@atlasent/sdk 1.5.0

package/dist/index.cjs

@@ -0,0 +1,763 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AtlaSentClient: () => AtlaSentClient,
+  AtlaSentDeniedError: () => AtlaSentDeniedError,
+  AtlaSentError: () => AtlaSentError,
+  DEFAULT_RETRY_POLICY: () => DEFAULT_RETRY_POLICY,
+  canonicalJSON: () => canonicalJSON,
+  computeBackoffMs: () => computeBackoffMs,
+  configure: () => configure,
+  default: () => index_default,
+  hasAttemptsLeft: () => hasAttemptsLeft,
+  isRetryable: () => isRetryable,
+  mergePolicy: () => mergePolicy,
+  protect: () => protect,
+  signedBytesFor: () => signedBytesFor,
+  verifyAuditBundle: () => verifyAuditBundle,
+  verifyBundle: () => verifyBundle
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/errors.ts
+var AtlaSentError = class extends Error {
+  // Subclasses override to their own literal (e.g. "AtlaSentDeniedError");
+  // keep this assignable rather than pinned to a single literal.
+  name = "AtlaSentError";
+  /** HTTP status code, when the error originated from an API response. */
+  status;
+  /** Coarse category — useful for `switch` statements at call sites. */
+  code;
+  /** Correlation ID echoed from the `X-Request-ID` header the SDK sent. */
+  requestId;
+  /** Parsed `Retry-After` header value, in milliseconds. Only set for 429. */
+  retryAfterMs;
+  constructor(message, init = {}) {
+    super(
+      message,
+      init.cause !== void 0 ? { cause: init.cause } : void 0
+    );
+    this.status = init.status;
+    this.code = init.code;
+    this.requestId = init.requestId;
+    this.retryAfterMs = init.retryAfterMs;
+  }
+};
+var AtlaSentDeniedError = class extends AtlaSentError {
+  name = "AtlaSentDeniedError";
+  /** Policy decision — `"deny"` today; `"hold"` / `"escalate"` reserved. */
+  decision;
+  /** Opaque permit/decision id from `/v1-evaluate`. */
+  evaluationId;
+  /** Human-readable explanation from the policy engine, if provided. */
+  reason;
+  /** Hash-chained audit-trail entry associated with the decision. */
+  auditHash;
+  constructor(init) {
+    const msg = init.reason ? `AtlaSent ${init.decision}: ${init.reason}` : `AtlaSent ${init.decision}`;
+    const errInit = { status: 200 };
+    if (init.requestId !== void 0) errInit.requestId = init.requestId;
+    super(msg, errInit);
+    this.decision = init.decision;
+    this.evaluationId = init.evaluationId;
+    this.reason = init.reason;
+    this.auditHash = init.auditHash;
+  }
+};
+
+// src/client.ts
+var DEFAULT_BASE_URL = "https://api.atlasent.io";
+var DEFAULT_TIMEOUT_MS = 1e4;
+var SDK_VERSION = "0.1.0";
+var AtlaSentClient = class {
+  apiKey;
+  baseUrl;
+  timeoutMs;
+  fetchImpl;
+  constructor(options) {
+    if (!options.apiKey || typeof options.apiKey !== "string") {
+      throw new AtlaSentError("apiKey is required", {
+        code: "invalid_api_key"
+      });
+    }
+    this.apiKey = options.apiKey;
+    this.baseUrl = (options.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    this.timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
+  }
+  /**
+   * Ask the policy engine whether an agent action is permitted.
+   *
+   * A "DENY" is **not** thrown — it is returned in
+   * `response.decision`. Network errors, invalid API key, rate
+   * limits, timeouts, and malformed responses throw
+   * {@link AtlaSentError}.
+   */
+  async evaluate(input) {
+    const body = {
+      action: input.action,
+      agent: input.agent,
+      context: input.context ?? {},
+      api_key: this.apiKey
+    };
+    const { body: wire, rateLimit } = await this.post("/v1-evaluate", body);
+    if (typeof wire.permitted !== "boolean" || typeof wire.decision_id !== "string") {
+      throw new AtlaSentError(
+        "Malformed response from /v1-evaluate: missing `permitted` or `decision_id`",
+        { code: "bad_response" }
+      );
+    }
+    return {
+      decision: wire.permitted ? "ALLOW" : "DENY",
+      permitId: wire.decision_id,
+      reason: wire.reason ?? "",
+      auditHash: wire.audit_hash ?? "",
+      timestamp: wire.timestamp ?? "",
+      rateLimit
+    };
+  }
+  /**
+   * Verify that a previously issued permit is still valid.
+   *
+   * A `verified: false` response is **not** thrown — inspect the
+   * returned object. Only transport / server errors throw.
+   */
+  async verifyPermit(input) {
+    const body = {
+      decision_id: input.permitId,
+      action: input.action ?? "",
+      agent: input.agent ?? "",
+      context: input.context ?? {},
+      api_key: this.apiKey
+    };
+    const { body: wire, rateLimit } = await this.post(
+      "/v1-verify-permit",
+      body
+    );
+    if (typeof wire.verified !== "boolean") {
+      throw new AtlaSentError(
+        "Malformed response from /v1-verify-permit: missing `verified`",
+        { code: "bad_response" }
+      );
+    }
+    return {
+      verified: wire.verified,
+      outcome: wire.outcome ?? "",
+      permitHash: wire.permit_hash ?? "",
+      timestamp: wire.timestamp ?? "",
+      rateLimit
+    };
+  }
+  /**
+   * Self-introspection: ask the server to describe the API key this
+   * client was constructed with. Returns the key's ID, organization,
+   * environment, scopes, IP allowlist, per-minute rate limit, the
+   * client IP the server observed, and the expiry (if any).
+   *
+   * Never includes the raw key or its hash. Safe to surface in operator
+   * dashboards. Useful for `IP_NOT_ALLOWED` debugging (the server tells
+   * you exactly which IP it saw) and for proactive expiry warnings.
+   *
+   * Throws {@link AtlaSentError} on transport / auth failures — same
+   * taxonomy as {@link AtlaSentClient.evaluate}.
+   */
+  async keySelf() {
+    const { body: wire, rateLimit } = await this.get(
+      "/v1-api-key-self"
+    );
+    if (typeof wire.key_id !== "string" || typeof wire.organization_id !== "string") {
+      throw new AtlaSentError(
+        "Malformed response from /v1-api-key-self: missing `key_id` or `organization_id`",
+        { code: "bad_response" }
+      );
+    }
+    return {
+      keyId: wire.key_id,
+      organizationId: wire.organization_id,
+      environment: wire.environment,
+      scopes: wire.scopes ?? [],
+      allowedCidrs: wire.allowed_cidrs ?? null,
+      rateLimitPerMinute: wire.rate_limit_per_minute,
+      clientIp: wire.client_ip ?? null,
+      expiresAt: wire.expires_at ?? null,
+      rateLimit
+    };
+  }
+  /**
+   * List persisted audit events for the authenticated organization
+   * (`GET /v1-audit/events`). Returned rows are wire-identical with
+   * the server: snake_case field names, including `previous_hash` and
+   * the `hash` chain, so the response can be fed straight into the
+   * offline verifier when paired with a signed export.
+   *
+   * `query.types` is a comma-joined list (e.g.
+   * `"evaluate.allow,policy.updated"`). `cursor` is the opaque
+   * `next_cursor` from the prior page. All fields are optional; the
+   * server defaults `limit` to 50 (capped at 500).
+   *
+   * Throws {@link AtlaSentError} on transport / auth failures — same
+   * taxonomy as {@link AtlaSentClient.evaluate}.
+   */
+  async listAuditEvents(query = {}) {
+    const { body: wire, rateLimit } = await this.get(
+      "/v1-audit/events",
+      buildAuditEventsQuery(query)
+    );
+    if (!Array.isArray(wire.events) || typeof wire.total !== "number") {
+      throw new AtlaSentError(
+        "Malformed response from /v1-audit/events: missing `events` or `total`",
+        { code: "bad_response" }
+      );
+    }
+    return { ...wire, rateLimit };
+  }
+  /**
+   * Request a signed audit export bundle
+   * (`POST /v1-audit/exports`). The returned object is wire-identical
+   * with the server — `signature`, `chain_head_hash`, `events`, and
+   * friends survive untouched so the bundle can be persisted to disk
+   * and handed to the offline verifier (`verifyBundle` /
+   * `verifyAuditBundle`) without any reshaping.
+   *
+   * Pass `filter.types`, `filter.from`, `filter.to`, or `filter.actor_id`
+   * to narrow the export; omit for a full-org bundle. `rateLimit` is
+   * attached alongside the wire fields for observability.
+   *
+   * Throws {@link AtlaSentError} on transport / auth failures — same
+   * taxonomy as {@link AtlaSentClient.evaluate}.
+   */
+  async createAuditExport(filter = {}) {
+    const { body: wire, rateLimit } = await this.post(
+      "/v1-audit/exports",
+      filter
+    );
+    if (typeof wire.export_id !== "string" || typeof wire.chain_head_hash !== "string" || !Array.isArray(wire.events)) {
+      throw new AtlaSentError(
+        "Malformed response from /v1-audit/exports: missing `export_id`, `chain_head_hash`, or `events`",
+        { code: "bad_response" }
+      );
+    }
+    return { ...wire, rateLimit };
+  }
+  async post(path, body) {
+    return this.request(path, "POST", body, void 0);
+  }
+  async get(path, query) {
+    return this.request(path, "GET", void 0, query);
+  }
+  async request(path, method, body, query) {
+    const qs = query && Array.from(query).length > 0 ? `?${query.toString()}` : "";
+    const url = `${this.baseUrl}${path}${qs}`;
+    const requestId = globalThis.crypto.randomUUID();
+    const headers = {
+      Accept: "application/json",
+      Authorization: `Bearer ${this.apiKey}`,
+      "User-Agent": `@atlasent/sdk/${SDK_VERSION} node/${process.version}`,
+      "X-Request-ID": requestId
+    };
+    if (method === "POST") headers["Content-Type"] = "application/json";
+    const init = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(this.timeoutMs)
+    };
+    if (method === "POST") init.body = JSON.stringify(body);
+    let response;
+    try {
+      response = await this.fetchImpl(url, init);
+    } catch (err) {
+      throw mapFetchError(err, requestId);
+    }
+    if (!response.ok) {
+      throw await buildHttpError(response, requestId);
+    }
+    let parsed;
+    try {
+      parsed = await response.json();
+    } catch (err) {
+      throw new AtlaSentError("Invalid JSON response from AtlaSent API", {
+        code: "bad_response",
+        status: response.status,
+        requestId,
+        cause: err
+      });
+    }
+    if (parsed === null || typeof parsed !== "object") {
+      throw new AtlaSentError("Expected a JSON object from AtlaSent API", {
+        code: "bad_response",
+        status: response.status,
+        requestId
+      });
+    }
+    return {
+      body: parsed,
+      rateLimit: parseRateLimitHeaders(response.headers)
+    };
+  }
+};
+function parseRateLimitHeaders(headers) {
+  const rawLimit = headers.get("x-ratelimit-limit");
+  const rawRemaining = headers.get("x-ratelimit-remaining");
+  const rawReset = headers.get("x-ratelimit-reset");
+  if (rawLimit === null || rawRemaining === null || rawReset === null) {
+    return null;
+  }
+  const limit = Number(rawLimit);
+  const remaining = Number(rawRemaining);
+  if (!Number.isFinite(limit) || !Number.isFinite(remaining)) {
+    return null;
+  }
+  const resetAt = parseResetHeader(rawReset);
+  if (resetAt === null) {
+    return null;
+  }
+  return { limit, remaining, resetAt };
+}
+function parseResetHeader(raw) {
+  const seconds = Number(raw);
+  if (Number.isFinite(seconds)) {
+    return new Date(seconds * 1e3);
+  }
+  const ms = Date.parse(raw);
+  if (Number.isFinite(ms)) {
+    return new Date(ms);
+  }
+  return null;
+}
+function mapFetchError(err, requestId) {
+  if (err instanceof AtlaSentError) return err;
+  if (err instanceof DOMException && err.name === "TimeoutError") {
+    return new AtlaSentError("Request to AtlaSent API timed out", {
+      code: "timeout",
+      requestId,
+      cause: err
+    });
+  }
+  if (err instanceof Error && err.name === "AbortError") {
+    return new AtlaSentError("Request to AtlaSent API timed out", {
+      code: "timeout",
+      requestId,
+      cause: err
+    });
+  }
+  const message = err instanceof Error ? err.message : "network error";
+  return new AtlaSentError(`Failed to reach AtlaSent API: ${message}`, {
+    code: "network",
+    requestId,
+    cause: err
+  });
+}
+async function buildHttpError(response, requestId) {
+  const status = response.status;
+  const classified = await classifyHttpStatus(response);
+  const init = {
+    status,
+    code: classified.code,
+    requestId
+  };
+  if (classified.retryAfterMs !== void 0) {
+    init.retryAfterMs = classified.retryAfterMs;
+  }
+  return new AtlaSentError(classified.message, init);
+}
+async function classifyHttpStatus(response) {
+  const status = response.status;
+  const serverMessage = await readServerMessage(response);
+  if (status === 401) {
+    return {
+      message: serverMessage ?? "Invalid API key",
+      code: "invalid_api_key",
+      retryAfterMs: void 0
+    };
+  }
+  if (status === 403) {
+    return {
+      message: serverMessage ?? "Access forbidden \u2014 check your API key permissions",
+      code: "forbidden",
+      retryAfterMs: void 0
+    };
+  }
+  if (status === 429) {
+    return {
+      message: serverMessage ?? "Rate limited by AtlaSent API",
+      code: "rate_limited",
+      retryAfterMs: parseRetryAfter(response.headers.get("retry-after"))
+    };
+  }
+  if (status >= 500) {
+    return {
+      message: serverMessage ?? `AtlaSent API returned HTTP ${status}`,
+      code: "server_error",
+      retryAfterMs: void 0
+    };
+  }
+  return {
+    message: serverMessage ?? `AtlaSent API returned HTTP ${status}`,
+    code: "bad_request",
+    retryAfterMs: void 0
+  };
+}
+async function readServerMessage(response) {
+  try {
+    const text = await response.text();
+    if (!text) return null;
+    try {
+      const parsed = JSON.parse(text);
+      if (parsed && typeof parsed === "object") {
+        const msg = parsed.message;
+        const reason = parsed.reason;
+        if (typeof msg === "string" && msg.length > 0) return msg;
+        if (typeof reason === "string" && reason.length > 0) return reason;
+      }
+    } catch {
+    }
+    return text.length > 500 ? `${text.slice(0, 500)}\u2026` : text;
+  } catch {
+    return null;
+  }
+}
+function buildAuditEventsQuery(query) {
+  const params = new URLSearchParams();
+  if (query.types !== void 0 && query.types !== "") {
+    params.set("types", query.types);
+  }
+  if (query.actor_id !== void 0 && query.actor_id !== "") {
+    params.set("actor_id", query.actor_id);
+  }
+  if (query.from !== void 0 && query.from !== "") {
+    params.set("from", query.from);
+  }
+  if (query.to !== void 0 && query.to !== "") {
+    params.set("to", query.to);
+  }
+  if (query.limit !== void 0) {
+    params.set("limit", String(query.limit));
+  }
+  if (query.cursor !== void 0 && query.cursor !== "") {
+    params.set("cursor", query.cursor);
+  }
+  return params;
+}
+function parseRetryAfter(raw) {
+  if (!raw) return void 0;
+  const seconds = Number(raw);
+  if (Number.isFinite(seconds)) return Math.max(0, seconds * 1e3);
+  const date = Date.parse(raw);
+  if (Number.isFinite(date)) {
+    const delta = date - Date.now();
+    return delta > 0 ? delta : 0;
+  }
+  return void 0;
+}
+
+// src/auditBundle.ts
+var import_promises = require("fs/promises");
+var import_node_crypto = require("crypto");
+var GENESIS_HASH = "0".repeat(64);
+var subtle = import_node_crypto.webcrypto.subtle;
+function canonicalJSON(value) {
+  if (value === null || value === void 0) return "null";
+  if (typeof value === "number") return Number.isFinite(value) ? String(value) : "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "string") return JSON.stringify(value);
+  if (Array.isArray(value)) return "[" + value.map(canonicalJSON).join(",") + "]";
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalJSON(obj[k])).join(",") + "}";
+  }
+  return "null";
+}
+async function sha256Hex(input) {
+  const buf = await subtle.digest("SHA-256", new TextEncoder().encode(input));
+  return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function signedBytesFor(bundle) {
+  const envelope = {
+    export_id: bundle.export_id,
+    org_id: bundle.org_id,
+    chain_head_hash: bundle.chain_head_hash,
+    event_count: bundle.event_count,
+    signed_at: bundle.signed_at,
+    events: bundle.events
+  };
+  return new TextEncoder().encode(JSON.stringify(envelope));
+}
+async function verifyChainEvents(events) {
+  const tamperedIds = [];
+  let adjacencyOk = true;
+  const first = events[0];
+  let prevHash = first && typeof first.previous_hash === "string" ? first.previous_hash : GENESIS_HASH;
+  for (let i = 0; i < events.length; i++) {
+    const e = events[i];
+    if (!e || typeof e.hash !== "string" || typeof e.previous_hash !== "string") {
+      tamperedIds.push(String(e?.id ?? `index_${i}`));
+      adjacencyOk = false;
+      continue;
+    }
+    if (e.previous_hash !== prevHash) adjacencyOk = false;
+    const canonical = canonicalJSON(e.payload ?? {});
+    const recomputed = await sha256Hex(prevHash + canonical);
+    if (recomputed !== e.hash) tamperedIds.push(String(e.id));
+    prevHash = e.hash;
+  }
+  return { adjacencyOk, tamperedIds };
+}
+function base64UrlDecode(s) {
+  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - s.length % 4);
+  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  const bin = Buffer.from(b64, "base64");
+  const out = new Uint8Array(bin.byteLength);
+  out.set(bin);
+  return out;
+}
+async function importSpkiPem(pem) {
+  const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+  const bytes = Uint8Array.from(Buffer.from(b64, "base64"));
+  return subtle.importKey("spki", bytes, { name: "Ed25519" }, false, ["verify"]);
+}
+async function resolveKeys(options) {
+  const out = [];
+  if (options?.keys) out.push(...options.keys);
+  if (options?.publicKeysPem) {
+    for (let i = 0; i < options.publicKeysPem.length; i++) {
+      const pem = options.publicKeysPem[i];
+      if (!pem) continue;
+      try {
+        const pk = await importSpkiPem(pem);
+        out.push({ keyId: `pem_${i}`, publicKey: pk });
+      } catch {
+      }
+    }
+  }
+  return out;
+}
+async function verifyAuditBundle(bundle, keys) {
+  const events = Array.isArray(bundle.events) ? bundle.events : [];
+  const { adjacencyOk, tamperedIds } = await verifyChainEvents(events);
+  const last = events[events.length - 1];
+  const lastHash = last && typeof last.hash === "string" ? last.hash : GENESIS_HASH;
+  const headHashMatches = typeof bundle.chain_head_hash === "string" ? bundle.chain_head_hash === lastHash : false;
+  const chainIntegrityOk = adjacencyOk && tamperedIds.length === 0 && headHashMatches;
+  let signatureValid = false;
+  let matchedKeyId;
+  let reason;
+  if (keys.length === 0) {
+    reason = "no signing keys configured (signing_keys table empty and ATLASENT_EXPORT_SIGNING_KEY_PUBLIC unset)";
+  } else if (typeof bundle.signature !== "string" || bundle.signature.length === 0) {
+    reason = "bundle carries no signature";
+  } else {
+    try {
+      const sigBytes = base64UrlDecode(bundle.signature);
+      const envelopeBytes = signedBytesFor(bundle);
+      const hint = typeof bundle.signing_key_id === "string" ? bundle.signing_key_id : null;
+      const ordered = hint ? [
+        ...keys.filter((k) => k.keyId === hint),
+        ...keys.filter((k) => k.keyId !== hint)
+      ] : Array.from(keys);
+      for (const k of ordered) {
+        const ok = await subtle.verify("Ed25519", k.publicKey, sigBytes, envelopeBytes);
+        if (ok) {
+          signatureValid = true;
+          matchedKeyId = k.keyId;
+          break;
+        }
+      }
+      if (!signatureValid) {
+        reason = `signature did not verify under any of ${keys.length} configured public key(s)`;
+      }
+    } catch (err) {
+      reason = `signature check failed: ${err instanceof Error ? err.message : String(err)}`;
+    }
+  }
+  if (!chainIntegrityOk && reason === void 0) {
+    if (tamperedIds.length > 0) reason = `hash mismatch for ${tamperedIds.length} event(s)`;
+    else if (!adjacencyOk) reason = "chain adjacency broken";
+    else if (!headHashMatches) reason = "chain_head_hash does not match last event";
+  }
+  return {
+    chainIntegrityOk,
+    signatureValid,
+    headHashMatches,
+    tamperedEventIds: tamperedIds,
+    matchedKeyId,
+    reason,
+    verified: chainIntegrityOk && signatureValid
+  };
+}
+async function verifyBundle(pathOrBundle, options) {
+  let bundle;
+  if (typeof pathOrBundle === "string") {
+    const raw = await (0, import_promises.readFile)(pathOrBundle, "utf8");
+    const parsed = JSON.parse(raw);
+    bundle = parsed && typeof parsed === "object" && "bundle" in parsed && typeof parsed.bundle === "object" ? parsed.bundle : parsed;
+  } else {
+    bundle = pathOrBundle;
+  }
+  const keys = await resolveKeys(options);
+  return verifyAuditBundle(bundle, keys);
+}
+
+// src/protect.ts
+var sharedClient = null;
+var overrides = {};
+function configure(options) {
+  overrides = { ...overrides, ...options };
+  sharedClient = null;
+}
+function getClient() {
+  if (sharedClient) return sharedClient;
+  const apiKey = overrides.apiKey ?? process.env.ATLASENT_API_KEY;
+  if (!apiKey) {
+    throw new AtlaSentError(
+      "AtlaSent is not configured. Set ATLASENT_API_KEY in the environment, or call atlasent.configure({ apiKey }).",
+      { code: "invalid_api_key" }
+    );
+  }
+  const options = { apiKey };
+  if (overrides.baseUrl !== void 0) options.baseUrl = overrides.baseUrl;
+  if (overrides.timeoutMs !== void 0) options.timeoutMs = overrides.timeoutMs;
+  if (overrides.fetch !== void 0) options.fetch = overrides.fetch;
+  sharedClient = new AtlaSentClient(options);
+  return sharedClient;
+}
+function wireDecisionToDenied(serverDecision) {
+  const lower = serverDecision.toLowerCase();
+  if (lower === "hold" || lower === "escalate") return lower;
+  return "deny";
+}
+async function protect(request) {
+  const client = getClient();
+  const evaluation = await client.evaluate(request);
+  if (evaluation.decision !== "ALLOW") {
+    throw new AtlaSentDeniedError({
+      decision: wireDecisionToDenied(evaluation.decision),
+      evaluationId: evaluation.permitId,
+      reason: evaluation.reason,
+      auditHash: evaluation.auditHash
+    });
+  }
+  const verifyRequest = {
+    permitId: evaluation.permitId,
+    agent: request.agent,
+    action: request.action
+  };
+  if (request.context !== void 0) verifyRequest.context = request.context;
+  const verification = await client.verifyPermit(verifyRequest);
+  if (!verification.verified) {
+    throw new AtlaSentDeniedError({
+      decision: "deny",
+      evaluationId: evaluation.permitId,
+      reason: `Permit failed verification (${verification.outcome})`,
+      auditHash: evaluation.auditHash
+    });
+  }
+  return {
+    permitId: evaluation.permitId,
+    permitHash: verification.permitHash,
+    auditHash: evaluation.auditHash,
+    reason: evaluation.reason,
+    timestamp: verification.timestamp
+  };
+}
+
+// src/retry.ts
+var DEFAULT_RETRY_POLICY = {
+  maxAttempts: 3,
+  baseDelayMs: 250,
+  maxDelayMs: 7e3
+};
+var RETRYABLE_CODES = /* @__PURE__ */ new Set([
+  "network",
+  "timeout",
+  "rate_limited",
+  "server_error",
+  "bad_response"
+]);
+function isRetryable(err) {
+  if (!(err instanceof AtlaSentError)) return false;
+  if (err.code === void 0) return false;
+  return RETRYABLE_CODES.has(err.code);
+}
+function computeBackoffMs(attempt, policy = {}, err, random = Math.random) {
+  const merged = mergePolicy(policy);
+  const safeAttempt = Math.max(0, Math.floor(attempt));
+  const exp = Math.min(safeAttempt, 30);
+  const ceiling = Math.min(merged.maxDelayMs, merged.baseDelayMs * 2 ** exp);
+  const jittered = Math.floor(ceiling * clampUnit(random()));
+  const retryAfterMs = err instanceof AtlaSentError && typeof err.retryAfterMs === "number" ? Math.max(0, err.retryAfterMs) : 0;
+  return Math.max(retryAfterMs, jittered);
+}
+function hasAttemptsLeft(attempt, policy = {}) {
+  const merged = mergePolicy(policy);
+  return attempt + 1 < merged.maxAttempts;
+}
+function mergePolicy(policy) {
+  const maxAttempts = Math.max(
+    1,
+    Math.floor(policy.maxAttempts ?? DEFAULT_RETRY_POLICY.maxAttempts)
+  );
+  const baseDelayMs = Math.max(
+    0,
+    policy.baseDelayMs ?? DEFAULT_RETRY_POLICY.baseDelayMs
+  );
+  const maxDelayMs = Math.max(
+    baseDelayMs,
+    policy.maxDelayMs ?? DEFAULT_RETRY_POLICY.maxDelayMs
+  );
+  return { maxAttempts, baseDelayMs, maxDelayMs };
+}
+function clampUnit(n) {
+  if (!Number.isFinite(n)) return 0;
+  if (n < 0) return 0;
+  if (n >= 1) return 0.999999999;
+  return n;
+}
+
+// src/index.ts
+var atlasent = {
+  protect,
+  configure,
+  verifyBundle,
+  AtlaSentClient,
+  AtlaSentError,
+  AtlaSentDeniedError
+};
+var index_default = atlasent;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AtlaSentClient,
+  AtlaSentDeniedError,
+  AtlaSentError,
+  DEFAULT_RETRY_POLICY,
+  canonicalJSON,
+  computeBackoffMs,
+  configure,
+  hasAttemptsLeft,
+  isRetryable,
+  mergePolicy,
+  protect,
+  signedBytesFor,
+  verifyAuditBundle,
+  verifyBundle
+});
+//# sourceMappingURL=index.cjs.map