blockintel-gate-sdk 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +79 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -254,6 +254,10 @@ try {
|
|
|
254
254
|
- `INVALID_RESPONSE` - Invalid response format
|
|
255
255
|
- `STEP_UP_NOT_CONFIGURED` - Step-up required but not enabled
|
|
256
256
|
- `STEP_UP_TIMEOUT` - Step-up polling timeout
|
|
257
|
+
- `HEARTBEAT_MISSING` - Heartbeat token is missing or expired
|
|
258
|
+
- `HEARTBEAT_EXPIRED` - Heartbeat token has expired
|
|
259
|
+
- `HEARTBEAT_INVALID` - Heartbeat token is invalid
|
|
260
|
+
- `HEARTBEAT_MISMATCH` - Heartbeat token does not match expected parameters
|
|
257
261
|
|
|
258
262
|
## Authentication
|
|
259
263
|
|
|
@@ -263,9 +267,11 @@ The SDK implements HMAC v1 signing for secure authentication:
|
|
|
263
267
|
|
|
264
268
|
**Signing String:**
|
|
265
269
|
```
|
|
270
|
+
v1\n
|
|
266
271
|
<HTTP_METHOD>\n
|
|
267
272
|
<PATH>\n
|
|
268
273
|
<TENANT_ID>\n
|
|
274
|
+
<KEY_ID>\n
|
|
269
275
|
<TIMESTAMP_MS>\n
|
|
270
276
|
<REQUEST_ID>\n
|
|
271
277
|
<SHA256_HEX_OF_BODY>\n
|
|
@@ -329,6 +335,78 @@ The SDK automatically retries failed requests:
|
|
|
329
335
|
- Same `requestId` is used across all retries
|
|
330
336
|
- Ensures idempotency on Gate server
|
|
331
337
|
|
|
338
|
+
## Heartbeat System
|
|
339
|
+
|
|
340
|
+
The SDK includes a **Heartbeat Manager** that automatically acquires and refreshes heartbeat tokens from the Gate Control Plane. Heartbeat tokens are required for all signing operations and ensure that Gate is alive and enforcing policy.
|
|
341
|
+
|
|
342
|
+
### How It Works
|
|
343
|
+
|
|
344
|
+
1. **Automatic Token Acquisition**: The SDK automatically starts a background heartbeat refresher when the `GateClient` is initialized
|
|
345
|
+
2. **Token Refresh**: Heartbeat tokens are refreshed every 10 seconds (configurable) to maintain a valid token
|
|
346
|
+
3. **Signing Enforcement**: Before any `evaluate()` call, the SDK checks for a valid heartbeat token. If missing or expired, it throws `HEARTBEAT_MISSING` error
|
|
347
|
+
4. **Token Inclusion**: The heartbeat token is automatically included in the `signingContext` of every evaluation request
|
|
348
|
+
|
|
349
|
+
### Configuration
|
|
350
|
+
|
|
351
|
+
The heartbeat manager is automatically configured based on your `GateClientConfig`:
|
|
352
|
+
|
|
353
|
+
```typescript
|
|
354
|
+
const gate = new GateClient({
|
|
355
|
+
baseUrl: 'https://gate.blockintelai.net', // Hot Path URL
|
|
356
|
+
tenantId: 'your-tenant-id',
|
|
357
|
+
auth: { mode: 'hmac', ... },
|
|
358
|
+
// Heartbeat manager uses baseUrl to infer Control Plane URL
|
|
359
|
+
// Or explicitly set controlPlaneUrl if different
|
|
360
|
+
controlPlaneUrl: 'https://control-plane.blockintelai.net', // Optional
|
|
361
|
+
defaultSignerId: 'my-signer-id', // Optional: default signerId for heartbeat
|
|
362
|
+
});
|
|
363
|
+
```
|
|
364
|
+
|
|
365
|
+
### Heartbeat Token Properties
|
|
366
|
+
|
|
367
|
+
- **TTL**: 15-30 seconds (short-lived for security)
|
|
368
|
+
- **Scope**: Scoped to `tenantId`, `signerId`, `environment`, and `policyVersion`
|
|
369
|
+
- **Validation**: Hot Path validates heartbeat tokens before processing any transaction
|
|
370
|
+
- **Enforcement**: "No valid heartbeat → NO SIGNATURE" - transactions are blocked if heartbeat is missing or expired
|
|
371
|
+
|
|
372
|
+
### Error Handling
|
|
373
|
+
|
|
374
|
+
```typescript
|
|
375
|
+
import { GateError, GateErrorCode } from '@blockintel/gate-sdk';
|
|
376
|
+
|
|
377
|
+
try {
|
|
378
|
+
const response = await gate.evaluate({ ... });
|
|
379
|
+
} catch (error) {
|
|
380
|
+
if (error instanceof GateError) {
|
|
381
|
+
if (error.code === GateErrorCode.HEARTBEAT_MISSING) {
|
|
382
|
+
console.error('Heartbeat token missing - Gate may be down or unreachable');
|
|
383
|
+
} else if (error.code === GateErrorCode.HEARTBEAT_EXPIRED) {
|
|
384
|
+
console.error('Heartbeat token expired - will retry automatically');
|
|
385
|
+
}
|
|
386
|
+
}
|
|
387
|
+
}
|
|
388
|
+
```
|
|
389
|
+
|
|
390
|
+
### Heartbeat Manager API
|
|
391
|
+
|
|
392
|
+
The heartbeat manager is internal to the SDK, but you can access it if needed:
|
|
393
|
+
|
|
394
|
+
```typescript
|
|
395
|
+
// Check if heartbeat is valid
|
|
396
|
+
const isValid = gate.heartbeatManager.isValid();
|
|
397
|
+
|
|
398
|
+
// Get current heartbeat token (if valid)
|
|
399
|
+
const token = gate.heartbeatManager.getToken();
|
|
400
|
+
|
|
401
|
+
// Update signer ID (called automatically when signer is known)
|
|
402
|
+
gate.heartbeatManager.updateSignerId('new-signer-id');
|
|
403
|
+
|
|
404
|
+
// Stop heartbeat refresher (e.g., on shutdown)
|
|
405
|
+
gate.heartbeatManager.stop();
|
|
406
|
+
```
|
|
407
|
+
|
|
408
|
+
**Note**: The heartbeat manager automatically updates the `signerId` when using the KMS wrapper, so manual updates are typically not needed.
|
|
409
|
+
|
|
332
410
|
## Secret Rotation
|
|
333
411
|
|
|
334
412
|
For HMAC authentication, secret rotation is the customer's responsibility:
|
|
@@ -345,6 +423,7 @@ The SDK does not cache secrets across process restarts unless the user explicitl
|
|
|
345
423
|
- **Secret Protection:** Never logs secrets or API keys
|
|
346
424
|
- **Clock Skew:** Configurable tolerance for timestamp validation
|
|
347
425
|
- **Replay Protection:** Request ID + timestamp prevent replay attacks
|
|
426
|
+
- **Heartbeat Enforcement:** All signing operations require valid heartbeat tokens
|
|
348
427
|
|
|
349
428
|
## TypeScript Support
|
|
350
429
|
|