blockintel-gate-sdk 0.3.7 → 0.3.9

package/dist/pilot/index.js

@@ -0,0 +1,2397 @@
+import { createHash, createVerify, createHmac } from 'crypto';
+import { v4 } from 'uuid';
+import { SignCommand } from '@aws-sdk/client-kms';
+
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/utils/canonicalJson.ts
+var canonicalJson_exports = {};
+__export(canonicalJson_exports, {
+  canonicalizeJson: () => canonicalizeJson,
+  sha256Hex: () => sha256Hex
+});
+function canonicalizeJson(obj) {
+  if (obj === null || obj === void 0) {
+    return "null";
+  }
+  const cloned = JSON.parse(JSON.stringify(obj));
+  function sortKeys(item) {
+    if (Array.isArray(item)) {
+      return item.map(sortKeys);
+    }
+    if (item !== null && typeof item === "object") {
+      const sorted2 = {};
+      Object.keys(item).sort().forEach((key) => {
+        sorted2[key] = sortKeys(item[key]);
+      });
+      return sorted2;
+    }
+    return item;
+  }
+  const sorted = sortKeys(cloned);
+  return JSON.stringify(sorted);
+}
+async function sha256Hex(input) {
+  return createHash("sha256").update(input, "utf8").digest("hex");
+}
+var init_canonicalJson = __esm({
+  "src/utils/canonicalJson.ts"() {
+  }
+});
+
+// src/utils/decisionTokenVerify.ts
+var decisionTokenVerify_exports = {};
+__export(decisionTokenVerify_exports, {
+  decodeJwtUnsafe: () => decodeJwtUnsafe,
+  verifyDecisionTokenRs256: () => verifyDecisionTokenRs256
+});
+function decodeJwtUnsafe(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(
+      Buffer.from(parts[0], "base64url").toString("utf8")
+    );
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf8")
+    );
+    return { header, payload };
+  } catch {
+    return null;
+  }
+}
+function verifyDecisionTokenRs256(token, publicKeyPem) {
+  const decoded = decodeJwtUnsafe(token);
+  if (!decoded || (decoded.header.alg || "").toUpperCase() !== "RS256") return null;
+  const { payload } = decoded;
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.iss !== ISS || payload.aud !== AUD) return null;
+  if (payload.exp != null && payload.exp < now - 5) return null;
+  try {
+    const parts = token.split(".");
+    const signingInput = `${parts[0]}.${parts[1]}`;
+    const signature = Buffer.from(parts[2], "base64url");
+    const verify = createVerify("RSA-SHA256");
+    verify.update(signingInput);
+    verify.end();
+    const ok = verify.verify(publicKeyPem, signature);
+    return ok ? payload : null;
+  } catch {
+    return null;
+  }
+}
+var ISS, AUD;
+var init_decisionTokenVerify = __esm({
+  "src/utils/decisionTokenVerify.ts"() {
+    ISS = "blockintel-gate";
+    AUD = "gate-decision";
+  }
+});
+async function hmacSha256(secret, message) {
+  const hmac = createHmac("sha256", secret);
+  hmac.update(message, "utf8");
+  const signatureHex = hmac.digest("hex");
+  console.error("[HMAC CRYPTO DEBUG] Signature computation:", JSON.stringify({
+    secretLength: secret.length,
+    messageLength: message.length,
+    messagePreview: message.substring(0, 200) + "...",
+    signatureLength: signatureHex.length,
+    signaturePreview: signatureHex.substring(0, 16) + "..."
+  }, null, 2));
+  return signatureHex;
+}
+
+// src/auth/HmacSigner.ts
+init_canonicalJson();
+var HmacSigner = class {
+  keyId;
+  secret;
+  constructor(config) {
+    this.keyId = config.keyId;
+    this.secret = config.secret.trim();
+    if (!this.secret || this.secret.length === 0) {
+      throw new Error("HMAC secret cannot be empty");
+    }
+  }
+  /**
+   * Sign a request and return headers
+   */
+  async signRequest(params) {
+    const { method, path, tenantId, timestampMs, requestId, body } = params;
+    const bodyJson = body ? canonicalizeJson(body) : "";
+    const bodyHash = await sha256Hex(bodyJson);
+    const signingString = [
+      "v1",
+      method.toUpperCase(),
+      path,
+      tenantId,
+      this.keyId,
+      String(timestampMs),
+      requestId,
+      // Used as nonce in canonical string
+      bodyHash
+    ].join("\n");
+    const signature = await hmacSha256(this.secret, signingString);
+    return {
+      "X-GATE-TENANT-ID": tenantId,
+      "X-GATE-KEY-ID": this.keyId,
+      "X-GATE-TIMESTAMP-MS": String(timestampMs),
+      "X-GATE-REQUEST-ID": requestId,
+      "X-GATE-SIGNATURE": signature
+    };
+  }
+};
+
+// src/auth/ApiKeyAuth.ts
+var ApiKeyAuth = class {
+  apiKey;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    if (!this.apiKey || this.apiKey.length === 0) {
+      throw new Error("API key cannot be empty");
+    }
+  }
+  /**
+   * Create headers for API key authentication
+   */
+  createHeaders(params) {
+    const { tenantId, timestampMs, requestId } = params;
+    return {
+      "X-API-KEY": this.apiKey,
+      "X-GATE-TENANT-ID": tenantId,
+      "X-GATE-REQUEST-ID": requestId,
+      "X-GATE-TIMESTAMP-MS": String(timestampMs)
+    };
+  }
+};
+
+// src/types/errors.ts
+var GateError = class extends Error {
+  code;
+  status;
+  details;
+  requestId;
+  correlationId;
+  constructor(code, message, options) {
+    super(message);
+    this.name = "GateError";
+    this.code = code;
+    this.status = options?.status;
+    this.details = options?.details;
+    this.requestId = options?.requestId;
+    this.correlationId = options?.correlationId;
+    if (options?.cause) {
+      this.cause = options.cause;
+    }
+    Error.captureStackTrace(this, this.constructor);
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+      requestId: this.requestId,
+      correlationId: this.correlationId
+    };
+  }
+};
+var StepUpNotConfiguredError = class extends GateError {
+  constructor(requestId) {
+    super(
+      "STEP_UP_NOT_CONFIGURED" /* STEP_UP_NOT_CONFIGURED */,
+      "Step-up is required but not configured in SDK. Enable step-up in client config or treat REQUIRE_STEP_UP as BLOCK.",
+      { requestId }
+    );
+    this.name = "StepUpNotConfiguredError";
+  }
+};
+var BlockIntelBlockedError = class extends GateError {
+  receiptId;
+  reasonCode;
+  constructor(reasonCode, receiptId, correlationId, requestId) {
+    super(
+      "BLOCKED" /* BLOCKED */,
+      `Transaction blocked: ${reasonCode}`,
+      { correlationId, requestId, details: { reasonCode, receiptId } }
+    );
+    this.name = "BlockIntelBlockedError";
+    this.receiptId = receiptId;
+    this.reasonCode = reasonCode;
+  }
+};
+var BlockIntelUnavailableError = class extends GateError {
+  constructor(message, requestId) {
+    super("SERVICE_UNAVAILABLE" /* SERVICE_UNAVAILABLE */, message, { requestId });
+    this.name = "BlockIntelUnavailableError";
+  }
+};
+var BlockIntelAuthError = class extends GateError {
+  constructor(message, status, requestId) {
+    super(
+      status === 401 ? "UNAUTHORIZED" /* UNAUTHORIZED */ : "FORBIDDEN" /* FORBIDDEN */,
+      message,
+      { status, requestId }
+    );
+    this.name = "BlockIntelAuthError";
+  }
+};
+var BlockIntelStepUpRequiredError = class extends GateError {
+  stepUpRequestId;
+  statusUrl;
+  expiresAtMs;
+  constructor(stepUpRequestId, statusUrl, expiresAtMs, requestId) {
+    super(
+      "STEP_UP_NOT_CONFIGURED" /* STEP_UP_NOT_CONFIGURED */,
+      "Step-up approval required",
+      {
+        requestId,
+        details: { stepUpRequestId, statusUrl, expiresAtMs }
+      }
+    );
+    this.name = "BlockIntelStepUpRequiredError";
+    this.stepUpRequestId = stepUpRequestId;
+    this.statusUrl = statusUrl;
+    this.expiresAtMs = expiresAtMs;
+  }
+};
+
+// src/http/retry.ts
+var DEFAULT_RETRY_OPTIONS = {
+  maxAttempts: 3,
+  baseDelayMs: 100,
+  maxDelayMs: 800,
+  factor: 2
+};
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status < 600;
+}
+function isRetryableError(error) {
+  if (error instanceof Error) {
+    const message = error.message.toLowerCase();
+    return message.includes("network") || message.includes("timeout") || message.includes("connection") || message.includes("econnrefused") || message.includes("enotfound") || message.includes("econnreset");
+  }
+  return false;
+}
+function calculateBackoffDelay(attempt, options) {
+  const exponentialDelay = options.baseDelayMs * Math.pow(options.factor, attempt - 1);
+  const jitter = Math.random() * 0.3 * exponentialDelay;
+  const delay = exponentialDelay + jitter;
+  return Math.min(delay, options.maxDelayMs);
+}
+function isRetryableGateError(error) {
+  if (error && typeof error === "object" && "code" in error) {
+    const gateError = error;
+    if (gateError.code === "SERVER_ERROR" || gateError.code === "RATE_LIMITED") {
+      return true;
+    }
+    if (gateError.status && isRetryableStatus(gateError.status)) {
+      return true;
+    }
+  }
+  return false;
+}
+async function retryWithBackoff(fn, options = {}) {
+  const opts = { ...DEFAULT_RETRY_OPTIONS, ...options };
+  let lastError;
+  for (let attempt = 1; attempt <= opts.maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt >= opts.maxAttempts) {
+        break;
+      }
+      if (error instanceof Response && !isRetryableStatus(error.status)) {
+        throw error;
+      }
+      const isRetryable = error instanceof Response && isRetryableStatus(error.status) || isRetryableError(error) || isRetryableGateError(error);
+      if (!isRetryable) {
+        throw error;
+      }
+      const status = error instanceof Response && error.status || error && typeof error === "object" && "status" in error && error.status || error && typeof error === "object" && "statusCode" in error && error.statusCode;
+      const errName = error instanceof Error ? error.name : error && typeof error === "object" && "code" in error ? error.code : "Unknown";
+      const extra = ` attempt=${attempt}/${opts.maxAttempts} status=${status ?? "n/a"} err=${errName}`;
+      console.warn("[GATE SDK] X-BlockIntel-Degraded: true (reason=retry)" + extra);
+      const delay = calculateBackoffDelay(attempt, opts);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+  throw lastError;
+}
+
+// src/utils/sanitize.ts
+var SENSITIVE_HEADER_NAMES = /* @__PURE__ */ new Set([
+  "authorization",
+  "x-api-key",
+  "x-gate-heartbeat-key",
+  "x-gate-signature",
+  "cookie"
+]);
+var MAX_STRING_LENGTH = 80;
+function sanitizeHeaders(headers) {
+  const out = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const lower = key.toLowerCase();
+    if (SENSITIVE_HEADER_NAMES.has(lower) || lower.includes("signature") || lower.includes("secret") || lower.includes("token")) {
+      out[key] = value ? "[REDACTED]" : "[empty]";
+    } else {
+      out[key] = truncate(String(value), MAX_STRING_LENGTH);
+    }
+  }
+  return out;
+}
+function sanitizeBodyShape(body) {
+  if (body === null || body === void 0) {
+    return {};
+  }
+  if (typeof body !== "object") {
+    return { _: typeof body };
+  }
+  if (Array.isArray(body)) {
+    return { _: "array", length: String(body.length) };
+  }
+  const out = {};
+  for (const key of Object.keys(body).sort()) {
+    const val = body[key];
+    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
+      out[key] = "object";
+    } else if (Array.isArray(val)) {
+      out[key] = "array";
+    } else {
+      out[key] = typeof val;
+    }
+  }
+  return out;
+}
+function truncate(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "...";
+}
+function isDebugEnabled(debugOption) {
+  if (debugOption === true) return true;
+  if (typeof process !== "undefined" && process.env.GATE_SDK_DEBUG === "1") return true;
+  return false;
+}
+
+// src/http/HttpClient.ts
+var HttpClient = class {
+  baseUrl;
+  timeoutMs;
+  userAgent;
+  retryOptions;
+  debug;
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.timeoutMs = config.timeoutMs ?? 15e3;
+    this.userAgent = config.userAgent ?? "blockintel-gate-sdk/0.1.0";
+    this.retryOptions = config.retryOptions;
+    this.debug = isDebugEnabled(config.debug);
+    if (!this.baseUrl) {
+      throw new Error("baseUrl is required");
+    }
+    if (typeof process !== "undefined" && process.env.NODE_ENV === "production") {
+      if (!this.baseUrl.startsWith("https://") && !this.baseUrl.includes("localhost")) {
+        throw new Error("baseUrl must use HTTPS in production (except localhost)");
+      }
+    }
+  }
+  /**
+   * Make an HTTP request with retry and timeout
+   */
+  async request(options) {
+    const { method, path, headers = {}, body, requestId } = options;
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+    let requestDetailsForLogging = null;
+    try {
+      const response = await retryWithBackoff(
+        async () => {
+          const requestHeaders = {};
+          for (const [key, value] of Object.entries(headers)) {
+            requestHeaders[key] = String(value);
+          }
+          requestHeaders["User-Agent"] = this.userAgent;
+          requestHeaders["Content-Type"] = "application/json";
+          const fetchOptions = {
+            method,
+            headers: requestHeaders,
+            signal: controller.signal
+          };
+          if (body) {
+            if (body.__canonicalJson) {
+              fetchOptions.body = body.__canonicalJson;
+              delete body.__canonicalJson;
+            } else {
+              fetchOptions.body = JSON.stringify(body);
+            }
+          }
+          const bodyStr = typeof fetchOptions.body === "string" ? fetchOptions.body : null;
+          requestDetailsForLogging = {
+            headers: this.debug ? sanitizeHeaders(requestHeaders) : {},
+            bodyLength: bodyStr ? bodyStr.length : 0
+          };
+          if (this.debug) {
+            const bodyShape = body && typeof body === "object" ? sanitizeBodyShape(body) : {};
+            console.error("[GATE SDK] Request:", JSON.stringify({
+              url,
+              method,
+              headerNames: Object.keys(requestHeaders),
+              headersRedacted: requestDetailsForLogging.headers,
+              bodyLength: requestDetailsForLogging.bodyLength,
+              bodyKeysAndTypes: bodyShape
+            }, null, 2));
+          }
+          const res = await fetch(url, fetchOptions);
+          if (!res.ok && isRetryableStatus(res.status)) {
+            throw res;
+          }
+          if (!res.ok && !isRetryableStatus(res.status)) {
+            throw res;
+          }
+          return res;
+        },
+        {
+          ...this.retryOptions
+          // Custom retry logic that handles Response objects
+        }
+      );
+      clearTimeout(timeoutId);
+      let data;
+      const contentType = response.headers.get("content-type");
+      if (this.debug) {
+        console.error("[GATE SDK] Response:", JSON.stringify({
+          status: response.status,
+          ok: response.ok,
+          url: response.url
+        }, null, 2));
+      }
+      if (contentType && contentType.includes("application/json")) {
+        try {
+          const jsonText = await response.text();
+          data = JSON.parse(jsonText);
+          if (this.debug && data && typeof data === "object") {
+            console.error("[GATE SDK] Response keys:", Object.keys(data));
+          }
+        } catch (parseError) {
+          if (this.debug) {
+            console.error("[GATE SDK] JSON parse error:", parseError instanceof Error ? parseError.message : String(parseError));
+          }
+          throw new GateError(
+            "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+            "Failed to parse JSON response",
+            {
+              status: response.status,
+              requestId,
+              cause: parseError instanceof Error ? parseError : void 0
+            }
+          );
+        }
+      } else {
+        const text = await response.text();
+        throw new GateError(
+          "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+          `Unexpected content type: ${contentType}`,
+          {
+            status: response.status,
+            details: { body: text.substring(0, 200) },
+            requestId
+          }
+        );
+      }
+      if (!response.ok) {
+        const responseHeaders = {};
+        response.headers.forEach((value, key) => {
+          responseHeaders[key] = value;
+        });
+        if (this.debug) {
+          console.error("[GATE SDK] Error response:", JSON.stringify({
+            status: response.status,
+            url: response.url,
+            requestPath: path,
+            responseKeys: data && typeof data === "object" ? Object.keys(data) : []
+          }, null, 2));
+        }
+        const errorCode = this.statusToErrorCode(response.status);
+        const correlationId = response.headers.get("X-Correlation-ID") ?? void 0;
+        throw new GateError(errorCode, `HTTP ${response.status}: ${response.statusText}`, {
+          status: response.status,
+          correlationId,
+          requestId,
+          details: data
+        });
+      }
+      return data;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new GateError("TIMEOUT" /* TIMEOUT */, `Request timeout after ${this.timeoutMs}ms`, {
+          requestId
+        });
+      }
+      if (error instanceof Response) {
+        const errorCode = this.statusToErrorCode(error.status);
+        const correlationId = error.headers.get("X-Correlation-ID") ?? void 0;
+        let details;
+        try {
+          const text = await error.text();
+          try {
+            details = JSON.parse(text);
+          } catch {
+            details = { body: text.substring(0, 200) };
+          }
+        } catch {
+        }
+        throw new GateError(errorCode, `HTTP ${error.status}: ${error.statusText}`, {
+          status: error.status,
+          correlationId,
+          requestId,
+          details
+        });
+      }
+      if (isRetryableError(error)) {
+        throw new GateError(
+          "NETWORK_ERROR" /* NETWORK_ERROR */,
+          `Network error: ${error instanceof Error ? error.message : String(error)}`,
+          {
+            requestId,
+            cause: error instanceof Error ? error : void 0
+          }
+        );
+      }
+      if (error instanceof GateError) {
+        throw error;
+      }
+      throw new GateError(
+        "NETWORK_ERROR" /* NETWORK_ERROR */,
+        `Unexpected error: ${error instanceof Error ? error.message : String(error)}`,
+        {
+          requestId,
+          cause: error instanceof Error ? error : void 0
+        }
+      );
+    }
+  }
+  /**
+   * Map HTTP status code to GateErrorCode
+   */
+  statusToErrorCode(status) {
+    if (status === 401) return "UNAUTHORIZED" /* UNAUTHORIZED */;
+    if (status === 403) return "FORBIDDEN" /* FORBIDDEN */;
+    if (status === 404) return "NOT_FOUND" /* NOT_FOUND */;
+    if (status === 429) return "RATE_LIMITED" /* RATE_LIMITED */;
+    if (status >= 500 && status < 600) return "SERVER_ERROR" /* SERVER_ERROR */;
+    return "NETWORK_ERROR" /* NETWORK_ERROR */;
+  }
+};
+
+// src/utils/time.ts
+function nowMs() {
+  return Date.now();
+}
+function nowEpochSeconds() {
+  return Math.floor(Date.now() / 1e3);
+}
+function clamp(value, min, max) {
+  return Math.max(min, Math.min(max, value));
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/stepup/stepup.ts
+var DEFAULT_POLLING_INTERVAL_MS = 250;
+var DEFAULT_MAX_WAIT_MS = 15e3;
+var DEFAULT_TTL_MIN_SECONDS = 300;
+var DEFAULT_TTL_MAX_SECONDS = 900;
+var DEFAULT_TTL_DEFAULT_SECONDS = 600;
+var StepUpPoller = class {
+  httpClient;
+  tenantId;
+  pollingIntervalMs;
+  maxWaitMs;
+  ttlMinSeconds;
+  ttlMaxSeconds;
+  ttlDefaultSeconds;
+  constructor(config) {
+    this.httpClient = config.httpClient;
+    this.tenantId = config.tenantId;
+    this.pollingIntervalMs = config.pollingIntervalMs ?? DEFAULT_POLLING_INTERVAL_MS;
+    this.maxWaitMs = config.maxWaitMs ?? DEFAULT_MAX_WAIT_MS;
+    this.ttlMinSeconds = config.ttlMinSeconds ?? DEFAULT_TTL_MIN_SECONDS;
+    this.ttlMaxSeconds = config.ttlMaxSeconds ?? DEFAULT_TTL_MAX_SECONDS;
+    this.ttlDefaultSeconds = config.ttlDefaultSeconds ?? DEFAULT_TTL_DEFAULT_SECONDS;
+  }
+  /**
+   * Get current step-up status
+   */
+  async getStatus(requestId) {
+    const path = `/defense/stepup/status?tenantId=${encodeURIComponent(this.tenantId)}&requestId=${encodeURIComponent(requestId)}`;
+    try {
+      const apiResponse = await this.httpClient.request({
+        method: "GET",
+        path,
+        requestId
+      });
+      const response = {
+        status: apiResponse.status,
+        tenantId: apiResponse.tenant_id ?? apiResponse.tenantId,
+        requestId: apiResponse.request_id ?? apiResponse.requestId,
+        decision: apiResponse.decision,
+        reasonCodes: apiResponse.reason_codes ?? apiResponse.reasonCodes,
+        correlationId: apiResponse.correlation_id ?? apiResponse.correlationId,
+        expiresAtMs: apiResponse.expires_at_ms ?? apiResponse.expiresAtMs,
+        ttl: apiResponse.ttl
+      };
+      const now = nowEpochSeconds();
+      if (response.ttl !== void 0 && response.ttl <= now) {
+        return {
+          ...response,
+          status: "EXPIRED"
+        };
+      }
+      return response;
+    } catch (error) {
+      if (error instanceof GateError && error.code === "NOT_FOUND" /* NOT_FOUND */) {
+        throw new GateError(
+          "NOT_FOUND" /* NOT_FOUND */,
+          `Step-up request not found: ${requestId}`,
+          { requestId }
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Wait for step-up decision with polling
+   * 
+   * Polls until status is APPROVED, DENIED, or EXPIRED, or timeout is reached.
+   */
+  async awaitDecision(requestId, options) {
+    const startTime = Date.now();
+    const maxWaitMs = options?.maxWaitMs ?? this.maxWaitMs;
+    const intervalMs = options?.intervalMs ?? this.pollingIntervalMs;
+    while (true) {
+      const elapsedMs = Date.now() - startTime;
+      if (elapsedMs >= maxWaitMs) {
+        throw new GateError(
+          "STEP_UP_TIMEOUT" /* STEP_UP_TIMEOUT */,
+          `Step-up decision timeout after ${maxWaitMs}ms`,
+          { requestId }
+        );
+      }
+      try {
+        const status = await this.getStatus(requestId);
+        const now = nowEpochSeconds();
+        if (status.ttl !== void 0 && status.ttl <= now) {
+          return {
+            status: "EXPIRED",
+            requestId,
+            elapsedMs,
+            correlationId: status.correlationId
+          };
+        }
+        if (status.status === "APPROVED" || status.status === "DENIED" || status.status === "EXPIRED") {
+          return {
+            status: status.status,
+            requestId,
+            elapsedMs,
+            decision: status.decision,
+            reasonCodes: status.reasonCodes,
+            correlationId: status.correlationId
+          };
+        }
+        await sleep(intervalMs);
+      } catch (error) {
+        if (error instanceof GateError && error.code === "NOT_FOUND" /* NOT_FOUND */) {
+          throw error;
+        }
+        const remainingMs = maxWaitMs - (Date.now() - startTime);
+        if (remainingMs <= 0) {
+          throw new GateError(
+            "STEP_UP_TIMEOUT" /* STEP_UP_TIMEOUT */,
+            `Step-up decision timeout after ${maxWaitMs}ms`,
+            { requestId, cause: error instanceof Error ? error : void 0 }
+          );
+        }
+        await sleep(Math.min(intervalMs, remainingMs));
+      }
+    }
+  }
+  /**
+   * Clamp TTL to guardrails
+   */
+  clampTtl(ttlSeconds) {
+    if (ttlSeconds === void 0) {
+      return this.ttlDefaultSeconds;
+    }
+    return clamp(ttlSeconds, this.ttlMinSeconds, this.ttlMaxSeconds);
+  }
+};
+
+// src/circuit/CircuitBreaker.ts
+var CircuitBreaker = class {
+  state = "CLOSED";
+  failures = 0;
+  successes = 0;
+  lastFailureTime;
+  lastSuccessTime;
+  tripsToOpen = 0;
+  tripThreshold;
+  coolDownMs;
+  constructor(config = {}) {
+    this.tripThreshold = config.tripAfterConsecutiveFailures ?? 5;
+    this.coolDownMs = config.coolDownMs ?? 3e4;
+  }
+  /**
+   * Execute function with circuit breaker protection
+   */
+  async execute(fn) {
+    if (this.state === "OPEN") {
+      const now = Date.now();
+      const timeSinceLastFailure = this.lastFailureTime ? now - this.lastFailureTime : Infinity;
+      if (timeSinceLastFailure >= this.coolDownMs) {
+        this.state = "HALF_OPEN";
+        this.failures = 0;
+      } else {
+        throw new CircuitBreakerOpenError(
+          `Circuit breaker is OPEN. Will retry after ${this.coolDownMs - timeSinceLastFailure}ms`
+        );
+      }
+    }
+    try {
+      const result = await fn();
+      this.onSuccess();
+      return result;
+    } catch (error) {
+      this.onFailure();
+      throw error;
+    }
+  }
+  onSuccess() {
+    this.successes++;
+    this.lastSuccessTime = Date.now();
+    if (this.state === "HALF_OPEN") {
+      this.state = "CLOSED";
+      this.failures = 0;
+    } else if (this.state === "CLOSED") {
+      this.failures = 0;
+    }
+  }
+  onFailure() {
+    this.failures++;
+    this.lastFailureTime = Date.now();
+    if (this.state === "HALF_OPEN") {
+      this.state = "OPEN";
+      this.tripsToOpen++;
+    } else if (this.state === "CLOSED" && this.failures >= this.tripThreshold) {
+      this.state = "OPEN";
+      this.tripsToOpen++;
+    }
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return {
+      failures: this.failures,
+      successes: this.successes,
+      state: this.state,
+      lastFailureTime: this.lastFailureTime,
+      lastSuccessTime: this.lastSuccessTime,
+      tripsToOpen: this.tripsToOpen
+    };
+  }
+  /**
+   * Reset circuit breaker to CLOSED state
+   */
+  reset() {
+    this.state = "CLOSED";
+    this.failures = 0;
+    this.successes = 0;
+    this.lastFailureTime = void 0;
+    this.lastSuccessTime = void 0;
+    this.tripsToOpen = 0;
+  }
+};
+var CircuitBreakerOpenError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CircuitBreakerOpenError";
+  }
+};
+
+// src/metrics/MetricsCollector.ts
+var MetricsCollector = class {
+  requestsTotal = 0;
+  allowedTotal = 0;
+  blockedTotal = 0;
+  stepupTotal = 0;
+  timeoutsTotal = 0;
+  errorsTotal = 0;
+  circuitBreakerOpenTotal = 0;
+  wouldBlockTotal = 0;
+  // Shadow mode would-block count
+  failOpenTotal = 0;
+  // Fail-open count
+  latencyMs = [];
+  maxSamples = 1e3;
+  // Keep last 1000 samples
+  hooks = [];
+  /**
+   * Record a request
+   */
+  recordRequest(decision, latencyMs) {
+    this.requestsTotal++;
+    if (decision === "ALLOW") {
+      this.allowedTotal++;
+    } else if (decision === "BLOCK") {
+      this.blockedTotal++;
+    } else if (decision === "REQUIRE_STEP_UP") {
+      this.stepupTotal++;
+    } else if (decision === "WOULD_BLOCK") {
+      this.wouldBlockTotal++;
+      this.allowedTotal++;
+    } else if (decision === "FAIL_OPEN") {
+      this.failOpenTotal++;
+      this.allowedTotal++;
+    }
+    this.latencyMs.push(latencyMs);
+    if (this.latencyMs.length > this.maxSamples) {
+      this.latencyMs.shift();
+    }
+    this.emitMetrics();
+  }
+  /**
+   * Record a timeout
+   */
+  recordTimeout() {
+    this.timeoutsTotal++;
+    this.errorsTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Record an error
+   */
+  recordError() {
+    this.errorsTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Record circuit breaker open
+   */
+  recordCircuitBreakerOpen() {
+    this.circuitBreakerOpenTotal++;
+    this.emitMetrics();
+  }
+  /**
+   * Record soft-enforce override (app chose to sign despite BLOCK decision)
+   */
+  recordSoftBlockOverride(decision) {
+    this.emitMetrics();
+  }
+  /**
+   * Get current metrics snapshot
+   */
+  getMetrics() {
+    return {
+      requestsTotal: this.requestsTotal,
+      allowedTotal: this.allowedTotal,
+      blockedTotal: this.blockedTotal,
+      stepupTotal: this.stepupTotal,
+      timeoutsTotal: this.timeoutsTotal,
+      errorsTotal: this.errorsTotal,
+      circuitBreakerOpenTotal: this.circuitBreakerOpenTotal,
+      wouldBlockTotal: this.wouldBlockTotal,
+      failOpenTotal: this.failOpenTotal,
+      latencyMs: [...this.latencyMs]
+      // Copy array
+    };
+  }
+  /**
+   * Register a metrics hook (e.g., for Prometheus/OpenTelemetry export)
+   */
+  registerHook(hook) {
+    this.hooks.push(hook);
+  }
+  /**
+   * Emit metrics to all registered hooks
+   */
+  emitMetrics() {
+    const metrics = this.getMetrics();
+    for (const hook of this.hooks) {
+      try {
+        hook(metrics);
+      } catch (error) {
+        console.error("Error in metrics hook:", error);
+      }
+    }
+  }
+  /**
+   * Reset all metrics
+   */
+  reset() {
+    this.requestsTotal = 0;
+    this.allowedTotal = 0;
+    this.blockedTotal = 0;
+    this.stepupTotal = 0;
+    this.timeoutsTotal = 0;
+    this.errorsTotal = 0;
+    this.circuitBreakerOpenTotal = 0;
+    this.wouldBlockTotal = 0;
+    this.failOpenTotal = 0;
+    this.latencyMs = [];
+  }
+};
+function canonicalJsonBinding(obj) {
+  if (obj === null || obj === void 0) return "null";
+  if (typeof obj === "string") return JSON.stringify(obj);
+  if (typeof obj === "number") return obj.toString();
+  if (typeof obj === "boolean") return obj ? "true" : "false";
+  if (Array.isArray(obj)) {
+    const items = obj.map((item) => canonicalJsonBinding(item));
+    return "[" + items.join(",") + "]";
+  }
+  if (typeof obj === "object") {
+    const keys = Object.keys(obj).sort();
+    const pairs = [];
+    for (const key of keys) {
+      const value = obj[key];
+      if (value !== void 0) {
+        pairs.push(JSON.stringify(key) + ":" + canonicalJsonBinding(value));
+      }
+    }
+    return "{" + pairs.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+function normalizeAddress(addr) {
+  if (addr == null || addr === "") return "";
+  const s = String(addr).trim();
+  if (s.startsWith("0x")) return s.toLowerCase();
+  return "0x" + s.toLowerCase();
+}
+function normalizeData(data) {
+  if (data == null || data === "") return "";
+  const s = String(data).trim().toLowerCase();
+  return s.startsWith("0x") ? s : "0x" + s;
+}
+function buildTxBindingObject(txIntent, signerId, decodedRecipient, decodedFields, fromAddress) {
+  const toAddr = txIntent.toAddress ?? txIntent.to ?? "";
+  const value = (txIntent.valueAtomic ?? txIntent.valueDecimal ?? txIntent.value ?? "0").toString();
+  const data = normalizeData(
+    txIntent.data ?? txIntent.payloadHash ?? txIntent.dataHash ?? ""
+  );
+  const chainId = (txIntent.chainId ?? txIntent.chain ?? "").toString();
+  const toAddress = normalizeAddress(toAddr);
+  const nonce = txIntent.nonce != null ? String(txIntent.nonce) : "";
+  const decoded = {};
+  const out = {
+    chainId,
+    toAddress,
+    value,
+    data,
+    nonce
+  };
+  if (fromAddress) out.fromAddress = normalizeAddress(fromAddress);
+  if (Object.keys(decoded).length > 0) out.decoded = decoded;
+  if (signerId) out.signerId = signerId;
+  if (txIntent.networkFamily) out.networkFamily = txIntent.networkFamily;
+  return out;
+}
+function computeTxDigest(binding) {
+  const canonical = canonicalJsonBinding(binding);
+  return createHash("sha256").update(canonical, "utf8").digest("hex");
+}
+
+// src/kms/wrapAwsSdkV3KmsClient.ts
+function wrapKmsClient(kmsClient, gateClient, options = {}) {
+  const defaultOptions = {
+    mode: options.mode || "enforce",
+    onDecision: options.onDecision || (() => {
+    }),
+    extractTxIntent: options.extractTxIntent || defaultExtractTxIntent
+  };
+  const wrapped = new Proxy(kmsClient, {
+    get(target, prop, receiver) {
+      if (prop === "send") {
+        return async function(command) {
+          if (command && command.constructor && command.constructor.name === "SignCommand") {
+            return await handleSignCommand(
+              command,
+              target,
+              gateClient,
+              defaultOptions
+            );
+          }
+          return await target.send(command);
+        };
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+  wrapped._originalClient = kmsClient;
+  wrapped._gateClient = gateClient;
+  wrapped._wrapperOptions = defaultOptions;
+  return wrapped;
+}
+function defaultExtractTxIntent(command) {
+  const message = command.input?.Message ?? command.Message;
+  if (!message) {
+    throw new Error("SignCommand missing required Message property");
+  }
+  const messageBuffer = message instanceof Buffer ? message : Buffer.from(message);
+  const messageHash = createHash("sha256").update(messageBuffer).digest("hex");
+  return {
+    networkFamily: "OTHER",
+    toAddress: void 0,
+    // Unknown from KMS message alone
+    payloadHash: messageHash,
+    dataHash: messageHash
+    // Backward compatibility
+  };
+}
+async function handleSignCommand(command, originalClient, gateClient, options) {
+  const txIntent = options.extractTxIntent(command);
+  const signerId = command.input?.KeyId ?? command.KeyId ?? "unknown";
+  gateClient.heartbeatManager.updateSignerId(signerId);
+  const heartbeatToken = gateClient.heartbeatManager.getToken();
+  if (!heartbeatToken) {
+    throw new BlockIntelBlockedError(
+      "HEARTBEAT_MISSING",
+      void 0,
+      // receiptId
+      void 0,
+      // correlationId
+      void 0
+      // requestId
+    );
+  }
+  const signingContext = {
+    signerId,
+    actorPrincipal: "kms-signer",
+    // Default - can be customized via extractTxIntent
+    heartbeatToken
+    // Attach heartbeat token
+  };
+  try {
+    const decision = await gateClient.evaluate({
+      txIntent,
+      // Type assertion - txIntent may have extra fields
+      signingContext
+    });
+    if (decision.decision === "ALLOW" && gateClient.getRequireDecisionToken() && decision.txDigest != null) {
+      const binding = buildTxBindingObject(
+        txIntent,
+        signerId,
+        void 0,
+        void 0,
+        signingContext.actorPrincipal
+      );
+      const computedDigest = computeTxDigest(binding);
+      if (computedDigest !== decision.txDigest) {
+        options.onDecision("BLOCK", {
+          error: new BlockIntelBlockedError(
+            "DECISION_TOKEN_TX_MISMATCH",
+            decision.decisionId,
+            decision.correlationId,
+            void 0
+          ),
+          signerId,
+          command
+        });
+        throw new BlockIntelBlockedError(
+          "DECISION_TOKEN_TX_MISMATCH",
+          decision.decisionId,
+          decision.correlationId,
+          void 0
+        );
+      }
+    }
+    options.onDecision("ALLOW", { decision, signerId, command });
+    if (options.mode === "dry-run") {
+      return await originalClient.send(new SignCommand(command));
+    }
+    return await originalClient.send(new SignCommand(command));
+  } catch (error) {
+    if (error instanceof BlockIntelBlockedError) {
+      options.onDecision("BLOCK", { error, signerId, command });
+      throw error;
+    }
+    if (error instanceof BlockIntelStepUpRequiredError) {
+      options.onDecision("REQUIRE_STEP_UP", { error, signerId, command });
+      throw error;
+    }
+    throw error;
+  }
+}
+
+// src/provenance/ProvenanceProvider.ts
+var ProvenanceProvider = class {
+  /**
+   * Get provenance from environment variables
+   */
+  static getProvenance() {
+    const repo = process.env.GATE_CALLER_REPO;
+    const workflow = process.env.GATE_CALLER_WORKFLOW;
+    const ref = process.env.GATE_CALLER_REF;
+    const actor = process.env.GATE_CALLER_ACTOR;
+    const attestationValid = process.env.GATE_ATTESTATION_VALID;
+    const attestationIssuer = process.env.GATE_ATTESTATION_ISSUER;
+    const attestationSubject = process.env.GATE_ATTESTATION_SUBJECT;
+    const attestationSha = process.env.GATE_ATTESTATION_SHA;
+    if (!repo && !workflow && !ref && !actor && !attestationValid) {
+      return null;
+    }
+    const provenance = {};
+    if (repo) provenance.repo = repo;
+    if (workflow) provenance.workflow = workflow;
+    if (ref) provenance.ref = ref;
+    if (actor) provenance.actor = actor;
+    if (attestationValid || attestationIssuer || attestationSubject || attestationSha) {
+      provenance.attestation = {
+        valid: attestationValid === "true" || attestationValid === "1",
+        issuer: attestationIssuer,
+        subject: attestationSubject,
+        sha: attestationSha
+      };
+    }
+    return provenance;
+  }
+  /**
+   * Check if provenance is enabled (env vars present)
+   */
+  static isEnabled() {
+    return !!(process.env.GATE_CALLER_REPO || process.env.GATE_CALLER_WORKFLOW || process.env.GATE_ATTESTATION_VALID);
+  }
+};
+var HeartbeatManager = class {
+  httpClient;
+  tenantId;
+  signerId;
+  environment;
+  baseRefreshIntervalSeconds;
+  clientInstanceId;
+  // Unique per process
+  sdkVersion;
+  // SDK version for tracking
+  apiKey;
+  // x-gate-heartbeat-key for Control Plane auth
+  currentToken = null;
+  refreshTimer = null;
+  started = false;
+  consecutiveFailures = 0;
+  maxBackoffSeconds = 30;
+  // Maximum backoff interval
+  constructor(options) {
+    this.httpClient = options.httpClient;
+    this.tenantId = options.tenantId;
+    this.signerId = options.signerId;
+    this.environment = options.environment ?? "prod";
+    this.baseRefreshIntervalSeconds = options.refreshIntervalSeconds ?? 10;
+    this.apiKey = options.apiKey;
+    this.clientInstanceId = options.clientInstanceId || v4();
+    this.sdkVersion = options.sdkVersion || "1.0.0";
+    this.apiKey = options.apiKey;
+  }
+  /**
+   * Start background heartbeat refresher.
+   * Optionally wait for initial token (first evaluate() will otherwise wait up to 2s for token).
+   */
+  start(options) {
+    if (this.started) {
+      return;
+    }
+    this.started = true;
+    this.acquireHeartbeat().catch((error) => {
+      console.error("[HEARTBEAT] Failed to acquire initial heartbeat:", error instanceof Error ? error.message : error);
+    });
+    this.scheduleNextRefresh();
+  }
+  /**
+   * Schedule next refresh with jitter and backoff
+   */
+  scheduleNextRefresh() {
+    if (!this.started) {
+      return;
+    }
+    const baseInterval = this.baseRefreshIntervalSeconds * 1e3;
+    const jitter = Math.random() * 2e3;
+    const backoff = this.calculateBackoff();
+    const interval = baseInterval + jitter + backoff;
+    this.refreshTimer = setTimeout(() => {
+      this.acquireHeartbeat().then(() => {
+        this.consecutiveFailures = 0;
+        this.scheduleNextRefresh();
+      }).catch((error) => {
+        this.consecutiveFailures++;
+        console.error("[HEARTBEAT] Refresh failed (will retry):", error);
+        this.scheduleNextRefresh();
+      });
+    }, interval);
+  }
+  /**
+   * Calculate exponential backoff (capped at maxBackoffSeconds)
+   */
+  calculateBackoff() {
+    if (this.consecutiveFailures === 0) {
+      return 0;
+    }
+    const backoffSeconds = Math.min(
+      Math.pow(2, this.consecutiveFailures) * 1e3,
+      this.maxBackoffSeconds * 1e3
+    );
+    return backoffSeconds;
+  }
+  /**
+   * Stop background heartbeat refresher
+   */
+  stop() {
+    if (!this.started) {
+      return;
+    }
+    this.started = false;
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+  }
+  /**
+   * Get current heartbeat token if valid
+   */
+  getToken() {
+    if (!this.currentToken) {
+      return null;
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (this.currentToken.expiresAt <= now + 2) {
+      return null;
+    }
+    return this.currentToken.token;
+  }
+  /**
+   * Check if current heartbeat token is valid
+   */
+  isValid() {
+    return this.getToken() !== null;
+  }
+  /**
+   * Update signer ID (called when signer is known)
+   */
+  updateSignerId(signerId) {
+    if (this.signerId !== signerId) {
+      this.signerId = signerId;
+      this.currentToken = null;
+    }
+  }
+  /**
+   * Acquire a new heartbeat token from Control Plane
+   * NEVER logs token value (security)
+   * Requires x-gate-heartbeat-key header (apiKey) for authentication.
+   */
+  async acquireHeartbeat() {
+    if (!this.apiKey || this.apiKey.length === 0) {
+      throw new GateError(
+        "UNAUTHORIZED" /* UNAUTHORIZED */,
+        "Heartbeat API key is required. Set GATE_HEARTBEAT_KEY in environment or pass heartbeatApiKey in GateClientConfig.",
+        {}
+      );
+    }
+    try {
+      const response = await this.httpClient.request({
+        method: "POST",
+        path: "/api/v1/gate/heartbeat",
+        headers: {
+          "x-gate-heartbeat-key": this.apiKey
+        },
+        body: {
+          tenantId: this.tenantId,
+          signerId: this.signerId,
+          environment: this.environment,
+          clientInstanceId: this.clientInstanceId,
+          sdkVersion: this.sdkVersion
+        }
+      });
+      if (response.success && response.data) {
+        const token = response.data.heartbeatToken;
+        const expiresAt = response.data.expiresAt;
+        if (!token || !expiresAt) {
+          throw new GateError(
+            "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+            "Invalid heartbeat response: missing token or expiresAt"
+          );
+        }
+        this.currentToken = {
+          token,
+          expiresAt,
+          jti: response.data.jti,
+          policyHash: response.data.policyHash
+        };
+        console.log("[HEARTBEAT] Acquired heartbeat token", {
+          expiresAt,
+          jti: response.data.jti,
+          policyHash: response.data.policyHash?.substring(0, 8) + "..."
+          // DO NOT log token value
+        });
+      } else {
+        const error = response.error || {};
+        throw new GateError(
+          "SERVER_ERROR" /* SERVER_ERROR */,
+          `Heartbeat acquisition failed: ${error.message || "Unknown error"}`
+        );
+      }
+    } catch (error) {
+      console.error("[HEARTBEAT] Failed to acquire heartbeat:", error.message || error);
+      throw error;
+    }
+  }
+  /**
+   * Get client instance ID (for tracking)
+   */
+  getClientInstanceId() {
+    return this.clientInstanceId;
+  }
+};
+
+// src/security/IamPermissionRiskChecker.ts
+var IamPermissionRiskChecker = class {
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Perform synchronous IAM permission risk check
+   * 
+   * Performs quick checks (credentials, environment markers) synchronously.
+   * In HARD mode, throws error if risk detected and override not set.
+   * 
+   * Use this for blocking initialization checks.
+   */
+  checkSync() {
+    const checks = [];
+    const credentialsCheck = this.checkAwsCredentials();
+    if (credentialsCheck.hasRisk) {
+      checks.push(credentialsCheck);
+    }
+    const envCheck = this.checkEnvironmentMarkers();
+    if (envCheck.hasRisk) {
+      checks.push(envCheck);
+    }
+    const highestConfidence = this.getHighestConfidence(checks);
+    const highestRisk = checks.find((c) => c.confidence === highestConfidence);
+    if (!highestRisk || !highestRisk.hasRisk) {
+      return {
+        hasRisk: false,
+        confidence: "LOW",
+        details: "No IAM permission risk detected (synchronous check)"
+      };
+    }
+    if (this.options.enforcementMode === "HARD" && !this.options.allowInsecureKmsSignPermission) {
+      const errorMessage = this.buildErrorMessage(highestRisk);
+      throw new Error(errorMessage);
+    }
+    this.logWarning(highestRisk);
+    return highestRisk;
+  }
+  /**
+   * Perform full IAM permission risk check (including async IAM simulation)
+   * 
+   * Returns risk assessment with confidence level.
+   * In HARD mode, throws error if risk detected and override not set.
+   */
+  async check() {
+    const syncResult = this.checkSync();
+    const simulationCheck = await this.checkIamSimulation();
+    if (simulationCheck.hasRisk) {
+      if (this.options.enforcementMode === "HARD" && !this.options.allowInsecureKmsSignPermission) {
+        const errorMessage = this.buildErrorMessage(simulationCheck);
+        throw new Error(errorMessage);
+      }
+      this.logWarning(simulationCheck);
+      return simulationCheck;
+    }
+    return syncResult;
+  }
+  /**
+   * Check if AWS credentials are present
+   */
+  checkAwsCredentials() {
+    const hasEnvVars = !!(process.env.AWS_ACCESS_KEY_ID || process.env.AWS_SECRET_ACCESS_KEY || process.env.AWS_SESSION_TOKEN);
+    const hasRoleCredentials = !!(process.env.AWS_ROLE_ARN || process.env.AWS_WEB_IDENTITY_TOKEN_FILE || process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI);
+    if (hasEnvVars || hasRoleCredentials) {
+      return {
+        hasRisk: true,
+        riskType: "AWS_CREDENTIALS_DETECTED",
+        confidence: "MEDIUM",
+        details: "AWS credentials detected in environment. Application may have direct KMS signing permissions.",
+        remediation: "Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING"
+      };
+    }
+    return {
+      hasRisk: false,
+      confidence: "LOW",
+      details: "No AWS credentials detected in environment variables"
+    };
+  }
+  /**
+   * Check IAM permissions using simulation API (if available)
+   */
+  async checkIamSimulation() {
+    try {
+      const iamModule = await import('@aws-sdk/client-iam').catch(() => null);
+      if (!iamModule || !iamModule.IAMClient || !iamModule.SimulatePrincipalPolicyCommand) {
+        return {
+          hasRisk: false,
+          confidence: "LOW",
+          details: "AWS SDK not available for IAM simulation"
+        };
+      }
+      const { IAMClient, SimulatePrincipalPolicyCommand } = iamModule;
+      const principalArn = await this.getCurrentPrincipalArn();
+      if (!principalArn) {
+        return {
+          hasRisk: false,
+          confidence: "LOW",
+          details: "Could not determine current principal ARN for simulation"
+        };
+      }
+      const client = new IAMClient({});
+      const command = new SimulatePrincipalPolicyCommand({
+        PolicySourceArn: principalArn,
+        ActionNames: ["kms:Sign"],
+        ResourceArns: this.options.kmsKeyIds?.map((id) => `arn:aws:kms:*:*:key/${id}`) || ["arn:aws:kms:*:*:key/*"]
+      });
+      const response = await client.send(command).catch(() => null);
+      if (!response) {
+        return {
+          hasRisk: false,
+          confidence: "LOW",
+          details: "IAM simulation not available (may require additional permissions)"
+        };
+      }
+      const allowsSign = response.EvaluationResults?.some(
+        (result) => result.EvalDecision === "allowed" || result.EvalDecision === "explicitAllow"
+      );
+      if (allowsSign) {
+        return {
+          hasRisk: true,
+          riskType: "DIRECT_KMS_SIGN_PERMISSION",
+          confidence: "HIGH",
+          details: `IAM simulation confirms principal ${principalArn} has kms:Sign permission. Direct KMS signing can bypass Gate.`,
+          remediation: "Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING"
+        };
+      }
+      return {
+        hasRisk: false,
+        confidence: "HIGH",
+        details: "IAM simulation confirms no kms:Sign permission"
+      };
+    } catch (error) {
+      return {
+        hasRisk: false,
+        confidence: "LOW",
+        details: `IAM simulation failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      };
+    }
+  }
+  /**
+   * Check environment markers that suggest direct KMS usage
+   */
+  checkEnvironmentMarkers() {
+    const markers = [
+      "KMS_KEY_ID",
+      "AWS_KMS_KEY_ID",
+      "KMS_KEY_ARN",
+      "AWS_KMS_KEY_ARN"
+    ];
+    const foundMarkers = markers.filter((marker) => process.env[marker]);
+    if (foundMarkers.length > 0) {
+      return {
+        hasRisk: true,
+        riskType: "ENVIRONMENT_MARKERS",
+        confidence: "LOW",
+        details: `Environment markers suggest direct KMS usage: ${foundMarkers.join(", ")}`,
+        remediation: "Review environment variables and ensure KMS access is gated through Gate SDK"
+      };
+    }
+    return {
+      hasRisk: false,
+      confidence: "LOW",
+      details: "No environment markers suggesting direct KMS usage"
+    };
+  }
+  /**
+   * Get current principal ARN (best-effort)
+   */
+  async getCurrentPrincipalArn() {
+    try {
+      const stsModule = await import('@aws-sdk/client-sts').catch(() => null);
+      if (!stsModule || !stsModule.STSClient || !stsModule.GetCallerIdentityCommand) {
+        return null;
+      }
+      const { STSClient, GetCallerIdentityCommand } = stsModule;
+      const client = new STSClient({});
+      const command = new GetCallerIdentityCommand({});
+      const response = await client.send(command).catch(() => null);
+      if (response?.Arn) {
+        return response.Arn;
+      }
+    } catch (error) {
+    }
+    return null;
+  }
+  /**
+   * Get highest confidence level from checks
+   */
+  getHighestConfidence(checks) {
+    if (checks.some((c) => c.confidence === "HIGH")) {
+      return "HIGH";
+    }
+    if (checks.some((c) => c.confidence === "MEDIUM")) {
+      return "MEDIUM";
+    }
+    return "LOW";
+  }
+  /**
+   * Build error message for HARD mode
+   */
+  buildErrorMessage(result) {
+    const parts = [
+      "[GATE ERROR] Hard enforcement mode blocked initialization:",
+      `  - IAM permission risk: ${result.details}`,
+      `  - Risk type: ${result.riskType}`,
+      `  - Confidence: ${result.confidence}`,
+      `  - Tenant ID: ${this.options.tenantId}`
+    ];
+    if (this.options.signerId) {
+      parts.push(`  - Signer ID: ${this.options.signerId}`);
+    }
+    if (this.options.environment) {
+      parts.push(`  - Environment: ${this.options.environment}`);
+    }
+    if (result.remediation) {
+      parts.push(`  - Remediation: ${result.remediation}`);
+    }
+    parts.push("  - See: https://docs.blockintelai.com/gate/IAM_HARDENING");
+    parts.push(`  - Override: Set allowInsecureKmsSignPermission=true (not recommended for production)`);
+    return parts.join("\n");
+  }
+  /**
+   * Log warning (SOFT mode or override set)
+   */
+  logWarning(result) {
+    const logData = {
+      level: "WARN",
+      message: "IAM permission risk detected",
+      tenantId: this.options.tenantId,
+      signerId: this.options.signerId,
+      environment: this.options.environment,
+      enforcementMode: this.options.enforcementMode,
+      riskType: result.riskType,
+      confidence: result.confidence,
+      details: result.details,
+      remediation: result.remediation,
+      documentation: "https://docs.blockintelai.com/gate/IAM_HARDENING"
+    };
+    console.warn("[GATE WARNING]", JSON.stringify(logData, null, 2));
+  }
+};
+
+// src/client/GateClient.ts
+var GateClient = class {
+  config;
+  httpClient;
+  hmacSigner;
+  apiKeyAuth;
+  stepUpPoller;
+  circuitBreaker;
+  metrics;
+  heartbeatManager;
+  mode;
+  onConnectionFailure;
+  constructor(config) {
+    this.config = config;
+    const envMode = process.env.GATE_MODE;
+    this.mode = envMode || config.mode || "SHADOW";
+    if (config.onConnectionFailure) {
+      this.onConnectionFailure = config.onConnectionFailure;
+    } else {
+      this.onConnectionFailure = this.mode === "SHADOW" ? "FAIL_OPEN" : "FAIL_CLOSED";
+    }
+    if (config.auth.mode === "hmac") {
+      this.hmacSigner = new HmacSigner({
+        keyId: config.auth.keyId,
+        secret: config.auth.secret
+      });
+    } else {
+      this.apiKeyAuth = new ApiKeyAuth({
+        apiKey: config.auth.apiKey
+      });
+    }
+    this.httpClient = new HttpClient({
+      baseUrl: config.baseUrl,
+      timeoutMs: config.timeoutMs,
+      userAgent: config.userAgent,
+      debug: config.debug
+    });
+    if (config.enableStepUp) {
+      this.stepUpPoller = new StepUpPoller({
+        httpClient: this.httpClient,
+        tenantId: config.tenantId,
+        pollingIntervalMs: config.stepUp?.pollingIntervalMs,
+        maxWaitMs: config.stepUp?.maxWaitMs
+      });
+    }
+    if (config.circuitBreaker) {
+      this.circuitBreaker = new CircuitBreaker(config.circuitBreaker);
+    }
+    this.metrics = new MetricsCollector();
+    if (config.onMetrics) {
+      this.metrics.registerHook(config.onMetrics);
+    }
+    if (config.local) {
+      console.warn("[GATE CLIENT] LOCAL MODE ENABLED - Auth, heartbeat, and break-glass are disabled");
+      this.heartbeatManager = null;
+    } else {
+      const heartbeatApiKey = config.heartbeatApiKey ?? (typeof process !== "undefined" ? process.env.GATE_HEARTBEAT_KEY : void 0);
+      if (!heartbeatApiKey || heartbeatApiKey.length === 0) {
+        throw new Error(
+          "GATE_HEARTBEAT_KEY environment variable or heartbeatApiKey in config is required for heartbeat authentication. Set GATE_HEARTBEAT_KEY in your environment or pass heartbeatApiKey in GateClientConfig."
+        );
+      }
+      let controlPlaneUrl = config.baseUrl;
+      if (controlPlaneUrl.includes("/defense")) {
+        controlPlaneUrl = controlPlaneUrl.split("/defense")[0];
+      }
+      if (config.controlPlaneUrl) {
+        controlPlaneUrl = config.controlPlaneUrl;
+      }
+      const heartbeatHttpClient = new HttpClient({
+        baseUrl: controlPlaneUrl,
+        timeoutMs: 5e3,
+        // 5s timeout for heartbeat
+        userAgent: config.userAgent
+      });
+      const initialSignerId = config.signerId ?? "trading-bot-signer";
+      this.heartbeatManager = new HeartbeatManager({
+        httpClient: heartbeatHttpClient,
+        tenantId: config.tenantId,
+        signerId: initialSignerId,
+        environment: config.environment ?? "prod",
+        refreshIntervalSeconds: config.heartbeatRefreshIntervalSeconds ?? 10,
+        apiKey: heartbeatApiKey
+      });
+      this.heartbeatManager.start();
+    }
+    if (!config.local) {
+      const enforcementMode = config.enforcementMode || "SOFT";
+      const allowInsecureKmsSignPermission = config.allowInsecureKmsSignPermission ?? enforcementMode === "SOFT";
+      const riskChecker = new IamPermissionRiskChecker({
+        tenantId: config.tenantId,
+        signerId: config.signerId,
+        environment: config.environment,
+        enforcementMode,
+        allowInsecureKmsSignPermission,
+        kmsKeyIds: config.kmsKeyIds
+      });
+      riskChecker.checkSync();
+      this.performIamRiskCheckAsync(riskChecker, enforcementMode).catch((error) => {
+        if (enforcementMode === "SOFT" || allowInsecureKmsSignPermission) {
+          console.warn("[GATE CLIENT] Async IAM risk check warning:", error instanceof Error ? error.message : String(error));
+        } else {
+          console.error("[GATE CLIENT] Async IAM risk check found risk after initialization:", error);
+        }
+      });
+    }
+  }
+  /**
+   * Whether the SDK requires a decision token for ALLOW before sign (ENFORCE/HARD).
+   * Env GATE_REQUIRE_DECISION_TOKEN overrides config.
+   */
+  getRequireDecisionToken() {
+    if (typeof process !== "undefined" && process.env.GATE_REQUIRE_DECISION_TOKEN !== void 0) {
+      return process.env.GATE_REQUIRE_DECISION_TOKEN === "true" || process.env.GATE_REQUIRE_DECISION_TOKEN === "1";
+    }
+    return this.config.requireDecisionToken ?? (this.mode === "ENFORCE" || this.config.enforcementMode === "HARD");
+  }
+  /**
+   * Perform async IAM permission risk check (non-blocking)
+   * 
+   * Performs async IAM simulation check in background.
+   * Logs warnings but doesn't block (initialization already completed).
+   */
+  async performIamRiskCheckAsync(riskChecker, enforcementMode) {
+    try {
+      await riskChecker.check();
+    } catch (error) {
+      console.warn("[GATE CLIENT] Async IAM risk check warning:", error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Evaluate a transaction defense request
+   * 
+   * Implements:
+   * - Shadow Mode (SHADOW: monitor-only, ENFORCE: enforce decisions)
+   * - Connection failure strategy (FAIL_OPEN vs FAIL_CLOSED)
+   * - Circuit breaker protection
+   * - Fail-safe modes (ALLOW_ON_TIMEOUT, BLOCK_ON_TIMEOUT, BLOCK_ON_ANOMALY)
+   * - Metrics collection
+   * - Error handling (BLOCK → BlockIntelBlockedError, REQUIRE_STEP_UP → BlockIntelStepUpRequiredError)
+   */
+  async evaluate(req, opts) {
+    const requestId = opts?.requestId ?? v4();
+    const timestampMs = req.timestampMs ?? nowMs();
+    const startTime = Date.now();
+    const failSafeMode = this.config.failSafeMode ?? "ALLOW_ON_TIMEOUT";
+    const evaluationMode = this.config.evaluationMode ?? "BLOCKING";
+    const requestMode = req.mode || this.mode;
+    const requireToken = this.getRequireDecisionToken();
+    const executeRequest = async () => {
+      if (!this.config.local && this.heartbeatManager && req.signingContext?.signerId) {
+        this.heartbeatManager.updateSignerId(req.signingContext.signerId);
+      }
+      let heartbeatToken = null;
+      if (!this.config.local && this.heartbeatManager) {
+        heartbeatToken = this.heartbeatManager.getToken();
+        if (!heartbeatToken) {
+          const maxWaitMs = 2e3;
+          const startTime2 = Date.now();
+          while (!heartbeatToken && Date.now() - startTime2 < maxWaitMs) {
+            await new Promise((resolve) => setTimeout(resolve, 50));
+            heartbeatToken = this.heartbeatManager.getToken();
+          }
+        }
+        if (!heartbeatToken) {
+          throw new GateError(
+            "HEARTBEAT_MISSING" /* HEARTBEAT_MISSING */,
+            "Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy."
+          );
+        }
+      }
+      const txIntent = { ...req.txIntent };
+      if (txIntent.to && !txIntent.toAddress) {
+        txIntent.toAddress = txIntent.to;
+        delete txIntent.to;
+      }
+      if (!txIntent.networkFamily && txIntent.chainId) {
+        txIntent.networkFamily = "EVM";
+      }
+      if (txIntent.from && !txIntent.fromAddress) {
+        delete txIntent.from;
+      }
+      const signingContext = {
+        ...req.signingContext,
+        actorPrincipal: req.signingContext?.actorPrincipal ?? req.signingContext?.signerId ?? "gate-sdk-client",
+        signerId: req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? "gate-sdk-client"
+      };
+      if (heartbeatToken) {
+        signingContext.heartbeatToken = heartbeatToken;
+      }
+      const provenance = ProvenanceProvider.getProvenance();
+      if (provenance) {
+        signingContext.caller = {
+          repo: provenance.repo,
+          workflow: provenance.workflow,
+          ref: provenance.ref,
+          actor: provenance.actor,
+          attestation: provenance.attestation
+        };
+      }
+      let body = {
+        tenantId: this.config.tenantId,
+        requestId,
+        timestampMs,
+        txIntent,
+        signingContext,
+        // Add SDK info (required by Hot Path validation)
+        sdk: {
+          name: "gate-sdk",
+          version: "0.1.0"
+        },
+        mode: requestMode,
+        onConnectionFailure: this.onConnectionFailure
+      };
+      if (req.simulate === true) {
+        body.simulate = true;
+      }
+      if (!this.config.local && this.config.breakglassToken) {
+        signingContext.breakglassToken = this.config.breakglassToken;
+      }
+      let headers = {};
+      if (this.config.local) {
+        headers = {
+          "Content-Type": "application/json"
+        };
+        console.log("[GATE CLIENT] LOCAL MODE - Skipping authentication");
+      } else if (this.hmacSigner) {
+        const { canonicalizeJson: canonicalizeJson2 } = await Promise.resolve().then(() => (init_canonicalJson(), canonicalJson_exports));
+        const canonicalBodyJson = canonicalizeJson2(body);
+        const hmacHeaders = await this.hmacSigner.signRequest({
+          method: "POST",
+          path: "/defense/evaluate",
+          tenantId: this.config.tenantId,
+          timestampMs,
+          requestId,
+          body
+          // Pass original body - HmacSigner will canonicalize it internally
+        });
+        headers = { ...hmacHeaders };
+        body.__canonicalJson = canonicalBodyJson;
+      } else if (this.apiKeyAuth) {
+        const apiKeyHeaders = this.apiKeyAuth.createHeaders({
+          tenantId: this.config.tenantId,
+          timestampMs,
+          requestId
+        });
+        headers = { ...apiKeyHeaders };
+      } else {
+        throw new Error("No authentication configured");
+      }
+      const apiResponse = await this.httpClient.request({
+        method: "POST",
+        path: "/defense/evaluate",
+        headers,
+        body,
+        requestId
+      });
+      let responseData;
+      if (apiResponse.success === true && apiResponse.data) {
+        responseData = apiResponse.data;
+      } else if (apiResponse.success === false && apiResponse.error) {
+        const error = apiResponse.error;
+        throw new GateError(
+          error.code || "SERVER_ERROR" /* SERVER_ERROR */,
+          error.message || "Request failed",
+          {
+            status: error.status,
+            correlationId: error.correlationId,
+            requestId,
+            details: error
+          }
+        );
+      } else if (apiResponse.decision) {
+        responseData = apiResponse;
+      } else {
+        throw new GateError(
+          "INVALID_RESPONSE" /* INVALID_RESPONSE */,
+          "Invalid response format: expected { success: true, data: { ... } } or unwrapped response",
+          {
+            requestId,
+            details: apiResponse
+          }
+        );
+      }
+      const metadata = responseData.metadata || {};
+      const simulationData = metadata.simulation;
+      const result = {
+        decision: responseData.decision,
+        reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],
+        policyVersion: responseData.policy_version ?? responseData.policyVersion,
+        correlationId: responseData.correlation_id ?? responseData.correlationId,
+        decisionId: responseData.decision_id ?? responseData.decisionId,
+        decisionToken: responseData.decision_token ?? responseData.decisionToken,
+        expiresAt: responseData.expires_at ?? responseData.expiresAt,
+        txDigest: responseData.tx_digest ?? responseData.txDigest,
+        stepUp: responseData.step_up ? {
+          requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ""),
+          ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds
+        } : responseData.stepUp,
+        enforced: responseData.enforced ?? requestMode === "ENFORCE",
+        shadowWouldBlock: responseData.shadow_would_block ?? responseData.shadowWouldBlock ?? false,
+        mode: responseData.mode ?? requestMode,
+        ...simulationData ? {
+          simulation: {
+            willRevert: simulationData.willRevert ?? simulationData.will_revert ?? false,
+            gasUsed: simulationData.gasUsed ?? simulationData.gas_used,
+            balanceChanges: simulationData.balanceChanges ?? simulationData.balance_changes,
+            errorReason: simulationData.errorReason ?? simulationData.error_reason
+          },
+          simulationLatencyMs: metadata.simulationLatencyMs ?? metadata.simulation_latency_ms
+        } : {},
+        metadata: {
+          evaluationLatencyMs: metadata.evaluationLatencyMs ?? metadata.evaluation_latency_ms,
+          policyHash: metadata.policyHash ?? metadata.policy_hash,
+          snapshotVersion: metadata.snapshotVersion ?? metadata.snapshot_version
+        }
+      };
+      const latencyMs = Date.now() - startTime;
+      const expectedPolicyHash = this.config.expectedPolicyHash;
+      const expectedSnapshotVersion = this.config.expectedSnapshotVersion;
+      if (expectedPolicyHash != null && result.metadata?.policyHash !== expectedPolicyHash) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Policy hash mismatch (pinning)", {
+            expected: expectedPolicyHash,
+            received: result.metadata?.policyHash,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "POLICY_HASH_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (expectedSnapshotVersion != null && result.metadata?.snapshotVersion !== void 0 && result.metadata.snapshotVersion !== expectedSnapshotVersion) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Snapshot version mismatch (pinning)", {
+            expected: expectedSnapshotVersion,
+            received: result.metadata?.snapshotVersion,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "SNAPSHOT_VERSION_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (requireToken && requestMode === "ENFORCE" && result.decision === "ALLOW" && !this.config.local) {
+        if (!result.decisionToken || !result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_MISSING",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const nowSec = Math.floor(Date.now() / 1e3);
+        if (result.expiresAt != null && result.expiresAt < nowSec - 5) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_EXPIRED",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const publicKeyPem = this.config.decisionTokenPublicKey;
+        if (publicKeyPem && result.decisionToken) {
+          const { decodeJwtUnsafe: decodeJwtUnsafe2, verifyDecisionTokenRs256: verifyDecisionTokenRs2562 } = await Promise.resolve().then(() => (init_decisionTokenVerify(), decisionTokenVerify_exports));
+          const decoded = decodeJwtUnsafe2(result.decisionToken);
+          if (decoded && (decoded.header.alg || "").toUpperCase() === "RS256") {
+            const resolvedPem = publicKeyPem.startsWith("-----") ? publicKeyPem : Buffer.from(publicKeyPem, "base64").toString("utf8");
+            const verified = verifyDecisionTokenRs2562(result.decisionToken, resolvedPem);
+            if (verified === null) {
+              this.metrics.recordRequest("BLOCK", latencyMs);
+              throw new BlockIntelBlockedError(
+                "DECISION_TOKEN_INVALID",
+                result.decisionId ?? requestId,
+                result.correlationId,
+                requestId
+              );
+            }
+          }
+        }
+        const signerId = signingContext?.signerId ?? req.signingContext?.signerId;
+        const fromAddress = txIntent.fromAddress ?? txIntent.from;
+        const binding = buildTxBindingObject(txIntent, signerId, void 0, void 0, fromAddress);
+        const computedDigest = computeTxDigest(binding);
+        if (computedDigest !== result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_DIGEST_MISMATCH",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+      }
+      if (result.decision === "BLOCK") {
+        if (requestMode === "SOFT_ENFORCE") {
+          console.warn("[SOFT ENFORCE] Policy violation detected - app can override", {
+            requestId,
+            reasonCodes: result.reasonCodes
+          });
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          return {
+            ...result,
+            decision: "BLOCK",
+            enforced: false,
+            mode: "SOFT_ENFORCE",
+            warning: "Policy violation detected. Override at your own risk."
+          };
+        }
+        if (requestMode === "SHADOW") {
+          console.warn("[GATE SHADOW MODE] Would have blocked transaction", {
+            requestId,
+            reasonCodes: result.reasonCodes,
+            correlationId: result.correlationId,
+            tenantId: this.config.tenantId,
+            signerId: req.signingContext?.signerId
+          });
+          this.metrics.recordRequest("WOULD_BLOCK", latencyMs);
+          return {
+            ...result,
+            decision: "ALLOW",
+            enforced: false,
+            shadowWouldBlock: true
+          };
+        }
+        const receiptId = responseData.decision_id || requestId;
+        const reasonCode = result.reasonCodes[0] || "POLICY_VIOLATION";
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);
+      }
+      if (result.decision === "REQUIRE_STEP_UP") {
+        if (this.config.enableStepUp && this.stepUpPoller && result.stepUp) {
+          const stepUpRequestId = result.stepUp.requestId || requestId;
+          const expiresAtMs = responseData.step_up?.expires_at_ms;
+          const statusUrl = `/defense/stepup/status?tenantId=${this.config.tenantId}&requestId=${stepUpRequestId}`;
+          this.metrics.recordRequest("REQUIRE_STEP_UP", latencyMs);
+          throw new BlockIntelStepUpRequiredError(stepUpRequestId, statusUrl, expiresAtMs, requestId);
+        } else {
+          const receiptId = responseData.decision_id || requestId;
+          const reasonCode = "STEPUP_REQUIRED";
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);
+        }
+      }
+      this.metrics.recordRequest("ALLOW", latencyMs);
+      return result;
+    };
+    if (evaluationMode === "FIRE_AND_FORGET") {
+      executeRequest().then((res) => {
+        if (res.decision === "BLOCK" || res.shadowWouldBlock) {
+          console.warn("[FIRE-AND-FORGET] Would have blocked:", res.reasonCodes);
+        }
+        this.metrics.recordRequest(res.decision === "ALLOW" ? "ALLOW" : "WOULD_BLOCK", Date.now() - startTime);
+      }).catch((err) => {
+        console.error("[FIRE-AND-FORGET] Attestation failed:", err);
+        this.metrics.recordError();
+      });
+      return {
+        decision: "ALLOW",
+        decisionId: requestId,
+        correlationId: requestId,
+        reasonCodes: [],
+        enforced: false,
+        mode: requestMode,
+        fireAndForget: true
+      };
+    }
+    try {
+      if (this.circuitBreaker) {
+        return await this.circuitBreaker.execute(executeRequest);
+      }
+      return await executeRequest();
+    } catch (error) {
+      if (error instanceof CircuitBreakerOpenError) {
+        this.metrics.recordCircuitBreakerOpen();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw error;
+      }
+      if (error instanceof GateError && (error.code === "UNAUTHORIZED" /* UNAUTHORIZED */ || error.code === "FORBIDDEN" /* FORBIDDEN */)) {
+        this.metrics.recordError();
+        throw new BlockIntelAuthError(
+          error.message,
+          error.status || 401,
+          requestId
+        );
+      }
+      const isConnectionFailure = error instanceof GateError && (error.code === "TIMEOUT" /* TIMEOUT */ || error.code === "SERVER_ERROR" /* SERVER_ERROR */) || error instanceof BlockIntelUnavailableError || error?.code === "ECONNREFUSED" || error?.code === "ENOTFOUND" || error?.code === "ETIMEDOUT";
+      if (isConnectionFailure) {
+        this.metrics.recordTimeout();
+        if (this.onConnectionFailure === "FAIL_OPEN") {
+          console.error("[GATE CONNECTION FAILURE] FAIL_OPEN mode - allowing transaction", {
+            requestId,
+            error: error.message,
+            tenantId: this.config.tenantId,
+            mode: requestMode
+          });
+          console.warn("[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_open)");
+          this.metrics.recordRequest("FAIL_OPEN", Date.now() - startTime);
+          return {
+            decision: "ALLOW",
+            reasonCodes: ["GATE_HOTPATH_UNAVAILABLE"],
+            correlationId: requestId,
+            enforced: false,
+            mode: requestMode
+          };
+        } else {
+          throw new BlockIntelUnavailableError(
+            `Signing blocked: Gate hot path unreachable (fail-closed). ${error.message}`,
+            requestId
+          );
+        }
+      }
+      if (error instanceof GateError && error.code === "TIMEOUT" /* TIMEOUT */) {
+        this.metrics.recordTimeout();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw new BlockIntelUnavailableError(`Service timeout: ${error.message}`, requestId);
+      }
+      if (error instanceof GateError && error.code === "SERVER_ERROR" /* SERVER_ERROR */) {
+        this.metrics.recordError();
+        const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);
+        if (failSafeResult) {
+          return failSafeResult;
+        }
+        throw error;
+      }
+      if (error instanceof GateError && error.code === "RATE_LIMITED" /* RATE_LIMITED */) {
+        console.warn("[GATE SDK] X-BlockIntel-Degraded: true (reason: 429)");
+        throw error;
+      }
+      if (error instanceof BlockIntelBlockedError || error instanceof BlockIntelStepUpRequiredError) {
+        throw error;
+      }
+      this.metrics.recordError();
+      throw error;
+    }
+  }
+  /**
+   * Handle fail-safe modes for timeouts/errors
+   */
+  handleFailSafe(mode, error, requestId) {
+    if (mode === "ALLOW_ON_TIMEOUT") {
+      console.warn("[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)");
+      return {
+        decision: "ALLOW",
+        reasonCodes: ["FAIL_SAFE_ALLOW"],
+        correlationId: requestId
+      };
+    }
+    if (mode === "BLOCK_ON_TIMEOUT") {
+      return null;
+    }
+    if (mode === "BLOCK_ON_ANOMALY") {
+      console.warn("[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)");
+      return {
+        decision: "ALLOW",
+        reasonCodes: ["FAIL_SAFE_ALLOW"],
+        correlationId: requestId
+      };
+    }
+    return null;
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return this.metrics.getMetrics();
+  }
+  /**
+   * Get circuit breaker metrics (if enabled)
+   */
+  getCircuitBreakerMetrics() {
+    return this.circuitBreaker?.getMetrics() || null;
+  }
+  /**
+   * Get step-up status
+   */
+  async getStepUpStatus(args) {
+    if (!this.stepUpPoller) {
+      throw new StepUpNotConfiguredError(args.requestId);
+    }
+    const tenantId = args.tenantId ?? this.config.tenantId;
+    const poller = new StepUpPoller({
+      httpClient: this.httpClient,
+      tenantId,
+      pollingIntervalMs: this.config.stepUp?.pollingIntervalMs,
+      maxWaitMs: this.config.stepUp?.maxWaitMs
+    });
+    return poller.getStatus(args.requestId);
+  }
+  /**
+   * Wait for step-up decision with polling
+   */
+  async awaitStepUpDecision(args) {
+    if (!this.stepUpPoller) {
+      throw new StepUpNotConfiguredError(args.requestId);
+    }
+    return this.stepUpPoller.awaitDecision(args.requestId, {
+      maxWaitMs: args.maxWaitMs ?? this.config.stepUp?.maxWaitMs,
+      intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs
+    });
+  }
+  /**
+   * Evaluate policy and sign in one call when decision is ALLOW.
+   * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.
+   */
+  async evaluateAndSign(params) {
+    const decision = await this.evaluate({
+      txIntent: params.txIntent,
+      signingContext: params.signingContext
+    });
+    if (decision.decision === "ALLOW") {
+      const signature = await params.signer.sign({
+        keyId: params.keyId,
+        message: params.message,
+        algorithm: params.algorithm ?? "ECDSA_SHA_256"
+      });
+      return { decision, signature };
+    }
+    return { decision };
+  }
+  /**
+   * Attest a completed signature (post-sign). Use when you want zero latency impact on signing
+   * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or
+   * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).
+   */
+  async attestCompleted(req) {
+    const requestId = v4();
+    const timestampMs = nowMs();
+    const txIntent = { ...req.txIntent };
+    if (txIntent.to && !txIntent.toAddress) {
+      txIntent.toAddress = txIntent.to;
+      delete txIntent.to;
+    }
+    if (!txIntent.networkFamily && txIntent.chainId) txIntent.networkFamily = "EVM";
+    const signingContext = {
+      ...req.signingContext,
+      signerId: req.signingContext?.signerId ?? req.signature.signerId
+    };
+    const body = {
+      tenantId: this.config.tenantId,
+      requestId,
+      timestampMs,
+      txIntent,
+      signature: req.signature,
+      signingContext
+    };
+    let headers = { "Content-Type": "application/json" };
+    if (this.config.local) ; else if (this.hmacSigner) {
+      const { canonicalizeJson: canonicalizeJson2 } = await Promise.resolve().then(() => (init_canonicalJson(), canonicalJson_exports));
+      const canonicalBodyJson = canonicalizeJson2(body);
+      const hmacHeaders = await this.hmacSigner.signRequest({
+        method: "POST",
+        path: "/defense/attest-completed",
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId,
+        body
+      });
+      headers = { ...hmacHeaders };
+      body.__canonicalJson = canonicalBodyJson;
+    } else if (this.apiKeyAuth) {
+      const apiKeyHeaders = this.apiKeyAuth.createHeaders({
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId
+      });
+      headers = { ...apiKeyHeaders };
+    } else {
+      throw new Error("No authentication configured");
+    }
+    const apiResponse = await this.httpClient.request({
+      method: "POST",
+      path: "/defense/attest-completed",
+      headers,
+      body,
+      requestId
+    });
+    if (apiResponse.success === true && apiResponse.data) {
+      const data = apiResponse.data;
+      if (data.decision === "POLICY_VIOLATION_DETECTED") {
+        console.warn("[POST-SIGN ATTESTATION] Policy violation detected after signing", {
+          requestId,
+          reasonCodes: data.reasonCodes
+        });
+      }
+      return data;
+    }
+    if (apiResponse.error) {
+      const err = apiResponse.error;
+      throw new GateError(err.code || "SERVER_ERROR", err.message || "Request failed", {
+        status: err.status,
+        correlationId: err.correlationId,
+        requestId
+      });
+    }
+    throw new GateError("INVALID_RESPONSE" /* INVALID_RESPONSE */, "Invalid response from attest-completed", { requestId });
+  }
+  /**
+   * Wrap AWS SDK v3 KMS client to intercept SignCommand calls
+   * 
+   * @param kmsClient - AWS SDK v3 KMSClient instance
+   * @param options - Wrapper options
+   * @returns Wrapped KMS client that enforces Gate policies
+   * 
+   * @example
+   * ```typescript
+   * import { KMSClient } from '@aws-sdk/client-kms';
+   * 
+   * const kms = new KMSClient({});
+   * const protectedKms = gateClient.wrapKmsClient(kms);
+   * 
+   * // Now SignCommand calls will be intercepted and evaluated by Gate
+   * const result = await protectedKms.send(new SignCommand({ ... }));
+   * ```
+   */
+  wrapKmsClient(kmsClient, options) {
+    return wrapKmsClient(kmsClient, this, options);
+  }
+};
+
+// src/pilot/pilotToken.ts
+function encodePilotToken(config) {
+  const baseUrl = config.baseUrl ?? "https://gate.blockintelai.com";
+  const mode = config.mode ?? "SHADOW";
+  const payload = `${config.tenantId}:${config.keyId}:${config.hmacSecret}:${baseUrl}:${mode}`;
+  return `gp_${Buffer.from(payload, "utf-8").toString("base64")}`;
+}
+function decodePilotToken(token) {
+  if (!token || !token.startsWith("gp_")) {
+    throw new Error("Invalid pilot token format. Expected GATE_PILOT_TOKEN=gp_<base64>. Get it from: https://gate.blockintelai.com/pilot/setup");
+  }
+  const decoded = Buffer.from(token.slice(3), "base64").toString("utf-8");
+  const parts = decoded.split(":");
+  if (parts.length < 3) {
+    throw new Error("Invalid pilot token: missing tenantId, keyId, or secret");
+  }
+  const [tenantId, keyId, hmacSecret, baseUrl, mode] = parts;
+  return {
+    baseUrl: baseUrl || "https://gate.blockintelai.com",
+    tenantId,
+    auth: { mode: "hmac", keyId, secret: hmacSecret },
+    mode: mode || "SHADOW"
+  };
+}
+
+// src/pilot/attestOnly.ts
+var cachedClient = null;
+async function attestOnly(request) {
+  const pilotToken = typeof process !== "undefined" ? process.env?.GATE_PILOT_TOKEN : void 0;
+  if (!pilotToken) {
+    throw new Error(
+      "GATE_PILOT_TOKEN env var not set. Get it from: https://gate.blockintelai.com/pilot/setup"
+    );
+  }
+  if (!cachedClient) {
+    const config = decodePilotToken(pilotToken);
+    cachedClient = new GateClient({
+      ...config,
+      mode: "SHADOW",
+      evaluationMode: "FIRE_AND_FORGET"
+    });
+  }
+  return cachedClient.attestCompleted({
+    signature: request.signature,
+    txIntent: request.txIntent,
+    signingContext: request.signingContext
+  });
+}
+
+export { attestOnly, decodePilotToken, encodePilotToken };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map