@tetrascience-npm/ts-connectors-sdk 3.2.0 → 4.0.0-beta.182.1

package/dist/src/index.d.ts

@@ -6,4 +6,5 @@ export * from './tdp-client';
 export * from './types';
 export * from './auth';
 export * from './schemas';
+export { loadTdpCertificates, loadCertificatesFromLocalVolume } from './certificates';
 //# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,OAAO,CAAC;AACtB,cAAc,aAAa,CAAC;AAC5B,cAAc,qBAAqB,CAAC;AACpC,cAAc,cAAc,CAAC;AAC7B,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,OAAO,CAAC;AACtB,cAAc,aAAa,CAAC;AAC5B,cAAc,qBAAqB,CAAC;AACpC,cAAc,cAAc,CAAC;AAC7B,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC;AAC1B,OAAO,EAAE,mBAAmB,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/src/index.js

@@ -14,6 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCertificatesFromLocalVolume = exports.loadTdpCertificates = void 0;
 __exportStar(require("./logger"), exports);
 __exportStar(require("./api"), exports);
 __exportStar(require("./connector"), exports);
@@ -22,4 +23,7 @@ __exportStar(require("./tdp-client"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./auth"), exports);
 __exportStar(require("./schemas"), exports);
+var certificates_1 = require("./certificates");
+Object.defineProperty(exports, "loadTdpCertificates", { enumerable: true, get: function () { return certificates_1.loadTdpCertificates; } });
+Object.defineProperty(exports, "loadCertificatesFromLocalVolume", { enumerable: true, get: function () { return certificates_1.loadCertificatesFromLocalVolume; } });
 //# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,wCAAsB;AACtB,8CAA4B;AAC5B,sDAAoC;AACpC,+CAA6B;AAC7B,0CAAwB;AACxB,yCAAuB;AACvB,4CAA0B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,wCAAsB;AACtB,8CAA4B;AAC5B,sDAAoC;AACpC,+CAA6B;AAC7B,0CAAwB;AACxB,yCAAuB;AACvB,4CAA0B;AAC1B,+CAAsF;AAA7E,mHAAA,mBAAmB,OAAA;AAAE,+HAAA,+BAA+B,OAAA"}

package/dist/src/tdp-client.d.ts

@@ -117,12 +117,14 @@ export declare class TDPClient {
     private _manifest;
     get manifest(): ConnectorManifest | null | undefined;
     private awsClientProvider;
+    private awsNodeHttpHandlers;
     private authTokenProvider;
     private isProxyInitialized;
     private isAwsInitialized;
     private awsInitPromise;
     private userAgent;
     private _certificates;
+    private _tdpDeploymentCertificates;
     listeningForCommands: boolean;
     constructor(options?: TDPClientOptions);
     get isInitialized(): "" | {
@@ -148,6 +150,12 @@ export declare class TDPClient {
         getCertificates: (options?: ApiOtherOptions) => Promise<import("./api").GetCertificatesResponse>;
     } | undefined;
     get certificates(): CertificateDto[];
+    /**
+     * TDP deployment certificates loaded during init() from local volume or S3.
+     * Automatically included in CA bundles created by createAxiosInstance and
+     * createProxyAgentsForBaseUrl when includeAdditionalCertificates is truthy.
+     */
+    get tdpDeploymentCertificates(): readonly string[];
     private setUserAgent;
     /**
      * Assert that the client is initialized with JWT and API.
@@ -192,7 +200,7 @@ export declare class TDPClient {
         getCertificates: (options?: ApiOtherOptions) => Promise<import("./api").GetCertificatesResponse>;
     };
     protected getAdditionalAxiosHeaders(): Headers;
-    createAxiosInstanceWithCertificatesAndHeaders(tdpEndpoint: string, orgSlug: string, jwt: string, certificates: string[], timeout_ms?: number): AxiosInstance;
+    createAxiosInstanceWithCertificatesAndHeaders(tdpEndpoint: string, orgSlug: string, jwt: string, certificates?: string[], timeout_ms?: number): AxiosInstance;
     /**
      * Creates an axios instance for the given base url, with the given config and rejectUnauthorized, and using
      * the appropriate proxies configured for the connector. TDPClient.init must be called first. baseUrl is required
@@ -200,7 +208,8 @@ export declare class TDPClient {
      * @param options.baseUrl base url for proxy selection when this connector is hosted in a Hub
      * @param options.config axios config
      * @param options.rejectUnauthorized rejectUnauthorized, passed to the underlying http(s) Agent
-     * @param options.includeAdditionalCertificates whether to include organization certificates in the http agent
+     * @param options.includeAdditionalCertificates Whether to include TDP deployment certificates and
+     * organization certificates in the http agent. Defaults to true.
      * @param timeout_ms - The axios http request timeout in milliseconds
      * @returns an Axios instance configured with these settings and with proxying http(s) Agents
      */
@@ -221,11 +230,12 @@ export declare class TDPClient {
      * a related axios bug.
      * @param options.baseURL The URL that determines which proxy env var (http_proxy, https_proxy, no_proxy) should apply
      * @param options.rejectUnauthorized Whether to inject unauthorized requests in the httpsAgent
-     * @param options.includeAdditionalCertificates Whether to include organization certificates in the httpsAgent.
-     * If omitted or set falsy: only Node's built-in certificates will be included
-     * If set to true, built-in plus org certificates will be included.
-     * If set to an array, built-in plus this array of certificates will be included.
-     * @returns httpAgent and httpsAgent with proxy, rejectUnauthorized, and includeAdditionalCertificates settings
+     * @param options.includeAdditionalCertificates Whether to include TDP deployment certificates and
+     * organization certificates in the httpsAgent. When true (the default), the CA bundle includes
+     * Node built-in certs, TDP deployment certs loaded during init(), and org certs from the TDP API.
+     * When false, only Node built-in certs are included.
+     * If set to an array, built-in certs plus this array of certificates will be included.
+     * @returns httpAgent and httpsAgent with proxy, rejectUnauthorized, and certificate settings
      */
     createProxyAgentsForBaseUrl({ baseUrl, rejectUnauthorized, includeAdditionalCertificates, }: {
         baseUrl: string;
@@ -236,13 +246,38 @@ export declare class TDPClient {
         httpsAgent: https.Agent;
     } | undefined;
     /**
-     * Creates a NodeHttpHandler using npm proxy-agent, which will select a correct proxy per request.
+     * Creates NodeHttpHandlers for AWS clients (S3, SQS, and generic) with proxy support.
+     *
+     * When the `IAM_PROXY` environment variable is set, all three handlers use a fixed
+     * `HttpsProxyAgent` pointed at that URL, providing an explicit proxy override for AWS
+     * traffic in network-restricted deployments.
+     *
+     * When `IAM_PROXY` is not set, handlers fall back to `proxy-agent`, which performs
+     * per-request proxy selection based on the standard `http_proxy`/`https_proxy`
+     * environment variables.
+     *
      * Only works for connections where rejectUnauthorized or additional certificates are not needed,
      * such as to AWS or trusted servers; if you need to connect to an untrusted server or use organization certificates,
      * use createProxyAgentsForBaseUrl and specify a baseUrl and (optionally) rejectUnauthorized: false.
-     * @returns A NodeHttpHandler with agents that will choose a correct proxy for each request.
+     * @param options - Optional timeout configuration for the handlers
+     * @param options.s3ConnectionTimeout - Connection timeout for S3 handler in milliseconds (default: 10000)
+     * @param options.s3SocketTimeout - Socket timeout for S3 handler in milliseconds (default: 10000)
+     * @param options.sqsRequestTimeout - Request timeout for SQS handler in milliseconds (default: 20000)
+     * @param options.genericRequestTimeout - Request timeout for generic AWS handler in milliseconds (default: 120000)
+     * @returns a set of proxy-aware NodeHttpHandlers for S3, SQS, and generic AWS clients
      */
-    createProxyNodeHttpHandler(): NodeHttpHandler;
+    createProxyAWSNodeHttpHandlers(options?: {
+        s3ConnectionTimeout?: number;
+        s3SocketTimeout?: number;
+        sqsRequestTimeout?: number;
+        genericRequestTimeout?: number;
+    }): {
+        s3Handler: NodeHttpHandler;
+        sqsHandler: NodeHttpHandler;
+        genericHandler: NodeHttpHandler;
+    };
+    private ensureAwsClientDependenciesInitialized;
+    createAwsClient<TClient>(ClientClass: new (config: object) => TClient, overrides?: Record<string, unknown>): TClient;
     private createLogger;
     /**
      * Initialize the TDPClient.
@@ -357,5 +392,6 @@ export declare class TDPClient {
     transformTraceMetadata(trace: Trace): {};
     private buildS3Key;
 }
+export declare const shouldRejectUnauthorized: () => boolean;
 export {};
 //# sourceMappingURL=tdp-client.d.ts.map

package/dist/src/tdp-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tdp-client.d.ts","sourceRoot":"","sources":["../../src/tdp-client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACzC,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAE3C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAc,EAAgB,aAAa,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAEpG,OAAO,YAAY,MAAM,QAAQ,CAAC;AAGlC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAG/B,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAMlC,OAAO,EACL,GAAG,EACH,eAAe,EACf,cAAc,EACd,YAAY,EACZ,gBAAgB,EAEhB,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,4BAA4B,EAC5B,wBAAwB,EACxB,0BAA0B,EAC1B,yBAAyB,EACzB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EAC1B,MAAM,OAAO,CAAC;AACf,OAAO,EAIL,kBAAkB,EAEnB,MAAM,QAAQ,CAAC;AAGhB,OAAO,EAAmB,uBAAuB,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAG7D,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGlC,OAAO,EAEL,eAAe,EAGf,iBAAiB,EAElB,MAAM,SAAS,CAAC;AAkBjB,oBAAY,SAAS;IACnB,MAAM,IAAA;IACN,OAAO,IAAA;CACR;AAED,KAAK,QAAQ,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AAC1C,KAAK,IAAI,GAAG,MAAM,EAAE,CAAC;AACrB,KAAK,KAAK,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAC7C,KAAK,KAAK,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AACvC,KAAK,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;AAC9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,aAAa,CAAC,EAAE,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,SAAS,CAAC;IAC5B,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;;;;;;GAOG;AACH,KAAK,kBAAkB,GAAG;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAoBF,wBAAgB,cAAc,CAAC,MAAM,CAAC,EAAE,kBAAkB,gDAUzD;AAED,qBAAa,SAAS;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,QAAQ,wBAAsB;IAEvC,OAAO,CAAC,GAAG,CAAqB;IAChC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC;IACrB,OAAO,CAAC,UAAU,CAA2B;IAC7C,IAAI,SAAS,6BAEZ;IAED,OAAO,CAAC,SAAS,CAAuC;IACxD,IAAI,QAAQ,yCAKX;IAED,OAAO,CAAC,iBAAiB,CAAiC;IAC1D,OAAO,CAAC,iBAAiB,CAAiC;IAC1D,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,cAAc,CAA4B;IAClD,OAAO,CAAC,SAAS,CAAqB;IAEtC,OAAO,CAAC,aAAa,CAAmB;IAExC,oBAAoB,UAAS;gBAEjB,OAAO,CAAC,EAAE,gBAAgB;IAMtC,IAAI,aAAa;;0BAsEF,CAAC;mBAAkB,CAAC;;;mBAsBnC,CAAF;;;gBAQiD,CAAC;;;;;;;;;;;;kBAlG/C;IAED,IAAI,YAAY,qBAKf;IAED,OAAO,CAAC,YAAY;IAYpB;;;OAGG;IACH,iBAAiB;;;;IAUjB;;;;OAIG;IACG,oBAAoB;;;;;;IAkB1B,sBAAsB;IAMtB,IAAI,WAAW;;0BAIA,CAAC;mBAAkB,CAAC;;;mBAsBnC,CAAF;;;gBAQiD,CAAC;;;;;;;;;;;;MAhC/C;IAED,SAAS,CAAC,yBAAyB,IAAI,OAAO;IAgB9C,6CAA6C,CAC3C,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,EAAE,EACtB,UAAU,CAAC,EAAE,MAAM,GAClB,aAAa;IAsBhB;;;;;;;;;;OAUG;IACH,mBAAmB,CAAC,EAClB,OAAO,EACP,MAAM,EACN,UAAU,EACV,kBAAyB,EACzB,6BAAoC,GACrC,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;QAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,6BAA6B,CAAC,EAAE,OAAO,CAAC;QACxC,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,GAAG,aAAa;IAiBjB;;;;;;;;;;;;;;;OAeG;IACH,2BAA2B,CAAC,EAC1B,OAAO,EACP,kBAAyB,EACzB,6BAAoC,GACrC,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,6BAA6B,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAAC;KACpD,GAAG;QAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC;QAAC,UAAU,EAAE,KAAK,CAAC,KAAK,CAAA;KAAE,GAAG,SAAS;IA8DlE;;;;;;OAMG;IACH,0BAA0B,IAAI,eAAe;IAU7C,OAAO,CAAC,YAAY;IAWpB;;;;;;OAMG;IACG,IAAI;IA0HV;;;;;;OAMG;YACW,OAAO;YAkBP,SAAS;YAgBT,qBAAqB;IAS7B,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;IA+C7C,qBAAqB;IAiBrB,oBAAoB;YAKN,qBAAqB;YAgBrB,wBAAwB;YAsDxB,eAAe;IAO7B;;;;;;;;;OASG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe;IAiClD,OAAO,CAAC,oCAAoC;YAoB9B,yBAAyB;IAejC,eAAe,CAAC,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAIrE,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC;IAIrF,YAAY,CAChB,EAAE,cAAc,EAAE,OAAO,EAAE,GAAE;QAAE,cAAc,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,CAAA;KAAO,EAC7F,OAAO,CAAC,EAAE,eAAe;IAKrB,eAAe,CAAC,OAAO,CAAC,EAAE,eAAe;cAW/B,yBAAyB;cAczB,kBAAkB;IAqB5B,QAAQ,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC;IAKrE,SAAS,CAAC,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC;IAC3E,SAAS,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC;IAiBnD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG;QAAE,MAAM,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAOjG,UAAU,CAAC,MAAM,EAAE,yBAAyB,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAS9G,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAIhG,QAAQ,CAAC,IAAI,EAAE,wBAAwB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAenE,SAAS,CAAC,KAAK,EAAE,wBAAwB,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAIlH,aAAa,CAAC,OAAO,EAAE,4BAA4B,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe;IAIhF,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,EAAE,OAAO,CAAC,EAAE,eAAe;IAIhF,SAAS,CAAC,OAAO,CAAC,EAAE,eAAe;IAInC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,SAAS,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACrC,OAAO,EAAE,gBAAgB,EACzB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAKtC;;;;OAIG;IACH,iBAAiB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM;IAa9C;;;;;;;;;OASG;IACG,UAAU,CAAC,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,GAAE,OAAe,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAsI/G;;;;;;;;OAQG;IACH,sBAAsB,CAAC,KAAK,EAAE,KAAK;IAInC,OAAO,CAAC,UAAU;CAInB"}
+{"version":3,"file":"tdp-client.d.ts","sourceRoot":"","sources":["../../src/tdp-client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACzC,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAE3C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAc,EAAgB,aAAa,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAEpG,OAAO,YAAY,MAAM,QAAQ,CAAC;AAGlC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAI/B,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAMlC,OAAO,EACL,GAAG,EACH,eAAe,EACf,cAAc,EACd,YAAY,EACZ,gBAAgB,EAEhB,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,4BAA4B,EAC5B,wBAAwB,EACxB,0BAA0B,EAC1B,yBAAyB,EACzB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EAC1B,MAAM,OAAO,CAAC;AACf,OAAO,EAIL,kBAAkB,EAEnB,MAAM,QAAQ,CAAC;AAGhB,OAAO,EAAmB,uBAAuB,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAG7D,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGlC,OAAO,EAEL,eAAe,EAGf,iBAAiB,EAElB,MAAM,SAAS,CAAC;AAyBjB,oBAAY,SAAS;IACnB,MAAM,IAAA;IACN,OAAO,IAAA;CACR;AAED,KAAK,QAAQ,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AAC1C,KAAK,IAAI,GAAG,MAAM,EAAE,CAAC;AACrB,KAAK,KAAK,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAC7C,KAAK,KAAK,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AACvC,KAAK,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;AAC9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,aAAa,CAAC,EAAE,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,SAAS,CAAC;IAC5B,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;;;;;;GAOG;AACH,KAAK,kBAAkB,GAAG;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAoBF,wBAAgB,cAAc,CAAC,MAAM,CAAC,EAAE,kBAAkB,gDAUzD;AAED,qBAAa,SAAS;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,QAAQ,wBAAsB;IAEvC,OAAO,CAAC,GAAG,CAAqB;IAChC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC;IACrB,OAAO,CAAC,UAAU,CAA2B;IAC7C,IAAI,SAAS,6BAEZ;IAED,OAAO,CAAC,SAAS,CAAuC;IACxD,IAAI,QAAQ,yCAKX;IAED,OAAO,CAAC,iBAAiB,CAAiC;IAC1D,OAAO,CAAC,mBAAmB,CAA2G;IACtI,OAAO,CAAC,iBAAiB,CAAiC;IAC1D,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,cAAc,CAA4B;IAClD,OAAO,CAAC,SAAS,CAAqB;IAEtC,OAAO,CAAC,aAAa,CAAmB;IACxC,OAAO,CAAC,0BAA0B,CAAW;IAE7C,oBAAoB,UAAS;gBAEjB,OAAO,CAAC,EAAE,gBAAgB;IAOtC,IAAI,aAAa;;0BA0CR,CAAC;mBAAkB,CAAC;;;mBAsBc,CAAC;;;gBAkBX,CAAC;;;;;;;;;;;;kBAhFjC;IAED,IAAI,YAAY,qBAKf;IAED;;;;OAIG;IACH,IAAI,yBAAyB,IAAI,SAAS,MAAM,EAAE,CAEjD;IAED,OAAO,CAAC,YAAY;IAYpB;;;OAGG;IACH,iBAAiB;;;;IAUjB;;;;OAIG;IACG,oBAAoB;;;;;;IAkB1B,sBAAsB;IAMtB,IAAI,WAAW;;0BAjCN,CAAC;mBAAkB,CAAC;;;mBAsBc,CAAC;;;gBAkBX,CAAC;;;;;;;;;;;;MALjC;IAED,SAAS,CAAC,yBAAyB,IAAI,OAAO;IAkB9C,6CAA6C,CAC3C,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,YAAY,CAAC,EAAE,MAAM,EAAE,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB,aAAa;IAsBhB;;;;;;;;;;;OAWG;IACH,mBAAmB,CAAC,EAClB,OAAO,EACP,MAAM,EACN,UAAU,EACV,kBAAyB,EACzB,6BAAoC,GACrC,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;QAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,6BAA6B,CAAC,EAAE,OAAO,CAAC;QACxC,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,GAAG,aAAa;IAsBjB;;;;;;;;;;;;;;;;OAgBG;IACH,2BAA2B,CAAC,EAC1B,OAAO,EACP,kBAAyB,EACzB,6BAAoC,GACrC,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,6BAA6B,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAAC;KACpD,GAAG;QAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC;QAAC,UAAU,EAAE,KAAK,CAAC,KAAK,CAAA;KAAE,GAAG,SAAS;IAkElE;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,8BAA8B,CAAC,OAAO,CAAC,EAAE;QACvC,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC;KAChC,GAAG;QAAE,SAAS,EAAE,eAAe,CAAC;QAAC,UAAU,EAAE,eAAe,CAAC;QAAC,cAAc,EAAE,eAAe,CAAA;KAAE;IA+BhG,OAAO,CAAC,sCAAsC;IAS9C,eAAe,CAAC,OAAO,EACrB,WAAW,EAAE,KAAK,MAAM,EAAE,MAAM,KAAK,OAAO,EAC5C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAClC,OAAO;IAoBV,OAAO,CAAC,YAAY;IAWpB;;;;;;OAMG;IACG,IAAI;IAyHV;;;;;;OAMG;YACW,OAAO;YAkBP,SAAS;YAcT,qBAAqB;IAS7B,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;IA+C7C,qBAAqB;IAiBrB,oBAAoB;YAKN,qBAAqB;YAarB,wBAAwB;YAqDxB,eAAe;IAO7B;;;;;;;;;OASG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe;IAgClD,OAAO,CAAC,oCAAoC;YAoB9B,yBAAyB;IAejC,eAAe,CAAC,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAIrE,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC;IAIrF,YAAY,CAChB,EAAE,cAAc,EAAE,OAAO,EAAE,GAAE;QAAE,cAAc,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,CAAA;KAAO,EAC7F,OAAO,CAAC,EAAE,eAAe;IAKrB,eAAe,CAAC,OAAO,CAAC,EAAE,eAAe;cAW/B,yBAAyB;cAczB,kBAAkB;IAqB5B,QAAQ,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC;IAKrE,SAAS,CAAC,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC;IAC3E,SAAS,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC;IAiBnD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG;QAAE,MAAM,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAOjG,UAAU,CAAC,MAAM,EAAE,yBAAyB,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAS9G,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAIhG,QAAQ,CAAC,IAAI,EAAE,wBAAwB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAenE,SAAS,CAAC,KAAK,EAAE,wBAAwB,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAIlH,aAAa,CAAC,OAAO,EAAE,4BAA4B,EAAE,EAAE,OAAO,CAAC,EAAE,eAAe;IAIhF,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,EAAE,OAAO,CAAC,EAAE,eAAe;IAIhF,SAAS,CAAC,OAAO,CAAC,EAAE,eAAe;IAInC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,SAAS,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACrC,OAAO,EAAE,gBAAgB,EACzB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAKtC;;;;OAIG;IACH,iBAAiB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM;IAa9C;;;;;;;;;OASG;IACG,UAAU,CAAC,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,GAAE,OAAe,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAsI/G;;;;;;;;OAQG;IACH,sBAAsB,CAAC,KAAK,EAAE,KAAK;IAInC,OAAO,CAAC,UAAU;CAInB;AAID,eAAO,MAAM,wBAAwB,eAMpC,CAAC"}

package/dist/src/tdp-client.js

@@ -56,7 +56,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TDPClient = exports.Directive = void 0;
+exports.shouldRejectUnauthorized = exports.TDPClient = exports.Directive = void 0;
 exports.sanitizeConfig = sanitizeConfig;
 const fs = __importStar(require("node:fs"));
 const s3 = __importStar(require("@aws-sdk/client-s3"));
@@ -70,6 +70,7 @@ const fsPromises = __importStar(require("fs/promises"));
 const hpagent_1 = require("hpagent");
 const http = __importStar(require("http"));
 const https = __importStar(require("https"));
+const https_proxy_agent_1 = require("https-proxy-agent");
 const proxy_agent_1 = require("proxy-agent");
 const proxy_from_env_1 = require("proxy-from-env");
 const tls = __importStar(require("tls"));
@@ -82,7 +83,7 @@ const certificates_1 = require("./certificates");
 const checksums_1 = require("./checksums");
 const config_1 = require("./config");
 const constants_1 = require("./constants");
-const https_proxy_agent_1 = require("./https-proxy-agent");
+const https_proxy_agent_2 = require("./https-proxy-agent");
 const logger_1 = require("./logger");
 const manifest_1 = require("./manifest");
 const schemas_1 = require("./schemas");
@@ -90,7 +91,13 @@ const types_1 = require("./types");
 const utils_1 = require("./utils");
 const hubProxyPath = '/etc/hub/proxy.env';
 const HP_AGENT = 'hpagent';
-const AWS_SQS_TIMEOUT = 20 * 1000;
+const AWS_SQS_TIMEOUT_MS = 25 * 1000;
+// TODO: these are called defaults at the moment, but in this initial
+// implementation they are all you get. At some point revisit
+const DEFAULT_S3_CONNECTION_TIMEOUT_MS = 10 * 1000;
+const DEFAULT_S3_SOCKET_TIMEOUT_MS = 10 * 1000;
+// this applies to SSM and CloudWatch, at the moment
+const DEFAULT_GENERIC_AWS_REQUEST_TIMEOUT_MS = 120 * 1000;
 // Key in connector KV store for connector SDK settings
 // The value is expected to be a JSON object
 const TS_SDK_SETTINGS_KEY = 'TS_SDK';
@@ -150,6 +157,7 @@ class TDPClient {
         this.config = new config_1.TDPClientConfig(options);
         this.logger = this.createLogger();
         this._certificates = [];
+        this._tdpDeploymentCertificates = [];
     }
     get isInitialized() {
         var _a;
@@ -161,6 +169,14 @@ class TDPClient {
         }
         return this._certificates;
     }
+    /**
+     * TDP deployment certificates loaded during init() from local volume or S3.
+     * Automatically included in CA bundles created by createAxiosInstance and
+     * createProxyAgentsForBaseUrl when includeAdditionalCertificates is truthy.
+     */
+    get tdpDeploymentCertificates() {
+        return this._tdpDeploymentCertificates;
+    }
     setUserAgent(userAgent) {
         var _a;
         this.logger.debug('Setting TDPClient user agent, will be used for all API requests and axios clients created from this point on', {
@@ -222,11 +238,13 @@ class TDPClient {
         return headers;
     }
     /*
-     * Creates an axios instance with extra provided certificates, TDP jwt + orgSlug headers.
+     * Creates an axios instance with TDP jwt + orgSlug headers and TDP deployment certificates.
+     * When certificates are provided, they are passed as explicit additional certificates.
+     * When omitted, deployment certificates from the instance (loaded during init) are used automatically.
      * @param tdpEndpoint - The TDP endpoint
      * @param orgSlug - The organization slug
      * @param jwt - The TDP jwt
-     * @param certificates - The extra certificates to include
+     * @param certificates - Optional extra certificates to include. If omitted, uses instance deployment certs via includeAdditionalCertificates: true.
      * @param timeout_ms - The axios http request timeout in milliseconds
      */
     createAxiosInstanceWithCertificatesAndHeaders(tdpEndpoint, orgSlug, jwt, certificates, timeout_ms) {
@@ -235,8 +253,8 @@ class TDPClient {
         this.logger.info('Creating axios instance with certificates and headers', { baseUrl: tdpEndpoint, timeout });
         return axios_1.default.create(Object.assign(Object.assign({}, this.createProxyAgentsForBaseUrl({
             baseUrl: tdpEndpoint,
-            rejectUnauthorized: shouldRejectUnauthorized(),
-            includeAdditionalCertificates: certificates,
+            rejectUnauthorized: (0, exports.shouldRejectUnauthorized)(),
+            includeAdditionalCertificates: certificates !== null && certificates !== void 0 ? certificates : true,
         })), { proxy: false, timeout, baseURL: tdpEndpoint, headers: Object.assign({ [constants_1.HTTPAuthKeys.scopeToOrgHeaderKey]: orgSlug, [constants_1.HTTPAuthKeys.jwtAuthTokenHeaderKey]: jwt }, additionalHeaders) }));
     }
     /**
@@ -246,14 +264,20 @@ class TDPClient {
      * @param options.baseUrl base url for proxy selection when this connector is hosted in a Hub
      * @param options.config axios config
      * @param options.rejectUnauthorized rejectUnauthorized, passed to the underlying http(s) Agent
-     * @param options.includeAdditionalCertificates whether to include organization certificates in the http agent
+     * @param options.includeAdditionalCertificates Whether to include TDP deployment certificates and
+     * organization certificates in the http agent. Defaults to true.
      * @param timeout_ms - The axios http request timeout in milliseconds
      * @returns an Axios instance configured with these settings and with proxying http(s) Agents
      */
     createAxiosInstance({ baseUrl, config, timeout_ms, rejectUnauthorized = true, includeAdditionalCertificates = true, }) {
         this.assertInitialized();
         const timeout = timeout_ms !== undefined ? timeout_ms : this.config.httpRequestTimeout;
-        this.logger.info('Creating axios instance', { baseUrl, config: sanitizeConfig(config), rejectUnauthorized, timeout });
+        this.logger.info('Creating axios instance', {
+            baseUrl,
+            config: sanitizeConfig(config),
+            rejectUnauthorized,
+            timeout,
+        });
         const headers = this.getAdditionalAxiosHeaders();
         return axios_1.default.create(Object.assign(Object.assign(Object.assign({ baseURL: baseUrl, timeout }, this.createProxyAgentsForBaseUrl({ baseUrl, rejectUnauthorized, includeAdditionalCertificates })), { proxy: false, headers }), config));
     }
@@ -267,20 +291,25 @@ class TDPClient {
      * a related axios bug.
      * @param options.baseURL The URL that determines which proxy env var (http_proxy, https_proxy, no_proxy) should apply
      * @param options.rejectUnauthorized Whether to inject unauthorized requests in the httpsAgent
-     * @param options.includeAdditionalCertificates Whether to include organization certificates in the httpsAgent.
-     * If omitted or set falsy: only Node's built-in certificates will be included
-     * If set to true, built-in plus org certificates will be included.
-     * If set to an array, built-in plus this array of certificates will be included.
-     * @returns httpAgent and httpsAgent with proxy, rejectUnauthorized, and includeAdditionalCertificates settings
+     * @param options.includeAdditionalCertificates Whether to include TDP deployment certificates and
+     * organization certificates in the httpsAgent. When true (the default), the CA bundle includes
+     * Node built-in certs, TDP deployment certs loaded during init(), and org certs from the TDP API.
+     * When false, only Node built-in certs are included.
+     * If set to an array, built-in certs plus this array of certificates will be included.
+     * @returns httpAgent and httpsAgent with proxy, rejectUnauthorized, and certificate settings
      */
     createProxyAgentsForBaseUrl({ baseUrl, rejectUnauthorized = true, includeAdditionalCertificates = true, }) {
         this.assertProxyInitialized();
         this.logger.info('Checking proxy for url', { baseUrl });
         const proxyUrl = (0, proxy_from_env_1.getProxyForUrl)(baseUrl);
         const builtInCertStrings = tls.rootCertificates;
+        const deploymentCertStrings = includeAdditionalCertificates ? this._tdpDeploymentCertificates : [];
         const orgCertStrings = includeAdditionalCertificates === true ? this.certificates.map((c) => c.content) : [];
         const additionalCertStrings = Array.isArray(includeAdditionalCertificates) ? includeAdditionalCertificates : [];
-        const ca = [...builtInCertStrings, ...orgCertStrings, ...additionalCertStrings];
+        const ca = [...builtInCertStrings, ...deploymentCertStrings, ...orgCertStrings, ...additionalCertStrings];
+        if (deploymentCertStrings.length > 0) {
+            this.logger.info(`Using ${deploymentCertStrings.length} TDP deployment certificates`);
+        }
         if (orgCertStrings.length > 0) {
             this.logger.info(`Using ${orgCertStrings.length} organization certificates`, {
                 certificates: this.certificates.map((c) => ({ id: c.id, name: c.name })),
@@ -306,7 +335,7 @@ class TDPClient {
             }
             else {
                 this.logger.info('Using default https agent');
-                httpsAgent = new https_proxy_agent_1.PatchedHttpsProxyAgent(proxyUrl, {
+                httpsAgent = new https_proxy_agent_2.PatchedHttpsProxyAgent(proxyUrl, {
                     ca,
                     rejectUnauthorized,
                 });
@@ -327,19 +356,72 @@ class TDPClient {
         return undefined;
     }
     /**
-     * Creates a NodeHttpHandler using npm proxy-agent, which will select a correct proxy per request.
+     * Creates NodeHttpHandlers for AWS clients (S3, SQS, and generic) with proxy support.
+     *
+     * When the `IAM_PROXY` environment variable is set, all three handlers use a fixed
+     * `HttpsProxyAgent` pointed at that URL, providing an explicit proxy override for AWS
+     * traffic in network-restricted deployments.
+     *
+     * When `IAM_PROXY` is not set, handlers fall back to `proxy-agent`, which performs
+     * per-request proxy selection based on the standard `http_proxy`/`https_proxy`
+     * environment variables.
+     *
      * Only works for connections where rejectUnauthorized or additional certificates are not needed,
      * such as to AWS or trusted servers; if you need to connect to an untrusted server or use organization certificates,
      * use createProxyAgentsForBaseUrl and specify a baseUrl and (optionally) rejectUnauthorized: false.
-     * @returns A NodeHttpHandler with agents that will choose a correct proxy for each request.
+     * @param options - Optional timeout configuration for the handlers
+     * @param options.s3ConnectionTimeout - Connection timeout for S3 handler in milliseconds (default: 10000)
+     * @param options.s3SocketTimeout - Socket timeout for S3 handler in milliseconds (default: 10000)
+     * @param options.sqsRequestTimeout - Request timeout for SQS handler in milliseconds (default: 20000)
+     * @param options.genericRequestTimeout - Request timeout for generic AWS handler in milliseconds (default: 120000)
+     * @returns a set of proxy-aware NodeHttpHandlers for S3, SQS, and generic AWS clients
      */
-    createProxyNodeHttpHandler() {
+    createProxyAWSNodeHttpHandlers(options) {
+        var _a, _b, _c, _d;
         this.assertProxyInitialized();
-        this.logger.info('Creating NodeHttpHandler');
-        return new node_http_handler_1.NodeHttpHandler({
-            httpAgent: new proxy_agent_1.ProxyAgent(),
-            httpsAgent: new proxy_agent_1.ProxyAgent(),
+        this.logger.info('Creating NodeHttpHandlers for AWS clients');
+        const iamProxy = process.env.IAM_PROXY;
+        const makeAgent = () => (iamProxy ? new https_proxy_agent_1.HttpsProxyAgent(iamProxy) : new proxy_agent_1.ProxyAgent());
+        // because file uploads might take a long time, structure this using socket
+        // idle timeouts rather than request timeout
+        const s3Handler = new node_http_handler_1.NodeHttpHandler({
+            httpAgent: makeAgent(),
+            httpsAgent: makeAgent(),
+            connectionTimeout: (_a = options === null || options === void 0 ? void 0 : options.s3ConnectionTimeout) !== null && _a !== void 0 ? _a : DEFAULT_S3_CONNECTION_TIMEOUT_MS,
+            socketTimeout: (_b = options === null || options === void 0 ? void 0 : options.s3SocketTimeout) !== null && _b !== void 0 ? _b : DEFAULT_S3_SOCKET_TIMEOUT_MS,
+        });
+        const sqsHandler = new node_http_handler_1.NodeHttpHandler({
+            httpAgent: makeAgent(),
+            httpsAgent: makeAgent(),
+            requestTimeout: (_c = options === null || options === void 0 ? void 0 : options.sqsRequestTimeout) !== null && _c !== void 0 ? _c : AWS_SQS_TIMEOUT_MS,
+            throwOnRequestTimeout: true,
         });
+        const genericHandler = new node_http_handler_1.NodeHttpHandler({
+            httpAgent: makeAgent(),
+            httpsAgent: makeAgent(),
+            requestTimeout: (_d = options === null || options === void 0 ? void 0 : options.genericRequestTimeout) !== null && _d !== void 0 ? _d : DEFAULT_GENERIC_AWS_REQUEST_TIMEOUT_MS,
+            throwOnRequestTimeout: true,
+        });
+        return { s3Handler, sqsHandler, genericHandler };
+    }
+    ensureAwsClientDependenciesInitialized() {
+        if (!this.awsNodeHttpHandlers) {
+            this.awsNodeHttpHandlers = this.createProxyAWSNodeHttpHandlers();
+        }
+        if (!this.awsClientProvider) {
+            this.awsClientProvider = new auth_1.AwsEnvClientProvider(this.config.awsRegion, this.awsNodeHttpHandlers);
+        }
+    }
+    createAwsClient(ClientClass, overrides) {
+        if (!this.isProxyInitialized) {
+            throw new Error('AWS not initialized. Call init() first.');
+        }
+        this.ensureAwsClientDependenciesInitialized();
+        if (!this.awsClientProvider || !this.awsNodeHttpHandlers) {
+            throw new Error('AWS client dependencies are unavailable. Call init() first, and if AWS setup was deferred, ensure environment-based AWS configuration is available.');
+        }
+        const credentials = this.awsClientProvider.getCredentialsProvider();
+        return new ClientClass(Object.assign(Object.assign(Object.assign({ region: this.config.awsRegion }, (credentials && { credentials })), { requestHandler: this.awsNodeHttpHandlers.genericHandler }), overrides));
     }
     createLogger() {
         return new logger_1.Logger({
@@ -367,14 +449,18 @@ class TDPClient {
                 this.authTokenProvider = new auth_1.UserSuppliedAuthTokenProvider(this.config.authToken);
                 this.jwt = this.config.authToken;
                 // Load certificates from local file only (no S3 access without AWS init)
-                const localTdpCertificates = yield (0, certificates_1.loadCertificatesFromLocalVolume)(this.config, this.logger);
-                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt, localTdpCertificates), this.logger);
+                this._tdpDeploymentCertificates = yield (0, certificates_1.loadCertificatesFromLocalVolume)(this.config, this.logger);
+                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt), this.logger);
             }
             // Priority 2: CONNECTOR_TOKEN env var (Hub connector flow)
             else if (process.env.CONNECTOR_TOKEN) {
-                const localTdpCertificates = yield (0, certificates_1.loadCertificatesFromLocalVolume)(this.config, this.logger);
-                const axiosClientWithLocalCertificates = this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, process.env.CONNECTOR_TOKEN, localTdpCertificates);
-                this.awsClientProvider = new auth_1.AwsRefreshClientProvider(this.createProxyNodeHttpHandler(), axiosClientWithLocalCertificates, this.config.awsRegion, this.config.connectorId, this.logger);
+                // Load local certs first for the bootstrap axios (S3 not yet available).
+                // These are set on the instance so createAxiosInstanceWithCertificatesAndHeaders
+                // picks them up via includeAdditionalCertificates: true.
+                this._tdpDeploymentCertificates = yield (0, certificates_1.loadCertificatesFromLocalVolume)(this.config, this.logger);
+                const axiosClientWithLocalCertificates = this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, process.env.CONNECTOR_TOKEN);
+                this.awsNodeHttpHandlers = this.createProxyAWSNodeHttpHandlers();
+                this.awsClientProvider = new auth_1.AwsRefreshClientProvider(this.awsNodeHttpHandlers, axiosClientWithLocalCertificates, this.config.awsRegion, this.config.connectorId, this.logger);
                 this.authTokenProvider = new auth_1.UserSuppliedAuthTokenProvider(process.env.CONNECTOR_TOKEN);
                 if (!process.env.SKIP_CLOUDWATCH) {
                     yield this.logger.startCloudwatch(this.awsClientProvider.getCloudwatchLogsClient());
@@ -386,13 +472,15 @@ class TDPClient {
                 const authToken = yield this.authTokenProvider.getAuthToken();
                 this.logger.info('Retrieved connector auth token');
                 this.jwt = authToken.value;
-                const tdpCertificates = yield (0, certificates_1.loadTdpCertificates)(this.awsClientProvider.getS3Client(), this.logger, this.config);
-                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt, tdpCertificates), this.logger);
+                // Full load: local file with S3 fallback. Overwrites the local-only certs above.
+                this._tdpDeploymentCertificates = yield (0, certificates_1.loadTdpCertificates)(this.awsClientProvider.getS3Client(), this.logger, this.config);
+                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt), this.logger);
                 this.isAwsInitialized = true;
             }
             // Priority 3: AWS credentials from environment (Cloud connector flow)
             else {
-                this.awsClientProvider = new auth_1.AwsEnvClientProvider(this.config.awsRegion, this.createProxyNodeHttpHandler());
+                this.awsNodeHttpHandlers = this.createProxyAWSNodeHttpHandlers();
+                this.awsClientProvider = new auth_1.AwsEnvClientProvider(this.config.awsRegion, this.awsNodeHttpHandlers);
                 this.authTokenProvider =
                     this.config.authTokenProvider ||
                         new auth_1.AwsSecretAuthTokenProvider(this.awsClientProvider.getSsmClient(), this.config.jwtTokenParameter);
@@ -403,8 +491,8 @@ class TDPClient {
                 const authToken = yield this.authTokenProvider.getAuthToken();
                 this.logger.info('Retrieved connector auth token');
                 this.jwt = authToken.value;
-                const tdpCertificates = yield (0, certificates_1.loadTdpCertificates)(this.awsClientProvider.getS3Client(), this.logger, this.config);
-                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt, tdpCertificates), this.logger);
+                this._tdpDeploymentCertificates = yield (0, certificates_1.loadTdpCertificates)(this.awsClientProvider.getS3Client(), this.logger, this.config);
+                this.api = new api_1.Api(this.config, this.createAxiosInstanceWithCertificatesAndHeaders(this.config.tdpEndpoint, this.config.orgSlug, this.jwt), this.logger);
                 this.isAwsInitialized = true;
             }
             const requestId = (0, uuid_1.v4)();
@@ -453,7 +541,8 @@ class TDPClient {
         return __awaiter(this, void 0, void 0, function* () {
             this.logger.info('Lazily initializing AWS clients');
             try {
-                this.awsClientProvider = new auth_1.AwsEnvClientProvider(this.config.awsRegion, this.createProxyNodeHttpHandler());
+                this.awsNodeHttpHandlers = this.createProxyAWSNodeHttpHandlers();
+                this.awsClientProvider = new auth_1.AwsEnvClientProvider(this.config.awsRegion, this.awsNodeHttpHandlers);
                 this.isAwsInitialized = true;
                 this.logger.info('AWS clients initialized successfully');
             }
@@ -548,9 +637,7 @@ class TDPClient {
                 QueueUrl: this._connector.commandQueue,
                 MaxNumberOfMessages: 1,
                 WaitTimeSeconds: waitTimeSeconds,
-            }), {
-                abortSignal: AbortSignal.timeout(waitTimeSeconds + AWS_SQS_TIMEOUT),
-            });
+            }));
             return Messages.length > 0 ? Messages[0] : null;
         });
     }
@@ -592,7 +679,7 @@ class TDPClient {
             yield sqsClient.send(new sqs.DeleteMessageCommand({
                 QueueUrl: this._connector.commandQueue,
                 ReceiptHandle,
-            }), { abortSignal: AbortSignal.timeout(AWS_SQS_TIMEOUT) });
+            }));
             this.logger.info('Deleted SQS message', { messageId: message.MessageId });
         });
     }
@@ -638,7 +725,7 @@ class TDPClient {
             yield sqsClient.send(new sqs.SendMessageCommand({
                 QueueUrl: this.config.outboundCommandQueue || undefined,
                 MessageBody: JSON.stringify(messageBody),
-            }), { abortSignal: AbortSignal.timeout(AWS_SQS_TIMEOUT) });
+            }));
             this.logger.info('Sent command response', { commandId: command.commandId });
         });
     }
@@ -906,7 +993,7 @@ class TDPClient {
             const isHubConnector = hostType === api_1.ConnectorHostType.HUB;
             const integrationType = isHubConnector ? constants_1.IntegrationTypes.HUB : constants_1.IntegrationTypes.API;
             const integrationId = isHubConnector
-                ? (_e = (_d = this._connector) === null || _d === void 0 ? void 0 : _d.hub.id) !== null && _e !== void 0 ? _e : constants_1.Constants.API_UPLOAD_V1_INTEGRATION_ID
+                ? ((_e = (_d = this._connector) === null || _d === void 0 ? void 0 : _d.hub.id) !== null && _e !== void 0 ? _e : constants_1.Constants.API_UPLOAD_V1_INTEGRATION_ID)
                 : constants_1.Constants.API_UPLOAD_V1_INTEGRATION_ID;
             const sourceName = (_g = (_f = this._connector) === null || _f === void 0 ? void 0 : _f.name) !== null && _g !== void 0 ? _g : 'unknown';
             const trace = request.trace || {};
@@ -962,4 +1049,5 @@ const shouldRejectUnauthorized = () => {
     }
     return !['false', '0'].includes(process.env.NODE_TLS_REJECT_UNAUTHORIZED);
 };
+exports.shouldRejectUnauthorized = shouldRejectUnauthorized;
 //# sourceMappingURL=tdp-client.js.map