@qnsp/tenant-sdk 0.2.0 → 0.3.1

package/src/index.ts

@@ -1,5 +1,7 @@
 import { performance } from "node:perf_hooks";
 
+import { activateSdk, type SdkActivationConfig } from "@qnsp/sdk-activation";
+
 import type {
 	TenantClientTelemetry,
 	TenantClientTelemetryConfig,
@@ -17,7 +19,7 @@ import { validateUUID } from "./validation.js";
 
 export interface TenantClientConfig {
 	readonly baseUrl: string;
-	readonly apiKey?: string;
+	readonly apiKey: string;
 	readonly timeoutMs?: number;
 	readonly telemetry?: TenantClientTelemetry | TenantClientTelemetryConfig;
 	readonly maxRetries?: number;
@@ -34,12 +36,102 @@ type InternalTenantClientConfig = {
 
 export type TenantStatus = "active" | "suspended" | "pending" | "deleted";
 
+export type HsmMode = "none" | "supported" | "required";
+
 /**
  * Crypto policy tier determines which PQC algorithms are allowed.
  * Maps to tenant_crypto_policies.policy_tier in tenant-service.
  */
 export type CryptoPolicyTier = "default" | "strict" | "maximum" | "government";
 
+/**
+ * Crypto policy v1 uses profiles + tiers (evidence-first model).
+ */
+export type QnspTier =
+	| "TIER0_LEGACY"
+	| "TIER1_APPROVED"
+	| "TIER2_HIGH_ASSURANCE"
+	| "TIER3_DIVERSITY"
+	| "TIER4_EXPERIMENTAL";
+
+export type TenantType =
+	| "FREE_FOREVER"
+	| "DEV_STARTER"
+	| "DEV_PRO"
+	| "DEV_ELITE"
+	| "BUSINESS_TEAM"
+	| "BUSINESS_ADVANCED"
+	| "BUSINESS_ELITE"
+	| "ENTERPRISE_STANDARD"
+	| "ENTERPRISE_PRO"
+	| "ENTERPRISE_ELITE"
+	| "PUBLIC_SECTOR";
+
+export type CryptoProfileId =
+	| "gov-high-assurance"
+	| "defense-long-life-data"
+	| "financial-hybrid-pqc"
+	| "research-eval";
+
+export type TenantCryptoPolicyV1Action = "CREATE" | "UPDATE" | "ROLLBACK";
+
+export interface CryptoPolicyV1 {
+	readonly version: "v1";
+	readonly tenantType: TenantType;
+	readonly profile: CryptoProfileId;
+	readonly enabledTiers: readonly QnspTier[];
+	readonly tier0Expiry?: string;
+	readonly tier4Acknowledgement?: {
+		readonly nonCompliant: true;
+		readonly noProductionSecrets: true;
+		readonly approvedBy: string;
+		readonly approvedAt: string;
+	};
+	readonly overrides?: {
+		readonly allowFalcon?: boolean;
+	};
+	readonly requirements: {
+		readonly fipsAligned: boolean;
+		readonly evidenceRequired: boolean;
+		readonly cryptoAgilityMetadataRequired: boolean;
+		readonly statefulLifecycleGuards: boolean;
+		readonly downgradeDetection: boolean;
+	};
+}
+
+export interface TenantCryptoPolicyV1Record {
+	readonly id: string;
+	readonly tenantId: string;
+	readonly version: "v1";
+	readonly policy: CryptoPolicyV1;
+	readonly policyHash: string;
+	readonly etag: string;
+	readonly createdAt: string;
+	readonly createdByPrincipal: string;
+	readonly createdByIp: string | null;
+	readonly updatedAt: string;
+	readonly updatedByPrincipal: string;
+	readonly updatedByIp: string | null;
+}
+
+export interface TenantCryptoPolicyV1HistoryRecord {
+	readonly id: string;
+	readonly tenantId: string;
+	readonly version: "v1";
+	readonly policy: CryptoPolicyV1;
+	readonly policyHash: string;
+	readonly action: TenantCryptoPolicyV1Action;
+	readonly reason: string | null;
+	readonly changedAt: string;
+	readonly changedByPrincipal: string;
+	readonly changedByIp: string | null;
+}
+
+export interface TenantCryptoPolicyV1HistoryResponse {
+	readonly tenantId: string;
+	readonly items: readonly TenantCryptoPolicyV1HistoryRecord[];
+}
+
 /**
  * Tenant crypto policy configuration.
  */
@@ -80,48 +172,272 @@ export interface TierAlgorithmConfig {
 
 /**
  * Default algorithms per crypto policy tier.
+ * These match the definitions in packages/security/src/crypto-policy.ts
+ * and determine which algorithms appear in the portal's Generate Key dropdown.
+ *
+ * default: All supported PQC algorithms (NIST-finalized + candidates via liboqs)
+ * strict: NIST-finalized/selected at higher security levels
+ * maximum: Highest-security NIST-finalized only
+ * government: FIPS-finalized only (no draft standards)
  */
 export const CRYPTO_POLICY_ALGORITHMS: Record<CryptoPolicyTier, TierAlgorithmConfig> = {
 	default: {
-		kemAlgorithms: ["kyber-512", "kyber-768", "kyber-1024"],
-		signatureAlgorithms: ["dilithium-2", "dilithium-3", "dilithium-5"],
+		kemAlgorithms: [
+			// FIPS 203 — ML-KEM (NIST finalized)
+			"kyber-512",
+			"kyber-768",
+			"kyber-1024",
+			// HQC (NIST selected March 2025)
+			"hqc-128",
+			"hqc-192",
+			"hqc-256",
+			// BIKE (NIST Round 4 candidate)
+			"bike-l1",
+			"bike-l3",
+			"bike-l5",
+			// Classic McEliece (ISO standard)
+			"mceliece-348864",
+			"mceliece-460896",
+			"mceliece-6688128",
+			"mceliece-6960119",
+			"mceliece-8192128",
+			// FrodoKEM (ISO standard)
+			"frodokem-640-aes",
+			"frodokem-640-shake",
+			"frodokem-976-aes",
+			"frodokem-976-shake",
+			"frodokem-1344-aes",
+			"frodokem-1344-shake",
+			// NTRU (lattice-based)
+			"ntru-hps-2048-509",
+			"ntru-hps-2048-677",
+			"ntru-hps-4096-821",
+			"ntru-hps-4096-1229",
+			"ntru-hrss-701",
+			"ntru-hrss-1373",
+			// NTRU-Prime
+			"sntrup761",
+		],
+		signatureAlgorithms: [
+			// FIPS 204 — ML-DSA (NIST finalized)
+			"dilithium-2",
+			"dilithium-3",
+			"dilithium-5",
+			// FIPS 205 — SLH-DSA (NIST finalized, SHA-2 variants)
+			"sphincs-sha2-128f-simple",
+			"sphincs-sha2-128s-simple",
+			"sphincs-sha2-192f-simple",
+			"sphincs-sha2-192s-simple",
+			"sphincs-sha2-256f-simple",
+			"sphincs-sha2-256s-simple",
+			// FIPS 205 — SLH-DSA (NIST finalized, SHAKE variants)
+			"sphincs-shake-128f-simple",
+			"sphincs-shake-128s-simple",
+			"sphincs-shake-192f-simple",
+			"sphincs-shake-192s-simple",
+			"sphincs-shake-256f-simple",
+			"sphincs-shake-256s-simple",
+			// FN-DSA / Falcon (FIPS 206 draft)
+			"falcon-512",
+			"falcon-1024",
+			// MAYO (NIST Additional Signatures Round 2)
+			"mayo-1",
+			"mayo-2",
+			"mayo-3",
+			"mayo-5",
+			// CROSS (NIST Additional Signatures Round 2)
+			"cross-rsdp-128-balanced",
+			"cross-rsdp-128-fast",
+			"cross-rsdp-128-small",
+			"cross-rsdp-192-balanced",
+			"cross-rsdp-192-fast",
+			"cross-rsdp-192-small",
+			"cross-rsdp-256-balanced",
+			"cross-rsdp-256-fast",
+			"cross-rsdp-256-small",
+			"cross-rsdpg-128-balanced",
+			"cross-rsdpg-128-fast",
+			"cross-rsdpg-128-small",
+			"cross-rsdpg-192-balanced",
+			"cross-rsdpg-192-fast",
+			"cross-rsdpg-192-small",
+			"cross-rsdpg-256-balanced",
+			"cross-rsdpg-256-fast",
+			"cross-rsdpg-256-small",
+			// UOV (NIST Additional Signatures Round 2)
+			"ov-Is",
+			"ov-Ip",
+			"ov-III",
+			"ov-V",
+			"ov-Is-pkc",
+			"ov-Ip-pkc",
+			"ov-III-pkc",
+			"ov-V-pkc",
+			"ov-Is-pkc-skc",
+			"ov-Ip-pkc-skc",
+			"ov-III-pkc-skc",
+			"ov-V-pkc-skc",
+			// SNOVA (NIST Additional Signatures Round 2)
+			"snova-24-5-4",
+			"snova-24-5-4-shake",
+			"snova-24-5-4-esk",
+			"snova-24-5-4-shake-esk",
+			"snova-25-8-3",
+			"snova-37-17-2",
+			"snova-37-8-4",
+			"snova-24-5-5",
+			"snova-56-25-2",
+			"snova-49-11-3",
+			"snova-60-10-4",
+			"snova-29-6-5",
+		],
 		defaultKemAlgorithm: "kyber-768",
 		defaultSignatureAlgorithm: "dilithium-3",
 	},
 	strict: {
-		kemAlgorithms: ["kyber-768", "kyber-1024"],
-		signatureAlgorithms: ["dilithium-3", "dilithium-5", "falcon-1024"],
+		kemAlgorithms: ["kyber-768", "kyber-1024", "hqc-192", "hqc-256"],
+		signatureAlgorithms: [
+			"dilithium-3",
+			"dilithium-5",
+			"falcon-1024",
+			"sphincs-sha2-256f-simple",
+			"sphincs-sha2-256s-simple",
+			"sphincs-shake-256f-simple",
+			"sphincs-shake-256s-simple",
+		],
 		defaultKemAlgorithm: "kyber-768",
 		defaultSignatureAlgorithm: "dilithium-3",
 	},
 	maximum: {
-		kemAlgorithms: ["kyber-1024"],
-		signatureAlgorithms: ["dilithium-5", "falcon-1024", "sphincs-shake-256f-simple"],
+		kemAlgorithms: ["kyber-1024", "hqc-256"],
+		signatureAlgorithms: [
+			"dilithium-5",
+			"falcon-1024",
+			"sphincs-sha2-256f-simple",
+			"sphincs-shake-256f-simple",
+		],
 		defaultKemAlgorithm: "kyber-1024",
 		defaultSignatureAlgorithm: "dilithium-5",
 	},
 	government: {
 		kemAlgorithms: ["kyber-1024"],
-		signatureAlgorithms: ["dilithium-5", "sphincs-shake-256f-simple"],
+		signatureAlgorithms: ["dilithium-5", "sphincs-sha2-256f-simple", "sphincs-shake-256f-simple"],
 		defaultKemAlgorithm: "kyber-1024",
 		defaultSignatureAlgorithm: "dilithium-5",
 	},
 };
 
 /**
- * Mapping from internal algorithm names to NIST standardized names.
+ * Mapping from internal algorithm names to NIST/standards display names.
+ * Covers all 90 PQC algorithms supported by QNSP.
+ * Canonical source: @qnsp/cryptography pqc-standards.ts ALGORITHM_NIST_NAMES
  */
 export const ALGORITHM_TO_NIST: Record<string, string> = {
+	// FIPS 203 — ML-KEM
 	"kyber-512": "ML-KEM-512",
 	"kyber-768": "ML-KEM-768",
 	"kyber-1024": "ML-KEM-1024",
+	// FIPS 204 — ML-DSA
 	"dilithium-2": "ML-DSA-44",
 	"dilithium-3": "ML-DSA-65",
 	"dilithium-5": "ML-DSA-87",
-	"falcon-512": "FN-DSA-512",
-	"falcon-1024": "FN-DSA-1024",
+	// FIPS 205 — SLH-DSA (SHA-2 variants)
+	"sphincs-sha2-128f-simple": "SLH-DSA-SHA2-128f",
+	"sphincs-sha2-128s-simple": "SLH-DSA-SHA2-128s",
+	"sphincs-sha2-192f-simple": "SLH-DSA-SHA2-192f",
+	"sphincs-sha2-192s-simple": "SLH-DSA-SHA2-192s",
+	"sphincs-sha2-256f-simple": "SLH-DSA-SHA2-256f",
+	"sphincs-sha2-256s-simple": "SLH-DSA-SHA2-256s",
+	// FIPS 205 — SLH-DSA (SHAKE variants)
 	"sphincs-shake-128f-simple": "SLH-DSA-SHAKE-128f",
+	"sphincs-shake-128s-simple": "SLH-DSA-SHAKE-128s",
+	"sphincs-shake-192f-simple": "SLH-DSA-SHAKE-192f",
+	"sphincs-shake-192s-simple": "SLH-DSA-SHAKE-192s",
 	"sphincs-shake-256f-simple": "SLH-DSA-SHAKE-256f",
+	"sphincs-shake-256s-simple": "SLH-DSA-SHAKE-256s",
+	// FN-DSA (FIPS 206 draft)
+	"falcon-512": "FN-DSA-512",
+	"falcon-1024": "FN-DSA-1024",
+	// HQC (NIST selected March 2025)
+	"hqc-128": "HQC-128",
+	"hqc-192": "HQC-192",
+	"hqc-256": "HQC-256",
+	// BIKE (NIST Round 4)
+	"bike-l1": "BIKE-L1",
+	"bike-l3": "BIKE-L3",
+	"bike-l5": "BIKE-L5",
+	// Classic McEliece (ISO standard)
+	"mceliece-348864": "Classic-McEliece-348864",
+	"mceliece-460896": "Classic-McEliece-460896",
+	"mceliece-6688128": "Classic-McEliece-6688128",
+	"mceliece-6960119": "Classic-McEliece-6960119",
+	"mceliece-8192128": "Classic-McEliece-8192128",
+	// FrodoKEM (ISO standard)
+	"frodokem-640-aes": "FrodoKEM-640-AES",
+	"frodokem-640-shake": "FrodoKEM-640-SHAKE",
+	"frodokem-976-aes": "FrodoKEM-976-AES",
+	"frodokem-976-shake": "FrodoKEM-976-SHAKE",
+	"frodokem-1344-aes": "FrodoKEM-1344-AES",
+	"frodokem-1344-shake": "FrodoKEM-1344-SHAKE",
+	// NTRU (lattice-based, re-added in liboqs 0.15)
+	"ntru-hps-2048-509": "NTRU-HPS-2048-509",
+	"ntru-hps-2048-677": "NTRU-HPS-2048-677",
+	"ntru-hps-4096-821": "NTRU-HPS-4096-821",
+	"ntru-hps-4096-1229": "NTRU-HPS-4096-1229",
+	"ntru-hrss-701": "NTRU-HRSS-701",
+	"ntru-hrss-1373": "NTRU-HRSS-1373",
+	// NTRU-Prime
+	sntrup761: "sntrup761",
+	// MAYO (NIST Additional Signatures Round 2)
+	"mayo-1": "MAYO-1",
+	"mayo-2": "MAYO-2",
+	"mayo-3": "MAYO-3",
+	"mayo-5": "MAYO-5",
+	// CROSS (NIST Additional Signatures Round 2)
+	"cross-rsdp-128-balanced": "CROSS-RSDP-128-balanced",
+	"cross-rsdp-128-fast": "CROSS-RSDP-128-fast",
+	"cross-rsdp-128-small": "CROSS-RSDP-128-small",
+	"cross-rsdp-192-balanced": "CROSS-RSDP-192-balanced",
+	"cross-rsdp-192-fast": "CROSS-RSDP-192-fast",
+	"cross-rsdp-192-small": "CROSS-RSDP-192-small",
+	"cross-rsdp-256-balanced": "CROSS-RSDP-256-balanced",
+	"cross-rsdp-256-fast": "CROSS-RSDP-256-fast",
+	"cross-rsdp-256-small": "CROSS-RSDP-256-small",
+	"cross-rsdpg-128-balanced": "CROSS-RSDPG-128-balanced",
+	"cross-rsdpg-128-fast": "CROSS-RSDPG-128-fast",
+	"cross-rsdpg-128-small": "CROSS-RSDPG-128-small",
+	"cross-rsdpg-192-balanced": "CROSS-RSDPG-192-balanced",
+	"cross-rsdpg-192-fast": "CROSS-RSDPG-192-fast",
+	"cross-rsdpg-192-small": "CROSS-RSDPG-192-small",
+	"cross-rsdpg-256-balanced": "CROSS-RSDPG-256-balanced",
+	"cross-rsdpg-256-fast": "CROSS-RSDPG-256-fast",
+	"cross-rsdpg-256-small": "CROSS-RSDPG-256-small",
+	// UOV (NIST Additional Signatures Round 2)
+	"ov-Is": "UOV-Is",
+	"ov-Ip": "UOV-Ip",
+	"ov-III": "UOV-III",
+	"ov-V": "UOV-V",
+	"ov-Is-pkc": "UOV-Is-pkc",
+	"ov-Ip-pkc": "UOV-Ip-pkc",
+	"ov-III-pkc": "UOV-III-pkc",
+	"ov-V-pkc": "UOV-V-pkc",
+	"ov-Is-pkc-skc": "UOV-Is-pkc-skc",
+	"ov-Ip-pkc-skc": "UOV-Ip-pkc-skc",
+	"ov-III-pkc-skc": "UOV-III-pkc-skc",
+	"ov-V-pkc-skc": "UOV-V-pkc-skc",
+	// SNOVA (NIST Additional Signatures Round 2, liboqs 0.14+)
+	"snova-24-5-4": "SNOVA-24-5-4",
+	"snova-24-5-4-shake": "SNOVA-24-5-4-SHAKE",
+	"snova-24-5-4-esk": "SNOVA-24-5-4-ESK",
+	"snova-24-5-4-shake-esk": "SNOVA-24-5-4-SHAKE-ESK",
+	"snova-25-8-3": "SNOVA-25-8-3",
+	"snova-37-17-2": "SNOVA-37-17-2",
+	"snova-37-8-4": "SNOVA-37-8-4",
+	"snova-24-5-5": "SNOVA-24-5-5",
+	"snova-56-25-2": "SNOVA-56-25-2",
+	"snova-49-11-3": "SNOVA-49-11-3",
+	"snova-60-10-4": "SNOVA-60-10-4",
+	"snova-29-6-5": "SNOVA-29-6-5",
 };
 
 /**
@@ -174,6 +490,7 @@ export interface Tenant {
 	readonly plan: string;
 	readonly region: string;
 	readonly complianceTags: readonly string[];
+	readonly hsmMode: HsmMode;
 	readonly metadata: Record<string, unknown>;
 	readonly security: TenantSecurityEnvelope;
 	readonly domains: readonly TenantDomain[];
@@ -187,6 +504,7 @@ export interface CreateTenantRequest {
 	readonly plan?: string;
 	readonly region?: string;
 	readonly complianceTags?: readonly string[];
+	readonly hsmMode?: HsmMode;
 	readonly metadata?: Record<string, unknown>;
 	readonly domains?: readonly {
 		readonly domain: string;
@@ -200,6 +518,7 @@ export interface UpdateTenantRequest {
 	readonly plan?: string;
 	readonly status?: TenantStatus;
 	readonly complianceTags?: readonly string[];
+	readonly hsmMode?: HsmMode;
 	readonly metadata?: Record<string, unknown>;
 	readonly security: TenantSecurityEnvelope;
 	readonly signature?: TenantSignature;
@@ -223,17 +542,48 @@ export class TenantClient {
 	private readonly config: InternalTenantClientConfig;
 	private readonly telemetry: TenantClientTelemetry | null;
 	private readonly targetService: string;
+	private activationPromise: Promise<void> | null = null;
+	private readonly activationConfig: SdkActivationConfig;
+
+	private async ensureActivated(): Promise<void> {
+		if (!this.activationPromise) {
+			this.activationPromise = activateSdk(this.activationConfig).then(() => undefined);
+		}
+		await this.activationPromise;
+	}
 
 	constructor(config: TenantClientConfig) {
+		if (!config.apiKey || config.apiKey.trim().length === 0) {
+			throw new Error(
+				"QNSP Tenant SDK: apiKey is required. " +
+					"Get your free API key at https://cloud.qnsp.cuilabs.io/signup — " +
+					"no credit card required (FREE tier: 10 GB storage, 50,000 API calls/month). " +
+					"Docs: https://docs.qnsp.cuilabs.io/sdk/tenant-sdk",
+			);
+		}
+
 		const baseUrl = config.baseUrl.replace(/\/$/, "");
 
-		// Enforce HTTPS in production (allow HTTP only for localhost in development)
+		// Enforce HTTPS in production (allow HTTP for localhost in development and
+		// for internal service-mesh hostnames — e.g. *.internal — which are on a
+		// private VPC network and do not require TLS termination at the transport layer).
 		if (!baseUrl.startsWith("https://")) {
 			const isLocalhost =
 				baseUrl.startsWith("http://localhost") || baseUrl.startsWith("http://127.0.0.1");
+			let isInternalService = false;
+			try {
+				const parsed = new URL(baseUrl);
+				isInternalService =
+					parsed.protocol === "http:" &&
+					(parsed.hostname.endsWith(".internal") ||
+						parsed.hostname === "localhost" ||
+						parsed.hostname === "127.0.0.1");
+			} catch {
+				// ignore; invalid URL will be caught later by fetch
+			}
 			const isDevelopment =
 				process.env["NODE_ENV"] === "development" || process.env["NODE_ENV"] === "test";
-			if (!isLocalhost || !isDevelopment) {
+			if ((!isLocalhost || !isDevelopment) && !isInternalService) {
 				throw new Error(
 					"baseUrl must use HTTPS in production. HTTP is only allowed for localhost in development.",
 				);
@@ -242,7 +592,7 @@ export class TenantClient {
 
 		this.config = {
 			baseUrl,
-			apiKey: config.apiKey ?? "",
+			apiKey: config.apiKey,
 			timeoutMs: config.timeoutMs ?? 30_000,
 			maxRetries: config.maxRetries ?? 3,
 			retryDelayMs: config.retryDelayMs ?? 1_000,
@@ -259,6 +609,13 @@ export class TenantClient {
 		} catch {
 			this.targetService = "tenant-service";
 		}
+
+		this.activationConfig = {
+			apiKey: config.apiKey,
+			sdkId: "tenant-sdk",
+			sdkVersion: "0.3.0",
+			platformUrl: config.baseUrl,
+		};
 	}
 
 	private async request<T>(method: string, path: string, options?: RequestOptions): Promise<T> {
@@ -277,9 +634,7 @@ export class TenantClient {
 			...options?.headers,
 		};
 
-		if (this.config.apiKey) {
-			headers["Authorization"] = `Bearer ${this.config.apiKey}`;
-		}
+		headers["Authorization"] = `Bearer ${this.config.apiKey}`;
 
 		const controller = new AbortController();
 		const timeoutId = setTimeout(() => controller.abort(), this.config.timeoutMs);
@@ -386,6 +741,7 @@ export class TenantClient {
 	 * Requires PQC-signed security envelope and optional signature.
 	 */
 	async createTenant(request: CreateTenantRequest): Promise<Tenant> {
+		await this.ensureActivated();
 		// Validation is handled by the service, but we validate format here for early feedback
 		return this.request<Tenant>("POST", "/tenant/v1/tenants", {
 			body: {
@@ -394,6 +750,7 @@ export class TenantClient {
 				...(request.plan !== undefined ? { plan: request.plan } : {}),
 				...(request.region !== undefined ? { region: request.region } : {}),
 				...(request.complianceTags !== undefined ? { complianceTags: request.complianceTags } : {}),
+				...(request.hsmMode !== undefined ? { hsmMode: request.hsmMode } : {}),
 				...(request.metadata !== undefined ? { metadata: request.metadata } : {}),
 				...(request.domains !== undefined ? { domains: request.domains } : {}),
 				security: request.security,
@@ -409,12 +766,14 @@ export class TenantClient {
 	 */
 	async updateTenant(id: string, request: UpdateTenantRequest): Promise<Tenant> {
 		validateUUID(id, "id");
+		await this.ensureActivated();
 
 		return this.request<Tenant>("PATCH", `/tenant/v1/tenants/${id}`, {
 			body: {
 				...(request.plan !== undefined ? { plan: request.plan } : {}),
 				...(request.status !== undefined ? { status: request.status } : {}),
 				...(request.complianceTags !== undefined ? { complianceTags: request.complianceTags } : {}),
+				...(request.hsmMode !== undefined ? { hsmMode: request.hsmMode } : {}),
 				...(request.metadata !== undefined ? { metadata: request.metadata } : {}),
 				security: request.security,
 				...(request.signature !== undefined ? { signature: request.signature } : {}),
@@ -429,6 +788,7 @@ export class TenantClient {
 	 */
 	async getTenant(id: string): Promise<Tenant> {
 		validateUUID(id, "id");
+		await this.ensureActivated();
 
 		return this.request<Tenant>("GET", `/tenant/v1/tenants/${id}`, {
 			operation: "getTenant",
@@ -443,6 +803,7 @@ export class TenantClient {
 		readonly limit?: number;
 		readonly cursor?: string;
 	}): Promise<ListTenantsResponse> {
+		await this.ensureActivated();
 		const params = new URLSearchParams();
 		if (options?.limit !== undefined) {
 			params.set("limit", String(options.limit));
@@ -465,12 +826,53 @@ export class TenantClient {
 	 */
 	async getTenantCryptoPolicy(tenantId: string): Promise<TenantCryptoPolicy> {
 		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 
 		return this.request<TenantCryptoPolicy>("GET", `/tenant/v1/tenants/${tenantId}/crypto-policy`, {
 			operation: "getTenantCryptoPolicy",
 		});
 	}
 
+	/**
+	 * Get the v1 crypto policy for a tenant (profiles + tiers model).
+	 * If no policy exists, a default policy is created and returned.
+	 */
+	async getTenantCryptoPolicyV1(tenantId: string): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"GET",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1`,
+			{
+				operation: "getTenantCryptoPolicyV1",
+			},
+		);
+	}
+
+	/**
+	 * List v1 crypto policy history entries.
+	 */
+	async listTenantCryptoPolicyV1History(
+		tenantId: string,
+		options?: { readonly limit?: number },
+	): Promise<TenantCryptoPolicyV1HistoryResponse> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		const params = new URLSearchParams();
+		if (options?.limit !== undefined) {
+			params.set("limit", String(options.limit));
+		}
+		const query = params.toString();
+		const path = query
+			? `/tenant/v1/tenants/${tenantId}/crypto-policy-v1/history?${query}`
+			: `/tenant/v1/tenants/${tenantId}/crypto-policy-v1/history`;
+
+		return this.request<TenantCryptoPolicyV1HistoryResponse>("GET", path, {
+			operation: "listTenantCryptoPolicyV1History",
+		});
+	}
+
 	/**
 	 * Create or update the crypto policy for a tenant.
 	 * Sets the policy tier and optional custom algorithm restrictions.
@@ -480,6 +882,7 @@ export class TenantClient {
 		policy: TenantCryptoPolicyInput,
 	): Promise<TenantCryptoPolicy> {
 		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 
 		return this.request<TenantCryptoPolicy>("PUT", `/tenant/v1/tenants/${tenantId}/crypto-policy`, {
 			body: {
@@ -499,11 +902,150 @@ export class TenantClient {
 		});
 	}
 
+	/**
+	 * Update the v1 crypto policy for a tenant (requires If-Match with current ETag).
+	 */
+	async updateTenantCryptoPolicyV1(
+		tenantId: string,
+		policy: CryptoPolicyV1,
+		etag: string,
+	): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		if (!etag) {
+			throw new Error("etag is required for updateTenantCryptoPolicyV1");
+		}
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"PUT",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1`,
+			{
+				body: { policy },
+				headers: {
+					"If-Match": etag,
+				},
+				operation: "updateTenantCryptoPolicyV1",
+			},
+		);
+	}
+
+	/**
+	 * Enable Tier0 legacy algorithms (time-bounded) for a tenant.
+	 */
+	async enableTier0Legacy(
+		tenantId: string,
+		input: { readonly expiry: string },
+		etag: string,
+	): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		if (!etag) {
+			throw new Error("etag is required for enableTier0Legacy");
+		}
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"POST",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1/tier0/enable`,
+			{
+				body: { expiry: input.expiry },
+				headers: {
+					"If-Match": etag,
+				},
+				operation: "enableTier0Legacy",
+			},
+		);
+	}
+
+	/**
+	 * Disable Tier0 legacy algorithms for a tenant.
+	 */
+	async disableTier0Legacy(tenantId: string, etag: string): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		if (!etag) {
+			throw new Error("etag is required for disableTier0Legacy");
+		}
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"POST",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1/tier0/disable`,
+			{
+				body: {},
+				headers: {
+					"If-Match": etag,
+				},
+				operation: "disableTier0Legacy",
+			},
+		);
+	}
+
+	/**
+	 * Enable Tier4 experimental algorithms with acknowledgement.
+	 */
+	async enableTier4Experimental(
+		tenantId: string,
+		input: { readonly approvedBy: string },
+		etag: string,
+	): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		if (!etag) {
+			throw new Error("etag is required for enableTier4Experimental");
+		}
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"POST",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1/tier4/enable`,
+			{
+				body: { approvedBy: input.approvedBy },
+				headers: {
+					"If-Match": etag,
+				},
+				operation: "enableTier4Experimental",
+			},
+		);
+	}
+
+	/**
+	 * Roll back the v1 crypto policy to a previous history record or policy hash.
+	 */
+	async rollbackTenantCryptoPolicyV1(
+		tenantId: string,
+		input: { readonly historyId?: string; readonly policyHash?: string },
+		etag: string,
+	): Promise<TenantCryptoPolicyV1Record> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
+		if (!etag) {
+			throw new Error("etag is required for rollbackTenantCryptoPolicyV1");
+		}
+		if (!input.historyId && !input.policyHash) {
+			throw new Error("historyId or policyHash is required for rollbackTenantCryptoPolicyV1");
+		}
+
+		return this.request<TenantCryptoPolicyV1Record>(
+			"POST",
+			`/tenant/v1/tenants/${tenantId}/crypto-policy-v1/rollback`,
+			{
+				body: {
+					...(input.historyId ? { historyId: input.historyId } : {}),
+					...(input.policyHash ? { policyHash: input.policyHash } : {}),
+				},
+				headers: {
+					"If-Match": etag,
+				},
+				operation: "rollbackTenantCryptoPolicyV1",
+			},
+		);
+	}
+
 	/**
 	 * Get the allowed KEM algorithms for a tenant based on their crypto policy.
 	 * Convenience method that fetches the policy and returns the allowed algorithms.
 	 */
 	async getAllowedKemAlgorithms(tenantId: string): Promise<readonly string[]> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 		const policy = await this.getTenantCryptoPolicy(tenantId);
 		if (policy.customAllowedKemAlgorithms && policy.customAllowedKemAlgorithms.length > 0) {
 			return policy.customAllowedKemAlgorithms;
@@ -516,6 +1058,8 @@ export class TenantClient {
 	 * Convenience method that fetches the policy and returns the allowed algorithms.
 	 */
 	async getAllowedSignatureAlgorithms(tenantId: string): Promise<readonly string[]> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 		const policy = await this.getTenantCryptoPolicy(tenantId);
 		if (
 			policy.customAllowedSignatureAlgorithms &&
@@ -530,6 +1074,8 @@ export class TenantClient {
 	 * Get the default KEM algorithm for a tenant based on their crypto policy tier.
 	 */
 	async getDefaultKemAlgorithm(tenantId: string): Promise<string> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 		const policy = await this.getTenantCryptoPolicy(tenantId);
 		return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].defaultKemAlgorithm;
 	}
@@ -538,6 +1084,8 @@ export class TenantClient {
 	 * Get the default signature algorithm for a tenant based on their crypto policy tier.
 	 */
 	async getDefaultSignatureAlgorithm(tenantId: string): Promise<string> {
+		validateUUID(tenantId, "tenantId");
+		await this.ensureActivated();
 		const policy = await this.getTenantCryptoPolicy(tenantId);
 		return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].defaultSignatureAlgorithm;
 	}