npm - blockintel-gate-sdk - Versions diffs - 0.3.7 → 0.3.8 - Mend

blockintel-gate-sdk 0.3.7 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -50,6 +50,55 @@ var init_canonicalJson = __esm({
   "src/utils/canonicalJson.ts"() {
   }
 });
+// src/utils/decisionTokenVerify.ts
+var decisionTokenVerify_exports = {};
+__export(decisionTokenVerify_exports, {
+  decodeJwtUnsafe: () => decodeJwtUnsafe,
+  verifyDecisionTokenRs256: () => verifyDecisionTokenRs256
+});
+function decodeJwtUnsafe(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(
+      Buffer.from(parts[0], "base64url").toString("utf8")
+    );
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf8")
+    );
+    return { header, payload };
+  } catch {
+    return null;
+  }
+}
+function verifyDecisionTokenRs256(token, publicKeyPem) {
+  const decoded = decodeJwtUnsafe(token);
+  if (!decoded || (decoded.header.alg || "").toUpperCase() !== "RS256") return null;
+  const { payload } = decoded;
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.iss !== ISS || payload.aud !== AUD) return null;
+  if (payload.exp != null && payload.exp < now - 5) return null;
+  try {
+    const parts = token.split(".");
+    const signingInput = `${parts[0]}.${parts[1]}`;
+    const signature = Buffer.from(parts[2], "base64url");
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(signingInput);
+    verify.end();
+    const ok = verify.verify(publicKeyPem, signature);
+    return ok ? payload : null;
+  } catch {
+    return null;
+  }
+}
+var ISS, AUD;
+var init_decisionTokenVerify = __esm({
+  "src/utils/decisionTokenVerify.ts"() {
+    ISS = "blockintel-gate";
+    AUD = "gate-decision";
+  }
+});
 async function hmacSha256(secret, message) {
   const hmac = crypto.createHmac("sha256", secret);
   hmac.update(message, "utf8");
@@ -922,6 +971,75 @@ var MetricsCollector = class {
     this.latencyMs = [];
   }
 };
+function canonicalJsonBinding(obj) {
+  if (obj === null || obj === void 0) return "null";
+  if (typeof obj === "string") return JSON.stringify(obj);
+  if (typeof obj === "number") return obj.toString();
+  if (typeof obj === "boolean") return obj ? "true" : "false";
+  if (Array.isArray(obj)) {
+    const items = obj.map((item) => canonicalJsonBinding(item));
+    return "[" + items.join(",") + "]";
+  }
+  if (typeof obj === "object") {
+    const keys = Object.keys(obj).sort();
+    const pairs = [];
+    for (const key of keys) {
+      const value = obj[key];
+      if (value !== void 0) {
+        pairs.push(JSON.stringify(key) + ":" + canonicalJsonBinding(value));
+      }
+    }
+    return "{" + pairs.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+function normalizeAddress(addr) {
+  if (addr == null || addr === "") return "";
+  const s = String(addr).trim();
+  if (s.startsWith("0x")) return s.toLowerCase();
+  return "0x" + s.toLowerCase();
+}
+function normalizeData(data) {
+  if (data == null || data === "") return "";
+  const s = String(data).trim().toLowerCase();
+  return s.startsWith("0x") ? s : "0x" + s;
+}
+function buildTxBindingObject(txIntent, signerId, decodedRecipient, decodedFields, fromAddress) {
+  const toAddr = txIntent.toAddress ?? txIntent.to ?? "";
+  const value = (txIntent.valueAtomic ?? txIntent.valueDecimal ?? txIntent.value ?? "0").toString();
+  const data = normalizeData(
+    txIntent.data ?? txIntent.payloadHash ?? txIntent.dataHash ?? ""
+  );
+  const chainId = (txIntent.chainId ?? txIntent.chain ?? "").toString();
+  const toAddress = normalizeAddress(toAddr);
+  const nonce = txIntent.nonce != null ? String(txIntent.nonce) : "";
+  const decoded = {};
+  if (decodedFields && typeof decodedFields === "object") {
+    for (const [k, v] of Object.entries(decodedFields)) {
+      if (v !== void 0) decoded[k] = v;
+    }
+  }
+  const out = {
+    chainId,
+    toAddress,
+    value,
+    data,
+    nonce
+  };
+  if (fromAddress) out.fromAddress = normalizeAddress(fromAddress);
+  if (decodedRecipient != null)
+    out.decodedRecipient = decodedRecipient ? normalizeAddress(decodedRecipient) : null;
+  if (Object.keys(decoded).length > 0) out.decoded = decoded;
+  if (signerId) out.signerId = signerId;
+  if (txIntent.networkFamily) out.networkFamily = txIntent.networkFamily;
+  return out;
+}
+function computeTxDigest(binding) {
+  const canonical = canonicalJsonBinding(binding);
+  return crypto.createHash("sha256").update(canonical, "utf8").digest("hex");
+}
+// src/kms/wrapAwsSdkV3KmsClient.ts
 function wrapKmsClient(kmsClient, gateClient, options = {}) {
   const defaultOptions = {
     mode: options.mode || "enforce",
@@ -997,6 +1115,34 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
       // Type assertion - txIntent may have extra fields
       signingContext
     });
+    if (decision.decision === "ALLOW" && gateClient.getRequireDecisionToken() && decision.txDigest != null) {
+      const binding = buildTxBindingObject(
+        txIntent,
+        signerId,
+        void 0,
+        void 0,
+        signingContext.actorPrincipal
+      );
+      const computedDigest = computeTxDigest(binding);
+      if (computedDigest !== decision.txDigest) {
+        options.onDecision("BLOCK", {
+          error: new BlockIntelBlockedError(
+            "DECISION_TOKEN_TX_MISMATCH",
+            decision.decisionId,
+            decision.correlationId,
+            void 0
+          ),
+          signerId,
+          command
+        });
+        throw new BlockIntelBlockedError(
+          "DECISION_TOKEN_TX_MISMATCH",
+          decision.decisionId,
+          decision.correlationId,
+          void 0
+        );
+      }
+    }
     options.onDecision("ALLOW", { decision, signerId, command });
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
@@ -1593,6 +1739,16 @@ var GateClient = class {
       });
     }
   }
+  /**
+   * Whether the SDK requires a decision token for ALLOW before sign (ENFORCE/HARD).
+   * Env GATE_REQUIRE_DECISION_TOKEN overrides config.
+   */
+  getRequireDecisionToken() {
+    if (typeof process !== "undefined" && process.env.GATE_REQUIRE_DECISION_TOKEN !== void 0) {
+      return process.env.GATE_REQUIRE_DECISION_TOKEN === "true" || process.env.GATE_REQUIRE_DECISION_TOKEN === "1";
+    }
+    return this.config.requireDecisionToken ?? (this.mode === "ENFORCE" || this.config.enforcementMode === "HARD");
+  }
   /**
    * Perform async IAM permission risk check (non-blocking)
    *
@@ -1623,6 +1779,7 @@ var GateClient = class {
     const startTime = Date.now();
     const failSafeMode = this.config.failSafeMode ?? "ALLOW_ON_TIMEOUT";
     const requestMode = req.mode || this.mode;
+    const requireToken = this.getRequireDecisionToken();
     const executeRequest = async () => {
       if (!this.config.local && this.heartbeatManager && req.signingContext?.signerId) {
         this.heartbeatManager.updateSignerId(req.signingContext.signerId);
@@ -1765,6 +1922,10 @@ var GateClient = class {
         reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],
         policyVersion: responseData.policy_version ?? responseData.policyVersion,
         correlationId: responseData.correlation_id ?? responseData.correlationId,
+        decisionId: responseData.decision_id ?? responseData.decisionId,
+        decisionToken: responseData.decision_token ?? responseData.decisionToken,
+        expiresAt: responseData.expires_at ?? responseData.expiresAt,
+        txDigest: responseData.tx_digest ?? responseData.txDigest,
         stepUp: responseData.step_up ? {
           requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ""),
           ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds
@@ -1780,9 +1941,100 @@ var GateClient = class {
             errorReason: simulationData.errorReason ?? simulationData.error_reason
           },
           simulationLatencyMs: metadata.simulationLatencyMs ?? metadata.simulation_latency_ms
-        } : {}
+        } : {},
+        metadata: {
+          evaluationLatencyMs: metadata.evaluationLatencyMs ?? metadata.evaluation_latency_ms,
+          policyHash: metadata.policyHash ?? metadata.policy_hash,
+          snapshotVersion: metadata.snapshotVersion ?? metadata.snapshot_version
+        }
       };
       const latencyMs = Date.now() - startTime;
+      const expectedPolicyHash = this.config.expectedPolicyHash;
+      const expectedSnapshotVersion = this.config.expectedSnapshotVersion;
+      if (expectedPolicyHash != null && result.metadata?.policyHash !== expectedPolicyHash) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Policy hash mismatch (pinning)", {
+            expected: expectedPolicyHash,
+            received: result.metadata?.policyHash,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "POLICY_HASH_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (expectedSnapshotVersion != null && result.metadata?.snapshotVersion !== void 0 && result.metadata.snapshotVersion !== expectedSnapshotVersion) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Snapshot version mismatch (pinning)", {
+            expected: expectedSnapshotVersion,
+            received: result.metadata?.snapshotVersion,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "SNAPSHOT_VERSION_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (requireToken && requestMode === "ENFORCE" && result.decision === "ALLOW" && !this.config.local) {
+        if (!result.decisionToken || !result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_MISSING",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const nowSec = Math.floor(Date.now() / 1e3);
+        if (result.expiresAt != null && result.expiresAt < nowSec - 5) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_EXPIRED",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const publicKeyPem = this.config.decisionTokenPublicKey;
+        if (publicKeyPem && result.decisionToken) {
+          const { decodeJwtUnsafe: decodeJwtUnsafe2, verifyDecisionTokenRs256: verifyDecisionTokenRs2562 } = await Promise.resolve().then(() => (init_decisionTokenVerify(), decisionTokenVerify_exports));
+          const decoded = decodeJwtUnsafe2(result.decisionToken);
+          if (decoded && (decoded.header.alg || "").toUpperCase() === "RS256") {
+            const resolvedPem = publicKeyPem.startsWith("-----") ? publicKeyPem : Buffer.from(publicKeyPem, "base64").toString("utf8");
+            const verified = verifyDecisionTokenRs2562(result.decisionToken, resolvedPem);
+            if (verified === null) {
+              this.metrics.recordRequest("BLOCK", latencyMs);
+              throw new BlockIntelBlockedError(
+                "DECISION_TOKEN_INVALID",
+                result.decisionId ?? requestId,
+                result.correlationId,
+                requestId
+              );
+            }
+          }
+        }
+        const signerId = signingContext?.signerId ?? req.signingContext?.signerId;
+        const fromAddress = txIntent.fromAddress ?? txIntent.from;
+        const binding = buildTxBindingObject(txIntent, signerId, void 0, void 0, fromAddress);
+        const computedDigest = computeTxDigest(binding);
+        if (computedDigest !== result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_DIGEST_MISMATCH",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+      }
       if (result.decision === "BLOCK") {
         if (requestMode === "SHADOW") {
           console.warn("[GATE SHADOW MODE] Would have blocked transaction", {
@@ -2014,6 +2266,8 @@ exports.GateErrorCode = GateErrorCode;
 exports.HeartbeatManager = HeartbeatManager;
 exports.ProvenanceProvider = ProvenanceProvider;
 exports.StepUpNotConfiguredError = StepUpNotConfiguredError;
+exports.buildTxBindingObject = buildTxBindingObject;
+exports.computeTxDigest = computeTxDigest;
 exports.createGateClient = createGateClient;
 exports.default = GateClient;
 exports.wrapKmsClient = wrapKmsClient;