@nextera.one/axis-server-sdk 2.2.8 → 2.3.0

package/dist/sensors/index.mjs

@@ -569,6 +569,16 @@ function AxisPublic() {
     return target;
   };
 }
+function AxisAuthorized() {
+  return (target, propertyKey, descriptor) => {
+    if (descriptor) {
+      Reflect.defineMetadata(AXIS_AUTHORIZED_KEY, true, target, propertyKey);
+      return descriptor;
+    }
+    Reflect.defineMetadata(AXIS_AUTHORIZED_KEY, true, target);
+    return target;
+  };
+}
 function AxisAnonymous() {
   return (target, propertyKey, descriptor) => {
     if (descriptor) {
@@ -585,7 +595,7 @@ function AxisRateLimit(config) {
     return descriptor;
   };
 }
-var AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_RATE_LIMIT_KEY;
+var AXIS_META_KEY, SENSITIVITY_METADATA_KEY, CONTRACT_METADATA_KEY, REQUIRED_PROOF_METADATA_KEY, AXIS_PUBLIC_KEY, AXIS_ANONYMOUS_KEY, AXIS_AUTHORIZED_KEY, AXIS_RATE_LIMIT_KEY;
 var init_intent_policy_decorator = __esm({
   "src/decorators/intent-policy.decorator.ts"() {
     AXIS_META_KEY = "axis:axis";
@@ -594,6 +604,7 @@ var init_intent_policy_decorator = __esm({
     REQUIRED_PROOF_METADATA_KEY = "axis:required_proof";
     AXIS_PUBLIC_KEY = "axis:public";
     AXIS_ANONYMOUS_KEY = "axis:anonymous";
+    AXIS_AUTHORIZED_KEY = "axis:authorized";
     AXIS_RATE_LIMIT_KEY = "axis:rateLimit";
   }
 });
@@ -1619,199 +1630,464 @@ var init_axis_chain_executor = __esm({
   }
 });
 
-// src/cce/cce.types.ts
-var CCE_PROTOCOL_VERSION, CCE_DERIVATION, CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_NONCE_BYTES, CCE_ERROR, CceError;
-var init_cce_types = __esm({
-  "src/cce/cce.types.ts"() {
-    CCE_PROTOCOL_VERSION = "cce-v1";
-    CCE_DERIVATION = {
-      /** Request execution context */
-      REQUEST: "axis:cce:req:v1",
-      /** Response execution context */
-      RESPONSE: "axis:cce:resp:v1",
-      /** Witness binding context */
-      WITNESS: "axis:cce:witness:v1"
-    };
-    CCE_AES_KEY_BYTES = 32;
-    CCE_IV_BYTES = 12;
-    CCE_NONCE_BYTES = 32;
-    CCE_ERROR = {
-      // Envelope errors
-      INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE",
-      UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION",
-      MISSING_CAPSULE: "CCE_MISSING_CAPSULE",
-      MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY",
-      // Signature errors
-      CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID",
-      CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND",
-      // Capsule errors
-      CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID",
-      CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED",
-      CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID",
-      CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED",
-      CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED",
-      CAPSULE_NOT_VERIFIED: "CCE_CAPSULE_NOT_VERIFIED",
-      // Binding errors
-      AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH",
-      INTENT_MISMATCH: "CCE_INTENT_MISMATCH",
-      TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED",
-      TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE",
-      // Replay / nonce errors
-      REPLAY_DETECTED: "CCE_REPLAY_DETECTED",
-      NONCE_REUSED: "CCE_NONCE_REUSED",
-      // Decryption errors
-      DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED",
-      KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED",
-      AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH",
-      PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE",
-      // Schema / validation errors
-      PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID",
-      INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH",
-      // Policy errors
-      POLICY_DENIED: "CCE_POLICY_DENIED",
-      CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED",
-      // Handler errors
-      HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND",
-      HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED",
-      HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT",
-      // Response errors
-      RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED"
-    };
-    CceError = class extends Error {
-      constructor(code, message, metadata) {
-        super(`[${code}] ${message}`);
-        this.code = code;
-        this.metadata = metadata;
-        this.name = "CceError";
-      }
-      /** Whether this error is safe to expose to the client */
-      get clientSafe() {
-        const internal = [
-          CCE_ERROR.DECRYPTION_FAILED,
-          CCE_ERROR.KEY_UNWRAP_FAILED,
-          CCE_ERROR.AEAD_TAG_MISMATCH,
-          CCE_ERROR.HANDLER_EXECUTION_FAILED,
-          CCE_ERROR.RESPONSE_ENCRYPTION_FAILED
-        ];
-        return !internal.includes(this.code);
-      }
-      /** Get client-safe representation */
-      toClientError() {
-        if (this.clientSafe) {
-          return { code: this.code, message: this.message };
-        }
-        return {
-          code: CCE_ERROR.DECRYPTION_FAILED,
-          message: "Request processing failed"
-        };
-      }
-    };
+// src/security/scopes.ts
+function hasScope(scopes, required) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    return false;
   }
-});
-
-// src/cce/cce-derivation.service.ts
-import { bytesToHex, hexToBytes } from "@noble/hashes/utils.js";
-import { hkdf } from "@noble/hashes/hkdf.js";
-import { sha256 } from "@noble/hashes/sha2.js";
-function buildSalt(capsuleId, capsuleNonce, requestNonce) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(
-    capsuleId + "|" + capsuleNonce + "|" + requestNonce
-  );
-  return sha256(data);
-}
-function buildInfo(contextPrefix, capsule, extraNonce) {
-  const encoder = new TextEncoder();
-  const parts = [
-    contextPrefix,
-    capsule.sub,
-    capsule.kid,
-    capsule.intent,
-    capsule.aud,
-    String(capsule.tps_from),
-    String(capsule.tps_to),
-    capsule.policy_hash ?? "",
-    capsule.ver
-  ];
-  if (extraNonce) {
-    parts.push(extraNonce);
+  if (scopes.includes(required)) {
+    return true;
   }
-  return encoder.encode(parts.join("|"));
+  const [resource, id] = required.split(":");
+  if (resource && id) {
+    const wildcard = `${resource}:*`;
+    if (scopes.includes(wildcard)) {
+      return true;
+    }
+  }
+  return false;
 }
-function deriveRequestExecutionKey(input) {
-  const ikm = hexToBytes(input.axisLocalSecret);
-  const salt = buildSalt(
-    input.capsule.capsule_id,
-    input.capsule.capsule_nonce,
-    input.requestNonce
-  );
-  const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);
-  return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+function parseScope(scope) {
+  const parts = scope.split(":");
+  if (parts.length !== 2) return null;
+  return { resource: parts[0], id: parts[1] };
 }
-function buildExecutionContext(input, requestId) {
-  const executionKey = deriveRequestExecutionKey(input);
-  const keyHash = bytesToHex(sha256(executionKey));
-  executionKey.fill(0);
-  return {
-    execution_key_hash: keyHash,
-    request_id: requestId,
-    capsule_id: input.capsule.capsule_id,
-    sub: input.capsule.sub,
-    kid: input.capsule.kid,
-    intent: input.capsule.intent,
-    aud: input.capsule.aud,
-    tps_from: input.capsule.tps_from,
-    tps_to: input.capsule.tps_to,
-    policy_hash: input.capsule.policy_hash,
-    derived_at: Math.floor(Date.now() / 1e3),
-    valid: true
-  };
+function canAccessResource(scopes, resourceType, resourceId) {
+  const required = `${resourceType}:${resourceId}`;
+  return hasScope(scopes, required);
 }
-var init_cce_derivation_service = __esm({
-  "src/cce/cce-derivation.service.ts"() {
-    init_cce_types();
+var init_scopes = __esm({
+  "src/security/scopes.ts"() {
   }
 });
 
-// src/cce/cce-crypto.ts
-import { bytesToHex as bytesToHex2 } from "@noble/hashes/utils.js";
-import { sha256 as sha2562 } from "@noble/hashes/sha2.js";
-import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
-function aesGcmEncrypt(key, plaintext, aad) {
-  if (key.length !== CCE_AES_KEY_BYTES) {
-    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
-  }
-  const iv = randomBytes(CCE_IV_BYTES);
-  const cipher = createCipheriv("aes-256-gcm", key, iv);
-  if (aad) {
-    cipher.setAAD(aad);
+// src/security/inline-capsule.ts
+function normalizeInlineCapsule(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
   }
-  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-  const tag = cipher.getAuthTag();
+  const raw = input;
+  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
   return {
-    iv: new Uint8Array(iv),
-    ciphertext: new Uint8Array(encrypted),
-    tag: new Uint8Array(tag)
+    id: normalizeScalar(raw.id),
+    actorId: normalizeScalar(raw.actorId),
+    intents: normalizeStringList(raw.intents),
+    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
+    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
+    realm: normalizeScalar(raw.realm),
+    node: normalizeScalar(raw.node),
+    scopes,
+    raw
   };
 }
-function generateAesKey() {
-  return new Uint8Array(randomBytes(CCE_AES_KEY_BYTES));
+function inlineCapsuleAllowsIntent(capsule, intent) {
+  if (!capsule.intents || capsule.intents.length === 0) {
+    return false;
+  }
+  for (const pattern of capsule.intents) {
+    if (pattern === "*" || pattern === intent) {
+      return true;
+    }
+    if (pattern.endsWith(".*")) {
+      const prefix = pattern.slice(0, -1);
+      if (intent.startsWith(prefix)) {
+        return true;
+      }
+    }
+  }
+  return false;
 }
-function base64UrlEncode(bytes2) {
-  return Buffer.from(bytes2).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
+  if (capsule.expiresAt === void 0) {
+    return false;
+  }
+  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
 }
-function hashPayload(payload) {
-  return bytesToHex2(sha2562(payload));
+function resolvePolicyScopes(scopes, context) {
+  return scopes.map(
+    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
+      const resolved = resolveTemplateExpression(expression.trim(), context);
+      if (resolved === void 0 || resolved === null || resolved === "") {
+        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
+      }
+      return String(resolved);
+    })
+  );
 }
-var init_cce_crypto = __esm({
-  "src/cce/cce-crypto.ts"() {
-    init_cce_types();
+function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
+  if (!capsule.scopes || capsule.scopes.length === 0) {
+    return false;
   }
-});
-
-// src/cce/cce-response.service.ts
-import { bytesToHex as bytesToHex3 } from "@noble/hashes/utils.js";
-import { randomBytes as randomBytes2 } from "crypto";
+  if (mode === "any") {
+    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
+  }
+  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
+}
+function resolveTemplateExpression(expression, context) {
+  if (expression === "intent") {
+    return context.intent;
+  }
+  if (expression === "actorId") {
+    return context.actorId;
+  }
+  if (expression === "chainId") {
+    return context.chainId;
+  }
+  if (expression === "stepId") {
+    return context.stepId;
+  }
+  if (expression.startsWith("body.")) {
+    return getNestedValue(context.body, expression.slice(5));
+  }
+  return void 0;
+}
+function getNestedValue(value, path2) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  return path2.split(".").reduce((current, segment) => {
+    if (!current || typeof current !== "object") {
+      return void 0;
+    }
+    return current[segment];
+  }, value);
+}
+function normalizeScalar(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value instanceof Uint8Array) {
+    return Buffer.from(value).toString("hex");
+  }
+  return void 0;
+}
+function normalizeStringList(value) {
+  if (!value) {
+    return void 0;
+  }
+  const list = Array.isArray(value) ? value : [value];
+  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
+  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
+}
+function normalizeTimestamp(value) {
+  if (typeof value === "bigint") {
+    return value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return BigInt(Math.trunc(value));
+  }
+  if (typeof value === "string" && value.trim().length > 0) {
+    try {
+      return BigInt(value);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
+var init_inline_capsule = __esm({
+  "src/security/inline-capsule.ts"() {
+    init_scopes();
+  }
+});
+
+// src/sensor/axis-sensor.ts
+function normalizeSensorDecision(sensorDecision) {
+  if ("action" in sensorDecision) {
+    switch (sensorDecision.action) {
+      case "ALLOW":
+        return {
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          meta: sensorDecision.meta
+        };
+      case "DENY":
+        return {
+          allow: false,
+          riskScore: 100,
+          reasons: [sensorDecision.code, sensorDecision.reason].filter(
+            Boolean
+          ),
+          meta: sensorDecision.meta,
+          retryAfterMs: sensorDecision.retryAfterMs
+        };
+      case "THROTTLE":
+        return {
+          allow: false,
+          riskScore: 50,
+          reasons: ["RATE_LIMIT"],
+          retryAfterMs: sensorDecision.retryAfterMs,
+          meta: sensorDecision.meta
+        };
+      case "FLAG":
+        return {
+          allow: true,
+          riskScore: sensorDecision.scoreDelta,
+          reasons: sensorDecision.reasons,
+          meta: sensorDecision.meta
+        };
+    }
+  }
+  return {
+    allow: sensorDecision.allow,
+    riskScore: sensorDecision.riskScore,
+    reasons: sensorDecision.reasons,
+    tags: sensorDecision.tags,
+    meta: sensorDecision.meta,
+    tighten: sensorDecision.tighten,
+    retryAfterMs: sensorDecision.retryAfterMs
+  };
+}
+var Decision, SensorDecisions;
+var init_axis_sensor = __esm({
+  "src/sensor/axis-sensor.ts"() {
+    Decision = /* @__PURE__ */ ((Decision2) => {
+      Decision2["ALLOW"] = "ALLOW";
+      Decision2["DENY"] = "DENY";
+      Decision2["THROTTLE"] = "THROTTLE";
+      Decision2["FLAG"] = "FLAG";
+      return Decision2;
+    })(Decision || {});
+    SensorDecisions = {
+      allow(meta, tags) {
+        return {
+          decision: "ALLOW" /* ALLOW */,
+          allow: true,
+          riskScore: 0,
+          reasons: [],
+          tags,
+          meta
+        };
+      },
+      deny(code, reason, meta) {
+        return {
+          decision: "DENY" /* DENY */,
+          allow: false,
+          riskScore: 100,
+          code,
+          reasons: [code, reason].filter(Boolean),
+          meta
+        };
+      },
+      throttle(retryAfterMs, meta) {
+        return {
+          decision: "THROTTLE" /* THROTTLE */,
+          allow: false,
+          riskScore: 50,
+          retryAfterMs,
+          code: "RATE_LIMIT",
+          reasons: ["RATE_LIMIT"],
+          meta
+        };
+      },
+      flag(scoreDelta, reasons, meta) {
+        return {
+          decision: "FLAG" /* FLAG */,
+          allow: true,
+          riskScore: scoreDelta,
+          scoreDelta,
+          reasons,
+          meta
+        };
+      }
+    };
+  }
+});
+
+// src/cce/cce.types.ts
+var CCE_PROTOCOL_VERSION, CCE_DERIVATION, CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_NONCE_BYTES, CCE_ERROR, CceError;
+var init_cce_types = __esm({
+  "src/cce/cce.types.ts"() {
+    CCE_PROTOCOL_VERSION = "cce-v1";
+    CCE_DERIVATION = {
+      /** Request execution context */
+      REQUEST: "axis:cce:req:v1",
+      /** Response execution context */
+      RESPONSE: "axis:cce:resp:v1",
+      /** Witness binding context */
+      WITNESS: "axis:cce:witness:v1"
+    };
+    CCE_AES_KEY_BYTES = 32;
+    CCE_IV_BYTES = 12;
+    CCE_NONCE_BYTES = 32;
+    CCE_ERROR = {
+      // Envelope errors
+      INVALID_ENVELOPE: "CCE_INVALID_ENVELOPE",
+      UNSUPPORTED_VERSION: "CCE_UNSUPPORTED_VERSION",
+      MISSING_CAPSULE: "CCE_MISSING_CAPSULE",
+      MISSING_ENCRYPTED_KEY: "CCE_MISSING_ENCRYPTED_KEY",
+      // Signature errors
+      CLIENT_SIG_INVALID: "CCE_CLIENT_SIG_INVALID",
+      CLIENT_KEY_NOT_FOUND: "CCE_CLIENT_KEY_NOT_FOUND",
+      // Capsule errors
+      CAPSULE_SIG_INVALID: "CCE_CAPSULE_SIG_INVALID",
+      CAPSULE_EXPIRED: "CCE_CAPSULE_EXPIRED",
+      CAPSULE_NOT_YET_VALID: "CCE_CAPSULE_NOT_YET_VALID",
+      CAPSULE_REVOKED: "CCE_CAPSULE_REVOKED",
+      CAPSULE_CONSUMED: "CCE_CAPSULE_CONSUMED",
+      CAPSULE_NOT_VERIFIED: "CCE_CAPSULE_NOT_VERIFIED",
+      // Binding errors
+      AUDIENCE_MISMATCH: "CCE_AUDIENCE_MISMATCH",
+      INTENT_MISMATCH: "CCE_INTENT_MISMATCH",
+      TPS_WINDOW_EXPIRED: "CCE_TPS_WINDOW_EXPIRED",
+      TPS_WINDOW_FUTURE: "CCE_TPS_WINDOW_FUTURE",
+      // Replay / nonce errors
+      REPLAY_DETECTED: "CCE_REPLAY_DETECTED",
+      NONCE_REUSED: "CCE_NONCE_REUSED",
+      // Decryption errors
+      DECRYPTION_FAILED: "CCE_DECRYPTION_FAILED",
+      KEY_UNWRAP_FAILED: "CCE_KEY_UNWRAP_FAILED",
+      AEAD_TAG_MISMATCH: "CCE_AEAD_TAG_MISMATCH",
+      PAYLOAD_TOO_LARGE: "CCE_PAYLOAD_TOO_LARGE",
+      // Schema / validation errors
+      PAYLOAD_SCHEMA_INVALID: "CCE_PAYLOAD_SCHEMA_INVALID",
+      INTENT_SCHEMA_MISMATCH: "CCE_INTENT_SCHEMA_MISMATCH",
+      // Policy errors
+      POLICY_DENIED: "CCE_POLICY_DENIED",
+      CONSTRAINT_VIOLATED: "CCE_CONSTRAINT_VIOLATED",
+      // Handler errors
+      HANDLER_NOT_FOUND: "CCE_HANDLER_NOT_FOUND",
+      HANDLER_EXECUTION_FAILED: "CCE_HANDLER_EXECUTION_FAILED",
+      HANDLER_TIMEOUT: "CCE_HANDLER_TIMEOUT",
+      // Response errors
+      RESPONSE_ENCRYPTION_FAILED: "CCE_RESPONSE_ENCRYPTION_FAILED"
+    };
+    CceError = class extends Error {
+      constructor(code, message, metadata) {
+        super(`[${code}] ${message}`);
+        this.code = code;
+        this.metadata = metadata;
+        this.name = "CceError";
+      }
+      /** Whether this error is safe to expose to the client */
+      get clientSafe() {
+        const internal = [
+          CCE_ERROR.DECRYPTION_FAILED,
+          CCE_ERROR.KEY_UNWRAP_FAILED,
+          CCE_ERROR.AEAD_TAG_MISMATCH,
+          CCE_ERROR.HANDLER_EXECUTION_FAILED,
+          CCE_ERROR.RESPONSE_ENCRYPTION_FAILED
+        ];
+        return !internal.includes(this.code);
+      }
+      /** Get client-safe representation */
+      toClientError() {
+        if (this.clientSafe) {
+          return { code: this.code, message: this.message };
+        }
+        return {
+          code: CCE_ERROR.DECRYPTION_FAILED,
+          message: "Request processing failed"
+        };
+      }
+    };
+  }
+});
+
+// src/cce/cce-derivation.service.ts
+import { bytesToHex, hexToBytes } from "@noble/hashes/utils.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+function buildSalt(capsuleId, capsuleNonce, requestNonce) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(
+    capsuleId + "|" + capsuleNonce + "|" + requestNonce
+  );
+  return sha256(data);
+}
+function buildInfo(contextPrefix, capsule, extraNonce) {
+  const encoder = new TextEncoder();
+  const parts = [
+    contextPrefix,
+    capsule.sub,
+    capsule.kid,
+    capsule.intent,
+    capsule.aud,
+    String(capsule.tps_from),
+    String(capsule.tps_to),
+    capsule.policy_hash ?? "",
+    capsule.ver
+  ];
+  if (extraNonce) {
+    parts.push(extraNonce);
+  }
+  return encoder.encode(parts.join("|"));
+}
+function deriveRequestExecutionKey(input) {
+  const ikm = hexToBytes(input.axisLocalSecret);
+  const salt = buildSalt(
+    input.capsule.capsule_id,
+    input.capsule.capsule_nonce,
+    input.requestNonce
+  );
+  const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);
+  return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);
+}
+function buildExecutionContext(input, requestId) {
+  const executionKey = deriveRequestExecutionKey(input);
+  const keyHash = bytesToHex(sha256(executionKey));
+  executionKey.fill(0);
+  return {
+    execution_key_hash: keyHash,
+    request_id: requestId,
+    capsule_id: input.capsule.capsule_id,
+    sub: input.capsule.sub,
+    kid: input.capsule.kid,
+    intent: input.capsule.intent,
+    aud: input.capsule.aud,
+    tps_from: input.capsule.tps_from,
+    tps_to: input.capsule.tps_to,
+    policy_hash: input.capsule.policy_hash,
+    derived_at: Math.floor(Date.now() / 1e3),
+    valid: true
+  };
+}
+var init_cce_derivation_service = __esm({
+  "src/cce/cce-derivation.service.ts"() {
+    init_cce_types();
+  }
+});
+
+// src/cce/cce-crypto.ts
+import { bytesToHex as bytesToHex2 } from "@noble/hashes/utils.js";
+import { sha256 as sha2562 } from "@noble/hashes/sha2.js";
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+function aesGcmEncrypt(key, plaintext, aad) {
+  if (key.length !== CCE_AES_KEY_BYTES) {
+    throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);
+  }
+  const iv = randomBytes(CCE_IV_BYTES);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  if (aad) {
+    cipher.setAAD(aad);
+  }
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: new Uint8Array(iv),
+    ciphertext: new Uint8Array(encrypted),
+    tag: new Uint8Array(tag)
+  };
+}
+function generateAesKey() {
+  return new Uint8Array(randomBytes(CCE_AES_KEY_BYTES));
+}
+function base64UrlEncode(bytes2) {
+  return Buffer.from(bytes2).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function hashPayload(payload) {
+  return bytesToHex2(sha2562(payload));
+}
+var init_cce_crypto = __esm({
+  "src/cce/cce-crypto.ts"() {
+    init_cce_types();
+  }
+});
+
+// src/cce/cce-response.service.ts
+import { bytesToHex as bytesToHex3 } from "@noble/hashes/utils.js";
+import { randomBytes as randomBytes2 } from "crypto";
 async function buildCceResponse(options, clientKeyEncryptor, axisSigner) {
   const { request, capsule, status, body, clientPublicKeyHex, witnessRef } = options;
   const responseNonce = bytesToHex3(
@@ -1984,124 +2260,20 @@ function computeExecutionContextHash(axisLocalSecret, capsule, requestNonce) {
   );
   const witnessKey = hkdf2(sha2563, ikm, salt, info, 32);
   const hash = bytesToHex4(sha2563(witnessKey));
-  witnessKey.fill(0);
-  return hash;
-}
-function hexToBytes2(hex) {
-  const bytes2 = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < bytes2.length; i++) {
-    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-  }
-  return bytes2;
-}
-var init_cce_witness_observer = __esm({
-  "src/cce/cce-witness.observer.ts"() {
-    init_cce_crypto();
-    init_cce_types();
-  }
-});
-
-// src/sensor/axis-sensor.ts
-function normalizeSensorDecision(sensorDecision) {
-  if ("action" in sensorDecision) {
-    switch (sensorDecision.action) {
-      case "ALLOW":
-        return {
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          meta: sensorDecision.meta
-        };
-      case "DENY":
-        return {
-          allow: false,
-          riskScore: 100,
-          reasons: [sensorDecision.code, sensorDecision.reason].filter(
-            Boolean
-          ),
-          meta: sensorDecision.meta,
-          retryAfterMs: sensorDecision.retryAfterMs
-        };
-      case "THROTTLE":
-        return {
-          allow: false,
-          riskScore: 50,
-          reasons: ["RATE_LIMIT"],
-          retryAfterMs: sensorDecision.retryAfterMs,
-          meta: sensorDecision.meta
-        };
-      case "FLAG":
-        return {
-          allow: true,
-          riskScore: sensorDecision.scoreDelta,
-          reasons: sensorDecision.reasons,
-          meta: sensorDecision.meta
-        };
-    }
-  }
-  return {
-    allow: sensorDecision.allow,
-    riskScore: sensorDecision.riskScore,
-    reasons: sensorDecision.reasons,
-    tags: sensorDecision.tags,
-    meta: sensorDecision.meta,
-    tighten: sensorDecision.tighten,
-    retryAfterMs: sensorDecision.retryAfterMs
-  };
+  witnessKey.fill(0);
+  return hash;
 }
-var Decision, SensorDecisions;
-var init_axis_sensor = __esm({
-  "src/sensor/axis-sensor.ts"() {
-    Decision = /* @__PURE__ */ ((Decision2) => {
-      Decision2["ALLOW"] = "ALLOW";
-      Decision2["DENY"] = "DENY";
-      Decision2["THROTTLE"] = "THROTTLE";
-      Decision2["FLAG"] = "FLAG";
-      return Decision2;
-    })(Decision || {});
-    SensorDecisions = {
-      allow(meta, tags) {
-        return {
-          decision: "ALLOW" /* ALLOW */,
-          allow: true,
-          riskScore: 0,
-          reasons: [],
-          tags,
-          meta
-        };
-      },
-      deny(code, reason, meta) {
-        return {
-          decision: "DENY" /* DENY */,
-          allow: false,
-          riskScore: 100,
-          code,
-          reasons: [code, reason].filter(Boolean),
-          meta
-        };
-      },
-      throttle(retryAfterMs, meta) {
-        return {
-          decision: "THROTTLE" /* THROTTLE */,
-          allow: false,
-          riskScore: 50,
-          retryAfterMs,
-          code: "RATE_LIMIT",
-          reasons: ["RATE_LIMIT"],
-          meta
-        };
-      },
-      flag(scoreDelta, reasons, meta) {
-        return {
-          decision: "FLAG" /* FLAG */,
-          allow: true,
-          riskScore: scoreDelta,
-          scoreDelta,
-          reasons,
-          meta
-        };
-      }
-    };
+function hexToBytes2(hex) {
+  const bytes2 = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes2.length; i++) {
+    bytes2[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes2;
+}
+var init_cce_witness_observer = __esm({
+  "src/cce/cce-witness.observer.ts"() {
+    init_cce_crypto();
+    init_cce_types();
   }
 });
 
@@ -2353,167 +2525,6 @@ var init_axis_error = __esm({
   }
 });
 
-// src/security/scopes.ts
-function hasScope(scopes, required) {
-  if (!Array.isArray(scopes) || scopes.length === 0) {
-    return false;
-  }
-  if (scopes.includes(required)) {
-    return true;
-  }
-  const [resource, id] = required.split(":");
-  if (resource && id) {
-    const wildcard = `${resource}:*`;
-    if (scopes.includes(wildcard)) {
-      return true;
-    }
-  }
-  return false;
-}
-function parseScope(scope) {
-  const parts = scope.split(":");
-  if (parts.length !== 2) return null;
-  return { resource: parts[0], id: parts[1] };
-}
-function canAccessResource(scopes, resourceType, resourceId) {
-  const required = `${resourceType}:${resourceId}`;
-  return hasScope(scopes, required);
-}
-var init_scopes = __esm({
-  "src/security/scopes.ts"() {
-  }
-});
-
-// src/security/inline-capsule.ts
-function normalizeInlineCapsule(input) {
-  if (!input || typeof input !== "object" || Array.isArray(input)) {
-    return null;
-  }
-  const raw = input;
-  const scopes = normalizeStringList(raw.scopes ?? raw.scope);
-  return {
-    id: normalizeScalar(raw.id),
-    actorId: normalizeScalar(raw.actorId),
-    intents: normalizeStringList(raw.intents),
-    issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),
-    expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),
-    realm: normalizeScalar(raw.realm),
-    node: normalizeScalar(raw.node),
-    scopes,
-    raw
-  };
-}
-function inlineCapsuleAllowsIntent(capsule, intent) {
-  if (!capsule.intents || capsule.intents.length === 0) {
-    return false;
-  }
-  for (const pattern of capsule.intents) {
-    if (pattern === "*" || pattern === intent) {
-      return true;
-    }
-    if (pattern.endsWith(".*")) {
-      const prefix = pattern.slice(0, -1);
-      if (intent.startsWith(prefix)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function isInlineCapsuleExpired(capsule, clockSkewMs = 3e4) {
-  if (capsule.expiresAt === void 0) {
-    return false;
-  }
-  return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);
-}
-function resolvePolicyScopes(scopes, context) {
-  return scopes.map(
-    (scope) => scope.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
-      const resolved = resolveTemplateExpression(expression.trim(), context);
-      if (resolved === void 0 || resolved === null || resolved === "") {
-        throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);
-      }
-      return String(resolved);
-    })
-  );
-}
-function inlineCapsuleSatisfiesScopes(capsule, requiredScopes, mode = "all") {
-  if (!capsule.scopes || capsule.scopes.length === 0) {
-    return false;
-  }
-  if (mode === "any") {
-    return requiredScopes.some((scope) => hasScope(capsule.scopes, scope));
-  }
-  return requiredScopes.every((scope) => hasScope(capsule.scopes, scope));
-}
-function resolveTemplateExpression(expression, context) {
-  if (expression === "intent") {
-    return context.intent;
-  }
-  if (expression === "actorId") {
-    return context.actorId;
-  }
-  if (expression === "chainId") {
-    return context.chainId;
-  }
-  if (expression === "stepId") {
-    return context.stepId;
-  }
-  if (expression.startsWith("body.")) {
-    return getNestedValue(context.body, expression.slice(5));
-  }
-  return void 0;
-}
-function getNestedValue(value, path2) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  return path2.split(".").reduce((current, segment) => {
-    if (!current || typeof current !== "object") {
-      return void 0;
-    }
-    return current[segment];
-  }, value);
-}
-function normalizeScalar(value) {
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value instanceof Uint8Array) {
-    return Buffer.from(value).toString("hex");
-  }
-  return void 0;
-}
-function normalizeStringList(value) {
-  if (!value) {
-    return void 0;
-  }
-  const list = Array.isArray(value) ? value : [value];
-  const normalized = list.map((entry) => typeof entry === "string" ? entry : void 0).filter((entry) => !!entry && entry.trim().length > 0);
-  return normalized.length > 0 ? Array.from(new Set(normalized)) : void 0;
-}
-function normalizeTimestamp(value) {
-  if (typeof value === "bigint") {
-    return value;
-  }
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return BigInt(Math.trunc(value));
-  }
-  if (typeof value === "string" && value.trim().length > 0) {
-    try {
-      return BigInt(value);
-    } catch {
-      return void 0;
-    }
-  }
-  return void 0;
-}
-var init_inline_capsule = __esm({
-  "src/security/inline-capsule.ts"() {
-    init_scopes();
-  }
-});
-
 // src/engine/intent.router.ts
 var intent_router_exports = {};
 __export(intent_router_exports, {
@@ -2590,23 +2601,23 @@ function normalizeChainConfig(decoratorConfig, intentConfig) {
 var import_dto_schema, _IntentRouter, IntentRouter;
 var init_intent_router = __esm({
   "src/engine/intent.router.ts"() {
-    init_cce_pipeline();
-    init_axis_error();
-    init_constants();
-    init_capsule_policy_decorator();
-    init_chain_decorator();
-    import_dto_schema = __toESM(require_dto_schema_util());
     init_handler_sensors_decorator();
-    init_handler_decorator();
-    init_intent_body_decorator();
-    init_intent_policy_decorator();
+    init_capsule_policy_decorator();
     init_intent_sensors_decorator();
-    init_intent_decorator();
+    init_intent_policy_decorator();
+    init_intent_body_decorator();
     init_observer_decorator();
+    init_handler_decorator();
+    init_intent_decorator();
+    init_chain_decorator();
+    import_dto_schema = __toESM(require_dto_schema_util());
     init_inline_capsule();
-    init_axis_sensor();
     init_axis_execution_context();
+    init_axis_sensor();
     init_axis_logger();
+    init_cce_pipeline();
+    init_axis_error();
+    init_constants();
     _IntentRouter = class _IntentRouter {
       constructor(dependencyResolver, observerDispatcher, sensorRegistry) {
         this.logger = createAxisLogger(_IntentRouter.name);
@@ -2642,6 +2653,8 @@ var init_intent_router = __esm({
         this.publicIntents = /* @__PURE__ */ new Set();
         /** Intents flagged as anonymous-session accessible */
         this.anonymousIntents = /* @__PURE__ */ new Set();
+        /** Intents flagged as authorized-session accessible */
+        this.authorizedIntents = /* @__PURE__ */ new Set();
         /** Per-intent rate limit config */
         this.intentRateLimits = /* @__PURE__ */ new Map();
         /** CCE handler registry */
@@ -3068,6 +3081,18 @@ var init_intent_router = __esm({
         if (isAnonMethod || isAnonClass) {
           this.anonymousIntents.add(intent);
         }
+        const isAuthorizedMethod = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto,
+          methodName
+        );
+        const isAuthorizedClass = Reflect.getMetadata(
+          AXIS_AUTHORIZED_KEY,
+          proto.constructor
+        );
+        if (isAuthorizedMethod || isAuthorizedClass) {
+          this.authorizedIntents.add(intent);
+        }
         const rateLimit = Reflect.getMetadata(
           AXIS_RATE_LIMIT_KEY,
           proto,
@@ -3093,6 +3118,9 @@ var init_intent_router = __esm({
       isAnonymous(intent) {
         return this.anonymousIntents.has(intent);
       }
+      isAuthorized(intent) {
+        return this.authorizedIntents.has(intent);
+      }
       getRateLimit(intent) {
         return this.intentRateLimits.get(intent);
       }
@@ -10597,6 +10625,7 @@ __export(index_exports, {
   ATS1_HDR: () => ATS1_HDR,
   ATS1_SCHEMA: () => ATS1_SCHEMA,
   AXIS_ANONYMOUS_KEY: () => AXIS_ANONYMOUS_KEY,
+  AXIS_AUTHORIZED_KEY: () => AXIS_AUTHORIZED_KEY,
   AXIS_EXECUTION_CONTEXT_KEY: () => AXIS_EXECUTION_CONTEXT_KEY,
   AXIS_MAGIC: () => AXIS_MAGIC,
   AXIS_META_KEY: () => AXIS_META_KEY,
@@ -10610,6 +10639,7 @@ __export(index_exports, {
   Ats1Codec: () => ats1_exports,
   Axis: () => Axis,
   AxisAnonymous: () => AxisAnonymous,
+  AxisAuthorized: () => AxisAuthorized,
   AxisChainExecutor: () => AxisChainExecutor,
   AxisError: () => AxisError,
   AxisFrameZ: () => AxisFrameZ,