blockintel-gate-sdk 0.3.8 → 0.3.10

package/dist/index.js

@@ -1,6 +1,7 @@
-import { createHash, createVerify, createHmac } from 'crypto';
+import { createHash, createVerify, randomBytes, createSign, createHmac } from 'crypto';
 import { v4 } from 'uuid';
-import { SignCommand } from '@aws-sdk/client-kms';
+import { SignCommand, SigningAlgorithmSpec } from '@aws-sdk/client-kms';
+import { createRequire } from 'module';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -914,6 +915,12 @@ var MetricsCollector = class {
     this.circuitBreakerOpenTotal++;
     this.emitMetrics();
   }
+  /**
+   * Record soft-enforce override (app chose to sign despite BLOCK decision)
+   */
+  recordSoftBlockOverride(decision) {
+    this.emitMetrics();
+  }
   /**
    * Get current metrics snapshot
    */
@@ -1214,6 +1221,8 @@ var HeartbeatManager = class {
   consecutiveFailures = 0;
   maxBackoffSeconds = 30;
   // Maximum backoff interval
+  /** SignerId used for the in-flight request; used to ignore stale responses after updateSignerId(). */
+  acquiringForSignerId = null;
   constructor(options) {
     this.httpClient = options.httpClient;
     this.tenantId = options.tenantId;
@@ -1307,12 +1316,20 @@ var HeartbeatManager = class {
     return this.getToken() !== null;
   }
   /**
-   * Update signer ID (called when signer is known)
+   * Update signer ID (called when signer is known).
+   * Invalidates current token and triggers an immediate heartbeat acquisition so evaluate() can get a matching token.
    */
   updateSignerId(signerId) {
     if (this.signerId !== signerId) {
       this.signerId = signerId;
       this.currentToken = null;
+      if (this.started && this.apiKey) {
+        setImmediate(() => {
+          this.acquireHeartbeat().catch((err) => {
+            console.warn("[HEARTBEAT] Immediate acquire after signerId change failed:", err instanceof Error ? err.message : err);
+          });
+        });
+      }
     }
   }
   /**
@@ -1328,6 +1345,8 @@ var HeartbeatManager = class {
         {}
       );
     }
+    const signerIdAtRequest = this.signerId;
+    this.acquiringForSignerId = signerIdAtRequest;
     try {
       const response = await this.httpClient.request({
         method: "POST",
@@ -1352,18 +1371,20 @@ var HeartbeatManager = class {
             "Invalid heartbeat response: missing token or expiresAt"
           );
         }
-        this.currentToken = {
-          token,
-          expiresAt,
-          jti: response.data.jti,
-          policyHash: response.data.policyHash
-        };
-        console.log("[HEARTBEAT] Acquired heartbeat token", {
-          expiresAt,
-          jti: response.data.jti,
-          policyHash: response.data.policyHash?.substring(0, 8) + "..."
-          // DO NOT log token value
-        });
+        if (this.signerId === signerIdAtRequest) {
+          this.currentToken = {
+            token,
+            expiresAt,
+            jti: response.data.jti,
+            policyHash: response.data.policyHash
+          };
+          console.log("[HEARTBEAT] Acquired heartbeat token", {
+            expiresAt,
+            jti: response.data.jti,
+            policyHash: response.data.policyHash?.substring(0, 8) + "..."
+            // DO NOT log token value
+          });
+        }
       } else {
         const error = response.error || {};
         throw new GateError(
@@ -1374,6 +1395,10 @@ var HeartbeatManager = class {
     } catch (error) {
       console.error("[HEARTBEAT] Failed to acquire heartbeat:", error.message || error);
       throw error;
+    } finally {
+      if (this.acquiringForSignerId === signerIdAtRequest) {
+        this.acquiringForSignerId = null;
+      }
     }
   }
   /**
@@ -1774,6 +1799,7 @@ var GateClient = class {
     const timestampMs = req.timestampMs ?? nowMs();
     const startTime = Date.now();
     const failSafeMode = this.config.failSafeMode ?? "ALLOW_ON_TIMEOUT";
+    const evaluationMode = this.config.evaluationMode ?? "BLOCKING";
     const requestMode = req.mode || this.mode;
     const requireToken = this.getRequireDecisionToken();
     const executeRequest = async () => {
@@ -2032,6 +2058,20 @@ var GateClient = class {
         }
       }
       if (result.decision === "BLOCK") {
+        if (requestMode === "SOFT_ENFORCE") {
+          console.warn("[SOFT ENFORCE] Policy violation detected - app can override", {
+            requestId,
+            reasonCodes: result.reasonCodes
+          });
+          this.metrics.recordRequest("BLOCK", latencyMs);
+          return {
+            ...result,
+            decision: "BLOCK",
+            enforced: false,
+            mode: "SOFT_ENFORCE",
+            warning: "Policy violation detected. Override at your own risk."
+          };
+        }
         if (requestMode === "SHADOW") {
           console.warn("[GATE SHADOW MODE] Would have blocked transaction", {
             requestId,
@@ -2070,6 +2110,26 @@ var GateClient = class {
       this.metrics.recordRequest("ALLOW", latencyMs);
       return result;
     };
+    if (evaluationMode === "FIRE_AND_FORGET") {
+      executeRequest().then((res) => {
+        if (res.decision === "BLOCK" || res.shadowWouldBlock) {
+          console.warn("[FIRE-AND-FORGET] Would have blocked:", res.reasonCodes);
+        }
+        this.metrics.recordRequest(res.decision === "ALLOW" ? "ALLOW" : "WOULD_BLOCK", Date.now() - startTime);
+      }).catch((err) => {
+        console.error("[FIRE-AND-FORGET] Attestation failed:", err);
+        this.metrics.recordError();
+      });
+      return {
+        decision: "ALLOW",
+        decisionId: requestId,
+        correlationId: requestId,
+        reasonCodes: [],
+        enforced: false,
+        mode: requestMode,
+        fireAndForget: true
+      };
+    }
     try {
       if (this.circuitBreaker) {
         return await this.circuitBreaker.execute(executeRequest);
@@ -2210,6 +2270,102 @@ var GateClient = class {
       intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs
     });
   }
+  /**
+   * Evaluate policy and sign in one call when decision is ALLOW.
+   * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.
+   */
+  async evaluateAndSign(params) {
+    const decision = await this.evaluate({
+      txIntent: params.txIntent,
+      signingContext: params.signingContext
+    });
+    if (decision.decision === "ALLOW") {
+      const signature = await params.signer.sign({
+        keyId: params.keyId,
+        message: params.message,
+        algorithm: params.algorithm ?? "ECDSA_SHA_256"
+      });
+      return { decision, signature };
+    }
+    return { decision };
+  }
+  /**
+   * Attest a completed signature (post-sign). Use when you want zero latency impact on signing
+   * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or
+   * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).
+   */
+  async attestCompleted(req) {
+    const requestId = v4();
+    const timestampMs = nowMs();
+    const txIntent = { ...req.txIntent };
+    if (txIntent.to && !txIntent.toAddress) {
+      txIntent.toAddress = txIntent.to;
+      delete txIntent.to;
+    }
+    if (!txIntent.networkFamily && txIntent.chainId) txIntent.networkFamily = "EVM";
+    const signingContext = {
+      ...req.signingContext,
+      signerId: req.signingContext?.signerId ?? req.signature.signerId
+    };
+    const body = {
+      tenantId: this.config.tenantId,
+      requestId,
+      timestampMs,
+      txIntent,
+      signature: req.signature,
+      signingContext
+    };
+    let headers = { "Content-Type": "application/json" };
+    if (this.config.local) ; else if (this.hmacSigner) {
+      const { canonicalizeJson: canonicalizeJson2 } = await Promise.resolve().then(() => (init_canonicalJson(), canonicalJson_exports));
+      const canonicalBodyJson = canonicalizeJson2(body);
+      const hmacHeaders = await this.hmacSigner.signRequest({
+        method: "POST",
+        path: "/defense/attest-completed",
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId,
+        body
+      });
+      headers = { ...hmacHeaders };
+      body.__canonicalJson = canonicalBodyJson;
+    } else if (this.apiKeyAuth) {
+      const apiKeyHeaders = this.apiKeyAuth.createHeaders({
+        tenantId: this.config.tenantId,
+        timestampMs,
+        requestId
+      });
+      headers = { ...apiKeyHeaders };
+    } else {
+      throw new Error("No authentication configured");
+    }
+    const apiResponse = await this.httpClient.request({
+      method: "POST",
+      path: "/defense/attest-completed",
+      headers,
+      body,
+      requestId
+    });
+    if (apiResponse.success === true && apiResponse.data) {
+      const data = apiResponse.data;
+      if (data.decision === "POLICY_VIOLATION_DETECTED") {
+        console.warn("[POST-SIGN ATTESTATION] Policy violation detected after signing", {
+          requestId,
+          reasonCodes: data.reasonCodes
+        });
+      }
+      return data;
+    }
+    if (apiResponse.error) {
+      const err = apiResponse.error;
+      throw new GateError(err.code || "SERVER_ERROR", err.message || "Request failed", {
+        status: err.status,
+        correlationId: err.correlationId,
+        requestId
+      });
+    }
+    throw new GateError("INVALID_RESPONSE" /* INVALID_RESPONSE */, "Invalid response from attest-completed", { requestId });
+  }
   /**
    * Wrap AWS SDK v3 KMS client to intercept SignCommand calls
    * 
@@ -2242,6 +2398,39 @@ var Gate = class {
   constructor(opts) {
     this.apiKey = opts?.apiKey ?? process.env.BLOCKINTEL_API_KEY;
   }
+  /**
+   * Create a GateClient from environment variables (5-line integration).
+   *
+   * Reads: GATE_BASE_URL, GATE_TENANT_ID, GATE_API_KEY (or GATE_KEY_ID + GATE_HMAC_SECRET), GATE_MODE.
+   */
+  static fromEnv(overrides) {
+    const baseUrl = process.env.GATE_BASE_URL;
+    const tenantId = process.env.GATE_TENANT_ID;
+    const apiKey = process.env.GATE_API_KEY;
+    const keyId = process.env.GATE_KEY_ID;
+    const hmacSecret = process.env.GATE_HMAC_SECRET;
+    const mode = process.env.GATE_MODE ?? "SHADOW";
+    if (!baseUrl || !tenantId) {
+      throw new Error("GATE_BASE_URL and GATE_TENANT_ID environment variables are required");
+    }
+    let auth;
+    if (apiKey) {
+      auth = { mode: "apiKey", apiKey };
+    } else if (keyId && hmacSecret) {
+      auth = { mode: "hmac", keyId, secret: hmacSecret };
+    } else {
+      throw new Error(
+        "Either GATE_API_KEY or (GATE_KEY_ID and GATE_HMAC_SECRET) environment variables are required"
+      );
+    }
+    return new GateClient({
+      baseUrl,
+      tenantId,
+      auth,
+      mode,
+      ...overrides
+    });
+  }
   /**
    * Guard a signing operation. In passthrough mode, executes the callback.
    * For full Gate integration, use GateClient with evaluate() before sending.
@@ -2250,7 +2439,595 @@ var Gate = class {
     return cb();
   }
 };
+var AwsKmsSigner = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  getName() {
+    return "AWS KMS";
+  }
+  isAvailable() {
+    return !!this.config.kmsClient;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("AWS KMS client not configured");
+    }
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "ECDSA_SHA_256");
+    const signInput = {
+      KeyId: request.keyId,
+      Message: Buffer.from(request.message),
+      MessageType: request.messageType || this.config.defaultMessageType || "RAW",
+      SigningAlgorithm: algorithm
+    };
+    const command = new SignCommand(signInput);
+    const response = await this.config.kmsClient.send(command);
+    if (!response.Signature) {
+      throw new Error("AWS KMS sign response missing signature");
+    }
+    return {
+      signature: Buffer.from(response.Signature),
+      keyId: response.KeyId || request.keyId,
+      algorithm: response.SigningAlgorithm || algorithm,
+      metadata: {
+        keyId: response.KeyId,
+        signingAlgorithm: response.SigningAlgorithm
+      }
+    };
+  }
+  /**
+   * Map algorithm string to AWS KMS SigningAlgorithmSpec
+   */
+  mapAlgorithm(algorithm) {
+    if (Object.values(SigningAlgorithmSpec).includes(algorithm)) {
+      return algorithm;
+    }
+    const algorithmMap = {
+      "ECDSA_SHA_256": SigningAlgorithmSpec.ECDSA_SHA_256,
+      "ECDSA_SHA_384": SigningAlgorithmSpec.ECDSA_SHA_384,
+      "ECDSA_SHA_512": SigningAlgorithmSpec.ECDSA_SHA_512,
+      "RSASSA_PSS_SHA_256": SigningAlgorithmSpec.RSASSA_PSS_SHA_256,
+      "RSASSA_PSS_SHA_384": SigningAlgorithmSpec.RSASSA_PSS_SHA_384,
+      "RSASSA_PSS_SHA_512": SigningAlgorithmSpec.RSASSA_PSS_SHA_512,
+      "RSASSA_PKCS1_V1_5_SHA_256": SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+      "RSASSA_PKCS1_V1_5_SHA_384": SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_384,
+      "RSASSA_PKCS1_V1_5_SHA_512": SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_512
+    };
+    return algorithmMap[algorithm.toUpperCase()] || SigningAlgorithmSpec.ECDSA_SHA_256;
+  }
+};
+
+// src/signer/VaultSigner.ts
+var VaultSigner = class {
+  config;
+  authToken = null;
+  constructor(config) {
+    this.config = {
+      mountPath: "transit",
+      ...config
+    };
+  }
+  getName() {
+    return "HashiCorp Vault";
+  }
+  isAvailable() {
+    return !!this.config.vaultUrl && (!!this.config.token || !!this.config.appRole);
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("Vault signer not configured");
+    }
+    if (!this.authToken && this.config.appRole) {
+      await this.authenticateAppRole();
+    }
+    const token = this.config.token || this.authToken;
+    if (!token) {
+      throw new Error("Vault authentication token not available");
+    }
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "ecdsa-sha2-256");
+    const url = `${this.config.vaultUrl}/v1/${this.config.mountPath}/sign/${request.keyId}`;
+    const messageBase64 = Buffer.from(request.message).toString("base64");
+    const requestBody = {
+      input: messageBase64,
+      ...algorithm && { algorithm },
+      ...request.options || {}
+    };
+    const timeout = this.config.httpOptions?.timeout || 5e3;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Vault-Token": token
+        },
+        body: JSON.stringify(requestBody),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Vault sign failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      if (!data.data || !data.data.signature) {
+        throw new Error("Vault sign response missing signature");
+      }
+      const signatureParts = data.data.signature.split(":");
+      const signatureBase64 = signatureParts[signatureParts.length - 1];
+      const signature = Buffer.from(signatureBase64, "base64");
+      return {
+        signature,
+        keyId: request.keyId,
+        algorithm,
+        metadata: {
+          vaultSignature: data.data.signature,
+          keyVersion: data.data.key_version
+        }
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("Vault sign request timeout");
+      }
+      throw error;
+    }
+  }
+  /**
+   * Authenticate using AppRole
+   */
+  async authenticateAppRole() {
+    if (!this.config.appRole) {
+      throw new Error("AppRole not configured");
+    }
+    const url = `${this.config.vaultUrl}/v1/auth/approle/login`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        role_id: this.config.appRole.roleId,
+        secret_id: this.config.appRole.secretId
+      })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Vault AppRole authentication failed: ${response.status} ${errorText}`);
+    }
+    const data = await response.json();
+    if (!data.auth || !data.auth.client_token) {
+      throw new Error("Vault AppRole authentication response missing token");
+    }
+    this.authToken = data.auth.client_token;
+  }
+  /**
+   * Map algorithm string to Vault format
+   */
+  mapAlgorithm(algorithm) {
+    const algorithmMap = {
+      "ECDSA_SHA_256": "ecdsa-sha2-256",
+      "ECDSA_SHA_384": "ecdsa-sha2-384",
+      "ECDSA_SHA_512": "ecdsa-sha2-512",
+      "RSASSA_PSS_SHA_256": "rsa-sha2-256",
+      "RSASSA_PSS_SHA_384": "rsa-sha2-384",
+      "RSASSA_PSS_SHA_512": "rsa-sha2-512"
+    };
+    if (algorithm.startsWith("ecdsa-") || algorithm.startsWith("rsa-")) {
+      return algorithm;
+    }
+    return algorithmMap[algorithm.toUpperCase()] || "ecdsa-sha2-256";
+  }
+};
+
+// src/signer/GcpKmsSigner.ts
+var GcpKmsSigner = class {
+  config;
+  accessToken = null;
+  tokenExpiry = 0;
+  constructor(config) {
+    this.config = {
+      useWorkloadIdentity: false,
+      ...config
+    };
+  }
+  getName() {
+    return "Google Cloud KMS";
+  }
+  isAvailable() {
+    if (this.config.useWorkloadIdentity) {
+      return true;
+    }
+    return !!this.config.credentials && !!this.config.projectId;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("GCP KMS signer not configured");
+    }
+    const accessToken = await this.getAccessToken();
+    const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || "EC_SIGN_P256_SHA256");
+    const keyName = request.keyId.includes("/") ? request.keyId : `projects/${this.config.projectId}/locations/${this.config.location}/keyRings/${this.config.keyRing}/cryptoKeys/${request.keyId}`;
+    const url = `https://cloudkms.googleapis.com/v1/${keyName}:asymmetricSign`;
+    const messageBase64 = Buffer.from(request.message).toString("base64");
+    const requestBody = {
+      digest: {
+        sha256: messageBase64
+        // GCP expects digest, not raw message
+      }
+    };
+    const timeout = this.config.httpOptions?.timeout || 5e3;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${accessToken}`
+        },
+        body: JSON.stringify(requestBody),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`GCP KMS sign failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      if (!data.signature) {
+        throw new Error("GCP KMS sign response missing signature");
+      }
+      const signature = Buffer.from(data.signature, "base64");
+      return {
+        signature,
+        keyId: request.keyId,
+        algorithm,
+        metadata: {
+          name: data.name,
+          verifiedDigestCrc32c: data.verifiedDigestCrc32c
+        }
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("GCP KMS sign request timeout");
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get GCP access token
+   */
+  async getAccessToken() {
+    if (this.accessToken && Date.now() < this.tokenExpiry - 5 * 60 * 1e3) {
+      return this.accessToken;
+    }
+    if (this.config.useWorkloadIdentity) {
+      const metadataUrl = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+      const response = await fetch(metadataUrl, {
+        method: "GET",
+        headers: {
+          "Metadata-Flavor": "Google"
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`GCP metadata service authentication failed: ${response.status}`);
+      }
+      const data = await response.json();
+      this.accessToken = data.access_token;
+      this.tokenExpiry = Date.now() + data.expires_in * 1e3;
+      return data.access_token;
+    } else {
+      if (!this.config.credentials) {
+        throw new Error("GCP credentials not configured");
+      }
+      throw new Error("Service account authentication requires @google-cloud/kms SDK. Install it with: npm install @google-cloud/kms. Alternatively, use workload identity (recommended for GCP environments).");
+    }
+  }
+  /**
+   * Map algorithm string to GCP format
+   */
+  mapAlgorithm(algorithm) {
+    const algorithmMap = {
+      "ECDSA_SHA_256": "EC_SIGN_P256_SHA256",
+      "ECDSA_SHA_384": "EC_SIGN_P384_SHA384",
+      "ECDSA_SHA_512": "EC_SIGN_P512_SHA512",
+      "RSASSA_PSS_SHA_256": "RSA_SIGN_PSS_2048_SHA256",
+      "RSASSA_PSS_SHA_384": "RSA_SIGN_PSS_3072_SHA256",
+      "RSASSA_PSS_SHA_512": "RSA_SIGN_PSS_4096_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_256": "RSA_SIGN_PKCS1_2048_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_384": "RSA_SIGN_PKCS1_3072_SHA256",
+      "RSASSA_PKCS1_V1_5_SHA_512": "RSA_SIGN_PKCS1_4096_SHA256"
+    };
+    if (algorithm.startsWith("EC_SIGN_") || algorithm.startsWith("RSA_SIGN_")) {
+      return algorithm;
+    }
+    return algorithmMap[algorithm.toUpperCase()] || "EC_SIGN_P256_SHA256";
+  }
+};
+var FireblocksSigner = class {
+  config;
+  apiBaseUrl;
+  constructor(config) {
+    this.config = config;
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://api.fireblocks.io";
+  }
+  getName() {
+    return "Fireblocks";
+  }
+  isAvailable() {
+    return !!this.config.apiKey && !!this.config.apiSecret;
+  }
+  async sign(request) {
+    if (!this.isAvailable()) {
+      throw new Error("Fireblocks API key and secret required");
+    }
+    const keyIdMatch = request.keyId.match(/^fireblocks:\/\/([^/]+)\/(.+)$/);
+    if (!keyIdMatch) {
+      throw new Error(
+        "Invalid Fireblocks keyId format. Expected: fireblocks://vaultAccountId/assetId"
+      );
+    }
+    const [, vaultAccountId, assetId] = keyIdMatch;
+    const messageHex = request.message instanceof Buffer ? request.message.toString("hex") : Buffer.from(request.message).toString("hex");
+    const requestId = request.options?.requestId || request.requestId;
+    const txRequest = {
+      operation: "RAW",
+      source: { type: "VAULT_ACCOUNT", id: vaultAccountId },
+      assetId,
+      note: `Gate signing request: ${requestId ?? "unknown"}`,
+      extraParameters: {
+        rawMessageData: {
+          messages: [{ content: messageHex }]
+        }
+      }
+    };
+    const token = this.createAuthToken("/v1/transactions", JSON.stringify(txRequest));
+    const response = await fetch(`${this.apiBaseUrl}/v1/transactions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": this.config.apiKey,
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify(txRequest)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Fireblocks API error: ${response.status} ${error}`);
+    }
+    const result = await response.json();
+    const txId = result.id;
+    if (!txId) {
+      throw new Error("Fireblocks API did not return transaction id");
+    }
+    const signed = await this.pollTransaction(txId);
+    const sigHex = signed?.signature ?? signed?.signedMessages?.[0]?.signature;
+    if (!sigHex) {
+      throw new Error(`Fireblocks transaction ${txId} did not return signature`);
+    }
+    return {
+      signature: Buffer.from(sigHex, "hex"),
+      keyId: request.keyId,
+      algorithm: request.algorithm ?? "ECDSA_SHA_256"
+    };
+  }
+  /**
+   * Create JWT for Fireblocks API (RS256, uri + bodyHash in payload).
+   */
+  createAuthToken(uri, bodyJson) {
+    const now = Math.floor(Date.now() / 1e3);
+    const nonce = randomBytes(16).toString("hex");
+    const bodyHash = bodyJson ? createHash("sha256").update(bodyJson, "utf8").digest("hex") : "";
+    const payload = {
+      uri,
+      nonce,
+      iat: now,
+      exp: now + 30,
+      sub: this.config.apiKey,
+      bodyHash
+    };
+    const header = { alg: "RS256", typ: "JWT" };
+    const encodedHeader = base64UrlEncode(JSON.stringify(header));
+    const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    const sign = createSign("RSA-SHA256");
+    sign.update(signingInput);
+    const signature = sign.sign(this.config.apiSecret);
+    const encodedSig = base64UrlEncode(signature);
+    return `${signingInput}.${encodedSig}`;
+  }
+  async pollTransaction(txId, maxAttempts = 30) {
+    for (let i = 0; i < maxAttempts; i++) {
+      const token = this.createAuthToken(`/v1/transactions/${txId}`);
+      const response = await fetch(`${this.apiBaseUrl}/v1/transactions/${txId}`, {
+        headers: {
+          "X-API-Key": this.config.apiKey,
+          Authorization: `Bearer ${token}`
+        }
+      });
+      if (!response.ok) {
+        throw new Error(`Failed to fetch transaction status: ${await response.text()}`);
+      }
+      const tx = await response.json();
+      if (tx.status === "COMPLETED") {
+        return tx.signedMessages?.[0] ? { signature: tx.signedMessages[0].signature } : tx;
+      }
+      if (tx.status === "FAILED" || tx.status === "REJECTED") {
+        throw new Error(`Fireblocks transaction ${txId} failed: ${tx.status}`);
+      }
+      await new Promise((r) => setTimeout(r, 1e3));
+    }
+    throw new Error(
+      `Fireblocks transaction ${txId} did not complete within ${maxAttempts} seconds`
+    );
+  }
+};
+function base64UrlEncode(input) {
+  const raw = typeof input === "string" ? Buffer.from(input, "utf8").toString("base64") : input.toString("base64");
+  return raw.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var require2 = createRequire(import.meta.url);
+var NOT_LINKED = "PKCS#11 runtime not linked. Install pkcs11js (npm install pkcs11js) and ensure the HSM library path is correct, or provide a custom pkcs11Session to GenericHsmSigner.";
+function mechanismToPkcs11(mechanism) {
+  switch (mechanism) {
+    case "CKM_ECDSA_SHA256":
+      return getPkcs11().CKM_ECDSA_SHA256;
+    case "CKM_RSA_PKCS":
+      return getPkcs11().CKM_SHA256_RSA_PKCS;
+    default:
+      throw new Error(`Unsupported PKCS#11 mechanism: ${mechanism}`);
+  }
+}
+var pkcs11Module = void 0;
+function getPkcs11() {
+  if (pkcs11Module !== void 0) {
+    if (pkcs11Module === null) throw new Error(NOT_LINKED);
+    return pkcs11Module;
+  }
+  try {
+    pkcs11Module = require2("pkcs11js");
+    return pkcs11Module;
+  } catch {
+    pkcs11Module = null;
+    throw new Error(NOT_LINKED);
+  }
+}
+var Pkcs11SessionImpl = class {
+  libPath = "";
+  pin = "";
+  pkcs11 = null;
+  session = null;
+  initialized = false;
+  async initialize(libraryPath, pin, options) {
+    const p = getPkcs11();
+    this.libPath = libraryPath;
+    this.pin = pin;
+    this.pkcs11 = new p.PKCS11();
+    this.pkcs11.load(libraryPath);
+    this.pkcs11.C_Initialize();
+    this.initialized = true;
+    const slots = this.pkcs11.C_GetSlotList(true);
+    if (!slots || slots.length === 0) {
+      await this.close();
+      throw new Error("PKCS#11: no token present in any slot");
+    }
+    const slotIndex = options?.slotId ?? 0;
+    if (slotIndex < 0 || slotIndex >= slots.length) {
+      await this.close();
+      throw new Error(`PKCS#11: slotId ${slotIndex} out of range (0..${slots.length - 1})`);
+    }
+    const slot = slots[slotIndex];
+    const flags = p.CKF_SERIAL_SESSION | p.CKF_RW_SESSION;
+    this.session = this.pkcs11.C_OpenSession(slot, flags);
+    this.pkcs11.C_Login(this.session, p.CKU_USER, pin);
+  }
+  async sign(keyHandle, mechanism, data) {
+    if (!this.pkcs11 || !this.session) {
+      throw new Error("PKCS#11 session not initialized. Call initialize() first.");
+    }
+    getPkcs11();
+    const mechCode = mechanismToPkcs11(mechanism);
+    this.pkcs11.C_SignInit(this.session, { mechanism: mechCode }, keyHandle);
+    const maxSigLen = 512;
+    const outData = Buffer.alloc(maxSigLen);
+    const signature = this.pkcs11.C_Sign(this.session, data, outData);
+    return Buffer.from(signature);
+  }
+  async close() {
+    if (!this.initialized) return;
+    this.initialized = false;
+    try {
+      if (this.pkcs11 && this.session) {
+        try {
+          this.pkcs11.C_Logout(this.session);
+        } catch {
+        }
+        try {
+          this.pkcs11.C_CloseSession(this.session);
+        } catch {
+        }
+      }
+      if (this.pkcs11) {
+        try {
+          this.pkcs11.C_Finalize();
+        } catch {
+        }
+        try {
+          this.pkcs11.close();
+        } catch {
+        }
+      }
+    } finally {
+      this.pkcs11 = null;
+      this.session = null;
+    }
+  }
+};
+
+// src/signer/GenericHsmSigner.ts
+var GenericHsmSigner = class {
+  config;
+  session = null;
+  constructor(config) {
+    this.config = config;
+  }
+  getName() {
+    return "Generic HSM (PKCS#11)";
+  }
+  isAvailable() {
+    return !!this.config.pkcs11LibraryPath && !!this.config.pin;
+  }
+  async sign(request) {
+    if (!this.session) {
+      this.session = this.config.pkcs11Session ?? await this.initializePkcs11Session();
+    }
+    const keyIdMatch = request.keyId.match(/^hsm:\/\/(.+)$/);
+    if (!keyIdMatch) {
+      throw new Error(
+        "Invalid HSM keyId format. Expected: hsm://keyHandle (hex-encoded) or hsm://keyLabel"
+      );
+    }
+    const keyHandle = Buffer.from(keyIdMatch[1], "hex");
+    const mechanism = this.mapAlgorithmToMechanism(
+      request.algorithm ?? "ECDSA_SHA_256"
+    );
+    const message = request.message instanceof Buffer ? request.message : Buffer.from(request.message);
+    const signature = await this.session.sign(keyHandle, mechanism, message);
+    return {
+      signature,
+      keyId: request.keyId,
+      algorithm: request.algorithm ?? "ECDSA_SHA_256"
+    };
+  }
+  async initializePkcs11Session() {
+    const session = new Pkcs11SessionImpl();
+    await session.initialize(this.config.pkcs11LibraryPath, this.config.pin, {
+      slotId: this.config.slotId
+    });
+    return session;
+  }
+  mapAlgorithmToMechanism(algorithm) {
+    switch (algorithm) {
+      case "ECDSA_SHA_256":
+        return "CKM_ECDSA_SHA256";
+      case "RSASSA_PKCS1_V1_5_SHA_256":
+        return "CKM_RSA_PKCS";
+      default:
+        throw new Error(`Unsupported algorithm for HSM: ${algorithm}`);
+    }
+  }
+  /** Release the PKCS#11 session. Call when done to free resources. */
+  async close() {
+    if (this.session) {
+      await this.session.close();
+      this.session = null;
+    }
+  }
+};
 
-export { BlockIntelAuthError, BlockIntelBlockedError, BlockIntelStepUpRequiredError, BlockIntelUnavailableError, Gate, GateClient, GateError, GateErrorCode, HeartbeatManager, ProvenanceProvider, StepUpNotConfiguredError, buildTxBindingObject, computeTxDigest, createGateClient, GateClient as default, wrapKmsClient };
+export { AwsKmsSigner, BlockIntelAuthError, BlockIntelBlockedError, BlockIntelStepUpRequiredError, BlockIntelUnavailableError, FireblocksSigner, Gate, GateClient, GateError, GateErrorCode, GcpKmsSigner, GenericHsmSigner, HeartbeatManager, ProvenanceProvider, StepUpNotConfiguredError, VaultSigner, buildTxBindingObject, computeTxDigest, createGateClient, GateClient as default, wrapKmsClient };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map