blockintel-gate-sdk 0.3.8 → 0.3.9

package/dist/index.d.cts

@@ -1,338 +1,7 @@
 import * as _aws_sdk_client_kms from '@aws-sdk/client-kms';
-import { SignCommandInput, KMSClient } from '@aws-sdk/client-kms';
-
-/**
- * Metrics Collector for SDK
- *
- * Collects counters and latency metrics for observability.
- */
-interface Metrics {
-    requestsTotal: number;
-    allowedTotal: number;
-    blockedTotal: number;
-    stepupTotal: number;
-    timeoutsTotal: number;
-    errorsTotal: number;
-    circuitBreakerOpenTotal: number;
-    wouldBlockTotal: number;
-    failOpenTotal: number;
-    latencyMs: number[];
-}
-type MetricsHook = (metrics: Metrics) => void | Promise<void>;
-/**
- * Metrics Collector
- */
-declare class MetricsCollector {
-    private requestsTotal;
-    private allowedTotal;
-    private blockedTotal;
-    private stepupTotal;
-    private timeoutsTotal;
-    private errorsTotal;
-    private circuitBreakerOpenTotal;
-    private wouldBlockTotal;
-    private failOpenTotal;
-    private latencyMs;
-    private readonly maxSamples;
-    private readonly hooks;
-    /**
-     * Record a request
-     */
-    recordRequest(decision: 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP' | 'WOULD_BLOCK' | 'FAIL_OPEN', latencyMs: number): void;
-    /**
-     * Record a timeout
-     */
-    recordTimeout(): void;
-    /**
-     * Record an error
-     */
-    recordError(): void;
-    /**
-     * Record circuit breaker open
-     */
-    recordCircuitBreakerOpen(): void;
-    /**
-     * Get current metrics snapshot
-     */
-    getMetrics(): Metrics;
-    /**
-     * Register a metrics hook (e.g., for Prometheus/OpenTelemetry export)
-     */
-    registerHook(hook: MetricsHook): void;
-    /**
-     * Emit metrics to all registered hooks
-     */
-    private emitMetrics;
-    /**
-     * Reset all metrics
-     */
-    reset(): void;
-}
-
-/**
- * BlockIntel Gate SDK - Type Contracts
- *
- * Type definitions for Gate Hot Path API v2 contracts.
- * Internal SDK uses camelCase; mapping to/from API snake_case is handled internally.
- */
-/**
- * Transaction intent structure for evaluate request
- */
-interface TransactionIntentV2 {
-    from: string;
-    to: string;
-    value?: string;
-    data?: string;
-    nonce?: number | string;
-    gasPrice?: string;
-    gasLimit?: string;
-    chainId?: number | string;
-    [key: string]: unknown;
-}
-/**
- * Signing context metadata
- */
-interface SigningContext {
-    signerId?: string;
-    source?: {
-        repo?: string;
-        workflow?: string;
-        environment?: string;
-        [key: string]: unknown;
-    };
-    wallet?: {
-        address: string;
-        type?: string;
-        [key: string]: unknown;
-    };
-    [key: string]: unknown;
-}
-/**
- * Defense evaluate request (v2)
- */
-interface DefenseEvaluateRequestV2 {
-    txIntent: TransactionIntentV2;
-    signingContext?: SigningContext;
-    requestId?: string;
-    timestampMs?: number;
-    /**
-     * Enable transaction simulation (optional, defaults to false)
-     *
-     * When true, Hot Path will simulate the transaction after static policy evaluation.
-     * Adds 300-800ms latency but provides additional security checks.
-     */
-    simulate?: boolean;
-}
-/**
- * Gate decision types
- */
-type GateDecision = 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP';
-/**
- * Step-up metadata in evaluate response
- */
-interface StepUpMetadata {
-    requestId: string;
-    ttlSeconds?: number;
-}
-/**
- * Defense evaluate response (v2)
- */
-interface DefenseEvaluateResponseV2 {
-    decision: GateDecision;
-    reasonCodes: string[];
-    policyVersion?: string;
-    correlationId?: string;
-    decisionId?: string;
-    stepUp?: StepUpMetadata;
-    /**
-     * Decision token (JWS HS256) binding decision to txDigest. Required in ENFORCE/HARD when requireDecisionToken.
-     */
-    decisionToken?: string;
-    /**
-     * Unix seconds when decision token expires.
-     */
-    expiresAt?: number;
-    /**
-     * SHA256(canonicalJson(txBinding)). Must match when signing.
-     */
-    txDigest?: string;
-    /**
-     * Whether the decision was enforced (false in SHADOW mode)
-     */
-    enforced?: boolean;
-    /**
-     * Whether shadow mode would have blocked (true if mode=SHADOW and decision=BLOCK)
-     */
-    shadowWouldBlock?: boolean;
-    /**
-     * Gate mode used for this evaluation
-     */
-    mode?: GateMode;
-    /**
-     * Metadata (evaluation latency, simulation, policy hash for pinning)
-     */
-    metadata?: {
-        evaluationLatencyMs?: number;
-        policyHash?: string;
-        snapshotVersion?: number;
-        [key: string]: unknown;
-    };
-}
-/**
- * Step-up status types
- */
-type GateStepUpStatus = 'PENDING' | 'APPROVED' | 'DENIED' | 'EXPIRED';
-/**
- * Step-up status response
- */
-interface StepUpStatusResponse {
-    status: GateStepUpStatus;
-    tenantId: string;
-    requestId: string;
-    decision?: string;
-    reasonCodes?: string[];
-    correlationId?: string;
-    expiresAtMs?: number;
-    ttl?: number;
-}
-/**
- * Final result from awaitStepUpDecision
- */
-interface StepUpFinalResult {
-    status: GateStepUpStatus;
-    requestId: string;
-    elapsedMs: number;
-    decision?: string;
-    reasonCodes?: string[];
-    correlationId?: string;
-}
-/**
- * Fail-safe mode for SDK (deprecated - use onConnectionFailure instead)
- */
-type FailSafeMode = 'ALLOW_ON_TIMEOUT' | 'BLOCK_ON_TIMEOUT' | 'BLOCK_ON_ANOMALY';
-/**
- * Gate Mode
- *
- * SHADOW: Evaluate and log, but always allow (monitor-only)
- * ENFORCE: Evaluate and enforce decisions (block if policy violation)
- */
-type GateMode = 'SHADOW' | 'ENFORCE';
-/**
- * Connection Failure Strategy
- *
- * FAIL_OPEN: Allow transaction if hotpath is unreachable
- * FAIL_CLOSED: Block transaction if hotpath is unreachable (security-first)
- */
-type ConnectionFailureStrategy = 'FAIL_OPEN' | 'FAIL_CLOSED';
-/**
- * Circuit breaker configuration
- */
-interface CircuitBreakerConfig$1 {
-    tripAfterConsecutiveFailures?: number;
-    coolDownMs?: number;
-}
-/**
- * SDK client configuration
- */
-interface GateClientConfig {
-    baseUrl: string;
-    tenantId: string;
-    auth: {
-        mode: 'hmac';
-        keyId: string;
-        secret: string;
-    } | {
-        mode: 'apiKey';
-        apiKey: string;
-    };
-    timeoutMs?: number;
-    userAgent?: string;
-    clockSkewMs?: number;
-    retries?: number;
-    failSafeMode?: FailSafeMode;
-    /**
-     * Gate mode (default: SHADOW for safety)
-     *
-     * SHADOW: Monitor-only - evaluate and log, but always allow
-     * ENFORCE: Enforce decisions - block if policy violation
-     */
-    mode?: GateMode;
-    /**
-     * Connection failure strategy (default: based on mode)
-     *
-     * FAIL_OPEN: Allow on connection failure (default in SHADOW mode)
-     * FAIL_CLOSED: Block on connection failure (default in ENFORCE mode)
-     */
-    onConnectionFailure?: ConnectionFailureStrategy;
-    circuitBreaker?: CircuitBreakerConfig$1;
-    enableStepUp?: boolean;
-    stepUp?: {
-        pollingIntervalMs?: number;
-        maxWaitMs?: number;
-        treatRequireStepUpAsBlockWhenDisabled?: boolean;
-    };
-    onMetrics?: (metrics: Metrics) => void | Promise<void>;
-    signerId?: string;
-    heartbeatRefreshIntervalSeconds?: number;
-    /** API key for Control Plane heartbeat endpoint (x-gate-heartbeat-key). Required when not local. Fallback: GATE_HEARTBEAT_KEY env. */
-    heartbeatApiKey?: string;
-    /** When true or GATE_SDK_DEBUG=1, log sanitized request/response (no secrets, no body values). */
-    debug?: boolean;
-    /**
-     * Break-glass token (optional, for emergency override)
-     *
-     * JWT token issued by Control Plane for time-bound policy bypass.
-     * Only valid if explicitly activated via break-glass endpoint.
-     */
-    breakglassToken?: string;
-    /**
-     * Local development mode - disables auth, heartbeat, and break-glass
-     * Set to true when using gate-local emulator
-     */
-    local?: boolean;
-    /**
-     * Enforcement mode (default: SOFT)
-     *
-     * SOFT: Warns if IAM permission risk detected, but allows initialization
-     * HARD: Blocks initialization if IAM permission risk detected (unless override set)
-     */
-    enforcementMode?: 'SOFT' | 'HARD';
-    /**
-     * Allow initialization even if IAM permission risk detected
-     *
-     * Default: false in HARD mode, true in SOFT mode
-     *
-     * WARNING: Setting to true in HARD mode defeats the purpose of hard enforcement.
-     * Only use during migration periods.
-     */
-    allowInsecureKmsSignPermission?: boolean;
-    /**
-     * Optional: Specific KMS key IDs to check for permission risk
-     * If not provided, checks for any kms:Sign permission
-     */
-    kmsKeyIds?: string[];
-    /**
-     * Require decision token before sign (default: true when mode=ENFORCE or enforcementMode=HARD).
-     * When true, evaluate() must return decisionToken/txDigest for ALLOW; sign path verifies digest match.
-     * Override with GATE_REQUIRE_DECISION_TOKEN env.
-     */
-    requireDecisionToken?: boolean;
-    /**
-     * Optional policy pinning: if set, evaluate response must have matching policyHash (from metadata).
-     * Mismatch → treat as BLOCK locally (do not call signer). Defense against Control Plane compromise.
-     */
-    expectedPolicyHash?: string;
-    /**
-     * Optional snapshot version pinning: if set, evaluate response must have matching snapshotVersion (from metadata).
-     * Mismatch → treat as BLOCK locally.
-     */
-    expectedSnapshotVersion?: number;
-    /**
-     * Optional: public key (PEM) to verify RS256 decision tokens. When set, ALLOW responses with decisionToken
-     * are signature-verified; invalid or wrong-key tokens are treated as BLOCK.
-     */
-    decisionTokenPublicKey?: string;
-}
+import { SignCommandInput, KMSClient, SigningAlgorithmSpec } from '@aws-sdk/client-kms';
+import { G as GateClientConfig, D as DefenseEvaluateRequestV2, a as DefenseEvaluateResponseV2, M as MetricsCollector, S as StepUpStatusResponse, b as StepUpFinalResult, c as SigningContext, A as AttestCompletedRequest, d as AttestCompletedResponse } from './contracts-KKk945Ox.cjs';
+export { E as EvaluationMode, e as GateDecision, f as GateMode, h as GateStepUpStatus, g as StepUpMetadata, T as TransactionIntentV2 } from './contracts-KKk945Ox.cjs';
 
 /**
  * Circuit Breaker for SDK
@@ -466,6 +135,77 @@ interface WrappedKmsClient extends KMSClient {
  */
 declare function wrapKmsClient(kmsClient: KMSClient, gateClient: GateClient, options?: WrapKmsClientOptions): WrappedKmsClient;
 
+/**
+ * Signer Backend Interface
+ *
+ * Abstract interface for cryptographic signing backends (AWS KMS, HashiCorp Vault, GCP KMS, etc.)
+ */
+interface SignRequest {
+    /**
+     * Key identifier (KMS key ID, Vault key name, GCP key name, etc.)
+     */
+    keyId: string;
+    /**
+     * Message to sign (raw bytes)
+     */
+    message: Buffer | Uint8Array;
+    /**
+     * Signing algorithm
+     * - AWS KMS: ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, RSASSA_PSS_SHA_256, etc.
+     * - Vault: ecdsa-sha2-256, ecdsa-sha2-384, ecdsa-sha2-512, rsa-sha2-256, etc.
+     * - GCP: EC_SIGN_P256_SHA256, EC_SIGN_P384_SHA384, RSA_SIGN_PSS_2048_SHA256, etc.
+     */
+    algorithm?: string;
+    /**
+     * Message type (RAW, DIGEST, etc.)
+     */
+    messageType?: string;
+    /**
+     * Additional backend-specific options
+     */
+    options?: Record<string, any>;
+}
+interface SignResponse {
+    /**
+     * Signature bytes
+     */
+    signature: Buffer | Uint8Array;
+    /**
+     * Key ID used for signing
+     */
+    keyId: string;
+    /**
+     * Signing algorithm used
+     */
+    algorithm: string;
+    /**
+     * Additional metadata
+     */
+    metadata?: Record<string, any>;
+}
+/**
+ * Signer Backend Interface
+ *
+ * All signing backends must implement this interface.
+ */
+interface SignerBackend {
+    /**
+     * Sign a message
+     *
+     * @param request Sign request
+     * @returns Sign response with signature
+     */
+    sign(request: SignRequest): Promise<SignResponse>;
+    /**
+     * Get backend name for logging
+     */
+    getName(): string;
+    /**
+     * Check if backend is available/configured
+     */
+    isAvailable(): boolean;
+}
+
 /**
  * Gate Client for Hot Path API
  */
@@ -534,6 +274,27 @@ declare class GateClient {
         maxWaitMs?: number;
         intervalMs?: number;
     }): Promise<StepUpFinalResult>;
+    /**
+     * Evaluate policy and sign in one call when decision is ALLOW.
+     * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.
+     */
+    evaluateAndSign(params: {
+        txIntent: DefenseEvaluateRequestV2['txIntent'];
+        signer: SignerBackend;
+        keyId: string;
+        message: Buffer | Uint8Array;
+        algorithm?: string;
+        signingContext?: SigningContext;
+    }): Promise<{
+        decision: DefenseEvaluateResponseV2;
+        signature?: SignResponse;
+    }>;
+    /**
+     * Attest a completed signature (post-sign). Use when you want zero latency impact on signing
+     * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or
+     * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).
+     */
+    attestCompleted(req: AttestCompletedRequest): Promise<AttestCompletedResponse>;
     /**
      * Wrap AWS SDK v3 KMS client to intercept SignCommand calls
      *
@@ -560,21 +321,26 @@ declare class GateClient {
 declare function createGateClient(config: GateClientConfig): GateClient;
 
 /**
- * Gate - Simplified API for Nexus-style injection
+ * Gate - Simplified API for Nexus-style injection and 5-line integration
  *
- * Provides a drop-in compatible API for code injected by Nexus:
- *   import { Gate } from "blockintel-gate-sdk";
- *   const gate = new Gate({ apiKey: process.env.BLOCKINTEL_API_KEY });
- *   const tx = await gate.guard(ctx, async () => wallet.sendTransaction({ ... }));
+ * - Gate.fromEnv(): Create a GateClient from env vars (GATE_BASE_URL, GATE_TENANT_ID,
+ *   GATE_API_KEY or GATE_KEY_ID+GATE_HMAC_SECRET, GATE_MODE). Enables true 5-line integration.
+ * - new Gate({ apiKey }): Passthrough guard for Nexus-injected code.
  *
- * In passthrough mode (no baseUrl/tenantId, or Nexus sandbox): executes the callback.
  * For full policy evaluation, use GateClient.evaluate() with tx params before sending.
  */
+
 declare class Gate {
     private readonly apiKey?;
     constructor(opts?: {
         apiKey?: string;
     });
+    /**
+     * Create a GateClient from environment variables (5-line integration).
+     *
+     * Reads: GATE_BASE_URL, GATE_TENANT_ID, GATE_API_KEY (or GATE_KEY_ID + GATE_HMAC_SECRET), GATE_MODE.
+     */
+    static fromEnv(overrides?: Partial<GateClientConfig>): GateClient;
     /**
      * Guard a signing operation. In passthrough mode, executes the callback.
      * For full Gate integration, use GateClient with evaluate() before sending.
@@ -888,4 +654,242 @@ declare function buildTxBindingObject(txIntent: {
  */
 declare function computeTxDigest(binding: TxBindingObject): string;
 
-export { BlockIntelAuthError, BlockIntelBlockedError, BlockIntelStepUpRequiredError, BlockIntelUnavailableError, type DefenseEvaluateRequestV2, type DefenseEvaluateResponseV2, Gate, GateClient, type GateClientConfig, type GateDecision, GateError, GateErrorCode, type GateStepUpStatus, HeartbeatManager, type HeartbeatToken, type Provenance, ProvenanceProvider, type SigningContext, type StepUpFinalResult, type StepUpMetadata, StepUpNotConfiguredError, type StepUpStatusResponse, type TransactionIntentV2, type TxBindingObject, type WrapKmsClientOptions, type WrappedKmsClient, buildTxBindingObject, computeTxDigest, createGateClient, GateClient as default, wrapKmsClient };
+/**
+ * AWS KMS Signer Backend
+ *
+ * Implements SignerBackend for AWS KMS using AWS SDK v3
+ */
+
+interface AwsKmsSignerConfig {
+    /**
+     * AWS KMS client instance
+     */
+    kmsClient: KMSClient;
+    /**
+     * Default signing algorithm (if not specified in request)
+     */
+    defaultAlgorithm?: SigningAlgorithmSpec;
+    /**
+     * Default message type (if not specified in request)
+     */
+    defaultMessageType?: 'RAW' | 'DIGEST';
+}
+/**
+ * AWS KMS Signer Backend
+ */
+declare class AwsKmsSigner implements SignerBackend {
+    private readonly config;
+    constructor(config: AwsKmsSignerConfig);
+    getName(): string;
+    isAvailable(): boolean;
+    sign(request: SignRequest): Promise<SignResponse>;
+    /**
+     * Map algorithm string to AWS KMS SigningAlgorithmSpec
+     */
+    private mapAlgorithm;
+}
+
+/**
+ * HashiCorp Vault Signer Backend
+ *
+ * Implements SignerBackend for HashiCorp Vault Transit Engine
+ */
+
+interface VaultSignerConfig {
+    /**
+     * Vault API base URL (e.g., 'https://vault.example.com:8200')
+     */
+    vaultUrl: string;
+    /**
+     * Vault authentication token
+     */
+    token?: string;
+    /**
+     * Vault AppRole authentication (alternative to token)
+     */
+    appRole?: {
+        roleId: string;
+        secretId: string;
+    };
+    /**
+     * Transit engine mount path (default: 'transit')
+     */
+    mountPath?: string;
+    /**
+     * Default signing algorithm (if not specified in request)
+     */
+    defaultAlgorithm?: string;
+    /**
+     * HTTP client options (timeout, etc.)
+     */
+    httpOptions?: {
+        timeout?: number;
+    };
+}
+/**
+ * HashiCorp Vault Signer Backend
+ */
+declare class VaultSigner implements SignerBackend {
+    private readonly config;
+    private authToken;
+    constructor(config: VaultSignerConfig);
+    getName(): string;
+    isAvailable(): boolean;
+    sign(request: SignRequest): Promise<SignResponse>;
+    /**
+     * Authenticate using AppRole
+     */
+    private authenticateAppRole;
+    /**
+     * Map algorithm string to Vault format
+     */
+    private mapAlgorithm;
+}
+
+/**
+ * Google Cloud KMS Signer Backend
+ *
+ * Implements SignerBackend for Google Cloud KMS
+ */
+
+interface GcpKmsSignerConfig {
+    /**
+     * GCP project ID
+     */
+    projectId: string;
+    /**
+     * GCP location (e.g., 'us-east1', 'global')
+     */
+    location: string;
+    /**
+     * Key ring name
+     */
+    keyRing: string;
+    /**
+     * Service account credentials (JSON key file content or path)
+     */
+    credentials?: string | {
+        client_email: string;
+        private_key: string;
+    };
+    /**
+     * Use workload identity (default: false)
+     * When true, uses GCP metadata service for authentication
+     */
+    useWorkloadIdentity?: boolean;
+    /**
+     * Default signing algorithm (if not specified in request)
+     */
+    defaultAlgorithm?: string;
+    /**
+     * HTTP client options (timeout, etc.)
+     */
+    httpOptions?: {
+        timeout?: number;
+    };
+}
+/**
+ * Google Cloud KMS Signer Backend
+ */
+declare class GcpKmsSigner implements SignerBackend {
+    private readonly config;
+    private accessToken;
+    private tokenExpiry;
+    constructor(config: GcpKmsSignerConfig);
+    getName(): string;
+    isAvailable(): boolean;
+    sign(request: SignRequest): Promise<SignResponse>;
+    /**
+     * Get GCP access token
+     */
+    private getAccessToken;
+    /**
+     * Map algorithm string to GCP format
+     */
+    private mapAlgorithm;
+}
+
+/**
+ * Fireblocks Signer Backend
+ *
+ * Implements SignerBackend for Fireblocks API.
+ * Key ID format: fireblocks://vaultAccountId/assetId
+ * Docs: https://developers.fireblocks.com/reference/post_transactions
+ */
+
+interface FireblocksSignerConfig {
+    /** Fireblocks API base URL (default: https://api.fireblocks.io) */
+    apiBaseUrl?: string;
+    /** Fireblocks API key (API User ID) */
+    apiKey: string;
+    /** Fireblocks API secret (private key PEM) */
+    apiSecret: string;
+    /** Default vault account ID (optional) */
+    vaultAccountId?: string;
+}
+declare class FireblocksSigner implements SignerBackend {
+    private readonly config;
+    private readonly apiBaseUrl;
+    constructor(config: FireblocksSignerConfig);
+    getName(): string;
+    isAvailable(): boolean;
+    sign(request: SignRequest): Promise<SignResponse>;
+    /**
+     * Create JWT for Fireblocks API (RS256, uri + bodyHash in payload).
+     */
+    private createAuthToken;
+    private pollTransaction;
+}
+
+/**
+ * PKCS#11 session implementation using pkcs11js.
+ *
+ * When the optional dependency `pkcs11js` is installed, this class loads the
+ * PKCS#11 library (e.g. SoftHSM2, Thales nShield, Utimaco, AWS CloudHSM),
+ * opens a session, and performs sign operations. Without pkcs11js, use a
+ * custom pkcs11Session in GenericHsmSigner or install: npm install pkcs11js
+ */
+interface Pkcs11SessionInitOptions {
+    /** Slot index (default 0). Use when multiple tokens are present. */
+    slotId?: number;
+}
+interface Pkcs11Session {
+    initialize(libraryPath: string, pin: string, options?: Pkcs11SessionInitOptions): Promise<void>;
+    sign(keyHandle: Buffer, mechanism: string, data: Buffer): Promise<Buffer>;
+    close(): Promise<void>;
+}
+
+/**
+ * Generic HSM Signer Backend (PKCS#11)
+ *
+ * Abstraction for on-prem HSMs via PKCS#11 (Thales nShield, Utimaco, AWS CloudHSM, etc.).
+ * Key ID format: hsm://<keyHandle> where keyHandle is hex-encoded.
+ *
+ * Requires a PKCS#11 session implementation. Use config.pkcs11Session for testing or
+ * a real adapter; otherwise Pkcs11SessionImpl throws until a PKCS#11 library is linked.
+ */
+
+interface GenericHsmSignerConfig {
+    /** PKCS#11 library path (e.g. /usr/lib/libCryptoki2_64.so for Thales) */
+    pkcs11LibraryPath: string;
+    /** HSM slot ID (optional) */
+    slotId?: number;
+    /** PIN / password */
+    pin: string;
+    /** Optional: custom PKCS#11 session (for testing or custom HSM adapters) */
+    pkcs11Session?: Pkcs11Session;
+}
+declare class GenericHsmSigner implements SignerBackend {
+    private readonly config;
+    private session;
+    constructor(config: GenericHsmSignerConfig);
+    getName(): string;
+    isAvailable(): boolean;
+    sign(request: SignRequest): Promise<SignResponse>;
+    private initializePkcs11Session;
+    private mapAlgorithmToMechanism;
+    /** Release the PKCS#11 session. Call when done to free resources. */
+    close(): Promise<void>;
+}
+
+export { AttestCompletedRequest, AttestCompletedResponse, AwsKmsSigner, BlockIntelAuthError, BlockIntelBlockedError, BlockIntelStepUpRequiredError, BlockIntelUnavailableError, DefenseEvaluateRequestV2, DefenseEvaluateResponseV2, FireblocksSigner, type FireblocksSignerConfig, Gate, GateClient, GateClientConfig, GateError, GateErrorCode, GcpKmsSigner, GenericHsmSigner, type GenericHsmSignerConfig, HeartbeatManager, type HeartbeatToken, type Pkcs11Session, type Provenance, ProvenanceProvider, type SignRequest, type SignResponse, type SignerBackend, SigningContext, StepUpFinalResult, StepUpNotConfiguredError, StepUpStatusResponse, type TxBindingObject, VaultSigner, type WrapKmsClientOptions, type WrappedKmsClient, buildTxBindingObject, computeTxDigest, createGateClient, GateClient as default, wrapKmsClient };