npm - blockintel-gate-sdk - Versions diffs - 0.3.7 → 0.3.9 - Mend

blockintel-gate-sdk 0.3.7 → 0.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +2 -0
package/dist/contracts-KKk945Ox.d.cts +380 -0
package/dist/contracts-KKk945Ox.d.ts +380 -0
package/dist/index.cjs +1020 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +392 -298
package/dist/index.d.ts +392 -298
package/dist/index.js +1015 -4
package/dist/index.js.map +1 -1
package/dist/pilot/index.cjs +2401 -0
package/dist/pilot/index.cjs.map +1 -0
package/dist/pilot/index.d.cts +38 -0
package/dist/pilot/index.d.ts +38 -0
package/dist/pilot/index.js +2397 -0
package/dist/pilot/index.js.map +1 -0
package/package.json +14 -1

package/dist/index.cjs CHANGED Viewed

@@ -5,7 +5,9 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var crypto = require('crypto');
 var uuid = require('uuid');
 var clientKms = require('@aws-sdk/client-kms');
+var module$1 = require('module');
+var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __esm = (fn, res) => function __init() {
@@ -50,6 +52,55 @@ var init_canonicalJson = __esm({
   "src/utils/canonicalJson.ts"() {
   }
 });
+// src/utils/decisionTokenVerify.ts
+var decisionTokenVerify_exports = {};
+__export(decisionTokenVerify_exports, {
+  decodeJwtUnsafe: () => decodeJwtUnsafe,
+  verifyDecisionTokenRs256: () => verifyDecisionTokenRs256
+});
+function decodeJwtUnsafe(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(
+      Buffer.from(parts[0], "base64url").toString("utf8")
+    );
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf8")
+    );
+    return { header, payload };
+  } catch {
+    return null;
+  }
+}
+function verifyDecisionTokenRs256(token, publicKeyPem) {
+  const decoded = decodeJwtUnsafe(token);
+  if (!decoded || (decoded.header.alg || "").toUpperCase() !== "RS256") return null;
+  const { payload } = decoded;
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.iss !== ISS || payload.aud !== AUD) return null;
+  if (payload.exp != null && payload.exp < now - 5) return null;
+  try {
+    const parts = token.split(".");
+    const signingInput = `${parts[0]}.${parts[1]}`;
+    const signature = Buffer.from(parts[2], "base64url");
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(signingInput);
+    verify.end();
+    const ok = verify.verify(publicKeyPem, signature);
+    return ok ? payload : null;
+  } catch {
+    return null;
+  }
+}
+var ISS, AUD;
+var init_decisionTokenVerify = __esm({
+  "src/utils/decisionTokenVerify.ts"() {
+    ISS = "blockintel-gate";
+    AUD = "gate-decision";
+  }
+});
 async function hmacSha256(secret, message) {
   const hmac = crypto.createHmac("sha256", secret);
   hmac.update(message, "utf8");
@@ -869,6 +920,12 @@ var MetricsCollector = class {
     this.circuitBreakerOpenTotal++;
     this.emitMetrics();
   }
+  /**
+   * Record soft-enforce override (app chose to sign despite BLOCK decision)
+   */
+  recordSoftBlockOverride(decision) {
+    this.emitMetrics();
+  }
   /**
    * Get current metrics snapshot
    */
@@ -922,6 +979,75 @@ var MetricsCollector = class {
     this.latencyMs = [];
   }
 };
+function canonicalJsonBinding(obj) {
+  if (obj === null || obj === void 0) return "null";
+  if (typeof obj === "string") return JSON.stringify(obj);
+  if (typeof obj === "number") return obj.toString();
+  if (typeof obj === "boolean") return obj ? "true" : "false";
+  if (Array.isArray(obj)) {
+    const items = obj.map((item) => canonicalJsonBinding(item));
+    return "[" + items.join(",") + "]";
+  }
+  if (typeof obj === "object") {
+    const keys = Object.keys(obj).sort();
+    const pairs = [];
+    for (const key of keys) {
+      const value = obj[key];
+      if (value !== void 0) {
+        pairs.push(JSON.stringify(key) + ":" + canonicalJsonBinding(value));
+      }
+    }
+    return "{" + pairs.join(",") + "}";
+  }
+  return JSON.stringify(obj);
+}
+function normalizeAddress(addr) {
+  if (addr == null || addr === "") return "";
+  const s = String(addr).trim();
+  if (s.startsWith("0x")) return s.toLowerCase();
+  return "0x" + s.toLowerCase();
+}
+function normalizeData(data) {
+  if (data == null || data === "") return "";
+  const s = String(data).trim().toLowerCase();
+  return s.startsWith("0x") ? s : "0x" + s;
+}
+function buildTxBindingObject(txIntent, signerId, decodedRecipient, decodedFields, fromAddress) {
+  const toAddr = txIntent.toAddress ?? txIntent.to ?? "";
+  const value = (txIntent.valueAtomic ?? txIntent.valueDecimal ?? txIntent.value ?? "0").toString();
+  const data = normalizeData(
+    txIntent.data ?? txIntent.payloadHash ?? txIntent.dataHash ?? ""
+  );
+  const chainId = (txIntent.chainId ?? txIntent.chain ?? "").toString();
+  const toAddress = normalizeAddress(toAddr);
+  const nonce = txIntent.nonce != null ? String(txIntent.nonce) : "";
+  const decoded = {};
+  if (decodedFields && typeof decodedFields === "object") {
+    for (const [k, v] of Object.entries(decodedFields)) {
+      if (v !== void 0) decoded[k] = v;
+    }
+  }
+  const out = {
+    chainId,
+    toAddress,
+    value,
+    data,
+    nonce
+  };
+  if (fromAddress) out.fromAddress = normalizeAddress(fromAddress);
+  if (decodedRecipient != null)
+    out.decodedRecipient = decodedRecipient ? normalizeAddress(decodedRecipient) : null;
+  if (Object.keys(decoded).length > 0) out.decoded = decoded;
+  if (signerId) out.signerId = signerId;
+  if (txIntent.networkFamily) out.networkFamily = txIntent.networkFamily;
+  return out;
+}
+function computeTxDigest(binding) {
+  const canonical = canonicalJsonBinding(binding);
+  return crypto.createHash("sha256").update(canonical, "utf8").digest("hex");
+}
+// src/kms/wrapAwsSdkV3KmsClient.ts
 function wrapKmsClient(kmsClient, gateClient, options = {}) {
   const defaultOptions = {
     mode: options.mode || "enforce",
@@ -997,6 +1123,34 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
       // Type assertion - txIntent may have extra fields
       signingContext
     });
+    if (decision.decision === "ALLOW" && gateClient.getRequireDecisionToken() && decision.txDigest != null) {
+      const binding = buildTxBindingObject(
+        txIntent,
+        signerId,
+        void 0,
+        void 0,
+        signingContext.actorPrincipal
+      );
+      const computedDigest = computeTxDigest(binding);
+      if (computedDigest !== decision.txDigest) {
+        options.onDecision("BLOCK", {
+          error: new BlockIntelBlockedError(
+            "DECISION_TOKEN_TX_MISMATCH",
+            decision.decisionId,
+            decision.correlationId,
+            void 0
+          ),
+          signerId,
+          command
+        });
+        throw new BlockIntelBlockedError(
+          "DECISION_TOKEN_TX_MISMATCH",
+          decision.decisionId,
+          decision.correlationId,
+          void 0
+        );
+      }
+    }
     options.onDecision("ALLOW", { decision, signerId, command });
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
@@ -1593,6 +1747,16 @@ var GateClient = class {
       });
     }
   }
+  /**
+   * Whether the SDK requires a decision token for ALLOW before sign (ENFORCE/HARD).
+   * Env GATE_REQUIRE_DECISION_TOKEN overrides config.
+   */
+  getRequireDecisionToken() {
+    if (typeof process !== "undefined" && process.env.GATE_REQUIRE_DECISION_TOKEN !== void 0) {
+      return process.env.GATE_REQUIRE_DECISION_TOKEN === "true" || process.env.GATE_REQUIRE_DECISION_TOKEN === "1";
+    }
+    return this.config.requireDecisionToken ?? (this.mode === "ENFORCE" || this.config.enforcementMode === "HARD");
+  }
   /**
    * Perform async IAM permission risk check (non-blocking)
    *
@@ -1622,7 +1786,9 @@ var GateClient = class {
     const timestampMs = req.timestampMs ?? nowMs();
     const startTime = Date.now();
     const failSafeMode = this.config.failSafeMode ?? "ALLOW_ON_TIMEOUT";
+    const evaluationMode = this.config.evaluationMode ?? "BLOCKING";
     const requestMode = req.mode || this.mode;
+    const requireToken = this.getRequireDecisionToken();
     const executeRequest = async () => {
       if (!this.config.local && this.heartbeatManager && req.signingContext?.signerId) {
         this.heartbeatManager.updateSignerId(req.signingContext.signerId);
@@ -1765,6 +1931,10 @@ var GateClient = class {
         reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],
         policyVersion: responseData.policy_version ?? responseData.policyVersion,
         correlationId: responseData.correlation_id ?? responseData.correlationId,
+        decisionId: responseData.decision_id ?? responseData.decisionId,
+        decisionToken: responseData.decision_token ?? responseData.decisionToken,
+        expiresAt: responseData.expires_at ?? responseData.expiresAt,
+        txDigest: responseData.tx_digest ?? responseData.txDigest,
         stepUp: responseData.step_up ? {
           requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ""),
           ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds
@@ -1780,10 +1950,115 @@ var GateClient = class {
             errorReason: simulationData.errorReason ?? simulationData.error_reason
           },
           simulationLatencyMs: metadata.simulationLatencyMs ?? metadata.simulation_latency_ms
-        } : {}
+        } : {},
+        metadata: {
+          evaluationLatencyMs: metadata.evaluationLatencyMs ?? metadata.evaluation_latency_ms,
+          policyHash: metadata.policyHash ?? metadata.policy_hash,
+          snapshotVersion: metadata.snapshotVersion ?? metadata.snapshot_version
+        }
       };
       const latencyMs = Date.now() - startTime;
+      const expectedPolicyHash = this.config.expectedPolicyHash;
+      const expectedSnapshotVersion = this.config.expectedSnapshotVersion;
+      if (expectedPolicyHash != null && result.metadata?.policyHash !== expectedPolicyHash) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Policy hash mismatch (pinning)", {
+            expected: expectedPolicyHash,
+            received: result.metadata?.policyHash,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "POLICY_HASH_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (expectedSnapshotVersion != null && result.metadata?.snapshotVersion !== void 0 && result.metadata.snapshotVersion !== expectedSnapshotVersion) {
+        if (this.config.debug) {
+          console.warn("[GATE SDK] Snapshot version mismatch (pinning)", {
+            expected: expectedSnapshotVersion,
+            received: result.metadata?.snapshotVersion,
+            requestId
+          });
+        }
+        this.metrics.recordRequest("BLOCK", latencyMs);
+        throw new BlockIntelBlockedError(
+          "SNAPSHOT_VERSION_MISMATCH",
+          result.decisionId ?? requestId,
+          result.correlationId,
+          requestId
+        );
+      }
+      if (requireToken && requestMode === "ENFORCE" && result.decision === "ALLOW" && !this.config.local) {
+        if (!result.decisionToken || !result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_MISSING",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const nowSec = Math.floor(Date.now() / 1e3);
+        if (result.expiresAt != null && result.expiresAt < nowSec - 5) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_EXPIRED",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+        const publicKeyPem = this.config.decisionTokenPublicKey;
+        if (publicKeyPem && result.decisionToken) {
+          const { decodeJwtUnsafe: decodeJwtUnsafe2, verifyDecisionTokenRs256: verifyDecisionTokenRs2562 } = await Promise.resolve().then(() => (init_decisionTokenVerify(), decisionTokenVerify_exports));
+          const decoded = decodeJwtUnsafe2(result.decisionToken);
+          if (decoded && (decoded.header.alg || "").toUpperCase() === "RS256") {
+            const resolvedPem = publicKeyPem.startsWith("-----") ? publicKeyPem : Buffer.from(publicKeyPem, "base64").toString("utf8");
+            const verified = verifyDecisionTokenRs2562(result.decisionToken, resolvedPem);
+            if (verified === null) {
+              this.metrics.recordRequest("BLOCK", latencyMs);
+              throw new BlockIntelBlockedError(
+                "DECISION_TOKEN_INVALID",
+                result.decisionId ?? requestId,
+                result.correlationId,
+                requestId
+              );
+            }
+          }
+        }
+        const signerId = signingContext?.signerId ?? req.signingContext?.signerId;
+        const fromAddress = txIntent.fromAddress ?? txIntent.from;
+        const binding = buildTxBindingObject(txIntent, signerId, void 0, void 0, fromAddress);
+        const computedDigest = computeTxDigest(binding);
+        if (computedDigest !== result.txDigest) {
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          throw new BlockIntelBlockedError(
+            "DECISION_TOKEN_DIGEST_MISMATCH",
+            result.decisionId ?? requestId,
+            result.correlationId,
+            requestId
+          );
+        }
+      }
       if (result.decision === "BLOCK") {
+        if (requestMode === "SOFT_ENFORCE") {
+          console.warn("[SOFT ENFORCE] Policy violation detected - app can override", {
+            requestId,
+            reasonCodes: result.reasonCodes
+          });
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          return {
+            ...result,
+            decision: "BLOCK",
+            enforced: false,
+            mode: "SOFT_ENFORCE",
+            warning: "Policy violation detected. Override at your own risk."
+          };
+        }
         if (requestMode === "SHADOW") {
           console.warn("[GATE SHADOW MODE] Would have blocked transaction", {
             requestId,
@@ -1822,6 +2097,26 @@ var GateClient = class {
       this.metrics.recordRequest("ALLOW", latencyMs);
       return result;
     };
+    if (evaluationMode === "FIRE_AND_FORGET") {
+      executeRequest().then((res) => {
+        if (res.decision === "BLOCK" || res.shadowWouldBlock) {
+          console.warn("[FIRE-AND-FORGET] Would have blocked:", res.reasonCodes);
+        }
+        this.metrics.recordRequest(res.decision === "ALLOW" ? "ALLOW" : "WOULD_BLOCK", Date.now() - startTime);
+      }).catch((err) => {
+        console.error("[FIRE-AND-FORGET] Attestation failed:", err);
+        this.metrics.recordError();
+      });
+      return {
+        decision: "ALLOW",
+        decisionId: requestId,
+        correlationId: requestId,
+        reasonCodes: [],
+        enforced: false,
+        mode: requestMode,
+        fireAndForget: true
+      };
+    }
     try {
       if (this.circuitBreaker) {
         return await this.circuitBreaker.execute(executeRequest);
@@ -1962,6 +2257,102 @@ var GateClient = class {
       intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs
     });
   }
+  /**
+   * Evaluate policy and sign in one call when decision is ALLOW.
+   * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.
+   */
+  async evaluateAndSign(params) {
+    const decision = await this.evaluate({
+      txIntent: params.txIntent,
+      signingContext: params.signingContext
+    });
+    if (decision.decision === "ALLOW") {
+      const signature = await params.signer.sign({
+        keyId: params.keyId,
+        message: params.message,
+        algorithm: params.algorithm ?? "ECDSA_SHA_256"
+      });
+      return { decision, signature };
+    }
+    return { decision };
+  }
+  /**
+   * Attest a completed signature (post-sign). Use when you want zero latency impact on signing
+   * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or
+   * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).
+   */
+  async attestCompleted(req) {
+    const requestId = uuid.v4();
+    const timestampMs = nowMs();
+    const txIntent = { ...req.txIntent };
+    if (txIntent.to && !txIntent.toAddress) {
+      txIntent.toAddress = txIntent.to;
+      delete txIntent.to;
+    }
+    if (!txIntent.networkFamily && txIntent.chainId) txIntent.networkFamily = "EVM";
+    const signingContext = {
+      ...req.signingContext,
+      signerId: req.signingContext?.signerId ?? req.signature.signerId
+    };
+    const body = {
+      tenantId: this.config.tenantId,
+      requestId,
+      timestampMs,
+      txIntent,
+      signature: req.signature,
+      signingContext
+    };
+    let headers = { "Content-Type": "application/json" };
+    if (this.config.local) ; else if (this.hmacSigner) {
+      const { canonicalizeJson: canonicalizeJson2 } = await Promise.resolve().then(() => (init_canonicalJson(), canonicalJson_exports));
+      const canonicalBodyJson = canonicalizeJson2(body);
+      const hmacHeaders = await this.hmacSigner.signRequest({
+        method: "POST",
+        path: "/defense/attest-completed",
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId,
+        body
+      });
+      headers = { ...hmacHeaders };
+      body.__canonicalJson = canonicalBodyJson;
+    } else if (this.apiKeyAuth) {
+      const apiKeyHeaders = this.apiKeyAuth.createHeaders({
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId
+      });
+      headers = { ...apiKeyHeaders };
+    } else {
+      throw new Error("No authentication configured");
+    }
+    const apiResponse = await this.httpClient.request({
+      method: "POST",
+      path: "/defense/attest-completed",
+      headers,
+      body,
+      requestId
+    });
+    if (apiResponse.success === true && apiResponse.data) {
+      const data = apiResponse.data;
+      if (data.decision === "POLICY_VIOLATION_DETECTED") {
+        console.warn("[POST-SIGN ATTESTATION] Policy violation detected after signing", {
+          requestId,
+          reasonCodes: data.reasonCodes
+        });
+      }
+      return data;
+    }
+    if (apiResponse.error) {
+      const err = apiResponse.error;
+      throw new GateError(err.code || "SERVER_ERROR", err.message || "Request failed", {
+        status: err.status,
+        correlationId: err.correlationId,
+        requestId
+      });
+    }
+    throw new GateError("INVALID_RESPONSE" /* INVALID_RESPONSE */, "Invalid response from attest-completed", { requestId });
+  }
   /**
    * Wrap AWS SDK v3 KMS client to intercept SignCommand calls
    *
@@ -1994,6 +2385,39 @@ var Gate = class {
   constructor(opts) {
     this.apiKey = opts?.apiKey ?? process.env.BLOCKINTEL_API_KEY;
   }
+  /**
+   * Create a GateClient from environment variables (5-line integration).
+   *
+   * Reads: GATE_BASE_URL, GATE_TENANT_ID, GATE_API_KEY (or GATE_KEY_ID + GATE_HMAC_SECRET), GATE_MODE.
+   */
+  static fromEnv(overrides) {
+    const baseUrl = process.env.GATE_BASE_URL;
+    const tenantId = process.env.GATE_TENANT_ID;
+    const apiKey = process.env.GATE_API_KEY;
+    const keyId = process.env.GATE_KEY_ID;
+    const hmacSecret = process.env.GATE_HMAC_SECRET;
+    const mode = process.env.GATE_MODE ?? "SHADOW";
+    if (!baseUrl || !tenantId) {
+      throw new Error("GATE_BASE_URL and GATE_TENANT_ID environment variables are required");
+    }
+    let auth;
+    if (apiKey) {
+      auth = { mode: "apiKey", apiKey };
+    } else if (keyId && hmacSecret) {
+      auth = { mode: "hmac", keyId, secret: hmacSecret };
+    } else {
+      throw new Error(
+        "Either GATE_API_KEY or (GATE_KEY_ID and GATE_HMAC_SECRET) environment variables are required"
+      );
+    }
+    return new GateClient({
+      baseUrl,
+      tenantId,
+      auth,
+      mode,
+      ...overrides
+    });
+  }
   /**
    * Guard a signing operation. In passthrough mode, executes the callback.
    * For full Gate integration, use GateClient with evaluate() before sending.
@@ -2002,18 +2426,613 @@ var Gate = class {
     return cb();
   }
 };
+var AwsKmsSigner = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  getName() {
+    return "AWS KMS";
+  }
+  isAvailable() {
+    return !!this.config.kmsClient;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("AWS KMS client not configured");
+    }
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "ECDSA_SHA_256");
+    const signInput = {
+      KeyId: request.keyId,
+      Message: Buffer.from(request.message),
+      MessageType: request.messageType || this.config.defaultMessageType || "RAW",
+      SigningAlgorithm: algorithm
+    };
+    const command = new clientKms.SignCommand(signInput);
+    const response = await this.config.kmsClient.send(command);
+    if (!response.Signature) {
+      throw new Error("AWS KMS sign response missing signature");
+    }
+    return {
+      signature: Buffer.from(response.Signature),
+      keyId: response.KeyId || request.keyId,
+      algorithm: response.SigningAlgorithm || algorithm,
+      metadata: {
+        keyId: response.KeyId,
+        signingAlgorithm: response.SigningAlgorithm
+      }
+    };
+  }
+  /**
+   * Map algorithm string to AWS KMS SigningAlgorithmSpec
+   */
+  mapAlgorithm(algorithm) {
+    if (Object.values(clientKms.SigningAlgorithmSpec).includes(algorithm)) {
+      return algorithm;
+    }
+    const algorithmMap = {
+      "ECDSA_SHA_256": clientKms.SigningAlgorithmSpec.ECDSA_SHA_256,
+      "ECDSA_SHA_384": clientKms.SigningAlgorithmSpec.ECDSA_SHA_384,
+      "ECDSA_SHA_512": clientKms.SigningAlgorithmSpec.ECDSA_SHA_512,
+      "RSASSA_PSS_SHA_256": clientKms.SigningAlgorithmSpec.RSASSA_PSS_SHA_256,
+      "RSASSA_PSS_SHA_384": clientKms.SigningAlgorithmSpec.RSASSA_PSS_SHA_384,
+      "RSASSA_PSS_SHA_512": clientKms.SigningAlgorithmSpec.RSASSA_PSS_SHA_512,
+      "RSASSA_PKCS1_V1_5_SHA_256": clientKms.SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+      "RSASSA_PKCS1_V1_5_SHA_384": clientKms.SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_384,
+      "RSASSA_PKCS1_V1_5_SHA_512": clientKms.SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_512
+    };
+    return algorithmMap[algorithm.toUpperCase()] || clientKms.SigningAlgorithmSpec.ECDSA_SHA_256;
+  }
+};
+// src/signer/VaultSigner.ts
+var VaultSigner = class {
+  config;
+  authToken = null;
+  constructor(config) {
+    this.config = {
+      mountPath: "transit",
+      ...config
+    };
+  }
+  getName() {
+    return "HashiCorp Vault";
+  }
+  isAvailable() {
+    return !!this.config.vaultUrl && (!!this.config.token || !!this.config.appRole);
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("Vault signer not configured");
+    }
+    if (!this.authToken && this.config.appRole) {
+      await this.authenticateAppRole();
+    }
+    const token = this.config.token || this.authToken;
+    if (!token) {
+      throw new Error("Vault authentication token not available");
+    }
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "ecdsa-sha2-256");
+    const url = `${this.config.vaultUrl}/v1/${this.config.mountPath}/sign/${request.keyId}`;
+    const messageBase64 = Buffer.from(request.message).toString("base64");
+    const requestBody = {
+      input: messageBase64,
+      ...algorithm && { algorithm },
+      ...request.options || {}
+    };
+    const timeout = this.config.httpOptions?.timeout || 5e3;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Vault-Token": token
+        },
+        body: JSON.stringify(requestBody),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Vault sign failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      if (!data.data || !data.data.signature) {
+        throw new Error("Vault sign response missing signature");
+      }
+      const signatureParts = data.data.signature.split(":");
+      const signatureBase64 = signatureParts[signatureParts.length - 1];
+      const signature = Buffer.from(signatureBase64, "base64");
+      return {
+        signature,
+        keyId: request.keyId,
+        algorithm,
+        metadata: {
+          vaultSignature: data.data.signature,
+          keyVersion: data.data.key_version
+        }
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("Vault sign request timeout");
+      }
+      throw error;
+    }
+  }
+  /**
+   * Authenticate using AppRole
+   */
+  async authenticateAppRole() {
+    if (!this.config.appRole) {
+      throw new Error("AppRole not configured");
+    }
+    const url = `${this.config.vaultUrl}/v1/auth/approle/login`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        role_id: this.config.appRole.roleId,
+        secret_id: this.config.appRole.secretId
+      })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Vault AppRole authentication failed: ${response.status} ${errorText}`);
+    }
+    const data = await response.json();
+    if (!data.auth || !data.auth.client_token) {
+      throw new Error("Vault AppRole authentication response missing token");
+    }
+    this.authToken = data.auth.client_token;
+  }
+  /**
+   * Map algorithm string to Vault format
+   */
+  mapAlgorithm(algorithm) {
+    const algorithmMap = {
+      "ECDSA_SHA_256": "ecdsa-sha2-256",
+      "ECDSA_SHA_384": "ecdsa-sha2-384",
+      "ECDSA_SHA_512": "ecdsa-sha2-512",
+      "RSASSA_PSS_SHA_256": "rsa-sha2-256",
+      "RSASSA_PSS_SHA_384": "rsa-sha2-384",
+      "RSASSA_PSS_SHA_512": "rsa-sha2-512"
+    };
+    if (algorithm.startsWith("ecdsa-") || algorithm.startsWith("rsa-")) {
+      return algorithm;
+    }
+    return algorithmMap[algorithm.toUpperCase()] || "ecdsa-sha2-256";
+  }
+};
+// src/signer/GcpKmsSigner.ts
+var GcpKmsSigner = class {
+  config;
+  accessToken = null;
+  tokenExpiry = 0;
+  constructor(config) {
+    this.config = {
+      useWorkloadIdentity: false,
+      ...config
+    };
+  }
+  getName() {
+    return "Google Cloud KMS";
+  }
+  isAvailable() {
+    if (this.config.useWorkloadIdentity) {
+      return true;
+    }
+    return !!this.config.credentials && !!this.config.projectId;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("GCP KMS signer not configured");
+    }
+    const accessToken = await this.getAccessToken();
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "EC_SIGN_P256_SHA256");
+    const keyName = request.keyId.includes("/") ? request.keyId : `projects/${this.config.projectId}/locations/${this.config.location}/keyRings/${this.config.keyRing}/cryptoKeys/${request.keyId}`;
+    const url = `https://cloudkms.googleapis.com/v1/${keyName}:asymmetricSign`;
+    const messageBase64 = Buffer.from(request.message).toString("base64");
+    const requestBody = {
+      digest: {
+        sha256: messageBase64
+        // GCP expects digest, not raw message
+      }
+    };
+    const timeout = this.config.httpOptions?.timeout || 5e3;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${accessToken}`
+        },
+        body: JSON.stringify(requestBody),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`GCP KMS sign failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      if (!data.signature) {
+        throw new Error("GCP KMS sign response missing signature");
+      }
+      const signature = Buffer.from(data.signature, "base64");
+      return {
+        signature,
+        keyId: request.keyId,
+        algorithm,
+        metadata: {
+          name: data.name,
+          verifiedDigestCrc32c: data.verifiedDigestCrc32c
+        }
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("GCP KMS sign request timeout");
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get GCP access token
+   */
+  async getAccessToken() {
+    if (this.accessToken && Date.now() < this.tokenExpiry - 5 * 60 * 1e3) {
+      return this.accessToken;
+    }
+    if (this.config.useWorkloadIdentity) {
+      const metadataUrl = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+      const response = await fetch(metadataUrl, {
+        method: "GET",
+        headers: {
+          "Metadata-Flavor": "Google"
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`GCP metadata service authentication failed: ${response.status}`);
+      }
+      const data = await response.json();
+      this.accessToken = data.access_token;
+      this.tokenExpiry = Date.now() + data.expires_in * 1e3;
+      return data.access_token;
+    } else {
+      if (!this.config.credentials) {
+        throw new Error("GCP credentials not configured");
+      }
+      throw new Error("Service account authentication requires @google-cloud/kms SDK. Install it with: npm install @google-cloud/kms. Alternatively, use workload identity (recommended for GCP environments).");
+    }
+  }
+  /**
+   * Map algorithm string to GCP format
+   */
+  mapAlgorithm(algorithm) {
+    const algorithmMap = {
+      "ECDSA_SHA_256": "EC_SIGN_P256_SHA256",
+      "ECDSA_SHA_384": "EC_SIGN_P384_SHA384",
+      "ECDSA_SHA_512": "EC_SIGN_P512_SHA512",
+      "RSASSA_PSS_SHA_256": "RSA_SIGN_PSS_2048_SHA256",
+      "RSASSA_PSS_SHA_384": "RSA_SIGN_PSS_3072_SHA256",
+      "RSASSA_PSS_SHA_512": "RSA_SIGN_PSS_4096_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_256": "RSA_SIGN_PKCS1_2048_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_384": "RSA_SIGN_PKCS1_3072_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_512": "RSA_SIGN_PKCS1_4096_SHA256"
+    };
+    if (algorithm.startsWith("EC_SIGN_") || algorithm.startsWith("RSA_SIGN_")) {
+      return algorithm;
+    }
+    return algorithmMap[algorithm.toUpperCase()] || "EC_SIGN_P256_SHA256";
+  }
+};
+var FireblocksSigner = class {
+  config;
+  apiBaseUrl;
+  constructor(config) {
+    this.config = config;
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://api.fireblocks.io";
+  }
+  getName() {
+    return "Fireblocks";
+  }
+  isAvailable() {
+    return !!this.config.apiKey && !!this.config.apiSecret;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("Fireblocks API key and secret required");
+    }
+    const keyIdMatch = request.keyId.match(/^fireblocks:\/\/([^/]+)\/(.+)$/);
+    if (!keyIdMatch) {
+      throw new Error(
+        "Invalid Fireblocks keyId format. Expected: fireblocks://vaultAccountId/assetId"
+      );
+    }
+    const [, vaultAccountId, assetId] = keyIdMatch;
+    const messageHex = request.message instanceof Buffer ? request.message.toString("hex") : Buffer.from(request.message).toString("hex");
+    const requestId = request.options?.requestId || request.requestId;
+    const txRequest = {
+      operation: "RAW",
+      source: { type: "VAULT_ACCOUNT", id: vaultAccountId },
+      assetId,
+      note: `Gate signing request: ${requestId ?? "unknown"}`,
+      extraParameters: {
+        rawMessageData: {
+          messages: [{ content: messageHex }]
+        }
+      }
+    };
+    const token = this.createAuthToken("/v1/transactions", JSON.stringify(txRequest));
+    const response = await fetch(`${this.apiBaseUrl}/v1/transactions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": this.config.apiKey,
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify(txRequest)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Fireblocks API error: ${response.status} ${error}`);
+    }
+    const result = await response.json();
+    const txId = result.id;
+    if (!txId) {
+      throw new Error("Fireblocks API did not return transaction id");
+    }
+    const signed = await this.pollTransaction(txId);
+    const sigHex = signed?.signature ?? signed?.signedMessages?.[0]?.signature;
+    if (!sigHex) {
+      throw new Error(`Fireblocks transaction ${txId} did not return signature`);
+    }
+    return {
+      signature: Buffer.from(sigHex, "hex"),
+      keyId: request.keyId,
+      algorithm: request.algorithm ?? "ECDSA_SHA_256"
+    };
+  }
+  /**
+   * Create JWT for Fireblocks API (RS256, uri + bodyHash in payload).
+   */
+  createAuthToken(uri, bodyJson) {
+    const now = Math.floor(Date.now() / 1e3);
+    const nonce = crypto.randomBytes(16).toString("hex");
+    const bodyHash = bodyJson ? crypto.createHash("sha256").update(bodyJson, "utf8").digest("hex") : "";
+    const payload = {
+      uri,
+      nonce,
+      iat: now,
+      exp: now + 30,
+      sub: this.config.apiKey,
+      bodyHash
+    };
+    const header = { alg: "RS256", typ: "JWT" };
+    const encodedHeader = base64UrlEncode(JSON.stringify(header));
+    const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    const sign = crypto.createSign("RSA-SHA256");
+    sign.update(signingInput);
+    const signature = sign.sign(this.config.apiSecret);
+    const encodedSig = base64UrlEncode(signature);
+    return `${signingInput}.${encodedSig}`;
+  }
+  async pollTransaction(txId, maxAttempts = 30) {
+    for (let i = 0; i < maxAttempts; i++) {
+      const token = this.createAuthToken(`/v1/transactions/${txId}`);
+      const response = await fetch(`${this.apiBaseUrl}/v1/transactions/${txId}`, {
+        headers: {
+          "X-API-Key": this.config.apiKey,
+          Authorization: `Bearer ${token}`
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Failed to fetch transaction status: ${await response.text()}`);
+      }
+      const tx = await response.json();
+      if (tx.status === "COMPLETED") {
+        return tx.signedMessages?.[0] ? { signature: tx.signedMessages[0].signature } : tx;
+      }
+      if (tx.status === "FAILED" || tx.status === "REJECTED") {
+        throw new Error(`Fireblocks transaction ${txId} failed: ${tx.status}`);
+      }
+      await new Promise((r) => setTimeout(r, 1e3));
+    }
+    throw new Error(
+      `Fireblocks transaction ${txId} did not complete within ${maxAttempts} seconds`
+    );
+  }
+};
+function base64UrlEncode(input) {
+  const raw = typeof input === "string" ? Buffer.from(input, "utf8").toString("base64") : input.toString("base64");
+  return raw.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var require2 = module$1.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)));
+var NOT_LINKED = "PKCS#11 runtime not linked. Install pkcs11js (npm install pkcs11js) and ensure the HSM library path is correct, or provide a custom pkcs11Session to GenericHsmSigner.";
+function mechanismToPkcs11(mechanism) {
+  switch (mechanism) {
+    case "CKM_ECDSA_SHA256":
+      return getPkcs11().CKM_ECDSA_SHA256;
+    case "CKM_RSA_PKCS":
+      return getPkcs11().CKM_SHA256_RSA_PKCS;
+    default:
+      throw new Error(`Unsupported PKCS#11 mechanism: ${mechanism}`);
+  }
+}
+var pkcs11Module = void 0;
+function getPkcs11() {
+  if (pkcs11Module !== void 0) {
+    if (pkcs11Module === null) throw new Error(NOT_LINKED);
+    return pkcs11Module;
+  }
+  try {
+    pkcs11Module = require2("pkcs11js");
+    return pkcs11Module;
+  } catch {
+    pkcs11Module = null;
+    throw new Error(NOT_LINKED);
+  }
+}
+var Pkcs11SessionImpl = class {
+  libPath = "";
+  pin = "";
+  pkcs11 = null;
+  session = null;
+  initialized = false;
+  async initialize(libraryPath, pin, options) {
+    const p = getPkcs11();
+    this.libPath = libraryPath;
+    this.pin = pin;
+    this.pkcs11 = new p.PKCS11();
+    this.pkcs11.load(libraryPath);
+    this.pkcs11.C_Initialize();
+    this.initialized = true;
+    const slots = this.pkcs11.C_GetSlotList(true);
+    if (!slots || slots.length === 0) {
+      await this.close();
+      throw new Error("PKCS#11: no token present in any slot");
+    }
+    const slotIndex = options?.slotId ?? 0;
+    if (slotIndex < 0 || slotIndex >= slots.length) {
+      await this.close();
+      throw new Error(`PKCS#11: slotId ${slotIndex} out of range (0..${slots.length - 1})`);
+    }
+    const slot = slots[slotIndex];
+    const flags = p.CKF_SERIAL_SESSION | p.CKF_RW_SESSION;
+    this.session = this.pkcs11.C_OpenSession(slot, flags);
+    this.pkcs11.C_Login(this.session, p.CKU_USER, pin);
+  }
+  async sign(keyHandle, mechanism, data) {
+    if (!this.pkcs11 || !this.session) {
+      throw new Error("PKCS#11 session not initialized. Call initialize() first.");
+    }
+    getPkcs11();
+    const mechCode = mechanismToPkcs11(mechanism);
+    this.pkcs11.C_SignInit(this.session, { mechanism: mechCode }, keyHandle);
+    const maxSigLen = 512;
+    const outData = Buffer.alloc(maxSigLen);
+    const signature = this.pkcs11.C_Sign(this.session, data, outData);
+    return Buffer.from(signature);
+  }
+  async close() {
+    if (!this.initialized) return;
+    this.initialized = false;
+    try {
+      if (this.pkcs11 && this.session) {
+        try {
+          this.pkcs11.C_Logout(this.session);
+        } catch {
+        }
+        try {
+          this.pkcs11.C_CloseSession(this.session);
+        } catch {
+        }
+      }
+      if (this.pkcs11) {
+        try {
+          this.pkcs11.C_Finalize();
+        } catch {
+        }
+        try {
+          this.pkcs11.close();
+        } catch {
+        }
+      }
+    } finally {
+      this.pkcs11 = null;
+      this.session = null;
+    }
+  }
+};
+// src/signer/GenericHsmSigner.ts
+var GenericHsmSigner = class {
+  config;
+  session = null;
+  constructor(config) {
+    this.config = config;
+  }
+  getName() {
+    return "Generic HSM (PKCS#11)";
+  }
+  isAvailable() {
+    return !!this.config.pkcs11LibraryPath && !!this.config.pin;
+  }
+  async sign(request) {
+    if (!this.session) {
+      this.session = this.config.pkcs11Session ?? await this.initializePkcs11Session();
+    }
+    const keyIdMatch = request.keyId.match(/^hsm:\/\/(.+)$/);
+    if (!keyIdMatch) {
+      throw new Error(
+        "Invalid HSM keyId format. Expected: hsm://keyHandle (hex-encoded) or hsm://keyLabel"
+      );
+    }
+    const keyHandle = Buffer.from(keyIdMatch[1], "hex");
+    const mechanism = this.mapAlgorithmToMechanism(
+      request.algorithm ?? "ECDSA_SHA_256"
+    );
+    const message = request.message instanceof Buffer ? request.message : Buffer.from(request.message);
+    const signature = await this.session.sign(keyHandle, mechanism, message);
+    return {
+      signature,
+      keyId: request.keyId,
+      algorithm: request.algorithm ?? "ECDSA_SHA_256"
+    };
+  }
+  async initializePkcs11Session() {
+    const session = new Pkcs11SessionImpl();
+    await session.initialize(this.config.pkcs11LibraryPath, this.config.pin, {
+      slotId: this.config.slotId
+    });
+    return session;
+  }
+  mapAlgorithmToMechanism(algorithm) {
+    switch (algorithm) {
+      case "ECDSA_SHA_256":
+        return "CKM_ECDSA_SHA256";
+      case "RSASSA_PKCS1_V1_5_SHA_256":
+        return "CKM_RSA_PKCS";
+      default:
+        throw new Error(`Unsupported algorithm for HSM: ${algorithm}`);
+    }
+  }
+  /** Release the PKCS#11 session. Call when done to free resources. */
+  async close() {
+    if (this.session) {
+      await this.session.close();
+      this.session = null;
+    }
+  }
+};
+exports.AwsKmsSigner = AwsKmsSigner;
 exports.BlockIntelAuthError = BlockIntelAuthError;
 exports.BlockIntelBlockedError = BlockIntelBlockedError;
 exports.BlockIntelStepUpRequiredError = BlockIntelStepUpRequiredError;
 exports.BlockIntelUnavailableError = BlockIntelUnavailableError;
+exports.FireblocksSigner = FireblocksSigner;
 exports.Gate = Gate;
 exports.GateClient = GateClient;
 exports.GateError = GateError;
 exports.GateErrorCode = GateErrorCode;
+exports.GcpKmsSigner = GcpKmsSigner;
+exports.GenericHsmSigner = GenericHsmSigner;
 exports.HeartbeatManager = HeartbeatManager;
 exports.ProvenanceProvider = ProvenanceProvider;
 exports.StepUpNotConfiguredError = StepUpNotConfiguredError;
+exports.VaultSigner = VaultSigner;
+exports.buildTxBindingObject = buildTxBindingObject;
+exports.computeTxDigest = computeTxDigest;
 exports.createGateClient = createGateClient;
 exports.default = GateClient;
 exports.wrapKmsClient = wrapKmsClient;