@axonflow/sdk 2.2.0 → 3.3.0

package/dist/cjs/client.js

@@ -2,8 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AxonFlow = void 0;
 const errors_1 = require("./errors");
-const openai_1 = require("./interceptors/openai");
-const anthropic_1 = require("./interceptors/anthropic");
 const helpers_1 = require("./utils/helpers");
 /**
  * Main AxonFlow client for invisible AI governance
@@ -27,7 +25,7 @@ class AxonFlow {
             clientSecret: config.clientSecret,
             endpoint,
             mode: config.mode || (hasCredentials ? 'production' : 'sandbox'),
-            tenant: config.tenant || 'default',
+            tenant: config.tenant || '',
             debug: config.debug || false,
             timeout: config.timeout || 30000,
             mapTimeout: config.mapTimeout || 120000, // 2 minutes for MAP operations
@@ -41,8 +39,8 @@ class AxonFlow {
                 ttl: config.cache?.ttl || 60000,
             },
         };
-        // Initialize interceptors
-        this.interceptors = [new openai_1.OpenAIInterceptor(), new anthropic_1.AnthropicInterceptor()];
+        // Interceptors removed in v3.0.0 (deprecated wrapOpenAIClient/wrapAnthropicClient)
+        this.interceptors = [];
         if (this.config.debug) {
             // Determine auth method for logging
             const authMethod = hasCredentials ? 'client-credentials' : 'community (no auth)';
@@ -67,10 +65,25 @@ class AxonFlow {
         if (this.config.clientId && this.config.clientSecret) {
             const credentials = Buffer.from(`${this.config.clientId}:${this.config.clientSecret}`).toString('base64');
             headers['Authorization'] = `Basic ${credentials}`;
+        }
+        // Always add X-Tenant-ID when clientId is set (required for multi-tenant APIs)
+        if (this.config.clientId) {
             headers['X-Tenant-ID'] = this.config.clientId;
         }
         return headers;
     }
+    /**
+     * Get the effective clientId, using smart default for community mode.
+     *
+     * Returns the configured clientId if set, otherwise returns "community"
+     * as a smart default. This enables zero-config usage for community/self-hosted
+     * deployments while still supporting enterprise deployments with explicit credentials.
+     *
+     * @returns The clientId to use in requests
+     */
+    getEffectiveClientId() {
+        return this.config.clientId || this.config.tenant || 'community';
+    }
     /**
      * Main method to protect AI calls with governance
      * @param aiCall The AI call to protect
@@ -108,7 +121,7 @@ class AxonFlow {
      *
      * **Proxy Mode:**
      * ```typescript
-     * const response = await axonflow.executeQuery({
+     * const response = await axonflow.proxyLLMCall({
      *   userToken: 'user-123',
      *   query: 'Your prompt here',
      *   requestType: 'chat'
@@ -118,8 +131,8 @@ class AxonFlow {
      * See: https://docs.getaxonflow.com/sdk/gateway-mode
      */
     async protect(aiCall) {
-        console.warn('[AxonFlow] protect() is deprecated and will be removed in v2.0.0. ' +
-            'Use Gateway Mode (getPolicyApprovedContext + auditLLMCall) or Proxy Mode (executeQuery) instead. ' +
+        console.warn('[AxonFlow] protect() is deprecated and will be removed in a future version. ' +
+            'Use Gateway Mode (getPolicyApprovedContext + auditLLMCall) or Proxy Mode (proxyLLMCall) instead. ' +
             'See: https://docs.getaxonflow.com/sdk/gateway-mode');
         try {
             // Extract request details from the AI call
@@ -380,10 +393,19 @@ class AxonFlow {
         }
     }
     /**
-     * Execute a query through AxonFlow with policy enforcement (Proxy Mode).
+     * Send a query through AxonFlow with full policy enforcement (Proxy Mode).
+     *
+     * This is Proxy Mode - AxonFlow acts as an intermediary, making the LLM call on your behalf.
      *
-     * This is the primary method for Proxy Mode, where AxonFlow handles policy
-     * checking and optionally routes requests to LLM providers.
+     * Use this when you want AxonFlow to:
+     *   - Evaluate policies before the LLM call
+     *   - Make the LLM call to the configured provider
+     *   - Filter/redact sensitive data from responses
+     *   - Automatically track costs and audit the interaction
+     *
+     * For Gateway Mode (lower latency, you make the LLM call), use:
+     *   - getPolicyApprovedContext() before your LLM call
+     *   - auditLLMCall() after your LLM call
      *
      * @param options - Query execution options
      * @returns ExecuteQueryResponse with results or error information
@@ -393,7 +415,7 @@ class AxonFlow {
      *
      * @example
      * ```typescript
-     * const response = await axonflow.executeQuery({
+     * const response = await axonflow.proxyLLMCall({
      *   userToken: 'user-123',
      *   query: 'Explain quantum computing',
      *   requestType: 'chat',
@@ -405,13 +427,13 @@ class AxonFlow {
      * }
      * ```
      */
-    async executeQuery(options) {
+    async proxyLLMCall(options) {
         // Default to "anonymous" if userToken is empty/undefined (community mode)
         const effectiveUserToken = options.userToken || 'anonymous';
         const agentRequest = {
             query: options.query,
             user_token: effectiveUserToken,
-            client_id: this.config.tenant,
+            client_id: this.config.clientId || this.config.tenant,
             request_type: options.requestType,
             context: options.context || {},
         };
@@ -421,7 +443,7 @@ class AxonFlow {
             ...this.getAuthHeaders(),
         };
         if (this.config.debug) {
-            (0, helpers_1.debugLog)('Proxy Mode: executeQuery', {
+            (0, helpers_1.debugLog)('Proxy Mode: proxyLLMCall', {
                 requestType: options.requestType,
                 query: options.query.substring(0, 50),
             });
@@ -432,9 +454,28 @@ class AxonFlow {
             body: JSON.stringify(agentRequest),
             signal: AbortSignal.timeout(this.config.timeout),
         });
+        let data;
         if (!response.ok) {
             const errorText = await response.text();
-            if (response.status === 401 || response.status === 403) {
+            // Handle HTTP 402 (Payment Required) for budget exceeded - parse as blocked response with budgetInfo
+            if (response.status === 402) {
+                try {
+                    data = JSON.parse(errorText);
+                    // If it has budget_info, treat as valid blocked response (fall through to normal processing)
+                    if (data.budget_info) {
+                        // Fall through to normal response processing below
+                    }
+                    else {
+                        throw new errors_1.APIError(response.status, 'Payment Required', errorText);
+                    }
+                }
+                catch (e) {
+                    if (e instanceof errors_1.APIError)
+                        throw e;
+                    throw new errors_1.APIError(response.status, 'Payment Required', errorText);
+                }
+            }
+            else if (response.status === 401 || response.status === 403) {
                 // Try to parse as JSON for policy violation info
                 try {
                     const errorJson = JSON.parse(errorText);
@@ -448,11 +489,17 @@ class AxonFlow {
                 }
                 throw new errors_1.AuthenticationError(`Request failed: ${errorText}`);
             }
-            throw new errors_1.APIError(response.status, response.statusText, errorText);
+            else {
+                throw new errors_1.APIError(response.status, response.statusText, errorText);
+            }
+        }
+        // Parse response if not already parsed (from 402 handling)
+        if (!data) {
+            data = await response.json();
         }
-        const data = await response.json();
         // Check for policy violation in successful response (some blocked responses return 200)
-        if (data.blocked) {
+        // Note: Don't throw for budget blocks (402 responses) - return with budgetInfo instead
+        if (data.blocked && !data.budget_info) {
             throw new errors_1.PolicyViolationError(data.block_reason || 'Request blocked by policy', data.policy_info?.policies_evaluated);
         }
         // Transform snake_case response to camelCase
@@ -477,8 +524,20 @@ class AxonFlow {
                 codeArtifact: data.policy_info.code_artifact,
             };
         }
+        // Parse budget info if present (Issue #1082)
+        if (data.budget_info) {
+            result.budgetInfo = {
+                budgetId: data.budget_info.budget_id,
+                budgetName: data.budget_info.budget_name,
+                usedUsd: data.budget_info.used_usd || 0,
+                limitUsd: data.budget_info.limit_usd || 0,
+                percentage: data.budget_info.percentage || 0,
+                exceeded: data.budget_info.exceeded || false,
+                action: data.budget_info.action,
+            };
+        }
         if (this.config.debug) {
-            (0, helpers_1.debugLog)('Proxy Mode: executeQuery result', {
+            (0, helpers_1.debugLog)('Proxy Mode: proxyLLMCall result', {
                 success: result.success,
                 blocked: result.blocked,
                 hasData: !!result.data,
@@ -578,19 +637,115 @@ class AxonFlow {
             meta: agentResponse.metadata,
         };
     }
+    /**
+     * Execute a query directly against the MCP connector endpoint.
+     *
+     * This method calls the agent's /mcp/resources/query endpoint which provides:
+     * - Request-phase policy evaluation (SQLi blocking, PII blocking)
+     * - Response-phase policy evaluation (PII redaction)
+     * - PolicyInfo metadata in responses
+     *
+     * @example
+     * ```typescript
+     * const response = await axonflow.mcpQuery({
+     *   connector: 'postgres',
+     *   statement: 'SELECT * FROM customers LIMIT 10',
+     * });
+     *
+     * if (response.redacted) {
+     *   console.log('Fields redacted:', response.redacted_fields);
+     * }
+     * console.log('Policies evaluated:', response.policy_info?.policies_evaluated);
+     * ```
+     *
+     * @param options - Query options including connector name and SQL statement
+     * @returns ConnectorResponse with data, redaction info, and policy_info
+     * @throws ConnectorError if the request is blocked by policy or fails
+     */
+    async mcpQuery(options) {
+        if (!options.connector) {
+            throw new errors_1.ConnectorError('connector name is required', undefined, 'mcpQuery');
+        }
+        if (!options.statement) {
+            throw new errors_1.ConnectorError('statement is required', undefined, 'mcpQuery');
+        }
+        const url = `${this.config.endpoint}/mcp/resources/query`;
+        const headers = {
+            'Content-Type': 'application/json',
+            ...this.getAuthHeaders(),
+        };
+        const body = {
+            connector: options.connector,
+            statement: options.statement,
+            options: options.options || {},
+        };
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('MCP Query', {
+                connector: options.connector,
+                statement: options.statement.substring(0, 50),
+            });
+        }
+        const response = await fetch(url, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        const responseData = await response.json();
+        // Handle policy blocks (403 responses)
+        if (!response.ok) {
+            throw new errors_1.ConnectorError(responseData.error || `MCP query failed: ${response.status} ${response.statusText}`, options.connector, 'mcpQuery');
+        }
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('MCP Query result', {
+                connector: options.connector,
+                success: responseData.success,
+                redacted: responseData.redacted,
+                policiesEvaluated: responseData.policy_info?.policies_evaluated,
+            });
+        }
+        return {
+            success: responseData.success,
+            data: responseData.data,
+            error: responseData.error,
+            meta: responseData.meta,
+            redacted: responseData.redacted,
+            redacted_fields: responseData.redacted_fields,
+            policy_info: responseData.policy_info,
+        };
+    }
+    /**
+     * Execute a statement against an MCP connector (alias for mcpQuery).
+     *
+     * Same as mcpQuery but follows the naming convention of other execute* methods.
+     *
+     * @param options - Query options including connector name and SQL statement
+     * @returns ConnectorResponse with data, redaction info, and policy_info
+     */
+    async mcpExecute(options) {
+        return this.mcpQuery(options);
+    }
     /**
      * Generate a multi-agent execution plan from a natural language query
      * @param query - Natural language query describing the task
      * @param domain - Optional domain hint (travel, healthcare, etc.)
      * @param userToken - Optional user token for authentication (defaults to tenant/client_id)
+     * @param options - Optional plan generation options (execution mode, etc.)
      */
-    async generatePlan(query, domain, userToken) {
+    async generatePlan(query, domain, userToken, options) {
+        const context = {};
+        if (domain) {
+            context.domain = domain;
+        }
+        if (options?.executionMode) {
+            context.execution_mode = options.executionMode;
+        }
         const agentRequest = {
             query,
-            user_token: userToken || this.config.tenant,
-            client_id: this.config.tenant,
+            user_token: userToken || this.config.clientId || this.config.tenant,
+            client_id: this.config.clientId || this.config.tenant,
             request_type: 'multi-agent-plan',
-            context: domain ? { domain } : {},
+            context,
         };
         const url = `${this.config.endpoint}/api/request`;
         const headers = {
@@ -634,8 +789,8 @@ class AxonFlow {
     async executePlan(planId, userToken) {
         const agentRequest = {
             query: '',
-            user_token: userToken || this.config.tenant,
-            client_id: this.config.tenant,
+            user_token: userToken || this.config.clientId || this.config.tenant,
+            client_id: this.config.clientId || this.config.tenant,
             request_type: 'execute-plan',
             context: { plan_id: planId },
         };
@@ -656,16 +811,43 @@ class AxonFlow {
             throw new errors_1.PlanExecutionError(`Plan execution failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'execution');
         }
         const agentResponse = await response.json();
+        // Detect nested data.success=false (agent wraps orchestrator errors)
+        let success = agentResponse.success;
+        let error = agentResponse.error;
+        let result = agentResponse.result;
+        const data = agentResponse.data;
+        if (data && typeof data === 'object' && data.success === false) {
+            success = false;
+            if (data.error && !error)
+                error = data.error;
+            // Throw on nested failure (e.g., cancelled plan execution)
+            throw new errors_1.PlanExecutionError(error || 'Plan execution failed', planId, 'execution');
+        }
+        if (!result && data?.result)
+            result = data.result;
         if (this.config.debug) {
-            (0, helpers_1.debugLog)('Plan executed', { planId, success: agentResponse.success });
+            (0, helpers_1.debugLog)('Plan executed', { planId, success });
+        }
+        // Read status from response data if available (e.g., "awaiting_approval" for confirm mode)
+        let status = success ? 'completed' : 'failed';
+        if (data &&
+            typeof data === 'object' &&
+            'status' in data &&
+            typeof data.status === 'string' &&
+            data.status) {
+            status = data.status;
+        }
+        else if (agentResponse.metadata?.status) {
+            status = agentResponse.metadata.status;
         }
         return {
             planId,
-            status: agentResponse.success ? 'completed' : 'failed',
-            result: agentResponse.result,
-            stepResults: agentResponse.metadata?.step_results,
-            error: agentResponse.error,
-            duration: agentResponse.metadata?.duration,
+            status,
+            result,
+            workflowId: data?.workflow_id,
+            stepResults: agentResponse.metadata?.step_results ?? data?.metadata?.step_results,
+            error,
+            duration: agentResponse.metadata?.duration ?? data?.metadata?.duration,
         };
     }
     /**
@@ -691,6 +873,150 @@ class AxonFlow {
             duration: status.duration,
         };
     }
+    /**
+     * Cancel a running or pending plan
+     * @param planId - ID of the plan to cancel
+     * @param reason - Optional reason for cancellation
+     */
+    async cancelPlan(planId, reason) {
+        const url = `${this.config.endpoint}/api/v1/plan/${planId}/cancel`;
+        const headers = {
+            'Content-Type': 'application/json',
+            ...this.getAuthHeaders(),
+        };
+        const body = {};
+        if (reason) {
+            body.reason = reason;
+        }
+        const response = await fetch(url, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.mapTimeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.PlanExecutionError(`Plan cancellation failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'cancel');
+        }
+        const data = await response.json();
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Plan cancelled', { planId, status: data.status });
+        }
+        return {
+            planId: data.plan_id || planId,
+            status: data.status,
+            message: data.message,
+        };
+    }
+    /**
+     * Update a plan with optimistic concurrency control.
+     * Throws VersionConflictError on 409 (version mismatch).
+     * @param planId - ID of the plan to update
+     * @param request - Update request with version and fields to change
+     */
+    async updatePlan(planId, request) {
+        const url = `${this.config.endpoint}/api/v1/plan/${planId}`;
+        const headers = {
+            'Content-Type': 'application/json',
+            ...this.getAuthHeaders(),
+        };
+        const body = {
+            version: request.version,
+        };
+        if (request.executionMode) {
+            body.execution_mode = request.executionMode;
+        }
+        if (request.domain) {
+            body.domain = request.domain;
+        }
+        const response = await fetch(url, {
+            method: 'PUT',
+            headers,
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.mapTimeout),
+        });
+        if (response.status === 409) {
+            const errorData = await response.json().catch(() => ({}));
+            throw new errors_1.VersionConflictError(planId, request.version, errorData.current_version);
+        }
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.PlanExecutionError(`Plan update failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'update');
+        }
+        const data = await response.json();
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Plan updated', { planId, version: data.version });
+        }
+        return {
+            planId: data.plan_id || planId,
+            version: data.version,
+            status: data.status,
+            success: data.success ?? true,
+        };
+    }
+    /**
+     * Get version history for a plan
+     * @param planId - ID of the plan
+     */
+    async getPlanVersions(planId) {
+        const url = `${this.config.endpoint}/api/v1/plan/${planId}/versions`;
+        const headers = {
+            ...this.getAuthHeaders(),
+        };
+        const response = await fetch(url, {
+            method: 'GET',
+            headers,
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.PlanExecutionError(`Get plan versions failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'versions');
+        }
+        const data = await response.json();
+        const versions = (data.versions || []).map((v) => ({
+            version: v.version,
+            changedAt: v.changed_at,
+            changedBy: v.changed_by,
+            changeType: v.change_type,
+            changeSummary: v.change_summary,
+        }));
+        return {
+            planId: data.plan_id || planId,
+            versions,
+        };
+    }
+    /**
+     * Resume a paused plan (e.g., after approval gate or confirm mode)
+     * @param planId - ID of the plan to resume
+     * @param approved - Whether the plan is approved to proceed (defaults to true)
+     */
+    async resumePlan(planId, approved) {
+        const url = `${this.config.endpoint}/api/v1/plan/${planId}/resume`;
+        const headers = {
+            'Content-Type': 'application/json',
+            ...this.getAuthHeaders(),
+        };
+        const response = await fetch(url, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({ approved: approved ?? true }),
+            signal: AbortSignal.timeout(this.config.mapTimeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.PlanExecutionError(`Plan resume failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'resume');
+        }
+        const data = await response.json();
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Plan resumed', { planId, approved: data.approved });
+        }
+        return {
+            planId: data.plan_id || planId,
+            status: data.status,
+            approved: data.approved,
+            message: data.message,
+        };
+    }
     // ============================================================================
     // Gateway Mode Methods
     // ============================================================================
@@ -743,12 +1069,12 @@ class AxonFlow {
      * ```
      */
     async getPolicyApprovedContext(options) {
-        // Gateway Mode - credentials optional for community/self-hosted mode
-        // Server decides whether to require authentication based on DEPLOYMENT_MODE
+        // Use smart default for clientId - enables zero-config community mode
+        const clientId = this.getEffectiveClientId();
         const url = `${this.config.endpoint}/api/policy/pre-check`;
         const requestBody = {
             user_token: options.userToken,
-            client_id: this.config.tenant,
+            client_id: clientId,
             query: options.query,
             data_sources: options.dataSources || [],
             context: options.context || {},
@@ -828,12 +1154,12 @@ class AxonFlow {
      * ```
      */
     async auditLLMCall(options) {
-        // Gateway Mode - credentials optional for community/self-hosted mode
-        // Server decides whether to require authentication based on DEPLOYMENT_MODE
+        // Use smart default for clientId - enables zero-config community mode
+        const clientId = this.getEffectiveClientId();
         const url = `${this.config.endpoint}/api/audit/llm-call`;
         const requestBody = {
             context_id: options.contextId,
-            client_id: this.config.tenant,
+            client_id: clientId,
             response_summary: options.responseSummary,
             provider: options.provider,
             model: options.model,
@@ -1039,11 +1365,9 @@ class AxonFlow {
             'Content-Type': 'application/json',
             ...this.getAuthHeaders(),
         };
-        // Always include tenant ID for policy APIs (X-Org-ID header for server compatibility)
-        // Note: getAuthHeaders() already adds X-Tenant-ID when tenant is non-default
-        if (this.config.tenant) {
-            headers['X-Org-ID'] = this.config.tenant;
-        }
+        // Note: X-Tenant-ID is set by getAuthHeaders() from clientId
+        // Do NOT set X-Org-ID here - the server derives org from tenant context
+        // Setting X-Org-ID to 'default' breaks budget queries which expect org_id to match client.OrgID
         return headers;
     }
     /**
@@ -1403,6 +1727,10 @@ class AxonFlow {
         const params = new URLSearchParams();
         if (options?.type)
             params.set('type', options.type);
+        if (options?.tier)
+            params.set('tier', options.tier);
+        if (options?.organizationId)
+            params.set('organization_id', options.organizationId);
         if (options?.enabled !== undefined)
             params.set('enabled', String(options.enabled));
         if (options?.limit)
@@ -1463,8 +1791,27 @@ class AxonFlow {
         if (this.config.debug) {
             (0, helpers_1.debugLog)('Creating dynamic policy', { name: policy.name });
         }
+        // Convert camelCase to snake_case for API compatibility
+        const requestBody = {
+            name: policy.name,
+            type: policy.type,
+            conditions: policy.conditions,
+            actions: policy.actions,
+        };
+        if (policy.description)
+            requestBody.description = policy.description;
+        if (policy.category)
+            requestBody.category = policy.category;
+        if (policy.priority !== undefined)
+            requestBody.priority = policy.priority;
+        if (policy.enabled !== undefined)
+            requestBody.enabled = policy.enabled;
+        requestBody.tier = policy.tier || 'tenant';
+        if (policy.organizationId) {
+            requestBody.organization_id = policy.organizationId;
+        }
         // API returns {"policy": {...}} wrapper via Agent proxy
-        const response = await this.orchestratorRequest('POST', '/api/v1/dynamic-policies', policy);
+        const response = await this.orchestratorRequest('POST', '/api/v1/dynamic-policies', requestBody);
         // Handle both wrapped and unwrapped responses for compatibility
         return 'policy' in response ? response.policy : response;
     }
@@ -1479,8 +1826,30 @@ class AxonFlow {
         if (this.config.debug) {
             (0, helpers_1.debugLog)('Updating dynamic policy', { id, updates: Object.keys(policy) });
         }
+        // Convert camelCase to snake_case for API compatibility
+        const requestBody = {};
+        if (policy.name !== undefined)
+            requestBody.name = policy.name;
+        if (policy.description !== undefined)
+            requestBody.description = policy.description;
+        if (policy.type !== undefined)
+            requestBody.type = policy.type;
+        if (policy.category !== undefined)
+            requestBody.category = policy.category;
+        if (policy.tier !== undefined)
+            requestBody.tier = policy.tier;
+        if (policy.organizationId !== undefined)
+            requestBody.organization_id = policy.organizationId;
+        if (policy.conditions !== undefined)
+            requestBody.conditions = policy.conditions;
+        if (policy.actions !== undefined)
+            requestBody.actions = policy.actions;
+        if (policy.priority !== undefined)
+            requestBody.priority = policy.priority;
+        if (policy.enabled !== undefined)
+            requestBody.enabled = policy.enabled;
         // API returns {"policy": {...}} wrapper via Agent proxy
-        const response = await this.orchestratorRequest('PUT', `/api/v1/dynamic-policies/${id}`, policy);
+        const response = await this.orchestratorRequest('PUT', `/api/v1/dynamic-policies/${id}`, requestBody);
         // Handle both wrapped and unwrapped responses for compatibility
         return 'policy' in response ? response.policy : response;
     }
@@ -2789,6 +3158,1352 @@ class AxonFlow {
         }
         return response.text();
     }
+    // =============================================================================
+    // Workflow Control Plane (Issue #834)
+    // =============================================================================
+    /**
+     * Create a new workflow for governance tracking.
+     *
+     * Call this at the start of your external orchestrator workflow (LangChain, LangGraph, CrewAI, etc.)
+     * to register it with AxonFlow for governance tracking.
+     *
+     * @example
+     * ```typescript
+     * const workflow = await client.createWorkflow({
+     *   workflow_name: 'customer-support-agent',
+     *   source: 'langgraph',
+     *   total_steps: 5,
+     *   metadata: { customer_id: 'cust-123' }
+     * });
+     * console.log(`Workflow created: ${workflow.workflow_id}`);
+     * ```
+     */
+    async createWorkflow(request) {
+        const response = await this.orchestratorRequest('POST', '/api/v1/workflows', request);
+        return response;
+    }
+    /**
+     * Get the status of a workflow.
+     *
+     * @example
+     * ```typescript
+     * const status = await client.getWorkflow('wf_123');
+     * console.log(`Status: ${status.status}, Step: ${status.current_step_index}`);
+     * ```
+     */
+    async getWorkflow(workflowId) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        const response = await this.orchestratorRequest('GET', `/api/v1/workflows/${workflowId}`);
+        return response;
+    }
+    /**
+     * Check if a workflow step is allowed to proceed (step gate).
+     *
+     * This is the core governance method. Call this before executing each step
+     * in your workflow to check if the step is allowed based on policies.
+     *
+     * @example
+     * ```typescript
+     * const gate = await client.stepGate('wf_123', 'step-generate-code', {
+     *   step_name: 'Generate Code',
+     *   step_type: 'llm_call',
+     *   model: 'gpt-4',
+     *   provider: 'openai',
+     *   step_input: { prompt: 'Generate a hello world function' }
+     * });
+     *
+     * if (gate.decision === 'block') {
+     *   throw new Error(`Step blocked: ${gate.reason}`);
+     * }
+     * if (gate.decision === 'require_approval') {
+     *   console.log(`Approval required: ${gate.approval_url}`);
+     *   return;
+     * }
+     * // Step is allowed, proceed with execution
+     * ```
+     */
+    async stepGate(workflowId, stepId, request) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        if (!stepId) {
+            throw new errors_1.ConfigurationError('Step ID is required');
+        }
+        const response = await this.orchestratorRequest('POST', `/api/v1/workflows/${workflowId}/steps/${stepId}/gate`, request);
+        return response;
+    }
+    /**
+     * Complete a workflow successfully.
+     *
+     * Call this when your workflow has completed all steps successfully.
+     *
+     * @example
+     * ```typescript
+     * await client.completeWorkflow('wf_123');
+     * ```
+     */
+    async completeWorkflow(workflowId) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        await this.orchestratorRequest('POST', `/api/v1/workflows/${workflowId}/complete`, {});
+    }
+    /**
+     * Abort a workflow.
+     *
+     * Call this when you need to stop a workflow due to an error or user request.
+     *
+     * @example
+     * ```typescript
+     * await client.abortWorkflow('wf_123', 'User cancelled the operation');
+     * ```
+     */
+    async abortWorkflow(workflowId, reason) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        const request = reason ? { reason } : {};
+        await this.orchestratorRequest('POST', `/api/v1/workflows/${workflowId}/abort`, request);
+    }
+    /**
+     * Mark a workflow step as completed.
+     *
+     * Call this after a step has been executed successfully.
+     *
+     * @example
+     * ```typescript
+     * await client.markStepCompleted('wf_123', 'step-1', {
+     *   output: { result: 'success' }
+     * });
+     * ```
+     */
+    async markStepCompleted(workflowId, stepId, request) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        if (!stepId) {
+            throw new errors_1.ConfigurationError('Step ID is required');
+        }
+        await this.orchestratorRequest('POST', `/api/v1/workflows/${workflowId}/steps/${stepId}/complete`, request || {});
+    }
+    /**
+     * Resume a workflow after approval.
+     *
+     * Call this after a step has been approved to continue the workflow.
+     *
+     * @example
+     * ```typescript
+     * // After approval received via webhook or polling
+     * await client.resumeWorkflow('wf_123');
+     * ```
+     */
+    async resumeWorkflow(workflowId) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        await this.orchestratorRequest('POST', `/api/v1/workflows/${workflowId}/resume`, {});
+    }
+    /**
+     * List workflows with optional filters.
+     *
+     * @example
+     * ```typescript
+     * const result = await client.listWorkflows({
+     *   status: 'in_progress',
+     *   source: 'langgraph',
+     *   limit: 10
+     * });
+     * console.log(`Found ${result.total} workflows`);
+     * ```
+     */
+    async listWorkflows(options) {
+        const params = new URLSearchParams();
+        if (options?.status) {
+            params.set('status', options.status);
+        }
+        if (options?.source) {
+            params.set('source', options.source);
+        }
+        if (options?.limit !== undefined) {
+            params.set('limit', options.limit.toString());
+        }
+        if (options?.offset !== undefined) {
+            params.set('offset', options.offset.toString());
+        }
+        const queryString = params.toString();
+        const path = queryString ? `/api/v1/workflows?${queryString}` : '/api/v1/workflows';
+        const response = await this.orchestratorRequest('GET', path);
+        return response;
+    }
+    // =============================================================================
+    // WCP Approval Methods (Feature 5)
+    // =============================================================================
+    /**
+     * Approve a workflow step that requires human approval.
+     *
+     * Call this to approve a step that was gated with a 'require_approval' decision.
+     *
+     * @param workflowId - ID of the workflow
+     * @param stepId - ID of the step to approve
+     * @returns Approval response with status
+     *
+     * @example
+     * ```typescript
+     * const result = await client.approveStep('wf_123', 'step_456');
+     * console.log(`Step ${result.step_id} status: ${result.status}`);
+     * ```
+     */
+    async approveStep(workflowId, stepId) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        if (!stepId) {
+            throw new errors_1.ConfigurationError('Step ID is required');
+        }
+        return this.orchestratorRequest('POST', `/api/v1/workflow-control/${workflowId}/steps/${stepId}/approve`, {});
+    }
+    /**
+     * Reject a workflow step that requires human approval.
+     *
+     * Call this to reject a step that was gated with a 'require_approval' decision.
+     *
+     * @param workflowId - ID of the workflow
+     * @param stepId - ID of the step to reject
+     * @param reason - Optional reason for rejection
+     * @returns Rejection response with status
+     *
+     * @example
+     * ```typescript
+     * const result = await client.rejectStep('wf_123', 'step_456', 'Policy violation detected');
+     * console.log(`Step ${result.step_id} status: ${result.status}`);
+     * ```
+     */
+    async rejectStep(workflowId, stepId, reason) {
+        if (!workflowId) {
+            throw new errors_1.ConfigurationError('Workflow ID is required');
+        }
+        if (!stepId) {
+            throw new errors_1.ConfigurationError('Step ID is required');
+        }
+        const body = {};
+        if (reason) {
+            body.reason = reason;
+        }
+        return this.orchestratorRequest('POST', `/api/v1/workflow-control/${workflowId}/steps/${stepId}/reject`, body);
+    }
+    /**
+     * Get pending approvals for workflow steps.
+     *
+     * Lists all steps that are waiting for human approval across all workflows.
+     *
+     * @param options - Optional filtering options
+     * @returns List of pending approvals with total count
+     *
+     * @example
+     * ```typescript
+     * const pending = await client.getPendingApprovals({ limit: 10 });
+     * console.log(`${pending.total} approvals pending`);
+     * for (const approval of pending.approvals) {
+     *   console.log(`${approval.workflow_name} / ${approval.step_name}`);
+     * }
+     * ```
+     */
+    async getPendingApprovals(options) {
+        const params = new URLSearchParams();
+        if (options?.limit !== undefined) {
+            params.set('limit', options.limit.toString());
+        }
+        const queryString = params.toString();
+        const path = queryString
+            ? `/api/v1/workflow-control/pending-approvals?${queryString}`
+            : '/api/v1/workflow-control/pending-approvals';
+        return this.orchestratorRequest('GET', path);
+    }
+    // =============================================================================
+    // Plan Rollback (Feature 7)
+    // =============================================================================
+    /**
+     * Rollback a plan to a previous version.
+     *
+     * @param planId - ID of the plan to rollback
+     * @param targetVersion - Version number to rollback to
+     * @returns Rollback response with version information
+     *
+     * @example
+     * ```typescript
+     * const result = await client.rollbackPlan('plan_123', 2);
+     * console.log(`Rolled back to v${result.version} from v${result.previousVersion}`);
+     * ```
+     */
+    async rollbackPlan(planId, targetVersion) {
+        const url = `${this.config.endpoint}/api/v1/plan/${planId}/rollback/${targetVersion}`;
+        const headers = {
+            'Content-Type': 'application/json',
+            ...this.getAuthHeaders(),
+        };
+        const response = await fetch(url, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({}),
+            signal: AbortSignal.timeout(this.config.mapTimeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.PlanExecutionError(`Plan rollback failed: ${response.status} ${response.statusText} - ${errorText}`, planId, 'rollback');
+        }
+        const data = await response.json();
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Plan rolled back', { planId, version: data.version });
+        }
+        return {
+            planId: data.plan_id || planId,
+            version: data.version,
+            previousVersion: data.previous_version,
+            status: data.status,
+        };
+    }
+    // =============================================================================
+    // Webhook CRUD Methods (Feature 7)
+    // =============================================================================
+    /**
+     * Create a webhook subscription.
+     *
+     * @param request - Webhook configuration
+     * @returns Created webhook subscription
+     *
+     * @example
+     * ```typescript
+     * const webhook = await client.createWebhook({
+     *   url: 'https://example.com/webhook',
+     *   events: ['workflow.completed', 'step.approval_required'],
+     *   active: true
+     * });
+     * console.log(`Webhook created: ${webhook.id}`);
+     * ```
+     */
+    async createWebhook(request) {
+        return this.orchestratorRequest('POST', '/api/v1/webhooks', request);
+    }
+    /**
+     * Get a webhook subscription by ID.
+     *
+     * @param webhookId - ID of the webhook to retrieve
+     * @returns Webhook subscription details
+     *
+     * @example
+     * ```typescript
+     * const webhook = await client.getWebhook('wh_123');
+     * console.log(`Webhook URL: ${webhook.url}, Active: ${webhook.active}`);
+     * ```
+     */
+    async getWebhook(webhookId) {
+        if (!webhookId) {
+            throw new errors_1.ConfigurationError('Webhook ID is required');
+        }
+        return this.orchestratorRequest('GET', `/api/v1/webhooks/${webhookId}`);
+    }
+    /**
+     * Update a webhook subscription.
+     *
+     * @param webhookId - ID of the webhook to update
+     * @param request - Fields to update
+     * @returns Updated webhook subscription
+     *
+     * @example
+     * ```typescript
+     * const webhook = await client.updateWebhook('wh_123', {
+     *   events: ['workflow.completed'],
+     *   active: false
+     * });
+     * ```
+     */
+    async updateWebhook(webhookId, request) {
+        if (!webhookId) {
+            throw new errors_1.ConfigurationError('Webhook ID is required');
+        }
+        return this.orchestratorRequest('PUT', `/api/v1/webhooks/${webhookId}`, request);
+    }
+    /**
+     * Delete a webhook subscription.
+     *
+     * @param webhookId - ID of the webhook to delete
+     *
+     * @example
+     * ```typescript
+     * await client.deleteWebhook('wh_123');
+     * ```
+     */
+    async deleteWebhook(webhookId) {
+        if (!webhookId) {
+            throw new errors_1.ConfigurationError('Webhook ID is required');
+        }
+        await this.orchestratorRequest('DELETE', `/api/v1/webhooks/${webhookId}`);
+    }
+    /**
+     * List all webhook subscriptions.
+     *
+     * @returns List of webhook subscriptions with total count
+     *
+     * @example
+     * ```typescript
+     * const result = await client.listWebhooks();
+     * console.log(`${result.total} webhooks configured`);
+     * for (const wh of result.webhooks) {
+     *   console.log(`${wh.id}: ${wh.url} (${wh.active ? 'active' : 'inactive'})`);
+     * }
+     * ```
+     */
+    async listWebhooks() {
+        return this.orchestratorRequest('GET', '/api/v1/webhooks');
+    }
+    // ===========================================================================
+    // MAS FEAT Compliance Methods (Enterprise)
+    // ===========================================================================
+    /**
+     * MAS FEAT compliance module for Singapore regulatory compliance.
+     *
+     * Enterprise Feature: Requires AxonFlow Enterprise license.
+     *
+     * @example
+     * ```typescript
+     * // Register an AI system
+     * const system = await axonflow.masfeat.registerSystem({
+     *   systemId: 'credit-scoring-v1',
+     *   systemName: 'Credit Scoring AI',
+     *   useCase: 'credit_scoring',
+     *   ownerTeam: 'Risk Management',
+     *   customerImpact: 4,
+     *   modelComplexity: 3,
+     *   humanReliance: 5
+     * });
+     *
+     * // Configure kill switch
+     * const ks = await axonflow.masfeat.configureKillSwitch('credit-scoring-v1', {
+     *   accuracyThreshold: 0.85,
+     *   biasThreshold: 0.15,
+     *   autoTriggerEnabled: true
+     * });
+     * ```
+     */
+    get masfeat() {
+        return {
+            // Registry methods
+            registerSystem: this.masfeatRegisterSystem.bind(this),
+            getSystem: this.masfeatGetSystem.bind(this),
+            updateSystem: this.masfeatUpdateSystem.bind(this),
+            listSystems: this.masfeatListSystems.bind(this),
+            activateSystem: this.masfeatActivateSystem.bind(this),
+            retireSystem: this.masfeatRetireSystem.bind(this),
+            getRegistrySummary: this.masfeatGetRegistrySummary.bind(this),
+            // Assessment methods
+            createAssessment: this.masfeatCreateAssessment.bind(this),
+            getAssessment: this.masfeatGetAssessment.bind(this),
+            updateAssessment: this.masfeatUpdateAssessment.bind(this),
+            listAssessments: this.masfeatListAssessments.bind(this),
+            submitAssessment: this.masfeatSubmitAssessment.bind(this),
+            approveAssessment: this.masfeatApproveAssessment.bind(this),
+            rejectAssessment: this.masfeatRejectAssessment.bind(this),
+            // Kill switch methods
+            getKillSwitch: this.masfeatGetKillSwitch.bind(this),
+            configureKillSwitch: this.masfeatConfigureKillSwitch.bind(this),
+            checkKillSwitch: this.masfeatCheckKillSwitch.bind(this),
+            triggerKillSwitch: this.masfeatTriggerKillSwitch.bind(this),
+            restoreKillSwitch: this.masfeatRestoreKillSwitch.bind(this),
+            enableKillSwitch: this.masfeatEnableKillSwitch.bind(this),
+            disableKillSwitch: this.masfeatDisableKillSwitch.bind(this),
+            getKillSwitchHistory: this.masfeatGetKillSwitchHistory.bind(this),
+        };
+    }
+    // Registry Methods
+    async masfeatRegisterSystem(request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry`;
+        const body = {
+            system_id: request.systemId,
+            system_name: request.systemName,
+            description: request.description,
+            use_case: request.useCase,
+            owner_team: request.ownerTeam,
+            technical_owner: request.technicalOwner,
+            owner_email: request.businessOwner,
+            risk_rating_impact: request.customerImpact,
+            risk_rating_complexity: request.modelComplexity,
+            risk_rating_reliance: request.humanReliance,
+            metadata: request.metadata,
+        };
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapSystemResponse(await response.json());
+    }
+    async masfeatGetSystem(systemId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry/${systemId}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapSystemResponse(await response.json());
+    }
+    async masfeatUpdateSystem(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry/${systemId}`;
+        const body = {};
+        if (request.systemName !== undefined)
+            body.system_name = request.systemName;
+        if (request.description !== undefined)
+            body.description = request.description;
+        if (request.ownerTeam !== undefined)
+            body.owner_team = request.ownerTeam;
+        if (request.technicalOwner !== undefined)
+            body.technical_owner = request.technicalOwner;
+        if (request.businessOwner !== undefined)
+            body.business_owner = request.businessOwner;
+        if (request.customerImpact !== undefined)
+            body.customer_impact = request.customerImpact;
+        if (request.modelComplexity !== undefined)
+            body.model_complexity = request.modelComplexity;
+        if (request.humanReliance !== undefined)
+            body.human_reliance = request.humanReliance;
+        if (request.metadata !== undefined)
+            body.metadata = request.metadata;
+        const response = await fetch(url, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapSystemResponse(await response.json());
+    }
+    async masfeatListSystems(options) {
+        const params = new URLSearchParams();
+        if (options?.status)
+            params.append('status', options.status);
+        if (options?.useCase)
+            params.append('use_case', options.useCase);
+        if (options?.materiality)
+            params.append('materiality', options.materiality);
+        if (options?.limit)
+            params.append('limit', options.limit.toString());
+        if (options?.offset)
+            params.append('offset', options.offset.toString());
+        const queryString = params.toString();
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry${queryString ? `?${queryString}` : ''}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        const data = await response.json();
+        return (data || []).map((s) => this.mapSystemResponse(s));
+    }
+    async masfeatActivateSystem(systemId) {
+        // Use PUT to update status - the /activate endpoint doesn't exist
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry/${systemId}`;
+        const response = await fetch(url, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({ status: 'active' }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapSystemResponse(await response.json());
+    }
+    async masfeatRetireSystem(systemId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry/${systemId}`;
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapSystemResponse(await response.json());
+    }
+    async masfeatGetRegistrySummary() {
+        const url = `${this.config.endpoint}/api/v1/masfeat/registry/summary`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        const data = await response.json();
+        return {
+            totalSystems: data.total_systems,
+            activeSystems: data.active_systems,
+            highMaterialityCount: data.high_materiality_count ?? data.high_materiality ?? 0,
+            mediumMaterialityCount: data.medium_materiality_count ?? data.medium_materiality ?? 0,
+            lowMaterialityCount: data.low_materiality_count ?? data.low_materiality ?? 0,
+            byUseCase: data.by_use_case || {},
+            byStatus: data.by_status || {},
+        };
+    }
+    // Assessment Methods
+    async masfeatCreateAssessment(request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments`;
+        const body = {
+            system_id: request.systemId,
+            assessment_type: request.assessmentType || 'periodic',
+            assessors: request.assessors,
+        };
+        if (request.assessmentDate)
+            body.assessment_date = request.assessmentDate.toISOString();
+        if (request.fairnessScore !== undefined)
+            body.fairness_score = request.fairnessScore;
+        if (request.ethicsScore !== undefined)
+            body.ethics_score = request.ethicsScore;
+        if (request.accountabilityScore !== undefined)
+            body.accountability_score = request.accountabilityScore;
+        if (request.transparencyScore !== undefined)
+            body.transparency_score = request.transparencyScore;
+        if (request.fairnessDetails)
+            body.fairness_details = request.fairnessDetails;
+        if (request.ethicsDetails)
+            body.ethics_details = request.ethicsDetails;
+        if (request.accountabilityDetails)
+            body.accountability_details = request.accountabilityDetails;
+        if (request.transparencyDetails)
+            body.transparency_details = request.transparencyDetails;
+        if (request.recommendations)
+            body.recommendations = request.recommendations;
+        if (request.findings) {
+            body.findings = request.findings.map(f => ({
+                id: f.id,
+                pillar: f.pillar,
+                severity: f.severity,
+                category: f.category,
+                description: f.description,
+                status: f.status,
+                remediation: f.remediation,
+                due_date: f.dueDate?.toISOString(),
+            }));
+        }
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    async masfeatGetAssessment(assessmentId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments/${assessmentId}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    async masfeatUpdateAssessment(assessmentId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments/${assessmentId}`;
+        const body = {};
+        if (request.fairnessScore !== undefined)
+            body.fairness_score = request.fairnessScore;
+        if (request.ethicsScore !== undefined)
+            body.ethics_score = request.ethicsScore;
+        if (request.accountabilityScore !== undefined)
+            body.accountability_score = request.accountabilityScore;
+        if (request.transparencyScore !== undefined)
+            body.transparency_score = request.transparencyScore;
+        if (request.fairnessDetails !== undefined)
+            body.fairness_details = request.fairnessDetails;
+        if (request.ethicsDetails !== undefined)
+            body.ethics_details = request.ethicsDetails;
+        if (request.accountabilityDetails !== undefined)
+            body.accountability_details = request.accountabilityDetails;
+        if (request.transparencyDetails !== undefined)
+            body.transparency_details = request.transparencyDetails;
+        if (request.findings !== undefined) {
+            body.findings = request.findings.map(f => ({
+                id: f.id,
+                pillar: f.pillar,
+                severity: f.severity,
+                category: f.category,
+                description: f.description,
+                status: f.status,
+                remediation: f.remediation,
+                due_date: f.dueDate?.toISOString(),
+            }));
+        }
+        if (request.recommendations !== undefined)
+            body.recommendations = request.recommendations;
+        if (request.assessors !== undefined)
+            body.assessors = request.assessors;
+        const response = await fetch(url, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    async masfeatListAssessments(options) {
+        const params = new URLSearchParams();
+        if (options?.systemId)
+            params.append('system_id', options.systemId);
+        if (options?.status)
+            params.append('status', options.status);
+        if (options?.limit)
+            params.append('limit', options.limit.toString());
+        if (options?.offset)
+            params.append('offset', options.offset.toString());
+        const queryString = params.toString();
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments${queryString ? `?${queryString}` : ''}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        const data = await response.json();
+        return (data || []).map((a) => this.mapAssessmentResponse(a));
+    }
+    async masfeatSubmitAssessment(assessmentId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments/${assessmentId}/submit`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    async masfeatApproveAssessment(assessmentId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments/${assessmentId}/approve`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({
+                approved_by: request.approvedBy,
+                comments: request.comments,
+            }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    async masfeatRejectAssessment(assessmentId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/assessments/${assessmentId}/reject`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({
+                rejected_by: request.rejectedBy,
+                reason: request.reason,
+            }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapAssessmentResponse(await response.json());
+    }
+    // Kill Switch Methods
+    async masfeatGetKillSwitch(systemId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatConfigureKillSwitch(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/configure`;
+        const body = {};
+        if (request.accuracyThreshold !== undefined)
+            body.accuracy_threshold = request.accuracyThreshold;
+        if (request.biasThreshold !== undefined)
+            body.bias_threshold = request.biasThreshold;
+        if (request.errorRateThreshold !== undefined)
+            body.error_rate_threshold = request.errorRateThreshold;
+        if (request.autoTriggerEnabled !== undefined)
+            body.auto_trigger_enabled = request.autoTriggerEnabled;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatCheckKillSwitch(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/check`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({
+                accuracy: request.accuracy,
+                bias_score: request.biasScore,
+                error_rate: request.errorRate,
+            }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatTriggerKillSwitch(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/trigger`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({
+                reason: request.reason,
+                triggered_by: request.triggeredBy,
+            }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatRestoreKillSwitch(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/restore`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({
+                reason: request.reason,
+                restored_by: request.restoredBy,
+            }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatEnableKillSwitch(systemId) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/enable`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatDisableKillSwitch(systemId, request) {
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/disable`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...this.getAuthHeaders(),
+            },
+            body: JSON.stringify({ reason: request?.reason }),
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        return this.mapKillSwitchResponse(await response.json());
+    }
+    async masfeatGetKillSwitchHistory(systemId, limit) {
+        const params = new URLSearchParams();
+        if (limit)
+            params.append('limit', limit.toString());
+        const queryString = params.toString();
+        const url = `${this.config.endpoint}/api/v1/masfeat/killswitch/${systemId}/history${queryString ? `?${queryString}` : ''}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                ...this.getAuthHeaders(),
+            },
+            signal: AbortSignal.timeout(this.config.timeout),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        let data = await response.json();
+        // Handle nested response format {history: [...], count: N}
+        if (data && typeof data === 'object' && 'history' in data) {
+            data = data.history;
+        }
+        return (data || []).map((e) => ({
+            id: e.id,
+            killSwitchId: e.kill_switch_id,
+            // Handle both API formats: event_type (SDK expected) vs action (API actual)
+            eventType: e.event_type || e.action,
+            // Build eventData from additional fields if not present
+            eventData: e.event_data ||
+                (e.previous_status || e.new_status || e.reason
+                    ? { previousStatus: e.previous_status, newStatus: e.new_status, reason: e.reason }
+                    : undefined),
+            // Handle both API formats: created_by vs performed_by
+            createdBy: e.created_by || e.performed_by,
+            // Handle both API formats: created_at vs performed_at
+            createdAt: new Date(e.created_at || e.performed_at),
+        }));
+    }
+    // Helper methods for MAS FEAT
+    mapSystemResponse(data) {
+        return {
+            id: data.id,
+            orgId: data.org_id,
+            systemId: data.system_id,
+            systemName: data.system_name,
+            description: data.description,
+            useCase: data.use_case,
+            ownerTeam: data.owner_team,
+            technicalOwner: data.technical_owner,
+            businessOwner: data.business_owner || data.owner_email,
+            customerImpact: data.customer_impact ?? data.risk_rating_impact,
+            modelComplexity: data.model_complexity ?? data.risk_rating_complexity,
+            humanReliance: data.human_reliance ?? data.risk_rating_reliance,
+            materiality: data.materiality || data.materiality_classification,
+            status: data.status,
+            metadata: data.metadata,
+            createdAt: new Date(data.created_at),
+            updatedAt: new Date(data.updated_at),
+            createdBy: data.created_by,
+        };
+    }
+    mapFindingResponse(data) {
+        return {
+            id: data.id,
+            pillar: data.pillar,
+            severity: data.severity,
+            category: data.category,
+            description: data.description,
+            status: data.status,
+            remediation: data.remediation,
+            dueDate: data.due_date ? new Date(data.due_date) : undefined,
+        };
+    }
+    mapAssessmentResponse(data) {
+        return {
+            id: data.id,
+            orgId: data.org_id,
+            systemId: data.system_id,
+            assessmentType: data.assessment_type,
+            status: data.status,
+            assessmentDate: new Date(data.assessment_date),
+            validUntil: data.valid_until ? new Date(data.valid_until) : undefined,
+            fairnessScore: data.fairness_score,
+            ethicsScore: data.ethics_score,
+            accountabilityScore: data.accountability_score,
+            transparencyScore: data.transparency_score,
+            overallScore: data.overall_score,
+            fairnessDetails: data.fairness_details,
+            ethicsDetails: data.ethics_details,
+            accountabilityDetails: data.accountability_details,
+            transparencyDetails: data.transparency_details,
+            findings: data.findings?.map((f) => this.mapFindingResponse(f)),
+            recommendations: data.recommendations,
+            assessors: data.assessors,
+            approvedBy: data.approved_by,
+            approvedAt: data.approved_at ? new Date(data.approved_at) : undefined,
+            createdAt: new Date(data.created_at),
+            updatedAt: new Date(data.updated_at),
+            createdBy: data.created_by,
+        };
+    }
+    mapKillSwitchResponse(data) {
+        // Handle nested response format (trigger/restore return {kill_switch: {...}, message: ...})
+        if (data.kill_switch) {
+            data = data.kill_switch;
+        }
+        return {
+            id: data.id,
+            orgId: data.org_id,
+            systemId: data.system_id,
+            status: data.status,
+            accuracyThreshold: data.accuracy_threshold,
+            biasThreshold: data.bias_threshold,
+            errorRateThreshold: data.error_rate_threshold,
+            autoTriggerEnabled: data.auto_trigger_enabled,
+            triggeredAt: data.triggered_at ? new Date(data.triggered_at) : undefined,
+            triggeredBy: data.triggered_by,
+            triggeredReason: data.triggered_reason || data.trigger_reason,
+            restoredAt: data.restored_at ? new Date(data.restored_at) : undefined,
+            restoredBy: data.restored_by,
+            createdAt: new Date(data.created_at),
+            updatedAt: new Date(data.updated_at),
+        };
+    }
+    // ============================================================================
+    // Unified Execution Tracking Methods (Issue #1075)
+    // ============================================================================
+    /**
+     * Get unified execution status for a MAP plan or WCP workflow.
+     *
+     * This method provides a consistent interface for tracking execution progress
+     * regardless of whether the underlying execution is a MAP plan or WCP workflow.
+     *
+     * @param executionId - The execution ID (plan ID or workflow ID)
+     * @returns Unified execution status
+     *
+     * @example
+     * ```typescript
+     * // Get status for any execution (MAP or WCP)
+     * const status = await client.getExecutionStatus('exec_123');
+     * console.log(`Type: ${status.execution_type}`);
+     * console.log(`Status: ${status.status}`);
+     * console.log(`Progress: ${status.progress_percent}%`);
+     *
+     * // Check steps
+     * for (const step of status.steps) {
+     *   console.log(`  Step ${step.step_index}: ${step.step_name} - ${step.status}`);
+     * }
+     * ```
+     */
+    async getExecutionStatus(executionId) {
+        if (!executionId) {
+            throw new errors_1.ConfigurationError('Execution ID is required');
+        }
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Getting execution status', { executionId });
+        }
+        return this.orchestratorRequest('GET', `/api/v1/unified/executions/${executionId}`);
+    }
+    /**
+     * List unified executions with optional filters.
+     *
+     * Returns a paginated list of executions (both MAP plans and WCP workflows)
+     * with optional filtering by type, status, tenant, or organization.
+     * This method provides a unified view across all execution types.
+     *
+     * @param options - Filter and pagination options
+     * @returns Paginated list of unified executions
+     *
+     * @example
+     * ```typescript
+     * // List all running executions
+     * const result = await client.listUnifiedExecutions({
+     *   status: 'running',
+     *   limit: 20
+     * });
+     * console.log(`Found ${result.total} running executions`);
+     *
+     * // List only MAP plans
+     * const mapPlans = await client.listUnifiedExecutions({
+     *   execution_type: 'map_plan',
+     *   limit: 50
+     * });
+     *
+     * // List WCP workflows for a specific tenant
+     * const workflows = await client.listUnifiedExecutions({
+     *   execution_type: 'wcp_workflow',
+     *   tenant_id: 'tenant_123'
+     * });
+     * ```
+     */
+    async listUnifiedExecutions(options) {
+        const params = new URLSearchParams();
+        if (options?.execution_type) {
+            params.set('execution_type', options.execution_type);
+        }
+        if (options?.status) {
+            params.set('status', options.status);
+        }
+        if (options?.tenant_id) {
+            params.set('tenant_id', options.tenant_id);
+        }
+        if (options?.org_id) {
+            params.set('org_id', options.org_id);
+        }
+        if (options?.limit !== undefined) {
+            params.set('limit', options.limit.toString());
+        }
+        if (options?.offset !== undefined) {
+            params.set('offset', options.offset.toString());
+        }
+        const queryString = params.toString();
+        const path = queryString
+            ? `/api/v1/unified/executions?${queryString}`
+            : '/api/v1/unified/executions';
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Listing unified executions', { options });
+        }
+        return this.orchestratorRequest('GET', path);
+    }
+    /**
+     * Cancel a unified execution (MAP plan or WCP workflow).
+     *
+     * This method cancels an execution via the unified execution API,
+     * automatically propagating to the correct subsystem (MAP or WCP).
+     *
+     * @param executionId - The execution ID (plan ID or workflow ID)
+     * @param reason - Optional reason for cancellation
+     *
+     * @example
+     * ```typescript
+     * await client.cancelExecution('wf_abc123', 'User requested cancellation');
+     * ```
+     */
+    async cancelExecution(executionId, reason) {
+        if (!executionId) {
+            throw new errors_1.ConfigurationError('Execution ID is required');
+        }
+        const body = reason ? { reason } : {};
+        await this.orchestratorRequest('POST', `/api/v1/unified/executions/${executionId}/cancel`, body);
+    }
+    /**
+     * Stream real-time execution status updates via Server-Sent Events (SSE).
+     *
+     * Connects to the SSE streaming endpoint and invokes the callback with each
+     * ExecutionStatus update as it arrives. The stream automatically closes when
+     * the execution reaches a terminal state (completed, failed, cancelled, aborted,
+     * or expired).
+     *
+     * @param executionId - The execution ID (plan ID or workflow ID)
+     * @param callback - Function called with each ExecutionStatus update
+     * @param options - Optional configuration including an AbortSignal for cancellation
+     *
+     * @example
+     * ```typescript
+     * // Stream with a callback
+     * await client.streamExecutionStatus('exec_123', (status) => {
+     *   console.log(`Progress: ${status.progress_percent}%`);
+     *   console.log(`Status: ${status.status}`);
+     *   for (const step of status.steps) {
+     *     console.log(`  Step ${step.step_index}: ${step.step_name} - ${step.status}`);
+     *   }
+     * });
+     *
+     * // Stream with abort support
+     * const controller = new AbortController();
+     * setTimeout(() => controller.abort(), 60000); // timeout after 1 minute
+     * await client.streamExecutionStatus('exec_123', (status) => {
+     *   console.log(`${status.status}: ${status.progress_percent}%`);
+     * }, { signal: controller.signal });
+     * ```
+     */
+    async streamExecutionStatus(executionId, callback, options) {
+        if (!executionId) {
+            throw new errors_1.ConfigurationError('Execution ID is required');
+        }
+        const url = `${this.config.endpoint}/api/v1/executions/${executionId}/stream`;
+        const headers = this.buildAuthHeaders();
+        // Override Content-Type for SSE — Accept is what matters
+        headers['Accept'] = 'text/event-stream';
+        delete headers['Content-Type'];
+        if (this.config.debug) {
+            (0, helpers_1.debugLog)('Streaming execution status', { executionId, url });
+        }
+        const fetchOptions = {
+            method: 'GET',
+            headers,
+        };
+        if (options?.signal) {
+            fetchOptions.signal = options.signal;
+        }
+        let response;
+        try {
+            response = await fetch(url, fetchOptions);
+        }
+        catch (error) {
+            if (error instanceof Error && error.name === 'AbortError') {
+                return; // Clean exit on abort
+            }
+            throw error;
+        }
+        if (!response.ok) {
+            const errorText = await response.text();
+            if (response.status === 401 || response.status === 403) {
+                throw new errors_1.AuthenticationError(`Stream request failed: ${errorText}`);
+            }
+            if (response.status === 404) {
+                throw new errors_1.APIError(404, 'Not Found', errorText);
+            }
+            throw new errors_1.APIError(response.status, response.statusText, errorText);
+        }
+        if (!response.body) {
+            throw new errors_1.APIError(0, 'No Body', 'SSE response has no body');
+        }
+        const reader = response.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = '';
+        try {
+            while (true) {
+                const { done, value } = await reader.read();
+                if (done) {
+                    break;
+                }
+                buffer += decoder.decode(value, { stream: true });
+                // Process complete SSE events (separated by double newline)
+                const events = buffer.split('\n\n');
+                // Keep the last (potentially incomplete) chunk in the buffer
+                buffer = events.pop() || '';
+                for (const event of events) {
+                    const trimmed = event.trim();
+                    if (!trimmed) {
+                        continue;
+                    }
+                    // Parse SSE data lines (handle both "data: " and "data:" formats per SSE spec)
+                    for (const line of trimmed.split('\n')) {
+                        let jsonStr;
+                        if (line.startsWith('data: ')) {
+                            jsonStr = line.slice(6);
+                        }
+                        else if (line.startsWith('data:')) {
+                            jsonStr = line.slice(5);
+                        }
+                        if (jsonStr !== undefined) {
+                            if (!jsonStr || jsonStr === '[DONE]') {
+                                continue;
+                            }
+                            try {
+                                const status = JSON.parse(jsonStr);
+                                callback(status);
+                                // Check for terminal status — stream is done
+                                if (status.status === 'completed' ||
+                                    status.status === 'failed' ||
+                                    status.status === 'cancelled' ||
+                                    status.status === 'aborted' ||
+                                    status.status === 'expired') {
+                                    return;
+                                }
+                            }
+                            catch (parseError) {
+                                if (this.config.debug) {
+                                    (0, helpers_1.debugLog)('Failed to parse SSE data', { jsonStr, error: parseError });
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && error.name === 'AbortError') {
+                return; // Clean exit on abort
+            }
+            throw error;
+        }
+        finally {
+            try {
+                reader.releaseLock();
+            }
+            catch {
+                // Reader may already be released
+            }
+        }
+    }
 }
 exports.AxonFlow = AxonFlow;
 //# sourceMappingURL=client.js.map