@nextera.one/axis-server-sdk 2.2.0 → 2.2.2

package/dist/cce-pipeline-DbGBSsCG.d.ts

@@ -0,0 +1,294 @@
+import { A as AxisSensor } from './axis-sensor-GBEI3Fab.js';
+
+declare const CCE_PROTOCOL_VERSION: "cce-v1";
+declare const CCE_DERIVATION: {
+    readonly REQUEST: "axis:cce:req:v1";
+    readonly RESPONSE: "axis:cce:resp:v1";
+    readonly WITNESS: "axis:cce:witness:v1";
+};
+type CceAlgorithm = "AES-256-GCM";
+type CceKemAlgorithm = "X25519" | "RSA-OAEP-256";
+type CceKdfAlgorithm = "HKDF-SHA256";
+declare const CCE_AES_KEY_BYTES = 32;
+declare const CCE_IV_BYTES = 12;
+declare const CCE_TAG_BYTES = 16;
+declare const CCE_NONCE_BYTES = 32;
+interface CceCapsuleClaims {
+    capsule_id: string;
+    ver: typeof CCE_PROTOCOL_VERSION;
+    sub: string;
+    kid: string;
+    intent: string;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    capsule_nonce: string;
+    challenge_id: string;
+    proof_hash?: string;
+    policy_hash?: string;
+    iat: number;
+    exp: number;
+    mode: "SINGLE_USE" | "SESSION";
+    scope?: string[];
+    constraints?: CceConstraints;
+    issuer_sig: CceSignature;
+}
+interface CceConstraints {
+    max_payload_bytes?: number;
+    ip_allow?: string[];
+    device_allow?: string[];
+    country_allow?: string[];
+}
+interface CceSignature {
+    alg: "EdDSA" | "ES256";
+    kid: string;
+    value: string;
+}
+interface CceRequestEnvelope {
+    ver: typeof CCE_PROTOCOL_VERSION;
+    request_id: string;
+    correlation_id: string;
+    client_kid: string;
+    capsule: CceCapsuleClaims;
+    encrypted_key: CceEncryptedKey;
+    encrypted_payload: CceEncryptedPayload;
+    request_nonce: string;
+    client_sig: CceSignature;
+    content_type: string;
+    algorithms: CceAlgorithmDescriptor;
+    aad_descriptor?: string;
+}
+interface CceEncryptedKey {
+    alg: CceKemAlgorithm;
+    axis_kid: string;
+    ciphertext: string;
+    ephemeral_pk?: string;
+}
+interface CceEncryptedPayload {
+    alg: CceAlgorithm;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+}
+interface CceAlgorithmDescriptor {
+    kem: CceKemAlgorithm;
+    enc: CceAlgorithm;
+    kdf: CceKdfAlgorithm;
+    sig: "EdDSA" | "ES256";
+}
+interface CceResponseEnvelope {
+    ver: typeof CCE_PROTOCOL_VERSION;
+    response_id: string;
+    request_id: string;
+    correlation_id: string;
+    capsule_id: string;
+    encrypted_key: CceEncryptedKey;
+    encrypted_payload: CceEncryptedPayload;
+    response_nonce: string;
+    axis_sig: CceSignature;
+    witness_ref?: string;
+    algorithms: CceAlgorithmDescriptor;
+    status: CceResponseStatus;
+}
+type CceResponseStatus = "SUCCESS" | "DENIED" | "PARTIAL" | "FAILED" | "ERROR";
+interface CceExecutionContext {
+    execution_key_hash: string;
+    request_id: string;
+    capsule_id: string;
+    sub: string;
+    kid: string;
+    intent: string;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    policy_hash?: string;
+    derived_at: number;
+    valid: boolean;
+}
+interface CceWitnessRecord {
+    witness_id: string;
+    request_id: string;
+    capsule_id: string;
+    sub: string;
+    intent: string;
+    aud: string;
+    tps_from: number;
+    tps_to: number;
+    timestamp: number;
+    verification: {
+        client_sig: boolean;
+        capsule_sig: boolean;
+        tps_valid: boolean;
+        audience_match: boolean;
+        intent_match: boolean;
+        replay_clean: boolean;
+        nonce_unique: boolean;
+        decryption_ok: boolean;
+    };
+    execution: {
+        status: CceResponseStatus;
+        handler_duration_ms: number;
+        effect?: string;
+    };
+    response_encrypted: boolean;
+    execution_context_hash: string;
+    request_payload_hash?: string;
+    response_payload_hash?: string;
+}
+declare const CCE_ERROR: {
+    readonly INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE";
+    readonly UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION";
+    readonly MISSING_CAPSULE: "CCE_MISSING_CAPSULE";
+    readonly MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY";
+    readonly CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID";
+    readonly CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND";
+    readonly CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID";
+    readonly CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED";
+    readonly CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID";
+    readonly CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED";
+    readonly CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED";
+    readonly AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH";
+    readonly INTENT_MISMATCH: "CCE_INTENT_MISMATCH";
+    readonly TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED";
+    readonly TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE";
+    readonly REPLAY_DETECTED: "CCE_REPLAY_DETECTED";
+    readonly NONCE_REUSED: "CCE_NONCE_REUSED";
+    readonly DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED";
+    readonly KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED";
+    readonly AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH";
+    readonly PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE";
+    readonly PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID";
+    readonly INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH";
+    readonly POLICY_DENIED: "CCE_POLICY_DENIED";
+    readonly CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED";
+    readonly HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND";
+    readonly HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED";
+    readonly HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT";
+    readonly RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED";
+};
+type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];
+declare class CceError extends Error {
+    readonly code: CceErrorCode;
+    readonly metadata?: Record<string, unknown> | undefined;
+    constructor(code: CceErrorCode, message: string, metadata?: Record<string, unknown> | undefined);
+    get clientSafe(): boolean;
+    toClientError(): {
+        code: CceErrorCode;
+        message: string;
+    };
+}
+
+interface CceClientKeyEncryptor {
+    wrapKey(aesKey: Uint8Array, clientKid: string, clientPublicKeyHex: string): Promise<CceEncryptedKey>;
+}
+interface CceAxisSigner {
+    sign(payload: Uint8Array): Promise<CceSignature>;
+}
+interface CceResponseOptions {
+    request: CceRequestEnvelope;
+    capsule: CceCapsuleClaims;
+    status: CceResponseStatus;
+    body: Uint8Array;
+    clientPublicKeyHex: string;
+    witnessRef?: string;
+}
+declare function buildCceResponse(options: CceResponseOptions, clientKeyEncryptor: CceClientKeyEncryptor, axisSigner: CceAxisSigner): Promise<{
+    envelope: CceResponseEnvelope;
+    responsePayloadHash: string;
+}>;
+declare function buildCceErrorResponse(requestId: string, correlationId: string, status: CceResponseStatus, errorCode: string, message: string): {
+    ver: string;
+    request_id: string;
+    correlation_id: string;
+    status: CceResponseStatus;
+    error: {
+        code: string;
+        message: string;
+    };
+};
+
+interface CceWitnessStore {
+    record(witness: CceWitnessRecord): Promise<void>;
+}
+declare class InMemoryCceWitnessStore implements CceWitnessStore {
+    readonly records: CceWitnessRecord[];
+    record(witness: CceWitnessRecord): Promise<void>;
+    getByRequestId(requestId: string): CceWitnessRecord | undefined;
+    getByCapsuleId(capsuleId: string): CceWitnessRecord[];
+}
+interface CceVerificationState {
+    clientSigVerified: boolean;
+    capsuleSigVerified: boolean;
+    tpsValid: boolean;
+    audienceMatch: boolean;
+    intentMatch: boolean;
+    replayClean: boolean;
+    nonceUnique: boolean;
+    decryptionOk: boolean;
+}
+declare function buildWitnessRecord(envelope: CceRequestEnvelope, capsule: CceCapsuleClaims, verification: CceVerificationState, execution: {
+    status: CceResponseStatus;
+    handlerDurationMs: number;
+    effect?: string;
+}, options: {
+    axisLocalSecret: string;
+    requestPayload?: Uint8Array;
+    responsePayload?: Uint8Array;
+    responseEncrypted: boolean;
+}): CceWitnessRecord;
+declare function extractVerificationState(metadata: Record<string, any>): CceVerificationState;
+
+type CceHandler = (payload: Uint8Array, context: CceHandlerContext) => Promise<CceHandlerResult>;
+interface CceHandlerContext {
+    capsule: CceCapsuleClaims;
+    executionContext: CceExecutionContext;
+    envelope: CceRequestEnvelope;
+    clientPublicKeyHex: string;
+    intent: string;
+    sub: string;
+}
+interface CceHandlerResult {
+    status: CceResponseStatus;
+    body: Uint8Array;
+    effect?: string;
+}
+interface CcePolicyContext {
+    envelope: CceRequestEnvelope;
+    capsule: CceCapsuleClaims;
+    executionContext: CceExecutionContext;
+    decryptedPayload: Uint8Array;
+    clientPublicKeyHex: string;
+}
+interface CcePolicyDecision {
+    allow: boolean;
+    code?: string;
+    message?: string;
+}
+interface CcePolicyEvaluator {
+    evaluate(context: CcePolicyContext): Promise<CcePolicyDecision>;
+}
+interface CcePipelineConfig {
+    axisLocalSecret: string;
+    axisAudience: string;
+    sensors: AxisSensor[];
+    handlers: Map<string, CceHandler>;
+    witnessStore: CceWitnessStore;
+    clientKeyEncryptor: CceClientKeyEncryptor;
+    axisSigner: CceAxisSigner;
+    policyEvaluator?: CcePolicyEvaluator;
+}
+type CcePipelineResult = {
+    ok: true;
+    response: CceResponseEnvelope;
+    witnessId: string;
+} | {
+    ok: false;
+    error: {
+        code: string;
+        message: string;
+    };
+    status: CceResponseStatus;
+};
+declare function executeCcePipeline(envelope: CceRequestEnvelope, config: CcePipelineConfig): Promise<CcePipelineResult>;
+
+export { type CcePolicyDecision as A, type CcePolicyEvaluator as B, type CceCapsuleClaims as C, type CceResponseEnvelope as D, type CceResponseOptions as E, type CceResponseStatus as F, type CceSignature as G, type CceVerificationState as H, type CceWitnessRecord as I, type CceWitnessStore as J, InMemoryCceWitnessStore as K, buildCceErrorResponse as L, buildCceResponse as M, buildWitnessRecord as N, executeCcePipeline as O, extractVerificationState as P, type CceExecutionContext as a, type CceRequestEnvelope as b, CCE_AES_KEY_BYTES as c, CCE_DERIVATION as d, CCE_ERROR as e, CCE_IV_BYTES as f, CCE_NONCE_BYTES as g, CCE_PROTOCOL_VERSION as h, CCE_TAG_BYTES as i, type CceAlgorithm as j, type CceAlgorithmDescriptor as k, type CceAxisSigner as l, type CceClientKeyEncryptor as m, type CceConstraints as n, type CceEncryptedKey as o, type CceEncryptedPayload as p, CceError as q, type CceErrorCode as r, type CceHandler as s, type CceHandlerContext as t, type CceHandlerResult as u, type CceKdfAlgorithm as v, type CceKemAlgorithm as w, type CcePipelineConfig as x, type CcePipelineResult as y, type CcePolicyContext as z };

package/dist/core/index.d.mts

@@ -1,3 +1,24 @@
+import { AxisFrame } from '@nextera.one/axis-protocol';
 export * from '@nextera.one/axis-protocol';
-export { A as AxisError, a as AxisFrameZ, c as computeReceiptHash, b as computeSignaturePayload, g as generateEd25519KeyPair, s as sha256, d as signFrame, v as verifyFrameSignature } from '../index-VxXqZPuH.mjs';
-import 'zod';
+import * as z from 'zod';
+
+declare const AxisFrameZ: z.ZodType<AxisFrame>;
+
+declare function computeSignaturePayload(frame: AxisFrame): Buffer;
+declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
+declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
+declare function generateEd25519KeyPair(): {
+    privateKey: Buffer;
+    publicKey: Buffer;
+};
+declare function sha256(data: Buffer | Uint8Array): Buffer;
+declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
+
+declare class AxisError extends Error {
+    code: string;
+    httpStatus: number;
+    details?: Record<string, any> | undefined;
+    constructor(code: string, message: string, httpStatus?: number, details?: Record<string, any> | undefined);
+}
+
+export { AxisError, AxisFrameZ, computeReceiptHash, computeSignaturePayload, generateEd25519KeyPair, sha256, signFrame, verifyFrameSignature };

package/dist/core/index.d.ts

@@ -1,3 +1,24 @@
+import { AxisFrame } from '@nextera.one/axis-protocol';
 export * from '@nextera.one/axis-protocol';
-export { A as AxisError, a as AxisFrameZ, c as computeReceiptHash, b as computeSignaturePayload, g as generateEd25519KeyPair, s as sha256, d as signFrame, v as verifyFrameSignature } from '../index-VxXqZPuH.js';
-import 'zod';
+import * as z from 'zod';
+
+declare const AxisFrameZ: z.ZodType<AxisFrame>;
+
+declare function computeSignaturePayload(frame: AxisFrame): Buffer;
+declare function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer;
+declare function verifyFrameSignature(frame: AxisFrame, publicKey: Buffer): boolean;
+declare function generateEd25519KeyPair(): {
+    privateKey: Buffer;
+    publicKey: Buffer;
+};
+declare function sha256(data: Buffer | Uint8Array): Buffer;
+declare function computeReceiptHash(receiptBytes: Buffer | Uint8Array, prevHash?: Buffer | Uint8Array): Buffer;
+
+declare class AxisError extends Error {
+    code: string;
+    httpStatus: number;
+    details?: Record<string, any> | undefined;
+    constructor(code: string, message: string, httpStatus?: number, details?: Record<string, any> | undefined);
+}
+
+export { AxisError, AxisFrameZ, computeReceiptHash, computeSignaturePayload, generateEd25519KeyPair, sha256, signFrame, verifyFrameSignature };

package/dist/idel/index.d.mts

@@ -0,0 +1,24 @@
+import { h as IntentSchema, f as IntentProposal, b as CompilationResult, c as CompiledIntent } from '../idel.types-DuUAcOnQ.mjs';
+export { A as AlternativeIntent, C as ClarificationQuestion, a as CompilationError, d as ConstraintKind, I as IntentConstraint, e as IntentParamSchema, g as IntentRisk, R as RiskLevel } from '../idel.types-DuUAcOnQ.mjs';
+
+declare class IdelSchemaRegistry {
+    private schemas;
+    private aliases;
+    register(schema: IntentSchema): void;
+    registerAlias(alias: string, intent: string): void;
+    get(intent: string): IntentSchema | undefined;
+    resolve(raw: string): IntentSchema | undefined;
+    findCandidates(raw: string): Array<{
+        schema: IntentSchema;
+        score: number;
+    }>;
+    list(): IntentSchema[];
+}
+declare class IdelCompiler {
+    private readonly registry;
+    constructor(registry: IdelSchemaRegistry);
+    compile(proposal: IntentProposal): CompilationResult;
+    applyClarifications(compiled: CompiledIntent, answers: Record<string, unknown>): CompilationResult;
+}
+
+export { CompilationResult, CompiledIntent, IdelCompiler, IdelSchemaRegistry, IntentProposal, IntentSchema };

package/dist/idel/index.d.ts

@@ -0,0 +1,24 @@
+import { h as IntentSchema, f as IntentProposal, b as CompilationResult, c as CompiledIntent } from '../idel.types-DuUAcOnQ.js';
+export { A as AlternativeIntent, C as ClarificationQuestion, a as CompilationError, d as ConstraintKind, I as IntentConstraint, e as IntentParamSchema, g as IntentRisk, R as RiskLevel } from '../idel.types-DuUAcOnQ.js';
+
+declare class IdelSchemaRegistry {
+    private schemas;
+    private aliases;
+    register(schema: IntentSchema): void;
+    registerAlias(alias: string, intent: string): void;
+    get(intent: string): IntentSchema | undefined;
+    resolve(raw: string): IntentSchema | undefined;
+    findCandidates(raw: string): Array<{
+        schema: IntentSchema;
+        score: number;
+    }>;
+    list(): IntentSchema[];
+}
+declare class IdelCompiler {
+    private readonly registry;
+    constructor(registry: IdelSchemaRegistry);
+    compile(proposal: IntentProposal): CompilationResult;
+    applyClarifications(compiled: CompiledIntent, answers: Record<string, unknown>): CompilationResult;
+}
+
+export { CompilationResult, CompiledIntent, IdelCompiler, IdelSchemaRegistry, IntentProposal, IntentSchema };