npm - @nextera.one/axis-server-sdk - Versions diffs - 2.2.7 → 2.2.9 - Mend

@nextera.one/axis-server-sdk 2.2.7 → 2.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/{index-BAoKsEOu.d.ts → index-Dci5tlZE.d.ts} +24 -12
package/dist/{index-BLK3AtRm.d.mts → index-DypvaTKs.d.mts} +24 -12
package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +402 -339
package/dist/index.js.map +1 -1
package/dist/index.mjs +349 -286
package/dist/index.mjs.map +1 -1
package/dist/sensors/index.d.mts +3 -3
package/dist/sensors/index.d.ts +3 -3
package/dist/sensors/index.js +402 -339
package/dist/sensors/index.js.map +1 -1
package/dist/sensors/index.mjs +349 -286
package/dist/sensors/index.mjs.map +1 -1
package/package.json +7 -7

package/dist/index.js CHANGED Viewed

@@ -253,7 +253,7 @@ function AxisRateLimit(config) {
     return descriptor;
   };
 }
-var import_reflect_metadata3, AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_RATE_LIMIT_KEY;
+var import_reflect_metadata3, AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_AUTHORIZED_KEY, AXIS_RATE_LIMIT_KEY;
 var init_intent_policy_decorator = __esm({
   "src/decorators/intent-policy.decorator.ts"() {
     import_reflect_metadata3 = require("reflect-metadata");
@@ -263,6 +263,7 @@ var init_intent_policy_decorator = __esm({
     REQUIRED_PROOF_METADATA_KEY = "axis:required_proof";
     AXIS_PUBLIC_KEY = "axis:public";
     AXIS_ANONYMOUS_KEY = "axis:anonymous";
+    AXIS_AUTHORIZED_KEY = "axis:authorized";
     AXIS_RATE_LIMIT_KEY = "axis:rateLimit";
   }
 });
@@ -1396,6 +1397,271 @@ var init_axis_chain_executor = __esm({
   }
 });
+// src/security/scopes.ts
+function hasScope(scopes, required) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    return false;
+  }
+  if (scopes.includes(required)) {
+    return true;
+  }
+  const [resource, id] = required.split(":");
+  if (resource && id) {
+    const wildcard = `${resource}:*`;
+    if (scopes.includes(wildcard)) {
+      return true;
+    }
+  }
+  return false;
+}
+function parseScope(scope) {
+  const parts = scope.split(":");
+  if (parts.length !== 2) return null;
+  return { resource: parts[0], id: parts[1] };
+}
+function canAccessResource(scopes, resourceType, resourceId) {
+  const required = `${resourceType}:${resourceId}`;
+  return hasScope(scopes, required);
+}
+var init_scopes = __esm({
+  "src/security/scopes.ts"() {
+  }
+});
+// src/security/inline-capsule.ts
+function normalizeInlineCapsule(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const raw = input;
+  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
+  return {
+    id: normalizeScalar(raw.id),
+    actorId: normalizeScalar(raw.actorId),
+    intents: normalizeStringList(raw.intents),
+    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
+    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
+    realm: normalizeScalar(raw.realm),
+    node: normalizeScalar(raw.node),
+    scopes,
+    raw
+  };
+}
+function inlineCapsuleAllowsIntent(capsule, intent) {
+  if (!capsule.intents || capsule.intents.length === 0) {
+    return false;
+  }
+  for (const pattern of capsule.intents) {
+    if (pattern === "*" || pattern === intent) {
+      return true;
+    }
+    if (pattern.endsWith(".*")) {
+      const prefix = pattern.slice(0, -1);
+      if (intent.startsWith(prefix)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
+  if (capsule.expiresAt === void 0) {
+    return false;
+  }
+  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
+}
+function resolvePolicyScopes(scopes, context) {
+  return scopes.map(
+    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
+      const resolved = resolveTemplateExpression(expression.trim(), context);
+      if (resolved === void 0 || resolved === null || resolved === "") {
+        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
+      }
+      return String(resolved);
+    })
+  );
+}
+function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
+  if (!capsule.scopes || capsule.scopes.length === 0) {
+    return false;
+  }
+  if (mode === "any") {
+    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
+  }
+  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
+}
+function resolveTemplateExpression(expression, context) {
+  if (expression === "intent") {
+    return context.intent;
+  }
+  if (expression === "actorId") {
+    return context.actorId;
+  }
+  if (expression === "chainId") {
+    return context.chainId;
+  }
+  if (expression === "stepId") {
+    return context.stepId;
+  }
+  if (expression.startsWith("body.")) {
+    return getNestedValue(context.body, expression.slice(5));
+  }
+  return void 0;
+}
+function getNestedValue(value, path2) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  return path2.split(".").reduce((current, segment) => {
+    if (!current || typeof current !== "object") {
+      return void 0;
+    }
+    return current[segment];
+  }, value);
+}
+function normalizeScalar(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value instanceof Uint8Array) {
+    return Buffer.from(value).toString("hex");
+  }
+  return void 0;
+}
+function normalizeStringList(value) {
+  if (!value) {
+    return void 0;
+  }
+  const list = Array.isArray(value) ? value : [value];
+  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
+  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
+}
+function normalizeTimestamp(value) {
+  if (typeof value === "bigint") {
+    return value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return BigInt(Math.trunc(value));
+  }
+  if (typeof value === "string" && value.trim().length > 0) {
+    try {
+      return BigInt(value);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
+var init_inline_capsule = __esm({
+  "src/security/inline-capsule.ts"() {
+    init_scopes();
+  }
+});
+// src/sensor/axis-sensor.ts
+function normalizeSensorDecision(sensorDecision) {
+  if ("action" in sensorDecision) {
+    switch (sensorDecision.action) {
+      case "ALLOW":
+        return {
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          meta: sensorDecision.meta
+        };
+      case "DENY":
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [sensorDecision.code, sensorDecision.reason].filter(
+            Boolean
+          ),
+          meta: sensorDecision.meta,
+          retryAfterMs: sensorDecision.retryAfterMs
+        };
+      case "THROTTLE":
+        return {
+          allow: false,
+          riskScore: 50,
+          reasons: ["RATE_LIMIT"],
+          retryAfterMs: sensorDecision.retryAfterMs,
+          meta: sensorDecision.meta
+        };
+      case "FLAG":
+        return {
+          allow: true,
+          riskScore: sensorDecision.scoreDelta,
+          reasons: sensorDecision.reasons,
+          meta: sensorDecision.meta
+        };
+    }
+  }
+  return {
+    allow: sensorDecision.allow,
+    riskScore: sensorDecision.riskScore,
+    reasons: sensorDecision.reasons,
+    tags: sensorDecision.tags,
+    meta: sensorDecision.meta,
+    tighten: sensorDecision.tighten,
+    retryAfterMs: sensorDecision.retryAfterMs
+  };
+}
+var Decision, SensorDecisions;
+var init_axis_sensor = __esm({
+  "src/sensor/axis-sensor.ts"() {
+    Decision = /* @__PURE__ */ ((Decision2) => {
+      Decision2["ALLOW"] = "ALLOW";
+      Decision2["DENY"] = "DENY";
+      Decision2["THROTTLE"] = "THROTTLE";
+      Decision2["FLAG"] = "FLAG";
+      return Decision2;
+    })(Decision || {});
+    SensorDecisions = {
+      allow(meta, tags) {
+        return {
+          decision: "ALLOW" /* ALLOW */,
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          tags,
+          meta
+        };
+      },
+      deny(code, reason, meta) {
+        return {
+          decision: "DENY" /* DENY */,
+          allow: false,
+          riskScore: 100,
+          code,
+          reasons: [code, reason].filter(Boolean),
+          meta
+        };
+      },
+      throttle(retryAfterMs, meta) {
+        return {
+          decision: "THROTTLE" /* THROTTLE */,
+          allow: false,
+          riskScore: 50,
+          retryAfterMs,
+          code: "RATE_LIMIT",
+          reasons: ["RATE_LIMIT"],
+          meta
+        };
+      },
+      flag(scoreDelta, reasons, meta) {
+        return {
+          decision: "FLAG" /* FLAG */,
+          allow: true,
+          riskScore: scoreDelta,
+          scoreDelta,
+          reasons,
+          meta
+        };
+      }
+    };
+  }
+});
 // src/cce/cce.types.ts
 var CCE_PROTOCOL_VERSION, CCE_DERIVATION, CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_NONCE_BYTES, CCE_ERROR, CceError;
 var init_cce_types = __esm({
@@ -1721,168 +1987,64 @@ function buildWitnessRecord(envelope, capsule, verification, execution, options)
     ...options.responsePayload ? { response_payload_hash: hashPayload(options.responsePayload) } : {}
   };
 }
-function extractVerificationState(metadata) {
-  return {
-    clientSigVerified: metadata.cceClientSigVerified === true,
-    capsuleSigVerified: metadata.cceCapsuleVerified === true,
-    tpsValid: metadata.cceTpsValid === true,
-    audienceMatch: metadata.cceBindingVerified === true,
-    intentMatch: metadata.cceBindingVerified === true,
-    replayClean: metadata.cceReplayClean === true,
-    nonceUnique: metadata.cceReplayClean === true,
-    decryptionOk: metadata.cceDecryptionOk === true
-  };
-}
-function generateWitnessId(requestId, capsuleId) {
-  const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;
-  const hash = (0, import_sha23.sha256)(new TextEncoder().encode(input));
-  return "wit_" + (0, import_utils4.bytesToHex)(hash).slice(0, 24);
-}
-function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
-  const encoder = new TextEncoder();
-  const ikm = hexToBytes2(axisLocalSecret);
-  const salt = (0, import_sha23.sha256)(
-    encoder.encode(
-      capsule.capsule_id + "|" + capsule.capsule_nonce + "|" + requestNonce
-    )
-  );
-  const info = encoder.encode(
-    [
-      CCE_DERIVATION.WITNESS,
-      capsule.sub,
-      capsule.kid,
-      capsule.intent,
-      capsule.aud,
-      String(capsule.tps_from),
-      String(capsule.tps_to),
-      capsule.policy_hash ?? "",
-      capsule.ver
-    ].join("|")
-  );
-  const witnessKey = (0, import_hkdf2.hkdf)(import_sha23.sha256, ikm, salt, info, 32);
-  const hash = (0, import_utils4.bytesToHex)((0, import_sha23.sha256)(witnessKey));
-  witnessKey.fill(0);
-  return hash;
-}
-function hexToBytes2(hex) {
-  const bytes2 = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < bytes2.length; i++) {
-    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-  }
-  return bytes2;
-}
-var import_utils4, import_hkdf2, import_sha23;
-var init_cce_witness_observer = __esm({
-  "src/cce/cce-witness.observer.ts"() {
-    import_utils4 = require("@noble/hashes/utils.js");
-    import_hkdf2 = require("@noble/hashes/hkdf.js");
-    import_sha23 = require("@noble/hashes/sha2.js");
-    init_cce_crypto();
-    init_cce_types();
-  }
-});
-// src/sensor/axis-sensor.ts
-function normalizeSensorDecision(sensorDecision) {
-  if ("action" in sensorDecision) {
-    switch (sensorDecision.action) {
-      case "ALLOW":
-        return {
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          meta: sensorDecision.meta
-        };
-      case "DENY":
-        return {
-          allow: false,
-          riskScore: 100,
-          reasons: [sensorDecision.code, sensorDecision.reason].filter(
-            Boolean
-          ),
-          meta: sensorDecision.meta,
-          retryAfterMs: sensorDecision.retryAfterMs
-        };
-      case "THROTTLE":
-        return {
-          allow: false,
-          riskScore: 50,
-          reasons: ["RATE_LIMIT"],
-          retryAfterMs: sensorDecision.retryAfterMs,
-          meta: sensorDecision.meta
-        };
-      case "FLAG":
-        return {
-          allow: true,
-          riskScore: sensorDecision.scoreDelta,
-          reasons: sensorDecision.reasons,
-          meta: sensorDecision.meta
-        };
-    }
-  }
-  return {
-    allow: sensorDecision.allow,
-    riskScore: sensorDecision.riskScore,
-    reasons: sensorDecision.reasons,
-    tags: sensorDecision.tags,
-    meta: sensorDecision.meta,
-    tighten: sensorDecision.tighten,
-    retryAfterMs: sensorDecision.retryAfterMs
-  };
-}
-var Decision, SensorDecisions;
-var init_axis_sensor = __esm({
-  "src/sensor/axis-sensor.ts"() {
-    Decision = /* @__PURE__ */ ((Decision2) => {
-      Decision2["ALLOW"] = "ALLOW";
-      Decision2["DENY"] = "DENY";
-      Decision2["THROTTLE"] = "THROTTLE";
-      Decision2["FLAG"] = "FLAG";
-      return Decision2;
-    })(Decision || {});
-    SensorDecisions = {
-      allow(meta, tags) {
-        return {
-          decision: "ALLOW" /* ALLOW */,
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          tags,
-          meta
-        };
-      },
-      deny(code, reason, meta) {
-        return {
-          decision: "DENY" /* DENY */,
-          allow: false,
-          riskScore: 100,
-          code,
-          reasons: [code, reason].filter(Boolean),
-          meta
-        };
-      },
-      throttle(retryAfterMs, meta) {
-        return {
-          decision: "THROTTLE" /* THROTTLE */,
-          allow: false,
-          riskScore: 50,
-          retryAfterMs,
-          code: "RATE_LIMIT",
-          reasons: ["RATE_LIMIT"],
-          meta
-        };
-      },
-      flag(scoreDelta, reasons, meta) {
-        return {
-          decision: "FLAG" /* FLAG */,
-          allow: true,
-          riskScore: scoreDelta,
-          scoreDelta,
-          reasons,
-          meta
-        };
-      }
-    };
+function extractVerificationState(metadata) {
+  return {
+    clientSigVerified: metadata.cceClientSigVerified === true,
+    capsuleSigVerified: metadata.cceCapsuleVerified === true,
+    tpsValid: metadata.cceTpsValid === true,
+    audienceMatch: metadata.cceBindingVerified === true,
+    intentMatch: metadata.cceBindingVerified === true,
+    replayClean: metadata.cceReplayClean === true,
+    nonceUnique: metadata.cceReplayClean === true,
+    decryptionOk: metadata.cceDecryptionOk === true
+  };
+}
+function generateWitnessId(requestId, capsuleId) {
+  const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;
+  const hash = (0, import_sha23.sha256)(new TextEncoder().encode(input));
+  return "wit_" + (0, import_utils4.bytesToHex)(hash).slice(0, 24);
+}
+function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
+  const encoder = new TextEncoder();
+  const ikm = hexToBytes2(axisLocalSecret);
+  const salt = (0, import_sha23.sha256)(
+    encoder.encode(
+      capsule.capsule_id + "|" + capsule.capsule_nonce + "|" + requestNonce
+    )
+  );
+  const info = encoder.encode(
+    [
+      CCE_DERIVATION.WITNESS,
+      capsule.sub,
+      capsule.kid,
+      capsule.intent,
+      capsule.aud,
+      String(capsule.tps_from),
+      String(capsule.tps_to),
+      capsule.policy_hash ?? "",
+      capsule.ver
+    ].join("|")
+  );
+  const witnessKey = (0, import_hkdf2.hkdf)(import_sha23.sha256, ikm, salt, info, 32);
+  const hash = (0, import_utils4.bytesToHex)((0, import_sha23.sha256)(witnessKey));
+  witnessKey.fill(0);
+  return hash;
+}
+function hexToBytes2(hex) {
+  const bytes2 = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes2.length; i++) {
+    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes2;
+}
+var import_utils4, import_hkdf2, import_sha23;
+var init_cce_witness_observer = __esm({
+  "src/cce/cce-witness.observer.ts"() {
+    import_utils4 = require("@noble/hashes/utils.js");
+    import_hkdf2 = require("@noble/hashes/hkdf.js");
+    import_sha23 = require("@noble/hashes/sha2.js");
+    init_cce_crypto();
+    init_cce_types();
   }
 });
@@ -2134,167 +2296,6 @@ var init_axis_error = __esm({
   }
 });
-// src/security/scopes.ts
-function hasScope(scopes, required) {
-  if (!Array.isArray(scopes) || scopes.length === 0) {
-    return false;
-  }
-  if (scopes.includes(required)) {
-    return true;
-  }
-  const [resource, id] = required.split(":");
-  if (resource && id) {
-    const wildcard = `${resource}:*`;
-    if (scopes.includes(wildcard)) {
-      return true;
-    }
-  }
-  return false;
-}
-function parseScope(scope) {
-  const parts = scope.split(":");
-  if (parts.length !== 2) return null;
-  return { resource: parts[0], id: parts[1] };
-}
-function canAccessResource(scopes, resourceType, resourceId) {
-  const required = `${resourceType}:${resourceId}`;
-  return hasScope(scopes, required);
-}
-var init_scopes = __esm({
-  "src/security/scopes.ts"() {
-  }
-});
-// src/security/inline-capsule.ts
-function normalizeInlineCapsule(input) {
-  if (!input || typeof input !== "object" || Array.isArray(input)) {
-    return null;
-  }
-  const raw = input;
-  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
-  return {
-    id: normalizeScalar(raw.id),
-    actorId: normalizeScalar(raw.actorId),
-    intents: normalizeStringList(raw.intents),
-    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
-    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
-    realm: normalizeScalar(raw.realm),
-    node: normalizeScalar(raw.node),
-    scopes,
-    raw
-  };
-}
-function inlineCapsuleAllowsIntent(capsule, intent) {
-  if (!capsule.intents || capsule.intents.length === 0) {
-    return false;
-  }
-  for (const pattern of capsule.intents) {
-    if (pattern === "*" || pattern === intent) {
-      return true;
-    }
-    if (pattern.endsWith(".*")) {
-      const prefix = pattern.slice(0, -1);
-      if (intent.startsWith(prefix)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
-  if (capsule.expiresAt === void 0) {
-    return false;
-  }
-  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
-}
-function resolvePolicyScopes(scopes, context) {
-  return scopes.map(
-    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
-      const resolved = resolveTemplateExpression(expression.trim(), context);
-      if (resolved === void 0 || resolved === null || resolved === "") {
-        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
-      }
-      return String(resolved);
-    })
-  );
-}
-function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
-  if (!capsule.scopes || capsule.scopes.length === 0) {
-    return false;
-  }
-  if (mode === "any") {
-    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
-  }
-  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
-}
-function resolveTemplateExpression(expression, context) {
-  if (expression === "intent") {
-    return context.intent;
-  }
-  if (expression === "actorId") {
-    return context.actorId;
-  }
-  if (expression === "chainId") {
-    return context.chainId;
-  }
-  if (expression === "stepId") {
-    return context.stepId;
-  }
-  if (expression.startsWith("body.")) {
-    return getNestedValue(context.body, expression.slice(5));
-  }
-  return void 0;
-}
-function getNestedValue(value, path2) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  return path2.split(".").reduce((current, segment) => {
-    if (!current || typeof current !== "object") {
-      return void 0;
-    }
-    return current[segment];
-  }, value);
-}
-function normalizeScalar(value) {
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value instanceof Uint8Array) {
-    return Buffer.from(value).toString("hex");
-  }
-  return void 0;
-}
-function normalizeStringList(value) {
-  if (!value) {
-    return void 0;
-  }
-  const list = Array.isArray(value) ? value : [value];
-  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
-  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
-}
-function normalizeTimestamp(value) {
-  if (typeof value === "bigint") {
-    return value;
-  }
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return BigInt(Math.trunc(value));
-  }
-  if (typeof value === "string" && value.trim().length > 0) {
-    try {
-      return BigInt(value);
-    } catch {
-      return void 0;
-    }
-  }
-  return void 0;
-}
-var init_inline_capsule = __esm({
-  "src/security/inline-capsule.ts"() {
-    init_scopes();
-  }
-});
 // src/engine/intent.router.ts
 var intent_router_exports = {};
 __export(intent_router_exports, {
@@ -2368,23 +2369,23 @@ var import_axis_protocol3, import_dto_schema, _IntentRouter, IntentRouter;
 var init_intent_router = __esm({
   "src/engine/intent.router.ts"() {
     import_axis_protocol3 = require("@nextera.one/axis-protocol");
-    init_cce_pipeline();
-    init_axis_error();
-    init_constants();
-    init_capsule_policy_decorator();
-    init_chain_decorator();
-    import_dto_schema = __toESM(require_dto_schema_util());
     init_handler_sensors_decorator();
-    init_handler_decorator();
-    init_intent_body_decorator();
-    init_intent_policy_decorator();
+    init_capsule_policy_decorator();
     init_intent_sensors_decorator();
-    init_intent_decorator();
+    init_intent_policy_decorator();
+    init_intent_body_decorator();
     init_observer_decorator();
+    init_handler_decorator();
+    init_intent_decorator();
+    init_chain_decorator();
+    import_dto_schema = __toESM(require_dto_schema_util());
     init_inline_capsule();
-    init_axis_sensor();
     init_axis_execution_context();
+    init_axis_sensor();
     init_axis_logger();
+    init_cce_pipeline();
+    init_axis_error();
+    init_constants();
     _IntentRouter = class _IntentRouter {
       constructor(dependencyResolver, observerDispatcher, sensorRegistry) {
         this.logger = createAxisLogger(_IntentRouter.name);
@@ -2420,6 +2421,8 @@ var init_intent_router = __esm({
         this.publicIntents = /* @__PURE__ */ new Set();
         /** Intents flagged as anonymous-session accessible */
         this.anonymousIntents = /* @__PURE__ */ new Set();
+        /** Intents flagged as authorized-session accessible */
+        this.authorizedIntents = /* @__PURE__ */ new Set();
         /** Per-intent rate limit config */
         this.intentRateLimits = /* @__PURE__ */ new Map();
         /** CCE handler registry */
@@ -2846,6 +2849,18 @@ var init_intent_router = __esm({
         if (isAnonMethod || isAnonClass) {
           this.anonymousIntents.add(intent);
         }
+        const isAuthorizedMethod = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto,
+          methodName
+        );
+        const isAuthorizedClass = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto.constructor
+        );
+        if (isAuthorizedMethod || isAuthorizedClass) {
+          this.authorizedIntents.add(intent);
+        }
         const rateLimit = Reflect.getMetadata(
           AXIS_RATE_LIMIT_KEY,
           proto,
@@ -2871,6 +2886,9 @@ var init_intent_router = __esm({
       isAnonymous(intent) {
         return this.anonymousIntents.has(intent);
       }
+      isAuthorized(intent) {
+        return this.authorizedIntents.has(intent);
+      }
       getRateLimit(intent) {
         return this.intentRateLimits.get(intent);
       }
@@ -10661,15 +10679,52 @@ var require_chunk_hash_sensor = __commonJS({
 var require_entropy_sensor = __commonJS({
   "src/sensors/entropy.sensor.ts"(exports2) {
     "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
     var __decorate = exports2 && exports2.__decorate || function(decorators, target, key, desc) {
       var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
       if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
       else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
       return c > 3 && r && Object.defineProperty(target, key, r), r;
     };
+    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) {
+          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        }
+        __setModuleDefault(result, mod);
+        return result;
+      };
+    })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.EntropySensor = void 0;
-    var crypto4 = require("crypto");
+    var crypto4 = __importStar(require("crypto"));
     var sensor_decorator_1 = (init_sensor_decorator(), __toCommonJS(sensor_decorator_exports));
     var sensor_bands_1 = (init_sensor_bands(), __toCommonJS(sensor_bands_exports));
     var constants_1 = (init_constants(), __toCommonJS(constants_exports));
@@ -11348,10 +11403,15 @@ var init_axis_schemas = __esm({
     ScanBurstDecisionZ = SensorDecisionWithMetadataZ;
     ProofKindZ = z2.enum([
       "NONE",
-      "CAPSULE",
+      "ANONYMOUS",
       "PASSPORT",
+      "CAPSULE",
+      "JWT",
+      "CONTRACT",
+      "WITNESS",
       "MTLS",
-      "JWT"
+      "DEVICE",
+      "AUTHORIZED"
     ]);
     AccessProfileZ = z2.enum(["PUBLIC", "PARTNER", "INTERNAL", "NODE"]);
     ProofPresenceInputZ = z2.object({
@@ -11473,7 +11533,10 @@ var init_axis_schemas = __esm({
       ip: z2.string().min(1)
     });
     ProtocolStrictInputZ = z2.object({
-      rawBytes: z2.union([z2.custom((v) => Buffer.isBuffer(v)), z2.instanceof(Uint8Array)]).optional(),
+      rawBytes: z2.union([
+        z2.custom((v) => Buffer.isBuffer(v)),
+        z2.instanceof(Uint8Array)
+      ]).optional(),
       ip: z2.string().min(1),
       path: z2.string().min(1),
       contentLength: z2.number().int().nonnegative(),