@nextera.one/axis-server-sdk 2.2.6 → 2.2.7

package/dist/{axis-sensor-GBEI3Fab.d.mts → axis-sensor-DMW4rfRg.d.mts}

@@ -104,7 +104,7 @@ interface AxisRequestContext {
 }
 
 interface SensorPhaseMetadata {
-    phase: 'PRE_DECODE' | 'POST_DECODE';
+    phase: "PRE_DECODE" | "POST_DECODE";
     dependencies?: string[];
     asyncOk?: boolean;
     cryptoOk?: boolean;
@@ -113,18 +113,18 @@ interface SensorPhaseMetadata {
 interface AxisSensor {
     readonly name: string;
     readonly order?: number;
-    phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
-    supports?(input: SensorInput): boolean;
+    phase?: SensorPhaseMetadata | "PRE_DECODE" | "POST_DECODE";
+    supports?(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 interface AxisSensorInit extends AxisSensor {
     onModuleInit?(): void | Promise<void>;
 }
 interface AxisPreSensor extends AxisSensor {
-    phase: 'PRE_DECODE';
+    phase: "PRE_DECODE";
 }
 interface AxisPostSensor extends AxisSensor {
-    phase: 'POST_DECODE';
+    phase: "POST_DECODE";
 }
 interface SensorInput {
     rawBytes?: Buffer | Uint8Array;
@@ -168,20 +168,20 @@ type SensorDecision = {
         constraintsPatch?: Record<string, any>;
     };
 } | {
-    action: 'ALLOW';
+    action: "ALLOW";
     meta?: any;
 } | {
-    action: 'DENY';
+    action: "DENY";
     code: string;
     reason?: string;
     retryAfterMs?: number;
     meta?: any;
 } | {
-    action: 'THROTTLE';
+    action: "THROTTLE";
     retryAfterMs: number;
     meta?: any;
 } | {
-    action: 'FLAG';
+    action: "FLAG";
     scoreDelta: number;
     reasons: string[];
     meta?: any;

package/dist/{axis-sensor-GBEI3Fab.d.ts → axis-sensor-DMW4rfRg.d.ts}

@@ -104,7 +104,7 @@ interface AxisRequestContext {
 }
 
 interface SensorPhaseMetadata {
-    phase: 'PRE_DECODE' | 'POST_DECODE';
+    phase: "PRE_DECODE" | "POST_DECODE";
     dependencies?: string[];
     asyncOk?: boolean;
     cryptoOk?: boolean;
@@ -113,18 +113,18 @@ interface SensorPhaseMetadata {
 interface AxisSensor {
     readonly name: string;
     readonly order?: number;
-    phase?: SensorPhaseMetadata | 'PRE_DECODE' | 'POST_DECODE';
-    supports?(input: SensorInput): boolean;
+    phase?: SensorPhaseMetadata | "PRE_DECODE" | "POST_DECODE";
+    supports?(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 interface AxisSensorInit extends AxisSensor {
     onModuleInit?(): void | Promise<void>;
 }
 interface AxisPreSensor extends AxisSensor {
-    phase: 'PRE_DECODE';
+    phase: "PRE_DECODE";
 }
 interface AxisPostSensor extends AxisSensor {
-    phase: 'POST_DECODE';
+    phase: "POST_DECODE";
 }
 interface SensorInput {
     rawBytes?: Buffer | Uint8Array;
@@ -168,20 +168,20 @@ type SensorDecision = {
         constraintsPatch?: Record<string, any>;
     };
 } | {
-    action: 'ALLOW';
+    action: "ALLOW";
     meta?: any;
 } | {
-    action: 'DENY';
+    action: "DENY";
     code: string;
     reason?: string;
     retryAfterMs?: number;
     meta?: any;
 } | {
-    action: 'THROTTLE';
+    action: "THROTTLE";
     retryAfterMs: number;
     meta?: any;
 } | {
-    action: 'FLAG';
+    action: "FLAG";
     scoreDelta: number;
     reasons: string[];
     meta?: any;

package/dist/cce/index.d.mts

@@ -1,6 +1,6 @@
-import { C as CceCapsuleClaims, a as CceExecutionContext, b as CceRequestEnvelope } from '../cce-pipeline-B-zUBHo3.mjs';
-export { c as CCE_AES_KEY_BYTES, d as CCE_DERIVATION, e as CCE_ERROR, f as CCE_IV_BYTES, g as CCE_NONCE_BYTES, h as CCE_PROTOCOL_VERSION, i as CCE_TAG_BYTES, j as CceAlgorithm, k as CceAlgorithmDescriptor, l as CceAxisSigner, m as CceClientKeyEncryptor, n as CceConstraints, o as CceEncryptedKey, p as CceEncryptedPayload, q as CceError, r as CceErrorCode, s as CceHandler, t as CceHandlerContext, u as CceHandlerResult, v as CceKdfAlgorithm, w as CceKemAlgorithm, x as CcePipelineConfig, y as CcePipelineResult, z as CcePolicyContext, A as CcePolicyDecision, B as CcePolicyEvaluator, D as CceResponseEnvelope, E as CceResponseOptions, F as CceResponseStatus, G as CceSignature, H as CceVerificationState, I as CceWitnessRecord, J as CceWitnessStore, K as InMemoryCceWitnessStore, L as buildCceErrorResponse, M as buildCceResponse, N as buildWitnessRecord, O as executeCcePipeline, P as extractVerificationState } from '../cce-pipeline-B-zUBHo3.mjs';
-import { A as AxisSensor, S as SensorInput, a as SensorDecision } from '../axis-sensor-GBEI3Fab.mjs';
+import { C as CceCapsuleClaims, a as CceExecutionContext, b as CceRequestEnvelope } from '../cce-pipeline-CBt56guN.mjs';
+export { c as CCE_AES_KEY_BYTES, d as CCE_DERIVATION, e as CCE_ERROR, f as CCE_IV_BYTES, g as CCE_NONCE_BYTES, h as CCE_PROTOCOL_VERSION, i as CCE_TAG_BYTES, j as CceAlgorithm, k as CceAlgorithmDescriptor, l as CceAxisSigner, m as CceClientKeyEncryptor, n as CceConstraints, o as CceEncryptedKey, p as CceEncryptedPayload, q as CceError, r as CceErrorCode, s as CceHandler, t as CceHandlerContext, u as CceHandlerResult, v as CceKdfAlgorithm, w as CceKemAlgorithm, x as CcePipelineConfig, y as CcePipelineResult, z as CcePolicyContext, A as CcePolicyDecision, B as CcePolicyEvaluator, D as CceResponseEnvelope, E as CceResponseOptions, F as CceResponseStatus, G as CceSignature, H as CceVerificationState, I as CceWitnessRecord, J as CceWitnessStore, K as InMemoryCceWitnessStore, L as buildCceErrorResponse, M as buildCceResponse, N as buildWitnessRecord, O as executeCcePipeline, P as extractVerificationState } from '../cce-pipeline-CBt56guN.mjs';
+import { A as AxisSensor, S as SensorInput, a as SensorDecision } from '../axis-sensor-DMW4rfRg.mjs';
 
 interface CceDerivationInput {
     axisLocalSecret: string;
@@ -40,7 +40,7 @@ declare class CcePayloadDecryptionSensor implements AxisSensor {
     readonly order = 145;
     readonly phase: "POST_DECODE";
     constructor(keyProvider: CceAxisKeyProvider, aesProvider: CceAesGcmProvider, maxPayloadBytes?: number, payloadValidator?: CcePayloadValidator | undefined);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -62,7 +62,7 @@ declare class CceEnvelopeValidationSensor implements AxisSensor {
     readonly name = "cce.envelope.validation";
     readonly order = 5;
     readonly phase: "PRE_DECODE";
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -82,7 +82,7 @@ declare class CceClientSignatureSensor implements AxisSensor {
     readonly order = 45;
     readonly phase: "POST_DECODE";
     constructor(keyResolver: CceClientKeyResolver, signatureVerifier: CceSignatureVerifier);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -105,7 +105,7 @@ declare class CceCapsuleVerificationSensor implements AxisSensor {
     readonly order = 50;
     readonly phase: "POST_DECODE";
     constructor(issuerKeyResolver: CceIssuerKeyResolver, capsuleVerifier: CceCapsuleSignatureVerifier);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -115,7 +115,7 @@ declare class CceTpsWindowSensor implements AxisSensor {
     readonly order = 92;
     readonly phase: "POST_DECODE";
     constructor(skewMs?: number);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -125,7 +125,7 @@ declare class CceAudienceIntentBindingSensor implements AxisSensor {
     readonly order = 95;
     readonly phase: "POST_DECODE";
     constructor(axisAudience: string);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -155,7 +155,7 @@ declare class CceReplayProtectionSensor implements AxisSensor {
     constructor(replayStore: CceReplayStore, options?: {
         nonceTtlMs?: number;
     });
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 

package/dist/cce/index.d.ts

@@ -1,6 +1,6 @@
-import { C as CceCapsuleClaims, a as CceExecutionContext, b as CceRequestEnvelope } from '../cce-pipeline-DbGBSsCG.js';
-export { c as CCE_AES_KEY_BYTES, d as CCE_DERIVATION, e as CCE_ERROR, f as CCE_IV_BYTES, g as CCE_NONCE_BYTES, h as CCE_PROTOCOL_VERSION, i as CCE_TAG_BYTES, j as CceAlgorithm, k as CceAlgorithmDescriptor, l as CceAxisSigner, m as CceClientKeyEncryptor, n as CceConstraints, o as CceEncryptedKey, p as CceEncryptedPayload, q as CceError, r as CceErrorCode, s as CceHandler, t as CceHandlerContext, u as CceHandlerResult, v as CceKdfAlgorithm, w as CceKemAlgorithm, x as CcePipelineConfig, y as CcePipelineResult, z as CcePolicyContext, A as CcePolicyDecision, B as CcePolicyEvaluator, D as CceResponseEnvelope, E as CceResponseOptions, F as CceResponseStatus, G as CceSignature, H as CceVerificationState, I as CceWitnessRecord, J as CceWitnessStore, K as InMemoryCceWitnessStore, L as buildCceErrorResponse, M as buildCceResponse, N as buildWitnessRecord, O as executeCcePipeline, P as extractVerificationState } from '../cce-pipeline-DbGBSsCG.js';
-import { A as AxisSensor, S as SensorInput, a as SensorDecision } from '../axis-sensor-GBEI3Fab.js';
+import { C as CceCapsuleClaims, a as CceExecutionContext, b as CceRequestEnvelope } from '../cce-pipeline-BJ-F1isr.js';
+export { c as CCE_AES_KEY_BYTES, d as CCE_DERIVATION, e as CCE_ERROR, f as CCE_IV_BYTES, g as CCE_NONCE_BYTES, h as CCE_PROTOCOL_VERSION, i as CCE_TAG_BYTES, j as CceAlgorithm, k as CceAlgorithmDescriptor, l as CceAxisSigner, m as CceClientKeyEncryptor, n as CceConstraints, o as CceEncryptedKey, p as CceEncryptedPayload, q as CceError, r as CceErrorCode, s as CceHandler, t as CceHandlerContext, u as CceHandlerResult, v as CceKdfAlgorithm, w as CceKemAlgorithm, x as CcePipelineConfig, y as CcePipelineResult, z as CcePolicyContext, A as CcePolicyDecision, B as CcePolicyEvaluator, D as CceResponseEnvelope, E as CceResponseOptions, F as CceResponseStatus, G as CceSignature, H as CceVerificationState, I as CceWitnessRecord, J as CceWitnessStore, K as InMemoryCceWitnessStore, L as buildCceErrorResponse, M as buildCceResponse, N as buildWitnessRecord, O as executeCcePipeline, P as extractVerificationState } from '../cce-pipeline-BJ-F1isr.js';
+import { A as AxisSensor, S as SensorInput, a as SensorDecision } from '../axis-sensor-DMW4rfRg.js';
 
 interface CceDerivationInput {
     axisLocalSecret: string;
@@ -40,7 +40,7 @@ declare class CcePayloadDecryptionSensor implements AxisSensor {
     readonly order = 145;
     readonly phase: "POST_DECODE";
     constructor(keyProvider: CceAxisKeyProvider, aesProvider: CceAesGcmProvider, maxPayloadBytes?: number, payloadValidator?: CcePayloadValidator | undefined);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -62,7 +62,7 @@ declare class CceEnvelopeValidationSensor implements AxisSensor {
     readonly name = "cce.envelope.validation";
     readonly order = 5;
     readonly phase: "PRE_DECODE";
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -82,7 +82,7 @@ declare class CceClientSignatureSensor implements AxisSensor {
     readonly order = 45;
     readonly phase: "POST_DECODE";
     constructor(keyResolver: CceClientKeyResolver, signatureVerifier: CceSignatureVerifier);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -105,7 +105,7 @@ declare class CceCapsuleVerificationSensor implements AxisSensor {
     readonly order = 50;
     readonly phase: "POST_DECODE";
     constructor(issuerKeyResolver: CceIssuerKeyResolver, capsuleVerifier: CceCapsuleSignatureVerifier);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -115,7 +115,7 @@ declare class CceTpsWindowSensor implements AxisSensor {
     readonly order = 92;
     readonly phase: "POST_DECODE";
     constructor(skewMs?: number);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -125,7 +125,7 @@ declare class CceAudienceIntentBindingSensor implements AxisSensor {
     readonly order = 95;
     readonly phase: "POST_DECODE";
     constructor(axisAudience: string);
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 
@@ -155,7 +155,7 @@ declare class CceReplayProtectionSensor implements AxisSensor {
     constructor(replayStore: CceReplayStore, options?: {
         nonceTtlMs?: number;
     });
-    supports(input: SensorInput): boolean;
+    supports(input: SensorInput): Promise<SensorDecision>;
     run(input: SensorInput): Promise<SensorDecision>;
 }
 

package/dist/cce/index.js

@@ -86,6 +86,7 @@ var CCE_ERROR = {
   CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID",
   CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED",
   CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED",
+  CAPSULE_NOT_VERIFIED: "CCE_CAPSULE_NOT_VERIFIED",
   // Binding errors
   AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH",
   INTENT_MISMATCH: "CCE_INTENT_MISMATCH",
@@ -790,8 +791,12 @@ var CceEnvelopeValidationSensor = class {
     this.order = 5;
     this.phase = "PRE_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cce === true || input.metadata?.contentType === "application/axis-cce";
+  async supports(input) {
+    return input.metadata?.cce === true || input.metadata?.contentType === "application/axis-cce" ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: "SENSOR_NOT_APPLICABLE",
+      reason: "Not a CCE envelope"
+    };
   }
   async run(input) {
     const envelope = input.metadata?.cceEnvelope;
@@ -878,8 +883,12 @@ var CceClientSignatureSensor = class {
     this.order = 45;
     this.phase = "POST_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cceEnvelopeValid === true;
+  async supports(input) {
+    return input.metadata?.cceEnvelopeValid === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: "SENSOR_NOT_APPLICABLE",
+      reason: "CCE envelope not validated"
+    };
   }
   async run(input) {
     const envelope = input.metadata?.cceEnvelope;
@@ -955,8 +964,12 @@ var CceCapsuleVerificationSensor = class {
     this.order = 50;
     this.phase = "POST_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cceEnvelopeValid === true;
+  async supports(input) {
+    return input.metadata?.cceEnvelopeValid === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: CCE_ERROR.CAPSULE_NOT_VERIFIED,
+      reason: "CCE capsule not verified"
+    };
   }
   async run(input) {
     const capsule = input.metadata?.cceEnvelope?.capsule;
@@ -1069,8 +1082,12 @@ var CceTpsWindowSensor = class {
     this.order = 92;
     this.phase = "POST_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cceCapsuleVerified === true;
+  async supports(input) {
+    return input.metadata?.cceCapsuleVerified === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: "SENSOR_NOT_APPLICABLE",
+      reason: "CCE capsule not verified"
+    };
   }
   async run(input) {
     const capsule = input.metadata?.cceCapsule;
@@ -1122,8 +1139,12 @@ var CceAudienceIntentBindingSensor = class {
     this.order = 95;
     this.phase = "POST_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cceCapsuleVerified === true;
+  async supports(input) {
+    return input.metadata?.cceCapsuleVerified === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: CCE_ERROR.CAPSULE_NOT_VERIFIED,
+      reason: "CCE capsule not verified"
+    };
   }
   async run(input) {
     const capsule = input.metadata?.cceCapsule;
@@ -1219,8 +1240,12 @@ var CceReplayProtectionSensor = class {
     this.phase = "POST_DECODE";
     this.nonceTtlMs = options?.nonceTtlMs ?? 5 * 60 * 1e3;
   }
-  supports(input) {
-    return input.metadata?.cceCapsuleVerified === true;
+  async supports(input) {
+    return input.metadata?.cceCapsuleVerified === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: "SENSOR_NOT_APPLICABLE",
+      reason: "CCE capsule not verified"
+    };
   }
   async run(input) {
     const capsule = input.metadata?.cceCapsule;
@@ -1299,8 +1324,12 @@ var CcePayloadDecryptionSensor = class {
     this.order = 145;
     this.phase = "POST_DECODE";
   }
-  supports(input) {
-    return input.metadata?.cceEnvelopeValid === true && input.metadata?.cceClientSigVerified === true && input.metadata?.cceCapsuleVerified === true && input.metadata?.cceReplayClean === true;
+  async supports(input) {
+    return input.metadata?.cceEnvelopeValid === true && input.metadata?.cceClientSigVerified === true && input.metadata?.cceCapsuleVerified === true && input.metadata?.cceReplayClean === true ? { action: "ALLOW" } : {
+      action: "DENY",
+      code: "SENSOR_NOT_APPLICABLE",
+      reason: "CCE preconditions not met"
+    };
   }
   async run(input) {
     const envelope = input.metadata?.cceEnvelope;