blockintel-gate-sdk 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1193 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var uuid = require('uuid');
+var clientKms = require('@aws-sdk/client-kms');
+var crypto$1 = require('crypto');
+
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/utils/crypto.ts
+async function hmacSha256(secret, message) {
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    const messageData = encoder.encode(message);
+    const key = await crypto.subtle.importKey(
+      "raw",
+      keyData,
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+    const signature = await crypto.subtle.sign("HMAC", key, messageData);
+    const hashArray = Array.from(new Uint8Array(signature));
+    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  if (typeof __require !== "undefined") {
+    const crypto2 = __require("crypto");
+    const hmac = crypto2.createHmac("sha256", secret);
+    hmac.update(message, "utf8");
+    return hmac.digest("hex");
+  }
+  throw new Error("HMAC-SHA256 not available in this environment");
+}
+
+// src/utils/canonicalJson.ts
+function canonicalizeJson(obj) {
+  if (obj === null || obj === void 0) {
+    return "null";
+  }
+  if (typeof obj === "string") {
+    return JSON.stringify(obj);
+  }
+  if (typeof obj === "number" || typeof obj === "boolean") {
+    return String(obj);
+  }
+  if (Array.isArray(obj)) {
+    const items = obj.map((item) => canonicalizeJson(item));
+    return `[${items.join(",")}]`;
+  }
+  if (typeof obj === "object") {
+    const keys = Object.keys(obj).sort();
+    const pairs = keys.map((key) => {
+      const value = obj[key];
+      const canonicalValue = canonicalizeJson(value);
+      return `${JSON.stringify(key)}:${canonicalValue}`;
+    });
+    return `{${pairs.join(",")}}`;
+  }
+  return JSON.stringify(obj);
+}
+async function sha256Hex(input) {
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(input);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  if (typeof __require !== "undefined") {
+    const crypto2 = __require("crypto");
+    return crypto2.createHash("sha256").update(input, "utf8").digest("hex");
+  }
+  throw new Error("SHA-256 not available in this environment");
+}
+
+// src/auth/HmacSigner.ts
+var HmacSigner = class {
+  keyId;
+  secret;
+  constructor(config) {
+    this.keyId = config.keyId;
+    this.secret = config.secret;
+    if (!this.secret || this.secret.length === 0) {
+      throw new Error("HMAC secret cannot be empty");
+    }
+  }
+  /**
+   * Sign a request and return headers
+   */
+  async signRequest(params) {
+    const { method, path, tenantId, timestampMs, requestId, body } = params;
+    const bodyJson = body ? canonicalizeJson(body) : "";
+    const bodyHash = await sha256Hex(bodyJson);
+    const signingString = [
+      "v1",
+      method.toUpperCase(),
+      path,
+      tenantId,
+      this.keyId,
+      String(timestampMs),
+      requestId,
+      // Used as nonce in canonical string
+      bodyHash
+    ].join("\n");
+    const signature = await hmacSha256(this.secret, signingString);
+    return {
+      "X-GATE-TENANT-ID": tenantId,
+      "X-GATE-KEY-ID": this.keyId,
+      "X-GATE-TIMESTAMP-MS": String(timestampMs),
+      "X-GATE-REQUEST-ID": requestId,
+      "X-GATE-SIGNATURE": signature
+    };
+  }
+};
+
+// src/auth/ApiKeyAuth.ts
+var ApiKeyAuth = class {
+  apiKey;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    if (!this.apiKey || this.apiKey.length === 0) {
+      throw new Error("API key cannot be empty");
+    }
+  }
+  /**
+   * Create headers for API key authentication
+   */
+  createHeaders(params) {
+    const { tenantId, timestampMs, requestId } = params;
+    return {
+      "X-API-KEY": this.apiKey,
+      "X-GATE-TENANT-ID": tenantId,
+      "X-GATE-REQUEST-ID": requestId,
+      "X-GATE-TIMESTAMP-MS": String(timestampMs)
+    };
+  }
+};
+
+// src/types/errors.ts
+var GateErrorCode = /* @__PURE__ */ ((GateErrorCode2) => {
+  GateErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  GateErrorCode2["TIMEOUT"] = "TIMEOUT";
+  GateErrorCode2["NOT_FOUND"] = "NOT_FOUND";
+  GateErrorCode2["UNAUTHORIZED"] = "UNAUTHORIZED";
+  GateErrorCode2["FORBIDDEN"] = "FORBIDDEN";
+  GateErrorCode2["RATE_LIMITED"] = "RATE_LIMITED";
+  GateErrorCode2["SERVER_ERROR"] = "SERVER_ERROR";
+  GateErrorCode2["INVALID_RESPONSE"] = "INVALID_RESPONSE";
+  GateErrorCode2["STEP_UP_NOT_CONFIGURED"] = "STEP_UP_NOT_CONFIGURED";
+  GateErrorCode2["STEP_UP_TIMEOUT"] = "STEP_UP_TIMEOUT";
+  GateErrorCode2["BLOCKED"] = "BLOCKED";
+  GateErrorCode2["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
+  GateErrorCode2["AUTH_ERROR"] = "AUTH_ERROR";
+  return GateErrorCode2;
+})(GateErrorCode || {});
+var GateError = class extends Error {
+  code;
+  status;
+  details;
+  requestId;
+  correlationId;
+  constructor(code, message, options) {
+    super(message);
+    this.name = "GateError";
+    this.code = code;
+    this.status = options?.status;
+    this.details = options?.details;
+    this.requestId = options?.requestId;
+    this.correlationId = options?.correlationId;
+    if (options?.cause) {
+      this.cause = options.cause;
+    }
+    Error.captureStackTrace(this, this.constructor);
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+      requestId: this.requestId,
+      correlationId: this.correlationId
+    };
+  }
+};
+var StepUpNotConfiguredError = class extends GateError {
+  constructor(requestId) {
+    super(
+      "STEP_UP_NOT_CONFIGURED" /* STEP_UP_NOT_CONFIGURED */,
+      "Step-up is required but not configured in SDK. Enable step-up in client config or treat REQUIRE_STEP_UP as BLOCK.",
+      { requestId }
+    );
+    this.name = "StepUpNotConfiguredError";
+  }
+};
+var BlockIntelBlockedError = class extends GateError {
+  receiptId;
+  reasonCode;
+  constructor(reasonCode, receiptId, correlationId, requestId) {
+    super(
+      "BLOCKED" /* BLOCKED */,
+      `Transaction blocked: ${reasonCode}`,
+      { correlationId, requestId, details: { reasonCode, receiptId } }
+    );
+    this.name = "BlockIntelBlockedError";
+    this.receiptId = receiptId;
+    this.reasonCode = reasonCode;
+  }
+};
+var BlockIntelUnavailableError = class extends GateError {
+  constructor(message, requestId) {
+    super("SERVICE_UNAVAILABLE" /* SERVICE_UNAVAILABLE */, message, { requestId });
+    this.name = "BlockIntelUnavailableError";
+  }
+};
+var BlockIntelAuthError = class extends GateError {
+  constructor(message, status, requestId) {
+    super(
+      status === 401 ? "UNAUTHORIZED" /* UNAUTHORIZED */ : "FORBIDDEN" /* FORBIDDEN */,
+      message,
+      { status, requestId }
+    );
+    this.name = "BlockIntelAuthError";
+  }
+};
+var BlockIntelStepUpRequiredError = class extends GateError {
+  stepUpRequestId;
+  statusUrl;
+  expiresAtMs;
+  constructor(stepUpRequestId, statusUrl, expiresAtMs, requestId) {
+    super(
+      "STEP_UP_NOT_CONFIGURED" /* STEP_UP_NOT_CONFIGURED */,
+      "Step-up approval required",
+      {
+        requestId,
+        details: { stepUpRequestId, statusUrl, expiresAtMs }
+      }
+    );
+    this.name = "BlockIntelStepUpRequiredError";
+    this.stepUpRequestId = stepUpRequestId;
+    this.statusUrl = statusUrl;
+    this.expiresAtMs = expiresAtMs;
+  }
+};
+
+// src/http/retry.ts
+var DEFAULT_RETRY_OPTIONS = {
+  maxAttempts: 3,
+  baseDelayMs: 100,
+  maxDelayMs: 800,
+  factor: 2
+};
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status < 600;
+}
+function isRetryableError(error) {
+  if (error instanceof Error) {
+    const message = error.message.toLowerCase();
+    return message.includes("network") || message.includes("timeout") || message.includes("connection") || message.includes("econnrefused") || message.includes("enotfound") || message.includes("econnreset");
+  }
+  return false;
+}
+function calculateBackoffDelay(attempt, options) {
+  const exponentialDelay = options.baseDelayMs * Math.pow(options.factor, attempt - 1);
+  const jitter = Math.random() * 0.3 * exponentialDelay;
+  const delay = exponentialDelay + jitter;
+  return Math.min(delay, options.maxDelayMs);
+}
+function isRetryableGateError(error) {
+  if (error && typeof error === "object" && "code" in error) {
+    const gateError = error;
+    if (gateError.code === "SERVER_ERROR" || gateError.code === "RATE_LIMITED") {
+      return true;
+    }
+    if (gateError.status && isRetryableStatus(gateError.status)) {
+      return true;
+    }
+  }
+  return false;
+}
+async function retryWithBackoff(fn, options = {}) {
+  const opts = { ...DEFAULT_RETRY_OPTIONS, ...options };
+  let lastError;
+  for (let attempt = 1; attempt <= opts.maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt >= opts.maxAttempts) {
+        break;
+      }
+      if (error instanceof Response && !isRetryableStatus(error.status)) {
+        throw error;
+      }
+      const isRetryable = error instanceof Response && isRetryableStatus(error.status) || isRetryableError(error) || isRetryableGateError(error);
+      if (!isRetryable) {
+        throw error;
+      }
+      const delay = calculateBackoffDelay(attempt, opts);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+  throw lastError;
+}
+
+// src/http/HttpClient.ts
+var HttpClient = class {
+  baseUrl;
+  timeoutMs;
+  userAgent;
+  retryOptions;
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.timeoutMs = config.timeoutMs ?? 15e3;
+    this.userAgent = config.userAgent ?? "blockintel-gate-sdk/0.1.0";
+    this.retryOptions = config.retryOptions;
+    if (!this.baseUrl) {
+      throw new Error("baseUrl is required");
+    }
+    if (typeof process !== "undefined" && process.env.NODE_ENV === "production") {
+      if (!this.baseUrl.startsWith("https://") && !this.baseUrl.includes("localhost")) {
+        throw new Error("baseUrl must use HTTPS in production (except localhost)");
+      }
+    }
+  }
+  /**
+   * Make an HTTP request with retry and timeout
+   */
+  async request(options) {
+    const { method, path, headers = {}, body, requestId } = options;
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await retryWithBackoff(
+        async () => {
+          const fetchOptions = {
+            method,
+            headers: {
+              ...headers,
+              "User-Agent": this.userAgent,
+              "Content-Type": "application/json"
+            },
+            signal: controller.signal
+          };
+          if (body) {
+            fetchOptions.body = JSON.stringify(body);
+          }
+          const res = await fetch(url, fetchOptions);
+          if (!res.ok && isRetryableStatus(res.status)) {
+            throw res;
+          }
+          if (!res.ok && !isRetryableStatus(res.status)) {
+            throw res;
+          }
+          return res;
+        },
+        {
+          ...this.retryOptions
+          // Custom retry logic that handles Response objects
+        }
+      );
+      clearTimeout(timeoutId);
+      let data;
+      const contentType = response.headers.get("content-type");
+      if (contentType && contentType.includes("application/json")) {
+        try {
+          data = await response.json();
+        } catch (parseError) {
+          throw new GateError(
+            "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+            "Failed to parse JSON response",
+            {
+              status: response.status,
+              requestId,
+              cause: parseError instanceof Error ? parseError : void 0
+            }
+          );
+        }
+      } else {
+        const text = await response.text();
+        throw new GateError(
+          "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+          `Unexpected content type: ${contentType}`,
+          {
+            status: response.status,
+            details: { body: text.substring(0, 200) },
+            requestId
+          }
+        );
+      }
+      if (!response.ok) {
+        const errorCode = this.statusToErrorCode(response.status);
+        const correlationId = response.headers.get("X-Correlation-ID") ?? void 0;
+        throw new GateError(errorCode, `HTTP ${response.status}: ${response.statusText}`, {
+          status: response.status,
+          correlationId,
+          requestId,
+          details: data
+        });
+      }
+      return data;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new GateError("TIMEOUT" /* TIMEOUT */, `Request timeout after ${this.timeoutMs}ms`, {
+          requestId
+        });
+      }
+      if (error instanceof Response) {
+        const errorCode = this.statusToErrorCode(error.status);
+        const correlationId = error.headers.get("X-Correlation-ID") ?? void 0;
+        let details;
+        try {
+          const text = await error.text();
+          try {
+            details = JSON.parse(text);
+          } catch {
+            details = { body: text.substring(0, 200) };
+          }
+        } catch {
+        }
+        throw new GateError(errorCode, `HTTP ${error.status}: ${error.statusText}`, {
+          status: error.status,
+          correlationId,
+          requestId,
+          details
+        });
+      }
+      if (isRetryableError(error)) {
+        throw new GateError(
+          "NETWORK_ERROR" /* NETWORK_ERROR */,
+          `Network error: ${error instanceof Error ? error.message : String(error)}`,
+          {
+            requestId,
+            cause: error instanceof Error ? error : void 0
+          }
+        );
+      }
+      if (error instanceof GateError) {
+        throw error;
+      }
+      throw new GateError(
+        "NETWORK_ERROR" /* NETWORK_ERROR */,
+        `Unexpected error: ${error instanceof Error ? error.message : String(error)}`,
+        {
+          requestId,
+          cause: error instanceof Error ? error : void 0
+        }
+      );
+    }
+  }
+  /**
+   * Map HTTP status code to GateErrorCode
+   */
+  statusToErrorCode(status) {
+    if (status === 401) return "UNAUTHORIZED" /* UNAUTHORIZED */;
+    if (status === 403) return "FORBIDDEN" /* FORBIDDEN */;
+    if (status === 404) return "NOT_FOUND" /* NOT_FOUND */;
+    if (status === 429) return "RATE_LIMITED" /* RATE_LIMITED */;
+    if (status >= 500 && status < 600) return "SERVER_ERROR" /* SERVER_ERROR */;
+    return "NETWORK_ERROR" /* NETWORK_ERROR */;
+  }
+};
+
+// src/utils/time.ts
+function nowMs() {
+  return Date.now();
+}
+function nowEpochSeconds() {
+  return Math.floor(Date.now() / 1e3);
+}
+function clamp(value, min, max) {
+  return Math.max(min, Math.min(max, value));
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/stepup/stepup.ts
+var DEFAULT_POLLING_INTERVAL_MS = 250;
+var DEFAULT_MAX_WAIT_MS = 15e3;
+var DEFAULT_TTL_MIN_SECONDS = 300;
+var DEFAULT_TTL_MAX_SECONDS = 900;
+var DEFAULT_TTL_DEFAULT_SECONDS = 600;
+var StepUpPoller = class {
+  httpClient;
+  tenantId;
+  pollingIntervalMs;
+  maxWaitMs;
+  ttlMinSeconds;
+  ttlMaxSeconds;
+  ttlDefaultSeconds;
+  constructor(config) {
+    this.httpClient = config.httpClient;
+    this.tenantId = config.tenantId;
+    this.pollingIntervalMs = config.pollingIntervalMs ?? DEFAULT_POLLING_INTERVAL_MS;
+    this.maxWaitMs = config.maxWaitMs ?? DEFAULT_MAX_WAIT_MS;
+    this.ttlMinSeconds = config.ttlMinSeconds ?? DEFAULT_TTL_MIN_SECONDS;
+    this.ttlMaxSeconds = config.ttlMaxSeconds ?? DEFAULT_TTL_MAX_SECONDS;
+    this.ttlDefaultSeconds = config.ttlDefaultSeconds ?? DEFAULT_TTL_DEFAULT_SECONDS;
+  }
+  /**
+   * Get current step-up status
+   */
+  async getStatus(requestId) {
+    const path = `/defense/stepup/status?tenantId=${encodeURIComponent(this.tenantId)}&requestId=${encodeURIComponent(requestId)}`;
+    try {
+      const apiResponse = await this.httpClient.request({
+        method: "GET",
+        path,
+        requestId
+      });
+      const response = {
+        status: apiResponse.status,
+        tenantId: apiResponse.tenant_id ?? apiResponse.tenantId,
+        requestId: apiResponse.request_id ?? apiResponse.requestId,
+        decision: apiResponse.decision,
+        reasonCodes: apiResponse.reason_codes ?? apiResponse.reasonCodes,
+        correlationId: apiResponse.correlation_id ?? apiResponse.correlationId,
+        expiresAtMs: apiResponse.expires_at_ms ?? apiResponse.expiresAtMs,
+        ttl: apiResponse.ttl
+      };
+      const now = nowEpochSeconds();
+      if (response.ttl !== void 0 && response.ttl <= now) {
+        return {
+          ...response,
+          status: "EXPIRED"
+        };
+      }
+      return response;
+    } catch (error) {
+      if (error instanceof GateError && error.code === "NOT_FOUND" /* NOT_FOUND */) {
+        throw new GateError(
+          "NOT_FOUND" /* NOT_FOUND */,
+          `Step-up request not found: ${requestId}`,
+          { requestId }
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Wait for step-up decision with polling
+   * 
+   * Polls until status is APPROVED, DENIED, or EXPIRED, or timeout is reached.
+   */
+  async awaitDecision(requestId, options) {
+    const startTime = Date.now();
+    const maxWaitMs = options?.maxWaitMs ?? this.maxWaitMs;
+    const intervalMs = options?.intervalMs ?? this.pollingIntervalMs;
+    while (true) {
+      const elapsedMs = Date.now() - startTime;
+      if (elapsedMs >= maxWaitMs) {
+        throw new GateError(
+          "STEP_UP_TIMEOUT" /* STEP_UP_TIMEOUT */,
+          `Step-up decision timeout after ${maxWaitMs}ms`,
+          { requestId }
+        );
+      }
+      try {
+        const status = await this.getStatus(requestId);
+        const now = nowEpochSeconds();
+        if (status.ttl !== void 0 && status.ttl <= now) {
+          return {
+            status: "EXPIRED",
+            requestId,
+            elapsedMs,
+            correlationId: status.correlationId
+          };
+        }
+        if (status.status === "APPROVED" || status.status === "DENIED" || status.status === "EXPIRED") {
+          return {
+            status: status.status,
+            requestId,
+            elapsedMs,
+            decision: status.decision,
+            reasonCodes: status.reasonCodes,
+            correlationId: status.correlationId
+          };
+        }
+        await sleep(intervalMs);
+      } catch (error) {
+        if (error instanceof GateError && error.code === "NOT_FOUND" /* NOT_FOUND */) {
+          throw error;
+        }
+        const remainingMs = maxWaitMs - (Date.now() - startTime);
+        if (remainingMs <= 0) {
+          throw new GateError(
+            "STEP_UP_TIMEOUT" /* STEP_UP_TIMEOUT */,
+            `Step-up decision timeout after ${maxWaitMs}ms`,
+            { requestId, cause: error instanceof Error ? error : void 0 }
+          );
+        }
+        await sleep(Math.min(intervalMs, remainingMs));
+      }
+    }
+  }
+  /**
+   * Clamp TTL to guardrails
+   */
+  clampTtl(ttlSeconds) {
+    if (ttlSeconds === void 0) {
+      return this.ttlDefaultSeconds;
+    }
+    return clamp(ttlSeconds, this.ttlMinSeconds, this.ttlMaxSeconds);
+  }
+};
+
+// src/circuit/CircuitBreaker.ts
+var CircuitBreaker = class {
+  state = "CLOSED";
+  failures = 0;
+  successes = 0;
+  lastFailureTime;
+  lastSuccessTime;
+  tripsToOpen = 0;
+  tripThreshold;
+  coolDownMs;
+  constructor(config = {}) {
+    this.tripThreshold = config.tripAfterConsecutiveFailures ?? 5;
+    this.coolDownMs = config.coolDownMs ?? 3e4;
+  }
+  /**
+   * Execute function with circuit breaker protection
+   */
+  async execute(fn) {
+    if (this.state === "OPEN") {
+      const now = Date.now();
+      const timeSinceLastFailure = this.lastFailureTime ? now - this.lastFailureTime : Infinity;
+      if (timeSinceLastFailure >= this.coolDownMs) {
+        this.state = "HALF_OPEN";
+        this.failures = 0;
+      } else {
+        throw new CircuitBreakerOpenError(
+          `Circuit breaker is OPEN. Will retry after ${this.coolDownMs - timeSinceLastFailure}ms`
+        );
+      }
+    }
+    try {
+      const result = await fn();
+      this.onSuccess();
+      return result;
+    } catch (error) {
+      this.onFailure();
+      throw error;
+    }
+  }
+  onSuccess() {
+    this.successes++;
+    this.lastSuccessTime = Date.now();
+    if (this.state === "HALF_OPEN") {
+      this.state = "CLOSED";
+      this.failures = 0;
+    } else if (this.state === "CLOSED") {
+      this.failures = 0;
+    }
+  }
+  onFailure() {
+    this.failures++;
+    this.lastFailureTime = Date.now();
+    if (this.state === "HALF_OPEN") {
+      this.state = "OPEN";
+      this.tripsToOpen++;
+    } else if (this.state === "CLOSED" && this.failures >= this.tripThreshold) {
+      this.state = "OPEN";
+      this.tripsToOpen++;
+    }
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return {
+      failures: this.failures,
+      successes: this.successes,
+      state: this.state,
+      lastFailureTime: this.lastFailureTime,
+      lastSuccessTime: this.lastSuccessTime,
+      tripsToOpen: this.tripsToOpen
+    };
+  }
+  /**
+   * Reset circuit breaker to CLOSED state
+   */
+  reset() {
+    this.state = "CLOSED";
+    this.failures = 0;
+    this.successes = 0;
+    this.lastFailureTime = void 0;
+    this.lastSuccessTime = void 0;
+    this.tripsToOpen = 0;
+  }
+};
+var CircuitBreakerOpenError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CircuitBreakerOpenError";
+  }
+};
+
+// src/metrics/MetricsCollector.ts
+var MetricsCollector = class {
+  requestsTotal = 0;
+  allowedTotal = 0;
+  blockedTotal = 0;
+  stepupTotal = 0;
+  timeoutsTotal = 0;
+  errorsTotal = 0;
+  circuitBreakerOpenTotal = 0;
+  latencyMs = [];
+  maxSamples = 1e3;
+  // Keep last 1000 samples
+  hooks = [];
+  /**
+   * Record a request
+   */
+  recordRequest(decision, latencyMs) {
+    this.requestsTotal++;
+    if (decision === "ALLOW") {
+      this.allowedTotal++;
+    } else if (decision === "BLOCK") {
+      this.blockedTotal++;
+    } else if (decision === "REQUIRE_STEP_UP") {
+      this.stepupTotal++;
+    }
+    this.latencyMs.push(latencyMs);
+    if (this.latencyMs.length > this.maxSamples) {
+      this.latencyMs.shift();
+    }
+    this.emitMetrics();
+  }
+  /**
+   * Record a timeout
+   */
+  recordTimeout() {
+    this.timeoutsTotal++;
+    this.errorsTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Record an error
+   */
+  recordError() {
+    this.errorsTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Record circuit breaker open
+   */
+  recordCircuitBreakerOpen() {
+    this.circuitBreakerOpenTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Get current metrics snapshot
+   */
+  getMetrics() {
+    return {
+      requestsTotal: this.requestsTotal,
+      allowedTotal: this.allowedTotal,
+      blockedTotal: this.blockedTotal,
+      stepupTotal: this.stepupTotal,
+      timeoutsTotal: this.timeoutsTotal,
+      errorsTotal: this.errorsTotal,
+      circuitBreakerOpenTotal: this.circuitBreakerOpenTotal,
+      latencyMs: [...this.latencyMs]
+      // Copy array
+    };
+  }
+  /**
+   * Register a metrics hook (e.g., for Prometheus/OpenTelemetry export)
+   */
+  registerHook(hook) {
+    this.hooks.push(hook);
+  }
+  /**
+   * Emit metrics to all registered hooks
+   */
+  emitMetrics() {
+    const metrics = this.getMetrics();
+    for (const hook of this.hooks) {
+      try {
+        hook(metrics);
+      } catch (error) {
+        console.error("Error in metrics hook:", error);
+      }
+    }
+  }
+  /**
+   * Reset all metrics
+   */
+  reset() {
+    this.requestsTotal = 0;
+    this.allowedTotal = 0;
+    this.blockedTotal = 0;
+    this.stepupTotal = 0;
+    this.timeoutsTotal = 0;
+    this.errorsTotal = 0;
+    this.circuitBreakerOpenTotal = 0;
+    this.latencyMs = [];
+  }
+};
+function wrapKmsClient(kmsClient, gateClient, options = {}) {
+  const defaultOptions = {
+    mode: options.mode || "enforce",
+    onDecision: options.onDecision || (() => {
+    }),
+    extractTxIntent: options.extractTxIntent || defaultExtractTxIntent
+  };
+  const wrapped = new Proxy(kmsClient, {
+    get(target, prop, receiver) {
+      if (prop === "send") {
+        return async function(command) {
+          if (command && command.constructor && command.constructor.name === "SignCommand") {
+            return await handleSignCommand(
+              command,
+              target,
+              gateClient,
+              defaultOptions
+            );
+          }
+          return await target.send(command);
+        };
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+  wrapped._originalClient = kmsClient;
+  wrapped._gateClient = gateClient;
+  wrapped._wrapperOptions = defaultOptions;
+  return wrapped;
+}
+function defaultExtractTxIntent(command) {
+  const message = command.input?.Message ?? command.Message;
+  if (!message) {
+    throw new Error("SignCommand missing required Message property");
+  }
+  const messageBuffer = message instanceof Buffer ? message : Buffer.from(message);
+  const messageHash = crypto$1.createHash("sha256").update(messageBuffer).digest("hex");
+  return {
+    networkFamily: "OTHER",
+    toAddress: void 0,
+    // Unknown from KMS message alone
+    payloadHash: messageHash,
+    dataHash: messageHash
+    // Backward compatibility
+  };
+}
+async function handleSignCommand(command, originalClient, gateClient, options) {
+  const txIntent = options.extractTxIntent(command);
+  const signerId = command.input?.KeyId ?? command.KeyId ?? "unknown";
+  const signingContext = {
+    signerId,
+    actorPrincipal: "kms-signer"
+    // Default - can be customized via extractTxIntent
+  };
+  try {
+    const decision = await gateClient.evaluate({
+      txIntent,
+      // Type assertion - txIntent may have extra fields
+      signingContext
+    });
+    options.onDecision("ALLOW", { decision, signerId, command });
+    if (options.mode === "dry-run") {
+      return await originalClient.send(new clientKms.SignCommand(command));
+    }
+    return await originalClient.send(new clientKms.SignCommand(command));
+  } catch (error) {
+    if (error instanceof BlockIntelBlockedError) {
+      options.onDecision("BLOCK", { error, signerId, command });
+      throw error;
+    }
+    if (error instanceof BlockIntelStepUpRequiredError) {
+      options.onDecision("REQUIRE_STEP_UP", { error, signerId, command });
+      throw error;
+    }
+    throw error;
+  }
+}
+
+// src/client/GateClient.ts
+var GateClient = class {
+  config;
+  httpClient;
+  hmacSigner;
+  apiKeyAuth;
+  stepUpPoller;
+  circuitBreaker;
+  metrics;
+  constructor(config) {
+    this.config = config;
+    if (config.auth.mode === "hmac") {
+      this.hmacSigner = new HmacSigner({
+        keyId: config.auth.keyId,
+        secret: config.auth.secret
+      });
+    } else {
+      this.apiKeyAuth = new ApiKeyAuth({
+        apiKey: config.auth.apiKey
+      });
+    }
+    this.httpClient = new HttpClient({
+      baseUrl: config.baseUrl,
+      timeoutMs: config.timeoutMs,
+      userAgent: config.userAgent
+    });
+    if (config.enableStepUp) {
+      this.stepUpPoller = new StepUpPoller({
+        httpClient: this.httpClient,
+        tenantId: config.tenantId,
+        pollingIntervalMs: config.stepUp?.pollingIntervalMs,
+        maxWaitMs: config.stepUp?.maxWaitMs
+      });
+    }
+    if (config.circuitBreaker) {
+      this.circuitBreaker = new CircuitBreaker(config.circuitBreaker);
+    }
+    this.metrics = new MetricsCollector();
+    if (config.onMetrics) {
+      this.metrics.registerHook(config.onMetrics);
+    }
+  }
+  /**
+   * Evaluate a transaction defense request
+   * 
+   * Implements:
+   * - Circuit breaker protection
+   * - Fail-safe modes (ALLOW_ON_TIMEOUT, BLOCK_ON_TIMEOUT, BLOCK_ON_ANOMALY)
+   * - Metrics collection
+   * - Error handling (BLOCK → BlockIntelBlockedError, REQUIRE_STEP_UP → BlockIntelStepUpRequiredError)
+   */
+  async evaluate(req, opts) {
+    const requestId = opts?.requestId ?? uuid.v4();
+    const timestampMs = req.timestampMs ?? nowMs();
+    const startTime = Date.now();
+    const failSafeMode = this.config.failSafeMode ?? "ALLOW_ON_TIMEOUT";
+    const executeRequest = async () => {
+      const txIntent = { ...req.txIntent };
+      if (txIntent.to && !txIntent.toAddress) {
+        txIntent.toAddress = txIntent.to;
+        delete txIntent.to;
+      }
+      if (!txIntent.networkFamily && txIntent.chainId) {
+        txIntent.networkFamily = "EVM";
+      }
+      if (txIntent.from && !txIntent.fromAddress) {
+        delete txIntent.from;
+      }
+      const signingContext = {
+        ...req.signingContext,
+        actorPrincipal: req.signingContext?.actorPrincipal || req.signingContext?.signerId || "unknown"
+      };
+      const body = {
+        requestId,
+        tenantId: this.config.tenantId,
+        timestampMs,
+        txIntent,
+        signingContext,
+        // Add SDK info (required by Hot Path validation)
+        sdk: {
+          name: "blockintel-gate-sdk",
+          version: "0.1.0"
+        }
+      };
+      let headers;
+      if (this.hmacSigner) {
+        const hmacHeaders = await this.hmacSigner.signRequest({
+          method: "POST",
+          path: "/defense/evaluate",
+          tenantId: this.config.tenantId,
+          timestampMs,
+          requestId,
+          body
+        });
+        headers = { ...hmacHeaders };
+      } else if (this.apiKeyAuth) {
+        const apiKeyHeaders = this.apiKeyAuth.createHeaders({
+          tenantId: this.config.tenantId,
+          timestampMs,
+          requestId
+        });
+        headers = { ...apiKeyHeaders };
+      } else {
+        throw new Error("No authentication configured");
+      }
+      const apiResponse = await this.httpClient.request({
+        method: "POST",
+        path: "/defense/evaluate",
+        headers,
+        body,
+        requestId
+      });
+      if (!apiResponse.success || !apiResponse.data) {
+        throw new GateError(
+          "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+          "Invalid response format: expected { success: true, data: { ... } }",
+          {
+            requestId,
+            details: apiResponse
+          }
+        );
+      }
+      const responseData = apiResponse.data;
+      const result = {
+        decision: responseData.decision,
+        reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],
+        policyVersion: responseData.policy_version ?? responseData.policyVersion,
+        correlationId: responseData.correlation_id ?? responseData.correlationId,
+        stepUp: responseData.step_up ? {
+          requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ""),
+          ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds
+        } : responseData.stepUp
+      };
+      const latencyMs = Date.now() - startTime;
+      if (result.decision === "BLOCK") {
+        const receiptId = responseData.decision_id || requestId;
+        const reasonCode = result.reasonCodes[0] || "POLICY_VIOLATION";
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);
+      }
+      if (result.decision === "REQUIRE_STEP_UP") {
+        if (this.config.enableStepUp && this.stepUpPoller && result.stepUp) {
+          const stepUpRequestId = result.stepUp.requestId || requestId;
+          const expiresAtMs = responseData.step_up?.expires_at_ms;
+          const statusUrl = `/defense/stepup/status?tenantId=${this.config.tenantId}&requestId=${stepUpRequestId}`;
+          this.metrics.recordRequest("REQUIRE_STEP_UP", latencyMs);
+          throw new BlockIntelStepUpRequiredError(stepUpRequestId, statusUrl, expiresAtMs, requestId);
+        } else {
+          const receiptId = responseData.decision_id || requestId;
+          const reasonCode = "STEPUP_REQUIRED";
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);
+        }
+      }
+      this.metrics.recordRequest("ALLOW", latencyMs);
+      return result;
+    };
+    try {
+      if (this.circuitBreaker) {
+        return await this.circuitBreaker.execute(executeRequest);
+      }
+      return await executeRequest();
+    } catch (error) {
+      if (error instanceof CircuitBreakerOpenError) {
+        this.metrics.recordCircuitBreakerOpen();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw error;
+      }
+      if (error instanceof GateError && (error.code === "UNAUTHORIZED" /* UNAUTHORIZED */ || error.code === "FORBIDDEN" /* FORBIDDEN */)) {
+        this.metrics.recordError();
+        throw new BlockIntelAuthError(
+          error.message,
+          error.status || 401,
+          requestId
+        );
+      }
+      if (error instanceof GateError && error.code === "TIMEOUT" /* TIMEOUT */) {
+        this.metrics.recordTimeout();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw new BlockIntelUnavailableError(`Service timeout: ${error.message}`, requestId);
+      }
+      if (error instanceof GateError && error.code === "SERVER_ERROR" /* SERVER_ERROR */) {
+        this.metrics.recordError();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw error;
+      }
+      if (error instanceof BlockIntelBlockedError || error instanceof BlockIntelStepUpRequiredError) {
+        throw error;
+      }
+      this.metrics.recordError();
+      throw error;
+    }
+  }
+  /**
+   * Handle fail-safe modes for timeouts/errors
+   */
+  handleFailSafe(mode, error, requestId) {
+    if (mode === "ALLOW_ON_TIMEOUT") {
+      return {
+        decision: "ALLOW",
+        reasonCodes: ["FAIL_SAFE_ALLOW"],
+        correlationId: requestId
+      };
+    }
+    if (mode === "BLOCK_ON_TIMEOUT") {
+      return null;
+    }
+    if (mode === "BLOCK_ON_ANOMALY") {
+      return {
+        decision: "ALLOW",
+        reasonCodes: ["FAIL_SAFE_ALLOW"],
+        correlationId: requestId
+      };
+    }
+    return null;
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return this.metrics.getMetrics();
+  }
+  /**
+   * Get circuit breaker metrics (if enabled)
+   */
+  getCircuitBreakerMetrics() {
+    return this.circuitBreaker?.getMetrics() || null;
+  }
+  /**
+   * Get step-up status
+   */
+  async getStepUpStatus(args) {
+    if (!this.stepUpPoller) {
+      throw new StepUpNotConfiguredError(args.requestId);
+    }
+    const tenantId = args.tenantId ?? this.config.tenantId;
+    const poller = new StepUpPoller({
+      httpClient: this.httpClient,
+      tenantId,
+      pollingIntervalMs: this.config.stepUp?.pollingIntervalMs,
+      maxWaitMs: this.config.stepUp?.maxWaitMs
+    });
+    return poller.getStatus(args.requestId);
+  }
+  /**
+   * Wait for step-up decision with polling
+   */
+  async awaitStepUpDecision(args) {
+    if (!this.stepUpPoller) {
+      throw new StepUpNotConfiguredError(args.requestId);
+    }
+    return this.stepUpPoller.awaitDecision(args.requestId, {
+      maxWaitMs: args.maxWaitMs ?? this.config.stepUp?.maxWaitMs,
+      intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs
+    });
+  }
+  /**
+   * Wrap AWS SDK v3 KMS client to intercept SignCommand calls
+   * 
+   * @param kmsClient - AWS SDK v3 KMSClient instance
+   * @param options - Wrapper options
+   * @returns Wrapped KMS client that enforces Gate policies
+   * 
+   * @example
+   * ```typescript
+   * import { KMSClient } from '@aws-sdk/client-kms';
+   * 
+   * const kms = new KMSClient({});
+   * const protectedKms = gateClient.wrapKmsClient(kms);
+   * 
+   * // Now SignCommand calls will be intercepted and evaluated by Gate
+   * const result = await protectedKms.send(new SignCommand({ ... }));
+   * ```
+   */
+  wrapKmsClient(kmsClient, options) {
+    return wrapKmsClient(kmsClient, this, options);
+  }
+};
+function createGateClient(config) {
+  return new GateClient(config);
+}
+
+exports.BlockIntelAuthError = BlockIntelAuthError;
+exports.BlockIntelBlockedError = BlockIntelBlockedError;
+exports.BlockIntelStepUpRequiredError = BlockIntelStepUpRequiredError;
+exports.BlockIntelUnavailableError = BlockIntelUnavailableError;
+exports.GateClient = GateClient;
+exports.GateError = GateError;
+exports.GateErrorCode = GateErrorCode;
+exports.StepUpNotConfiguredError = StepUpNotConfiguredError;
+exports.createGateClient = createGateClient;
+exports.default = GateClient;
+exports.wrapKmsClient = wrapKmsClient;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map