@atlasent/sdk 2.10.0 → 2.13.0

package/dist/hono.js

@@ -47,7 +47,8 @@ var KNOWN_PERMIT_OUTCOMES = /* @__PURE__ */ new Set([
   "permit_consumed",
   "permit_expired",
   "permit_revoked",
-  "permit_not_found"
+  "permit_not_found",
+  "permit_signing_key_revoked"
 ]);
 function normalizePermitOutcome(raw) {
   if (raw !== void 0 && KNOWN_PERMIT_OUTCOMES.has(raw)) {
@@ -108,7 +109,197 @@ var AtlaSentDeniedError = class extends AtlaSentError {
   get isNotFound() {
     return this.outcome === "permit_not_found";
   }
+  /**
+   * `true` when the permit's signing key KID appears in the
+   * trust-root revocation list (ADR-005 D3 R2/R3 key rotation).
+   */
+  get isSigningKeyRevoked() {
+    return this.outcome === "permit_signing_key_revoked";
+  }
 };
+var BundleVerificationError = class extends AtlaSentError {
+  name = "BundleVerificationError";
+  reason;
+  snapshotValidUntil;
+  snapshotFetchedAt;
+  snapshotSource;
+  kid;
+  constructor(init) {
+    super(`AtlaSent audit bundle verification failed: ${init.reason}`);
+    this.reason = init.reason;
+    this.snapshotValidUntil = init.snapshotValidUntil;
+    this.snapshotFetchedAt = init.snapshotFetchedAt;
+    this.snapshotSource = init.snapshotSource;
+    this.kid = init.kid;
+  }
+};
+
+// src/trustRoot.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { resolve, dirname } from "path";
+var REFRESH_INTERVAL_MS_DEFAULT = 4 * 60 * 60 * 1e3;
+var REFRESH_INTERVAL_MS_FLOOR = 5 * 60 * 1e3;
+var KEYS_BASE_URL = "https://keys.atlasent.io/.well-known";
+var _halfLifeWarningEmitted = false;
+var _expiredWarningEmitted = false;
+var TrustRootManager = class {
+  _snapshot;
+  _refreshTimer = null;
+  _opts;
+  constructor(initialSnapshot, opts = {}) {
+    this._snapshot = initialSnapshot;
+    const intervalMs = Math.max(
+      opts.refreshIntervalMs ?? REFRESH_INTERVAL_MS_DEFAULT,
+      REFRESH_INTERVAL_MS_FLOOR
+    );
+    this._opts = {
+      refreshBaseUrl: opts.refreshBaseUrl ?? KEYS_BASE_URL,
+      refreshIntervalMs: intervalMs,
+      disableRefresh: opts.disableRefresh ?? false,
+      fetch: opts.fetch ?? (typeof globalThis !== "undefined" && globalThis.fetch ? globalThis.fetch.bind(globalThis) : ((_url) => Promise.reject(new Error("fetch not available"))))
+    };
+    if (!this._opts.disableRefresh) {
+      this._scheduleRefresh();
+    }
+  }
+  getSnapshot() {
+    return this._snapshot;
+  }
+  /**
+   * Check whether the snapshot is expired, emit one-time warnings at
+   * half-life and expiry.  Returns "ok" | "half_life" | "expired".
+   *
+   * Emits console.warn once per process at half-life (ADR-005 D3).
+   * Emits console.warn once per process on expiry.
+   */
+  checkExpiry() {
+    const snap = this._snapshot;
+    const now = Date.now();
+    const issuedAt = new Date(snap.issued_at).getTime();
+    const validUntil = new Date(snap.valid_until).getTime();
+    if (now > validUntil) {
+      if (!_expiredWarningEmitted) {
+        _expiredWarningEmitted = true;
+        const daysAgo = Math.floor((now - validUntil) / (24 * 60 * 60 * 1e3));
+        console.warn(
+          `[atlasent] Trust snapshot expired ${daysAgo} day(s) ago (valid_until: ${snap.valid_until}). Update to a newer SDK build or enable allowExpiredSnapshot.`
+        );
+      }
+      return "expired";
+    }
+    const window = validUntil - issuedAt;
+    const halfLife = issuedAt + window / 2;
+    if (now > halfLife) {
+      if (!_halfLifeWarningEmitted) {
+        _halfLifeWarningEmitted = true;
+        const daysLeft = Math.floor((validUntil - now) / (24 * 60 * 60 * 1e3));
+        console.warn(
+          `[atlasent] Trust snapshot at half-life: expires in ${daysLeft} day(s) (valid_until: ${snap.valid_until}). Plan an SDK update.`
+        );
+      }
+      return "half_life";
+    }
+    return "ok";
+  }
+  /** Look up a key entry by kid. Returns undefined if not found. */
+  lookupKey(kid) {
+    return this._snapshot.keys.find((k) => k.kid === kid);
+  }
+  /** Returns true if the kid appears in revoked_keys. */
+  isRevoked(kid) {
+    return this._snapshot.revoked_keys.some((r) => r.kid === kid);
+  }
+  /** Replace the snapshot (e.g. after a successful refresh). */
+  replaceSnapshot(next) {
+    this._snapshot = next;
+  }
+  stopRefresh() {
+    if (this._refreshTimer !== null) {
+      clearInterval(this._refreshTimer);
+      this._refreshTimer = null;
+    }
+  }
+  _scheduleRefresh() {
+    this._refreshTimer = setInterval(() => {
+      void this._doRefresh();
+    }, this._opts.refreshIntervalMs);
+    if (this._refreshTimer && typeof this._refreshTimer === "object" && "unref" in this._refreshTimer) {
+      this._refreshTimer.unref();
+    }
+  }
+  async _doRefresh() {
+    try {
+      const base = this._opts.refreshBaseUrl.replace(/\/$/, "");
+      const [keysRes, revocRes] = await Promise.all([
+        this._opts.fetch(`${base}/atlasent-verifier-keys.json`),
+        this._opts.fetch(`${base}/atlasent-revocations.json`)
+      ]);
+      const indexRes = await this._opts.fetch(`${base}/atlasent-trust-root.json`);
+      if (!keysRes.ok || !revocRes.ok || !indexRes.ok) return;
+      const [keys, revoc, index] = await Promise.all([
+        keysRes.json(),
+        revocRes.json(),
+        indexRes.json()
+      ]);
+      if (!index.valid_until || !Array.isArray(keys.keys)) return;
+      this._snapshot = {
+        valid_until: index.valid_until,
+        issued_at: index.issued_at ?? this._snapshot.issued_at,
+        keys: keys.keys,
+        revoked_keys: revoc.revoked_keys ?? [],
+        revoked_identities: revoc.revoked_identities ?? []
+      };
+    } catch {
+    }
+  }
+};
+function _loadVendorSnapshot() {
+  try {
+    let packageRoot;
+    try {
+      const thisFile = fileURLToPath(import.meta.url);
+      packageRoot = resolve(dirname(thisFile), "..", "..");
+    } catch {
+      packageRoot = resolve(__dirname, "..", "..");
+    }
+    const vendorDir = resolve(packageRoot, "vendor", "trust-root");
+    const index = JSON.parse(
+      readFileSync(resolve(vendorDir, "atlasent-trust-root.json"), "utf8")
+    );
+    const verifierKeys = JSON.parse(
+      readFileSync(resolve(vendorDir, "atlasent-verifier-keys.json"), "utf8")
+    );
+    const revocations = JSON.parse(
+      readFileSync(resolve(vendorDir, "atlasent-revocations.json"), "utf8")
+    );
+    return {
+      valid_until: index.valid_until,
+      issued_at: index.issued_at,
+      keys: verifierKeys.keys ?? [],
+      revoked_keys: revocations.revoked_keys ?? [],
+      revoked_identities: revocations.revoked_identities ?? []
+    };
+  } catch {
+    return {
+      valid_until: "2099-01-01T00:00:00Z",
+      issued_at: "2026-05-26T00:00:00Z",
+      keys: [],
+      revoked_keys: [],
+      revoked_identities: []
+    };
+  }
+}
+var _globalManager = null;
+function getGlobalTrustRootManager(opts) {
+  if (!_globalManager) {
+    _globalManager = new TrustRootManager(
+      _loadVendorSnapshot(),
+      opts ?? { disableRefresh: false }
+    );
+  }
+  return _globalManager;
+}
 
 // src/types.ts
 var PRODUCTION_DEPLOY_ACTION = "production.deploy";
@@ -135,7 +326,13 @@ function normalizeEvaluateRequest(input) {
       actor_id: legacy.agent
     };
     if (legacy.context !== void 0) normalized.context = legacy.context;
-    if (legacy.explain !== void 0) normalized.explain = legacy.explain;
+    const l = legacy;
+    if (l.explain !== void 0) normalized.explain = l.explain;
+    if (l.environment !== void 0) normalized.environment = l.environment;
+    if (l.resource !== void 0) normalized.resource = l.resource;
+    if (l.current_state !== void 0) normalized.current_state = l.current_state;
+    if (l.proposed_state !== void 0) normalized.proposed_state = l.proposed_state;
+    if (l.execution_binding !== void 0) normalized.execution_binding = l.execution_binding;
     return normalized;
   }
   return input;
@@ -143,9 +340,9 @@ function normalizeEvaluateRequest(input) {
 
 // src/retry.ts
 var DEFAULT_RETRY_POLICY = {
-  maxAttempts: 4,
-  baseDelayMs: 2e3,
-  maxDelayMs: 16e3
+  maxAttempts: 3,
+  baseDelayMs: 250,
+  maxDelayMs: 1e4
 };
 var RETRYABLE_CODES = /* @__PURE__ */ new Set([
   "network",
@@ -194,10 +391,371 @@ function clampUnit(n) {
   return n;
 }
 
+// src/scim.ts
+var SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User";
+var SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group";
+function scimUsersPath(orgId) {
+  return `/scim/v2/${encodeURIComponent(orgId)}/Users`;
+}
+function scimGroupsPath(orgId) {
+  return `/scim/v2/${encodeURIComponent(orgId)}/Groups`;
+}
+function buildScimQuery(filter, startIndex, count) {
+  const params = new URLSearchParams();
+  if (filter !== void 0) params.set("filter", filter);
+  if (startIndex !== void 0) params.set("startIndex", String(startIndex));
+  if (count !== void 0) params.set("count", String(count));
+  return params.size > 0 ? params : void 0;
+}
+function makeScimClient(postFn, getFn, putFn, deleteFn) {
+  const users = {
+    async list(params) {
+      const qs = buildScimQuery(
+        params.filter,
+        params.startIndex,
+        params.count
+      );
+      const { body } = await getFn(
+        scimUsersPath(params.orgId),
+        qs
+      );
+      return body;
+    },
+    async create(orgId, user) {
+      const payload = user.schemas ? user : { ...user, schemas: [SCIM_USER_SCHEMA] };
+      const { body } = await postFn(scimUsersPath(orgId), payload);
+      return body;
+    },
+    async update(orgId, id, user) {
+      const payload = user.schemas ? user : { ...user, schemas: [SCIM_USER_SCHEMA] };
+      const { body } = await putFn(
+        `${scimUsersPath(orgId)}/${encodeURIComponent(id)}`,
+        payload
+      );
+      return body;
+    },
+    async delete(orgId, id) {
+      return deleteFn(
+        `${scimUsersPath(orgId)}/${encodeURIComponent(id)}`
+      );
+    }
+  };
+  const groups = {
+    async list(params) {
+      const qs = buildScimQuery(
+        params.filter,
+        params.startIndex,
+        params.count
+      );
+      const { body } = await getFn(
+        scimGroupsPath(params.orgId),
+        qs
+      );
+      return body;
+    },
+    async create(orgId, group) {
+      const payload = group["schemas"] ? group : { ...group, schemas: [SCIM_GROUP_SCHEMA] };
+      const { body } = await postFn(
+        scimGroupsPath(orgId),
+        payload
+      );
+      return body;
+    },
+    async delete(orgId, id) {
+      return deleteFn(
+        `${scimGroupsPath(orgId)}/${encodeURIComponent(id)}`
+      );
+    }
+  };
+  return { users, groups };
+}
+
+// src/evidence-bundle.ts
+function wireToBundle(w) {
+  return {
+    bundleId: w.bundle_id,
+    orgId: w.org_id,
+    incidentId: w.incident_id,
+    status: w.status,
+    includedPermits: w.included_permits ?? [],
+    includeOverrides: w.include_overrides ?? false,
+    format: w.format,
+    createdAt: w.created_at,
+    expiresAt: w.expires_at,
+    ...w.download_url !== void 0 ? { downloadUrl: w.download_url } : {},
+    ...w.metadata !== void 0 ? { metadata: w.metadata } : {}
+  };
+}
+function makeEvidenceBundleClient(postFn, getFn, getRawFn) {
+  return {
+    async list(params = {}) {
+      const qs = new URLSearchParams();
+      if (params.executionId !== void 0) qs.set("execution_id", params.executionId);
+      if (params.limit !== void 0) qs.set("limit", String(params.limit));
+      if (params.cursor !== void 0) qs.set("cursor", params.cursor);
+      const { body } = await getFn("/v1/evidence-bundles", qs.size > 0 ? qs : void 0);
+      return {
+        bundles: (body.bundles ?? []).map(wireToBundle),
+        nextCursor: body.next_cursor ?? null
+      };
+    },
+    async create(params) {
+      const payload = {
+        incident_id: params.incidentId
+      };
+      if (params.includedPermits !== void 0) {
+        payload["included_permits"] = params.includedPermits;
+      }
+      if (params.includeOverrides !== void 0) {
+        payload["include_overrides"] = params.includeOverrides;
+      }
+      const { body } = await postFn(
+        "/v1/evidence-bundles",
+        payload
+      );
+      return wireToBundle(body);
+    },
+    async get(bundleId) {
+      const { body } = await getFn(
+        `/v1/evidence-bundles/${encodeURIComponent(bundleId)}`
+      );
+      return wireToBundle(body);
+    },
+    async download(bundleId, format = "json") {
+      const qs = new URLSearchParams({ format });
+      const raw = await getRawFn(
+        `/v1/evidence-bundles/${encodeURIComponent(bundleId)}/download?${qs}`
+      );
+      return Buffer.from(raw);
+    }
+  };
+}
+
+// src/auth.ts
+function wireToTokenResponse(w) {
+  return {
+    accessToken: w.access_token,
+    refreshToken: w.refresh_token,
+    tokenType: w.token_type,
+    expiresIn: w.expires_in,
+    ...w.scope !== void 0 ? { scope: w.scope } : {},
+    ...w.idp_id !== void 0 ? { idpId: w.idp_id } : {}
+  };
+}
+function wireToIdpConnection(w) {
+  return {
+    id: w.id,
+    name: w.name,
+    provider: w.provider,
+    enabled: w.enabled,
+    isDefault: w.default,
+    ...w.domains !== void 0 ? { domains: w.domains } : {},
+    createdAt: w.created_at
+  };
+}
+function makeAuthClient(postFn, getFn) {
+  return {
+    async refresh(refreshToken) {
+      const { body } = await postFn(
+        "/v1/auth/token/refresh",
+        { refresh_token: refreshToken, grant_type: "refresh_token" }
+      );
+      return wireToTokenResponse(body);
+    },
+    async refreshWithIdp(idpId, refreshToken) {
+      const path = `/v1/auth/idp/${encodeURIComponent(idpId)}/token/refresh`;
+      const { body } = await postFn(path, {
+        refresh_token: refreshToken,
+        grant_type: "refresh_token",
+        idp_id: idpId
+      });
+      return wireToTokenResponse(body);
+    },
+    async listIdpConnections() {
+      const { body } = await getFn(
+        "/v1/auth/idp-connections"
+      );
+      return (body.connections ?? []).map(wireToIdpConnection);
+    }
+  };
+}
+
+// src/sso.ts
+function wireToSsoConnection(w) {
+  return {
+    id: w.id,
+    organizationId: w.organization_id,
+    name: w.name,
+    protocol: w.protocol,
+    idpEntityId: w.idp_entity_id,
+    metadataUrl: w.metadata_url,
+    metadataXml: w.metadata_xml,
+    emailDomain: w.email_domain,
+    enforceForDomain: w.enforce_for_domain,
+    isActive: w.is_active,
+    supabaseProviderId: w.supabase_provider_id,
+    createdBy: w.created_by,
+    createdAt: w.created_at,
+    updatedAt: w.updated_at
+  };
+}
+function wireToSsoJitRule(w) {
+  return {
+    id: w.id,
+    connectionId: w.connection_id,
+    organizationId: w.organization_id,
+    claimAttribute: w.claim_attribute,
+    claimValue: w.claim_value,
+    grantedRole: w.granted_role,
+    precedence: w.precedence,
+    isActive: w.is_active,
+    createdAt: w.created_at,
+    updatedAt: w.updated_at
+  };
+}
+function wireToSsoReadiness(w) {
+  return {
+    connectionConfigured: w.connection_configured,
+    connectionTested: w.connection_tested,
+    breakGlassSet: w.break_glass_set,
+    serviceApiKeysReviewed: w.service_api_keys_reviewed
+  };
+}
+function ssoConnectionInputToWire(input) {
+  const w = {};
+  if (input.name !== void 0) w["name"] = input.name;
+  if (input.protocol !== void 0) w["protocol"] = input.protocol;
+  if (input.idpEntityId !== void 0) w["idp_entity_id"] = input.idpEntityId;
+  if (input.metadataUrl !== void 0) w["metadata_url"] = input.metadataUrl;
+  if (input.metadataXml !== void 0) w["metadata_xml"] = input.metadataXml;
+  if (input.emailDomain !== void 0) w["email_domain"] = input.emailDomain;
+  if (input.enforceForDomain !== void 0) w["enforce_for_domain"] = input.enforceForDomain;
+  return w;
+}
+function makeSsoClient(getFn, postFn, patchFn, deleteFn) {
+  return {
+    async listConnections() {
+      const { body } = await getFn("/v1/sso/connections");
+      return { connections: (body.connections ?? []).map(wireToSsoConnection) };
+    },
+    async getConnection(id) {
+      const { body } = await getFn(`/v1/sso/connections/${encodeURIComponent(id)}`);
+      return wireToSsoConnection(body);
+    },
+    async createConnection(input) {
+      const { body } = await postFn("/v1/sso/connections", ssoConnectionInputToWire(input));
+      return wireToSsoConnection(body);
+    },
+    async updateConnection(id, input) {
+      const { body } = await patchFn(
+        `/v1/sso/connections/${encodeURIComponent(id)}`,
+        ssoConnectionInputToWire(input)
+      );
+      return wireToSsoConnection(body);
+    },
+    async deleteConnection(id) {
+      await deleteFn(`/v1/sso/connections/${encodeURIComponent(id)}`);
+    },
+    async activateConnection(id) {
+      const { body } = await postFn(
+        `/v1/sso/connections/${encodeURIComponent(id)}/activate`,
+        {}
+      );
+      return { ok: body.ok, supabaseProviderId: body.supabase_provider_id };
+    },
+    async enforce(action) {
+      const { body } = await postFn("/v1/sso/enforce", { action });
+      return {
+        ok: body.ok,
+        action: body.action,
+        enforceSso: body.enforce_sso,
+        enforceSsoAt: body.enforce_sso_at
+      };
+    },
+    async getStatus() {
+      const { body } = await getFn("/v1/sso/status");
+      return wireToSsoReadiness(body.readiness);
+    },
+    async listJitRules(connectionId) {
+      const qs = connectionId ? new URLSearchParams({ connection_id: connectionId }) : void 0;
+      const { body } = await getFn("/v1/sso/jit-rules", qs);
+      return { rules: (body.rules ?? []).map(wireToSsoJitRule) };
+    },
+    async createJitRule(input) {
+      const payload = {
+        connection_id: input.connectionId,
+        claim_attribute: input.claimAttribute,
+        claim_value: input.claimValue,
+        granted_role: input.grantedRole
+      };
+      if (input.precedence !== void 0) payload["precedence"] = input.precedence;
+      const { body } = await postFn("/v1/sso/jit-rules", payload);
+      return wireToSsoJitRule(body);
+    },
+    async patchJitRule(id, patch) {
+      const payload = {};
+      if (patch.claimAttribute !== void 0) payload["claim_attribute"] = patch.claimAttribute;
+      if (patch.claimValue !== void 0) payload["claim_value"] = patch.claimValue;
+      if (patch.grantedRole !== void 0) payload["granted_role"] = patch.grantedRole;
+      if (patch.precedence !== void 0) payload["precedence"] = patch.precedence;
+      if (patch.isActive !== void 0) payload["is_active"] = patch.isActive;
+      const { body } = await patchFn(
+        `/v1/sso/jit-rules/${encodeURIComponent(id)}`,
+        payload
+      );
+      return wireToSsoJitRule(body);
+    },
+    async deleteJitRule(id) {
+      await deleteFn(`/v1/sso/jit-rules/${encodeURIComponent(id)}`);
+    }
+  };
+}
+
+// src/access-governance-log.ts
+function wireToEvent(w) {
+  return {
+    id: w.id,
+    eventType: w.event_type,
+    orgId: w.org_id,
+    actorId: w.actor_id,
+    actorEmail: w.actor_email,
+    ipAddress: w.ip_address,
+    metadata: w.metadata ?? {},
+    createdAt: w.created_at
+  };
+}
+function makeAccessGovernanceLogClient(getFn) {
+  return {
+    async list(query = {}) {
+      const qs = new URLSearchParams();
+      if (query.limit !== void 0) qs.set("limit", String(query.limit));
+      if (query.cursor) qs.set("cursor", query.cursor);
+      if (query.eventType) qs.set("event_type", query.eventType);
+      if (query.actorId) qs.set("actor_id", query.actorId);
+      if (query.from) qs.set("from", query.from);
+      if (query.to) qs.set("to", query.to);
+      const { body } = await getFn(
+        "/v1/access-governance-log",
+        qs.size > 0 ? qs : void 0
+      );
+      return {
+        events: (body.events ?? []).map(wireToEvent),
+        nextCursor: body.next_cursor,
+        totalCount: body.total_count ?? 0
+      };
+    }
+  };
+}
+
 // src/client.ts
 var DEFAULT_BASE_URL = "https://api.atlasent.io";
 var DEFAULT_TIMEOUT_MS = 1e4;
-var SDK_VERSION = "2.2.0";
+var SDK_VERSION = "2.10.0";
+var warnedBrowser = false;
+var V1_EVALUATE_BATCH_PATH = "/v1/evaluate/batch";
+var V1_EVALUATE_BATCH_LEGACY_PATH = "/v1-evaluate-batch";
+var V1_EVALUATE_STREAM_PATH = "/v1/evaluate/stream";
+var V1_EVALUATE_STREAM_LEGACY_PATH = "/v1-evaluate-stream";
 function _buildUserAgent() {
   const isNode2 = typeof process !== "undefined" && typeof process?.versions?.node === "string";
   return isNode2 ? `@atlasent/sdk/${SDK_VERSION} node/${process.version}` : `@atlasent/sdk/${SDK_VERSION} browser`;
@@ -261,6 +819,18 @@ var AtlaSentClient = class {
   fetchImpl;
   userAgent;
   retryPolicy;
+  /** SCIM 2.0 provisioning sub-client. Access as `client.scim`. */
+  scim;
+  /** Evidence bundle sub-client. Access as `client.evidenceBundles`. */
+  evidenceBundles;
+  /** Auth / token management sub-client. Access as `client.auth`. */
+  auth;
+  /** SSO administration sub-client. Access as `client.sso`. */
+  sso;
+  /** Access governance log sub-client. Access as `client.accessGovernanceLog`. */
+  accessGovernanceLog;
+  /** Trust-root snapshot manager for this client instance. */
+  trustRoot;
   constructor(options) {
     if (!options.apiKey || typeof options.apiKey !== "string") {
       throw new AtlaSentError("apiKey is required", {
@@ -273,6 +843,12 @@ var AtlaSentClient = class {
         { code: "network" }
       );
     }
+    if (!warnedBrowser && typeof globalThis["window"] !== "undefined" && typeof process === "undefined") {
+      warnedBrowser = true;
+      console.warn(
+        "[@atlasent/sdk] Running in a browser environment. API keys should not be exposed in client-side bundles. Use a server-side proxy instead."
+      );
+    }
     this.apiKey = _validateApiKey(options.apiKey);
     this.baseUrl = _enforceTls(options.baseUrl ?? DEFAULT_BASE_URL).replace(
       /\/+$/,
@@ -282,6 +858,44 @@ var AtlaSentClient = class {
     this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
     this.userAgent = _buildUserAgent();
     this.retryPolicy = mergePolicy(options.retryPolicy ?? {});
+    this.scim = makeScimClient(
+      (path, body, query) => this._post(path, body, query),
+      (path, query) => this._get(path, query),
+      (path, body) => this._put(path, body),
+      (path) => this._delete(path)
+    );
+    this.evidenceBundles = makeEvidenceBundleClient(
+      (path, body) => this._post(path, body),
+      (path, query) => this._get(path, query),
+      (path) => this._getRaw(path)
+    );
+    this.auth = makeAuthClient(
+      (path, body) => this._post(path, body),
+      (path) => this._get(path)
+    );
+    this.sso = makeSsoClient(
+      (path, query) => this._get(path, query),
+      (path, body) => this._post(path, body),
+      (path, body) => this._patch(path, body),
+      (path) => this._delete(path)
+    );
+    this.accessGovernanceLog = makeAccessGovernanceLogClient(
+      (path, query) => this._get(path, query)
+    );
+    if (options.trustRootUrl !== void 0 || options.trustSnapshotRefreshMs !== void 0) {
+      const globalSnap = getGlobalTrustRootManager({ disableRefresh: true }).getSnapshot();
+      this.trustRoot = new TrustRootManager(globalSnap, {
+        ...options.trustRootUrl !== void 0 && { refreshBaseUrl: options.trustRootUrl },
+        ...options.trustSnapshotRefreshMs !== void 0 && { refreshIntervalMs: options.trustSnapshotRefreshMs }
+      });
+    } else {
+      this.trustRoot = getGlobalTrustRootManager();
+    }
+    this.trustRoot.checkExpiry();
+  }
+  /** Return the current trust-root snapshot (pinned or last successful refresh). */
+  getTrustSnapshot() {
+    return this.trustRoot.getSnapshot();
   }
   /**
    * Ask the policy engine whether an agent action is permitted.
@@ -308,6 +922,11 @@ var AtlaSentClient = class {
       context: normalized.context ?? {}
     };
     if (normalized.explain !== void 0) body.explain = normalized.explain;
+    if (normalized.environment !== void 0) body.environment = normalized.environment;
+    if (normalized.resource !== void 0) body.resource = normalized.resource;
+    if (normalized.current_state !== void 0) body.current_state = normalized.current_state;
+    if (normalized.proposed_state !== void 0) body.proposed_state = normalized.proposed_state;
+    if (normalized.execution_binding !== void 0) body.execution_binding = normalized.execution_binding;
     const { body: wire, rateLimit } = await this.post(
       "/v1-evaluate",
       body
@@ -354,13 +973,25 @@ var AtlaSentClient = class {
           hardBlocks: wire.risk_envelope.hard_blocks ?? [],
           ...wire.risk_envelope.factors && { factors: wire.risk_envelope.factors }
         }
-      }
+      },
+      ...wire.risk_class !== void 0 && { riskClass: wire.risk_class },
+      ...wire.authority_basis && {
+        authorityBasis: {
+          kind: wire.authority_basis.kind,
+          ...wire.authority_basis.reference !== void 0 && { reference: wire.authority_basis.reference },
+          ...wire.authority_basis.granted_by !== void 0 && { grantedBy: wire.authority_basis.granted_by },
+          ...wire.authority_basis.rationale !== void 0 && { rationale: wire.authority_basis.rationale },
+          ...wire.authority_basis.expires_at !== void 0 && { expiresAt: wire.authority_basis.expires_at }
+        }
+      },
+      ...wire.escalation_id !== void 0 && { escalationId: wire.escalation_id }
     };
   }
   /**
    * Batch evaluate — send up to 100 decisions in a single round-trip.
    *
-   * Wraps `POST /v1-evaluate-batch`. The server evaluates each item
+  * Wraps `POST /v1/evaluate/batch` (with fallback to
+  * `POST /v1-evaluate-batch` on older runtimes). The server evaluates each item
    * against the active policy bundle and returns results in the same
    * order as the input. One rate-limit token is consumed for the
    * whole batch, and one audit-chain entry lists every included
@@ -398,8 +1029,9 @@ var AtlaSentClient = class {
     }));
     const wireBody = { items: wireItems };
     if (batchId) wireBody.batch_id = batchId;
-    const { body: wire, rateLimit } = await this.post(
-      "/v1-evaluate-batch",
+    const { body: wire, rateLimit } = await this.postWithPathFallback(
+      V1_EVALUATE_BATCH_PATH,
+      V1_EVALUATE_BATCH_LEGACY_PATH,
       wireBody
     );
     const items = (wire.items ?? []).map(
@@ -692,6 +1324,7 @@ var AtlaSentClient = class {
     const agent = input.agent ?? "ci-deploy-bot";
     const action = input.action ?? PRODUCTION_DEPLOY_ACTION;
     const context = input.context ?? {};
+    const environment = typeof context.environment === "string" ? context.environment : typeof context.environment_name === "string" ? context.environment_name : void 0;
     const evaluation = await this.evaluate({ agent, action, context });
     if (evaluation.decision !== "allow") {
       return {
@@ -708,7 +1341,8 @@ var AtlaSentClient = class {
       permitId: evaluation.permitId,
       agent,
       action,
-      context
+      context,
+      ...environment !== void 0 ? { environment } : {}
     });
     if (!verification.verified) {
       return {
@@ -922,15 +1556,15 @@ var AtlaSentClient = class {
    */
   async keySelf() {
     const { body: wire, rateLimit } = await this.get("/v1-api-key-self");
-    if (typeof wire.key_id !== "string" || typeof wire.organization_id !== "string") {
+    if (typeof wire.key_id !== "string" || typeof wire.org_id !== "string") {
       throw new AtlaSentError(
-        "Malformed response from /v1-api-key-self: missing `key_id` or `organization_id`",
+        "Malformed response from /v1-api-key-self: missing `key_id` or `org_id`",
         { code: "bad_response" }
       );
     }
     return {
       keyId: wire.key_id,
-      organizationId: wire.organization_id,
+      orgId: wire.org_id,
       environment: wire.environment,
       scopes: wire.scopes ?? [],
       allowedCidrs: wire.allowed_cidrs ?? null,
@@ -1142,7 +1776,8 @@ var AtlaSentClient = class {
     return response;
   }
   /**
-   * Open a streaming evaluation session against `POST /v1-evaluate-stream`.
+  * Open a streaming evaluation session against `POST /v1/evaluate/stream`
+  * (with fallback to `POST /v1-evaluate-stream` on older runtimes).
    *
    * Yields {@link StreamDecisionEvent} and {@link StreamProgressEvent} objects
    * as the server emits them. The iterator ends cleanly when the server sends
@@ -1180,7 +1815,7 @@ var AtlaSentClient = class {
       api_key: this.apiKey
     };
     const requestId = globalThis.crypto.randomUUID();
-    const url = `${this.baseUrl}/v1-evaluate-stream`;
+    let streamPath = V1_EVALUATE_STREAM_PATH;
     let lastEventId;
     let retryCount = 0;
     while (true) {
@@ -1200,7 +1835,7 @@ var AtlaSentClient = class {
       const signal = opts.signal ? AbortSignal.any([connectionTimeoutSignal, opts.signal]) : connectionTimeoutSignal;
       let response;
       try {
-        response = await this.fetchImpl(url, {
+        response = await this.fetchImpl(`${this.baseUrl}${streamPath}`, {
           method: "POST",
           headers,
           body: JSON.stringify(body),
@@ -1216,6 +1851,10 @@ var AtlaSentClient = class {
         throw mapped;
       }
       if (!response.ok) {
+        if (streamPath === V1_EVALUATE_STREAM_PATH && (response.status === 404 || response.status === 405)) {
+          streamPath = V1_EVALUATE_STREAM_LEGACY_PATH;
+          continue;
+        }
         throw await buildHttpError(response, requestId);
       }
       if (!response.body) {
@@ -1264,9 +1903,61 @@ var AtlaSentClient = class {
       break;
     }
   }
+  // ── License verification (self-hosted / air-gapped) ──────────────────────
+  /**
+   * Retrieve the license status of this self-hosted or air-gapped deployment.
+   *
+   * Calls `GET /v1/license`. Returns the current validity state, expiry,
+   * enabled feature flags, and optional capacity limits for the installed
+   * license key.
+   *
+   * Callers should check `result.status === "active"` before proceeding.
+   * A `"grace"` status means the license has lapsed but a grace window
+   * (`grace_until`) is still open — the deployment continues to function
+   * but the license should be renewed immediately.
+   *
+   * Throws {@link AtlaSentError} on transport / auth failures.
+   */
+  async getLicense() {
+    const { body, rateLimit } = await this.get("/v1/license");
+    return { ...body, rateLimit };
+  }
+  /**
+   * Validate a signed license blob against this deployment's installed
+   * public key.
+   *
+   * Calls `POST /v1/license/verify`. Use this when onboarding a new license
+   * key or rotating an expiring one — submit the blob received from AtlaSent
+   * and check `result.valid` before applying the new license.
+   *
+   * A `valid: false` response is **not** thrown — inspect the returned
+   * object. Only transport / server errors throw {@link AtlaSentError}.
+   *
+   * @param blob — The signed license blob string provided by AtlaSent.
+   */
+  async verifyLicense(blob) {
+    if (!blob || typeof blob !== "string") {
+      throw new AtlaSentError("blob is required", { code: "bad_request" });
+    }
+    const { body, rateLimit } = await this.post(
+      "/v1/license/verify",
+      { blob }
+    );
+    return { ...body, rateLimit };
+  }
   async post(path, body, query) {
     return this.request(path, "POST", body, query);
   }
+  async postWithPathFallback(primaryPath, fallbackPath, body, query) {
+    try {
+      return await this.post(primaryPath, body, query);
+    } catch (err) {
+      if (err instanceof AtlaSentError && (err.status === 404 || err.status === 405)) {
+        return this.post(fallbackPath, body, query);
+      }
+      throw err;
+    }
+  }
   async get(path, query) {
     return this.request(path, "GET", void 0, query);
   }
@@ -1959,6 +2650,82 @@ var AtlaSentClient = class {
     );
     return [...body.evaluations ?? []];
   }
+  // ── Private adapters for sub-client factories ──────────────────────────────
+  // Thin wrappers that expose the private request infrastructure to sub-client
+  // factories (scim, evidenceBundles, auth) without widening the public API.
+  async _post(path, body, query) {
+    const { body: b } = await this.post(path, body, query);
+    return { body: b };
+  }
+  async _get(path, query) {
+    const { body: b } = await this.get(path, query);
+    return { body: b };
+  }
+  async _put(path, body) {
+    return this._requestRaw(path, "PUT", body, void 0);
+  }
+  async _patch(path, body) {
+    return this._requestRaw(path, "PATCH", body, void 0);
+  }
+  async _delete(path) {
+    await this._requestRaw(path, "DELETE", void 0, void 0);
+  }
+  async _getRaw(path) {
+    const url = `${this.baseUrl}${path}`;
+    const requestId = globalThis.crypto.randomUUID();
+    const headers = {
+      Authorization: `Bearer ${this.apiKey}`,
+      "User-Agent": this.userAgent,
+      "X-Request-ID": requestId,
+      "X-AtlaSent-Protocol-Version": "1"
+    };
+    const response = await this.fetchImpl(url, {
+      method: "GET",
+      headers,
+      signal: AbortSignal.timeout(this.timeoutMs)
+    });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      throw new AtlaSentError(`GET ${path} returned ${response.status}`, {
+        code: response.status >= 500 ? "server_error" : "bad_request",
+        status: response.status,
+        requestId
+      });
+    }
+    return response.arrayBuffer();
+  }
+  async _requestRaw(path, method, body, query) {
+    const qs = query && Array.from(query).length > 0 ? `?${query.toString()}` : "";
+    const url = `${this.baseUrl}${path}${qs}`;
+    const requestId = globalThis.crypto.randomUUID();
+    const headers = {
+      Accept: "application/json",
+      Authorization: `Bearer ${this.apiKey}`,
+      "User-Agent": this.userAgent,
+      "X-Request-ID": requestId,
+      "X-AtlaSent-Protocol-Version": "1"
+    };
+    if (method === "PUT" && body !== void 0) {
+      headers["Content-Type"] = "application/json";
+    }
+    const init = { method, headers, signal: AbortSignal.timeout(this.timeoutMs) };
+    if (method === "PUT" && body !== void 0) {
+      init.body = JSON.stringify(body);
+    }
+    const response = await this.fetchImpl(url, init);
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      throw new AtlaSentError(`${method} ${path} returned ${response.status}`, {
+        code: response.status >= 500 ? "server_error" : "bad_request",
+        status: response.status,
+        requestId
+      });
+    }
+    if (method === "DELETE") {
+      return { body: {} };
+    }
+    return { body: await response.json() };
+  }
 };
 function parseRateLimitHeaders(headers) {
   const rawLimit = headers.get("x-ratelimit-limit");
@@ -2104,7 +2871,7 @@ function buildAuditEventsQuery(query) {
   return params;
 }
 function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 function parseRetryAfter(raw) {
   if (!raw) return void 0;
@@ -2125,14 +2892,14 @@ async function* parseSseStream(body, requestId, timeoutMs, onEventId) {
     if (timeoutMs <= 0) {
       return reader.read();
     }
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       const timer = setTimeout(() => {
         reject(new StreamTimeoutError(timeoutMs));
       }, timeoutMs);
       reader.read().then(
         (result) => {
           clearTimeout(timer);
-          resolve2(result);
+          resolve3(result);
         },
         (err) => {
           clearTimeout(timer);
@@ -2305,6 +3072,15 @@ async function protect(request) {
       { code: "bad_request" }
     );
   }
+  const trustMgr = getGlobalTrustRootManager({ disableRefresh: false });
+  if (trustMgr.checkExpiry() === "expired") {
+    const snap = trustMgr.getSnapshot();
+    throw new BundleVerificationError({
+      reason: "trust_snapshot_expired",
+      snapshotValidUntil: snap.valid_until,
+      snapshotFetchedAt: snap.issued_at
+    });
+  }
   const client = getClient();
   const evaluation = await client.evaluate(request);
   if (evaluation.decision !== "allow") {
@@ -2359,15 +3135,15 @@ async function protect(request) {
 
 // src/hono.ts
 var DEFAULT_CONTEXT_KEY = "atlasent";
-async function resolve(value, c) {
+async function resolve2(value, c) {
   return typeof value === "function" ? await value(c) : value;
 }
 function atlaSentGuard(options) {
   const contextKey = options.key ?? DEFAULT_CONTEXT_KEY;
   return async (c, next) => {
     const [agent, action, ctx] = await Promise.all([
-      resolve(options.agent, c),
-      resolve(options.action, c),
+      resolve2(options.agent, c),
+      resolve2(options.action, c),
       options.context ? options.context(c) : Promise.resolve(void 0)
     ]);
     const request = { agent, action };