionContext, hasScope, hashObservation, isAdminOpcode, isKnownOpcode, isTimestampValid, index$4 as loom, mergeAxisExecutionContext, nonce16, normalizeSensorDecision, packPasskeyLoginOptionsReq, packPasskeyLoginOptionsRes, packPasskeyLoginVerifyReq, packPasskeyLoginVerifyRes, packPasskeyRegisterOptionsReq, parseAutoClaimEntries, parseScope, parseStreamEntries, recordSensor, resolveTimeout, index$3 as schemas, index$2 as security, sensitivityName, index$1 as sensors, stableJsonStringify, startStage, tlv, u64be, unpackPasskeyLoginOptionsReq, unpackPasskeyLoginVerifyReq, unpackPasskeyRegisterOptionsReq, utf8, index as utils, validateFrameShape, varintU, verifyResponse, withAxisExecutionContext };