@nextera.one/axis-server-sdk 2.2.8 → 2.2.9

package/dist/index.mjs

@@ -260,7 +260,7 @@ function AxisRateLimit(config) {
     return descriptor;
   };
 }
-var AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_RATE_LIMIT_KEY;
+var AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_AUTHORIZED_KEY, AXIS_RATE_LIMIT_KEY;
 var init_intent_policy_decorator = __esm({
   "src/decorators/intent-policy.decorator.ts"() {
     AXIS_META_KEY = "axis:axis";
@@ -269,6 +269,7 @@ var init_intent_policy_decorator = __esm({
     REQUIRED_PROOF_METADATA_KEY = "axis:required_proof";
     AXIS_PUBLIC_KEY = "axis:public";
     AXIS_ANONYMOUS_KEY = "axis:anonymous";
+    AXIS_AUTHORIZED_KEY = "axis:authorized";
     AXIS_RATE_LIMIT_KEY = "axis:rateLimit";
   }
 });
@@ -1471,6 +1472,271 @@ var init_axis_chain_executor = __esm({
   }
 });
 
+// src/security/scopes.ts
+function hasScope(scopes, required) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    return false;
+  }
+  if (scopes.includes(required)) {
+    return true;
+  }
+  const [resource, id] = required.split(":");
+  if (resource && id) {
+    const wildcard = `${resource}:*`;
+    if (scopes.includes(wildcard)) {
+      return true;
+    }
+  }
+  return false;
+}
+function parseScope(scope) {
+  const parts = scope.split(":");
+  if (parts.length !== 2) return null;
+  return { resource: parts[0], id: parts[1] };
+}
+function canAccessResource(scopes, resourceType, resourceId) {
+  const required = `${resourceType}:${resourceId}`;
+  return hasScope(scopes, required);
+}
+var init_scopes = __esm({
+  "src/security/scopes.ts"() {
+  }
+});
+
+// src/security/inline-capsule.ts
+function normalizeInlineCapsule(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const raw = input;
+  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
+  return {
+    id: normalizeScalar(raw.id),
+    actorId: normalizeScalar(raw.actorId),
+    intents: normalizeStringList(raw.intents),
+    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
+    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
+    realm: normalizeScalar(raw.realm),
+    node: normalizeScalar(raw.node),
+    scopes,
+    raw
+  };
+}
+function inlineCapsuleAllowsIntent(capsule, intent) {
+  if (!capsule.intents || capsule.intents.length === 0) {
+    return false;
+  }
+  for (const pattern of capsule.intents) {
+    if (pattern === "*" || pattern === intent) {
+      return true;
+    }
+    if (pattern.endsWith(".*")) {
+      const prefix = pattern.slice(0, -1);
+      if (intent.startsWith(prefix)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
+  if (capsule.expiresAt === void 0) {
+    return false;
+  }
+  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
+}
+function resolvePolicyScopes(scopes, context) {
+  return scopes.map(
+    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
+      const resolved = resolveTemplateExpression(expression.trim(), context);
+      if (resolved === void 0 || resolved === null || resolved === "") {
+        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
+      }
+      return String(resolved);
+    })
+  );
+}
+function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
+  if (!capsule.scopes || capsule.scopes.length === 0) {
+    return false;
+  }
+  if (mode === "any") {
+    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
+  }
+  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
+}
+function resolveTemplateExpression(expression, context) {
+  if (expression === "intent") {
+    return context.intent;
+  }
+  if (expression === "actorId") {
+    return context.actorId;
+  }
+  if (expression === "chainId") {
+    return context.chainId;
+  }
+  if (expression === "stepId") {
+    return context.stepId;
+  }
+  if (expression.startsWith("body.")) {
+    return getNestedValue(context.body, expression.slice(5));
+  }
+  return void 0;
+}
+function getNestedValue(value, path2) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  return path2.split(".").reduce((current, segment) => {
+    if (!current || typeof current !== "object") {
+      return void 0;
+    }
+    return current[segment];
+  }, value);
+}
+function normalizeScalar(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value instanceof Uint8Array) {
+    return Buffer.from(value).toString("hex");
+  }
+  return void 0;
+}
+function normalizeStringList(value) {
+  if (!value) {
+    return void 0;
+  }
+  const list = Array.isArray(value) ? value : [value];
+  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
+  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
+}
+function normalizeTimestamp(value) {
+  if (typeof value === "bigint") {
+    return value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return BigInt(Math.trunc(value));
+  }
+  if (typeof value === "string" && value.trim().length > 0) {
+    try {
+      return BigInt(value);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
+var init_inline_capsule = __esm({
+  "src/security/inline-capsule.ts"() {
+    init_scopes();
+  }
+});
+
+// src/sensor/axis-sensor.ts
+function normalizeSensorDecision(sensorDecision) {
+  if ("action" in sensorDecision) {
+    switch (sensorDecision.action) {
+      case "ALLOW":
+        return {
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          meta: sensorDecision.meta
+        };
+      case "DENY":
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [sensorDecision.code, sensorDecision.reason].filter(
+            Boolean
+          ),
+          meta: sensorDecision.meta,
+          retryAfterMs: sensorDecision.retryAfterMs
+        };
+      case "THROTTLE":
+        return {
+          allow: false,
+          riskScore: 50,
+          reasons: ["RATE_LIMIT"],
+          retryAfterMs: sensorDecision.retryAfterMs,
+          meta: sensorDecision.meta
+        };
+      case "FLAG":
+        return {
+          allow: true,
+          riskScore: sensorDecision.scoreDelta,
+          reasons: sensorDecision.reasons,
+          meta: sensorDecision.meta
+        };
+    }
+  }
+  return {
+    allow: sensorDecision.allow,
+    riskScore: sensorDecision.riskScore,
+    reasons: sensorDecision.reasons,
+    tags: sensorDecision.tags,
+    meta: sensorDecision.meta,
+    tighten: sensorDecision.tighten,
+    retryAfterMs: sensorDecision.retryAfterMs
+  };
+}
+var Decision, SensorDecisions;
+var init_axis_sensor = __esm({
+  "src/sensor/axis-sensor.ts"() {
+    Decision = /* @__PURE__ */ ((Decision2) => {
+      Decision2["ALLOW"] = "ALLOW";
+      Decision2["DENY"] = "DENY";
+      Decision2["THROTTLE"] = "THROTTLE";
+      Decision2["FLAG"] = "FLAG";
+      return Decision2;
+    })(Decision || {});
+    SensorDecisions = {
+      allow(meta, tags) {
+        return {
+          decision: "ALLOW" /* ALLOW */,
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          tags,
+          meta
+        };
+      },
+      deny(code, reason, meta) {
+        return {
+          decision: "DENY" /* DENY */,
+          allow: false,
+          riskScore: 100,
+          code,
+          reasons: [code, reason].filter(Boolean),
+          meta
+        };
+      },
+      throttle(retryAfterMs, meta) {
+        return {
+          decision: "THROTTLE" /* THROTTLE */,
+          allow: false,
+          riskScore: 50,
+          retryAfterMs,
+          code: "RATE_LIMIT",
+          reasons: ["RATE_LIMIT"],
+          meta
+        };
+      },
+      flag(scoreDelta, reasons, meta) {
+        return {
+          decision: "FLAG" /* FLAG */,
+          allow: true,
+          riskScore: scoreDelta,
+          scoreDelta,
+          reasons,
+          meta
+        };
+      }
+    };
+  }
+});
+
 // src/cce/cce.types.ts
 var CCE_PROTOCOL_VERSION, CCE_DERIVATION, CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_NONCE_BYTES, CCE_ERROR, CceError;
 var init_cce_types = __esm({
@@ -1836,124 +2102,20 @@ function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
   );
   const witnessKey = hkdf2(sha2563, ikm, salt, info, 32);
   const hash = bytesToHex4(sha2563(witnessKey));
-  witnessKey.fill(0);
-  return hash;
-}
-function hexToBytes2(hex) {
-  const bytes2 = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < bytes2.length; i++) {
-    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-  }
-  return bytes2;
-}
-var init_cce_witness_observer = __esm({
-  "src/cce/cce-witness.observer.ts"() {
-    init_cce_crypto();
-    init_cce_types();
-  }
-});
-
-// src/sensor/axis-sensor.ts
-function normalizeSensorDecision(sensorDecision) {
-  if ("action" in sensorDecision) {
-    switch (sensorDecision.action) {
-      case "ALLOW":
-        return {
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          meta: sensorDecision.meta
-        };
-      case "DENY":
-        return {
-          allow: false,
-          riskScore: 100,
-          reasons: [sensorDecision.code, sensorDecision.reason].filter(
-            Boolean
-          ),
-          meta: sensorDecision.meta,
-          retryAfterMs: sensorDecision.retryAfterMs
-        };
-      case "THROTTLE":
-        return {
-          allow: false,
-          riskScore: 50,
-          reasons: ["RATE_LIMIT"],
-          retryAfterMs: sensorDecision.retryAfterMs,
-          meta: sensorDecision.meta
-        };
-      case "FLAG":
-        return {
-          allow: true,
-          riskScore: sensorDecision.scoreDelta,
-          reasons: sensorDecision.reasons,
-          meta: sensorDecision.meta
-        };
-    }
-  }
-  return {
-    allow: sensorDecision.allow,
-    riskScore: sensorDecision.riskScore,
-    reasons: sensorDecision.reasons,
-    tags: sensorDecision.tags,
-    meta: sensorDecision.meta,
-    tighten: sensorDecision.tighten,
-    retryAfterMs: sensorDecision.retryAfterMs
-  };
+  witnessKey.fill(0);
+  return hash;
 }
-var Decision, SensorDecisions;
-var init_axis_sensor = __esm({
-  "src/sensor/axis-sensor.ts"() {
-    Decision = /* @__PURE__ */ ((Decision2) => {
-      Decision2["ALLOW"] = "ALLOW";
-      Decision2["DENY"] = "DENY";
-      Decision2["THROTTLE"] = "THROTTLE";
-      Decision2["FLAG"] = "FLAG";
-      return Decision2;
-    })(Decision || {});
-    SensorDecisions = {
-      allow(meta, tags) {
-        return {
-          decision: "ALLOW" /* ALLOW */,
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          tags,
-          meta
-        };
-      },
-      deny(code, reason, meta) {
-        return {
-          decision: "DENY" /* DENY */,
-          allow: false,
-          riskScore: 100,
-          code,
-          reasons: [code, reason].filter(Boolean),
-          meta
-        };
-      },
-      throttle(retryAfterMs, meta) {
-        return {
-          decision: "THROTTLE" /* THROTTLE */,
-          allow: false,
-          riskScore: 50,
-          retryAfterMs,
-          code: "RATE_LIMIT",
-          reasons: ["RATE_LIMIT"],
-          meta
-        };
-      },
-      flag(scoreDelta, reasons, meta) {
-        return {
-          decision: "FLAG" /* FLAG */,
-          allow: true,
-          riskScore: scoreDelta,
-          scoreDelta,
-          reasons,
-          meta
-        };
-      }
-    };
+function hexToBytes2(hex) {
+  const bytes2 = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes2.length; i++) {
+    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes2;
+}
+var init_cce_witness_observer = __esm({
+  "src/cce/cce-witness.observer.ts"() {
+    init_cce_crypto();
+    init_cce_types();
   }
 });
 
@@ -2205,167 +2367,6 @@ var init_axis_error = __esm({
   }
 });
 
-// src/security/scopes.ts
-function hasScope(scopes, required) {
-  if (!Array.isArray(scopes) || scopes.length === 0) {
-    return false;
-  }
-  if (scopes.includes(required)) {
-    return true;
-  }
-  const [resource, id] = required.split(":");
-  if (resource && id) {
-    const wildcard = `${resource}:*`;
-    if (scopes.includes(wildcard)) {
-      return true;
-    }
-  }
-  return false;
-}
-function parseScope(scope) {
-  const parts = scope.split(":");
-  if (parts.length !== 2) return null;
-  return { resource: parts[0], id: parts[1] };
-}
-function canAccessResource(scopes, resourceType, resourceId) {
-  const required = `${resourceType}:${resourceId}`;
-  return hasScope(scopes, required);
-}
-var init_scopes = __esm({
-  "src/security/scopes.ts"() {
-  }
-});
-
-// src/security/inline-capsule.ts
-function normalizeInlineCapsule(input) {
-  if (!input || typeof input !== "object" || Array.isArray(input)) {
-    return null;
-  }
-  const raw = input;
-  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
-  return {
-    id: normalizeScalar(raw.id),
-    actorId: normalizeScalar(raw.actorId),
-    intents: normalizeStringList(raw.intents),
-    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
-    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
-    realm: normalizeScalar(raw.realm),
-    node: normalizeScalar(raw.node),
-    scopes,
-    raw
-  };
-}
-function inlineCapsuleAllowsIntent(capsule, intent) {
-  if (!capsule.intents || capsule.intents.length === 0) {
-    return false;
-  }
-  for (const pattern of capsule.intents) {
-    if (pattern === "*" || pattern === intent) {
-      return true;
-    }
-    if (pattern.endsWith(".*")) {
-      const prefix = pattern.slice(0, -1);
-      if (intent.startsWith(prefix)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
-  if (capsule.expiresAt === void 0) {
-    return false;
-  }
-  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
-}
-function resolvePolicyScopes(scopes, context) {
-  return scopes.map(
-    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
-      const resolved = resolveTemplateExpression(expression.trim(), context);
-      if (resolved === void 0 || resolved === null || resolved === "") {
-        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
-      }
-      return String(resolved);
-    })
-  );
-}
-function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
-  if (!capsule.scopes || capsule.scopes.length === 0) {
-    return false;
-  }
-  if (mode === "any") {
-    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
-  }
-  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
-}
-function resolveTemplateExpression(expression, context) {
-  if (expression === "intent") {
-    return context.intent;
-  }
-  if (expression === "actorId") {
-    return context.actorId;
-  }
-  if (expression === "chainId") {
-    return context.chainId;
-  }
-  if (expression === "stepId") {
-    return context.stepId;
-  }
-  if (expression.startsWith("body.")) {
-    return getNestedValue(context.body, expression.slice(5));
-  }
-  return void 0;
-}
-function getNestedValue(value, path2) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  return path2.split(".").reduce((current, segment) => {
-    if (!current || typeof current !== "object") {
-      return void 0;
-    }
-    return current[segment];
-  }, value);
-}
-function normalizeScalar(value) {
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value instanceof Uint8Array) {
-    return Buffer.from(value).toString("hex");
-  }
-  return void 0;
-}
-function normalizeStringList(value) {
-  if (!value) {
-    return void 0;
-  }
-  const list = Array.isArray(value) ? value : [value];
-  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
-  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
-}
-function normalizeTimestamp(value) {
-  if (typeof value === "bigint") {
-    return value;
-  }
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return BigInt(Math.trunc(value));
-  }
-  if (typeof value === "string" && value.trim().length > 0) {
-    try {
-      return BigInt(value);
-    } catch {
-      return void 0;
-    }
-  }
-  return void 0;
-}
-var init_inline_capsule = __esm({
-  "src/security/inline-capsule.ts"() {
-    init_scopes();
-  }
-});
-
 // src/engine/intent.router.ts
 var intent_router_exports = {};
 __export(intent_router_exports, {
@@ -2442,23 +2443,23 @@ function normalizeChainConfig(decoratorConfig, intentConfig) {
 var import_dto_schema, _IntentRouter, IntentRouter;
 var init_intent_router = __esm({
   "src/engine/intent.router.ts"() {
-    init_cce_pipeline();
-    init_axis_error();
-    init_constants();
-    init_capsule_policy_decorator();
-    init_chain_decorator();
-    import_dto_schema = __toESM(require_dto_schema_util());
     init_handler_sensors_decorator();
-    init_handler_decorator();
-    init_intent_body_decorator();
-    init_intent_policy_decorator();
+    init_capsule_policy_decorator();
     init_intent_sensors_decorator();
-    init_intent_decorator();
+    init_intent_policy_decorator();
+    init_intent_body_decorator();
     init_observer_decorator();
+    init_handler_decorator();
+    init_intent_decorator();
+    init_chain_decorator();
+    import_dto_schema = __toESM(require_dto_schema_util());
     init_inline_capsule();
-    init_axis_sensor();
     init_axis_execution_context();
+    init_axis_sensor();
     init_axis_logger();
+    init_cce_pipeline();
+    init_axis_error();
+    init_constants();
     _IntentRouter = class _IntentRouter {
       constructor(dependencyResolver, observerDispatcher, sensorRegistry) {
         this.logger = createAxisLogger(_IntentRouter.name);
@@ -2494,6 +2495,8 @@ var init_intent_router = __esm({
         this.publicIntents = /* @__PURE__ */ new Set();
         /** Intents flagged as anonymous-session accessible */
         this.anonymousIntents = /* @__PURE__ */ new Set();
+        /** Intents flagged as authorized-session accessible */
+        this.authorizedIntents = /* @__PURE__ */ new Set();
         /** Per-intent rate limit config */
         this.intentRateLimits = /* @__PURE__ */ new Map();
         /** CCE handler registry */
@@ -2920,6 +2923,18 @@ var init_intent_router = __esm({
         if (isAnonMethod || isAnonClass) {
           this.anonymousIntents.add(intent);
         }
+        const isAuthorizedMethod = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto,
+          methodName
+        );
+        const isAuthorizedClass = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto.constructor
+        );
+        if (isAuthorizedMethod || isAuthorizedClass) {
+          this.authorizedIntents.add(intent);
+        }
         const rateLimit = Reflect.getMetadata(
           AXIS_RATE_LIMIT_KEY,
           proto,
@@ -2945,6 +2960,9 @@ var init_intent_router = __esm({
       isAnonymous(intent) {
         return this.anonymousIntents.has(intent);
       }
+      isAuthorized(intent) {
+        return this.authorizedIntents.has(intent);
+      }
       getRateLimit(intent) {
         return this.intentRateLimits.get(intent);
       }