blockintel-gate-sdk 0.3.9 → 0.4.0

package/README.md

@@ -408,11 +408,27 @@ The SDK includes a **Heartbeat Manager** that automatically acquires and refresh
 
 ### How It Works
 
-1. **Automatic Token Acquisition**: The SDK automatically starts a background heartbeat refresher when the `GateClient` is initialized. This continuously sends heartbeats to the Control Plane, keeping the signer status active in the UI.
-2. **Token Refresh**: Heartbeat tokens are refreshed every 10 seconds (configurable via `heartbeatRefreshIntervalSeconds`) to maintain a valid token
-3. **Signing Enforcement**: Before any `evaluate()` call, the SDK checks for a valid heartbeat token. If missing or expired, it throws `HEARTBEAT_MISSING` error
-4. **Token Inclusion**: The heartbeat token is automatically included in the `signingContext` of every evaluation request
-5. **No Manual Scripts Needed**: The SDK handles all heartbeat management automatically - no need for separate heartbeat scripts
+1. **Per-Signer Token Cache**: The heartbeat manager maintains a `Map<signerId, SignerHeartbeatEntry>` so each signer gets its own cached token, refresh timer, and backoff state. Switching between signers never invalidates other signers' tokens.
+2. **Automatic Token Acquisition**: When `getTokenForSigner(signerId)` is called, the manager returns the cached token immediately if valid, or acquires a new one on demand. The initial default signer is pre-warmed on `start()`.
+3. **Per-Signer Refresh**: Each signer entry has its own background `setTimeout` timer that refreshes the token before expiry (default every 10 seconds + jitter + backoff on failure).
+4. **LRU Eviction**: When the number of concurrent signer entries exceeds `maxSigners` (default: 20), the least-recently-used entry is evicted.
+5. **Idle TTL Eviction**: A background timer (every 60s) evicts signer entries not used within `signerIdleTtlMs` (default: 5 minutes).
+6. **Local Rate Limiting**: Per-signer guard prevents re-requesting within `localRateLimitMs` (default: 2.1s) to avoid hammering the Control Plane.
+7. **Token Inclusion**: The heartbeat token is automatically included in the `signingContext` of every evaluation request.
+
+### Multi-Signer Support
+
+Trading desks running 3+ bot profiles no longer experience `HEARTBEAT_MISSING` errors when switching signers. Each signer's token is cached independently:
+
+```typescript
+// KMS wrapper automatically uses the correct signer from KeyId
+const protectedKms = gate.wrapKmsClient(kmsClient);
+
+// These calls use independent heartbeat tokens — no cross-invalidation
+await protectedKms.sign({ KeyId: 'alias/bot-1', Message: tx1, ... });
+await protectedKms.sign({ KeyId: 'alias/bot-2', Message: tx2, ... });
+await protectedKms.sign({ KeyId: 'alias/bot-1', Message: tx3, ... }); // cache hit
+```
 
 ### Configuration
 
@@ -426,8 +442,11 @@ const gate = new GateClient({
   // Heartbeat manager uses baseUrl to infer Control Plane URL
   // Or explicitly set controlPlaneUrl if different
   controlPlaneUrl: 'https://control-plane.blockintelai.com',  // Optional
-  signerId: 'my-signer-id',  // Optional: signerId for heartbeat (if known upfront)
+  signerId: 'my-signer-id',  // Optional: default signerId for heartbeat (if known upfront)
   heartbeatRefreshIntervalSeconds: 10,  // Optional: heartbeat refresh interval (default: 10s)
+  maxSigners: 20,             // Optional: max concurrent signer entries (default: 20)
+  signerIdleTtlMs: 300000,    // Optional: evict idle signers after this many ms (default: 5 min)
+  localRateLimitMs: 2100,     // Optional: min ms between acquire attempts per signer (default: 2.1s)
 });
 ```
 
@@ -458,23 +477,17 @@ try {
 
 ### Heartbeat Manager API
 
-The heartbeat manager is internal to the SDK, but you can access it if needed:
+The primary API is `getTokenForSigner()`, which handles cache lookup, on-demand acquisition, and waiting:
 
 ```typescript
-// Check if heartbeat is valid
-const isValid = gate.heartbeatManager.isValid();
-
-// Get current heartbeat token (if valid)
-const token = gate.heartbeatManager.getToken();
-
-// Update signer ID (called automatically when signer is known)
-gate.heartbeatManager.updateSignerId('new-signer-id');
+// Get token for a specific signer
+const token = await gate.heartbeatManager.getTokenForSigner('my-signer-id', 2000);
 
-// Stop heartbeat refresher (e.g., on shutdown)
+// Stop heartbeat manager and clean up all timers (e.g., on shutdown)
 gate.heartbeatManager.stop();
 ```
 
-**Note**: The heartbeat manager automatically updates the `signerId` when using the KMS wrapper, so manual updates are typically not needed.
+**Note**: The KMS wrapper automatically calls `getTokenForSigner()` with the correct signer ID extracted from `KeyId`, so manual token management is typically not needed.
 
 ## Secret Rotation
 

package/dist/{contracts-KKk945Ox.d.cts → contracts-Dxb9vt_M.d.cts}

@@ -169,6 +169,18 @@ interface DefenseEvaluateResponseV2 {
      * Gate mode used for this evaluation
      */
     mode?: GateMode;
+    /**
+     * Gate receipt (when HARD_KMS_GATEWAY (or HARD_KMS_ATTESTED, deprecated) or receipt requested). Required for KMS signing in receipt-required mode.
+     */
+    receipt?: Record<string, unknown>;
+    /**
+     * Decision hash from receipt (SHA256 of canonical receipt payload). Used for receipt-required KMS flow.
+     */
+    decisionHash?: string;
+    /**
+     * Receipt signature (HS256:base64). Used for receipt-required KMS flow.
+     */
+    receiptSignature?: string;
     /**
      * Metadata (evaluation latency, simulation, policy hash for pinning)
      */

package/dist/{contracts-KKk945Ox.d.ts → contracts-Dxb9vt_M.d.ts}

@@ -169,6 +169,18 @@ interface DefenseEvaluateResponseV2 {
      * Gate mode used for this evaluation
      */
     mode?: GateMode;
+    /**
+     * Gate receipt (when HARD_KMS_GATEWAY (or HARD_KMS_ATTESTED, deprecated) or receipt requested). Required for KMS signing in receipt-required mode.
+     */
+    receipt?: Record<string, unknown>;
+    /**
+     * Decision hash from receipt (SHA256 of canonical receipt payload). Used for receipt-required KMS flow.
+     */
+    decisionHash?: string;
+    /**
+     * Receipt signature (HS256:base64). Used for receipt-required KMS flow.
+     */
+    receiptSignature?: string;
     /**
      * Metadata (evaluation latency, simulation, policy hash for pinning)
      */

package/dist/index.cjs

@@ -1047,13 +1047,21 @@ function computeTxDigest(binding) {
   return crypto.createHash("sha256").update(canonical, "utf8").digest("hex");
 }
 
+// src/metrics/GateMetricsSink.ts
+var noOpMetricsSink = {
+  emit() {
+  }
+};
+
 // src/kms/wrapAwsSdkV3KmsClient.ts
 function wrapKmsClient(kmsClient, gateClient, options = {}) {
   const defaultOptions = {
     mode: options.mode || "enforce",
+    requireReceiptForSign: options.requireReceiptForSign ?? false,
     onDecision: options.onDecision || (() => {
     }),
-    extractTxIntent: options.extractTxIntent || defaultExtractTxIntent
+    extractTxIntent: options.extractTxIntent || defaultExtractTxIntent,
+    metricsSink: options.metricsSink ?? noOpMetricsSink
   };
   const wrapped = new Proxy(kmsClient, {
     get(target, prop, receiver) {
@@ -1094,12 +1102,39 @@ function defaultExtractTxIntent(command) {
     // Backward compatibility
   };
 }
+function buildMetricLabels(gateClient, command, signerId, txIntent) {
+  const config = gateClient.config;
+  const keyId = command.input?.KeyId ?? command.KeyId;
+  return {
+    tenantId: config?.tenantId,
+    signerId: signerId || void 0,
+    adoptionStage: config?.adoptionStage ?? process.env.GATE_ADOPTION_STAGE,
+    env: config?.env ?? process.env.GATE_ENV ?? process.env.NODE_ENV,
+    chain: txIntent.chainId != null ? String(txIntent.chainId) : txIntent.networkFamily,
+    kmsKeyId: keyId,
+    region: process.env.AWS_REGION
+  };
+}
+function emitMetric(sink, name, labels) {
+  const event = { name, labels, timestampMs: Date.now() };
+  try {
+    const result = sink.emit(event);
+    if (result && typeof result.catch === "function") {
+      result.catch(() => {
+      });
+    }
+  } catch {
+  }
+}
 async function handleSignCommand(command, originalClient, gateClient, options) {
   const txIntent = options.extractTxIntent(command);
   const signerId = command.input?.KeyId ?? command.KeyId ?? "unknown";
-  gateClient.heartbeatManager.updateSignerId(signerId);
-  const heartbeatToken = gateClient.heartbeatManager.getToken();
-  if (!heartbeatToken) {
+  const labels = buildMetricLabels(gateClient, command, signerId, txIntent);
+  emitMetric(options.metricsSink, "sign_attempt_total", labels);
+  let heartbeatToken;
+  try {
+    heartbeatToken = await gateClient.heartbeatManager.getTokenForSigner(signerId, 2e3);
+  } catch {
     throw new BlockIntelBlockedError(
       "HEARTBEAT_MISSING",
       void 0,
@@ -1123,6 +1158,28 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
       // Type assertion - txIntent may have extra fields
       signingContext
     });
+    if (decision.decision === "ALLOW" && options.requireReceiptForSign) {
+      const hasReceipt2 = decision.receipt != null || decision.decisionHash != null && decision.receiptSignature != null;
+      if (!hasReceipt2) {
+        emitMetric(options.metricsSink, "sign_blocked_missing_receipt_total", labels);
+        options.onDecision("BLOCK", {
+          error: new BlockIntelBlockedError(
+            "RECEIPT_REQUIRED",
+            decision.decisionId,
+            decision.correlationId,
+            void 0
+          ),
+          signerId,
+          command
+        });
+        throw new BlockIntelBlockedError(
+          "RECEIPT_REQUIRED",
+          decision.decisionId,
+          decision.correlationId,
+          void 0
+        );
+      }
+    }
     if (decision.decision === "ALLOW" && gateClient.getRequireDecisionToken() && decision.txDigest != null) {
       const binding = buildTxBindingObject(
         txIntent,
@@ -1151,6 +1208,11 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
         );
       }
     }
+    const hasReceipt = decision.receipt != null || decision.decisionHash != null && decision.receiptSignature != null;
+    if (hasReceipt) {
+      emitMetric(options.metricsSink, "sign_success_with_receipt_total", labels);
+    }
+    emitMetric(options.metricsSink, "sign_success_total", labels);
     options.onDecision("ALLOW", { decision, signerId, command });
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
@@ -1211,7 +1273,7 @@ var ProvenanceProvider = class {
 var HeartbeatManager = class {
   httpClient;
   tenantId;
-  signerId;
+  defaultSignerId;
   environment;
   baseRefreshIntervalSeconds;
   clientInstanceId;
@@ -1220,22 +1282,27 @@ var HeartbeatManager = class {
   // SDK version for tracking
   apiKey;
   // x-gate-heartbeat-key for Control Plane auth
-  currentToken = null;
-  refreshTimer = null;
+  signerEntries = /* @__PURE__ */ new Map();
+  evictionTimer = null;
   started = false;
-  consecutiveFailures = 0;
   maxBackoffSeconds = 30;
   // Maximum backoff interval
+  maxSigners;
+  signerIdleTtlMs;
+  localRateLimitMs;
   constructor(options) {
     this.httpClient = options.httpClient;
     this.tenantId = options.tenantId;
-    this.signerId = options.signerId;
+    this.defaultSignerId = options.signerId;
     this.environment = options.environment ?? "prod";
     this.baseRefreshIntervalSeconds = options.refreshIntervalSeconds ?? 10;
     this.apiKey = options.apiKey;
     this.clientInstanceId = options.clientInstanceId || uuid.v4();
     this.sdkVersion = options.sdkVersion || "1.0.0";
     this.apiKey = options.apiKey;
+    this.maxSigners = options.maxSigners ?? 20;
+    this.signerIdleTtlMs = options.signerIdleTtlMs ?? 3e5;
+    this.localRateLimitMs = options.localRateLimitMs ?? 2100;
   }
   /**
    * Start background heartbeat refresher.
@@ -1246,46 +1313,56 @@ var HeartbeatManager = class {
       return;
     }
     this.started = true;
-    this.acquireHeartbeat().catch((error) => {
+    this.startEvictionTimer();
+    this.getTokenForSigner(this.defaultSignerId, 0).catch((error) => {
       console.error("[HEARTBEAT] Failed to acquire initial heartbeat:", error instanceof Error ? error.message : error);
     });
-    this.scheduleNextRefresh();
+  }
+  startEvictionTimer() {
+    if (this.evictionTimer) clearInterval(this.evictionTimer);
+    this.evictionTimer = setInterval(() => {
+      const now = Date.now();
+      for (const [signerId, entry] of this.signerEntries) {
+        if (now - entry.lastUsedMs > this.signerIdleTtlMs) {
+          if (entry.refreshTimer) clearTimeout(entry.refreshTimer);
+          this.signerEntries.delete(signerId);
+        }
+      }
+    }, 6e4);
   }
   /**
-   * Schedule next refresh with jitter and backoff
+   * Schedule next refresh with jitter and backoff for a specific signer
    */
-  scheduleNextRefresh() {
-    if (!this.started) {
+  scheduleRefreshForSigner(signerId, entry) {
+    if (!this.started || !this.signerEntries.has(signerId)) {
       return;
     }
+    if (entry.refreshTimer) {
+      clearTimeout(entry.refreshTimer);
+      entry.refreshTimer = null;
+    }
     const baseInterval = this.baseRefreshIntervalSeconds * 1e3;
     const jitter = Math.random() * 2e3;
-    const backoff = this.calculateBackoff();
+    const backoff = Math.min(
+      Math.pow(2, entry.consecutiveFailures) * 1e3,
+      this.maxBackoffSeconds * 1e3
+    );
     const interval = baseInterval + jitter + backoff;
-    this.refreshTimer = setTimeout(() => {
-      this.acquireHeartbeat().then(() => {
-        this.consecutiveFailures = 0;
-        this.scheduleNextRefresh();
+    entry.refreshTimer = setTimeout(() => {
+      if (!this.signerEntries.has(signerId)) return;
+      entry.acquiring = true;
+      entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry).then(() => {
+        this.scheduleRefreshForSigner(signerId, entry);
       }).catch((error) => {
-        this.consecutiveFailures++;
-        console.error("[HEARTBEAT] Refresh failed (will retry):", error);
-        this.scheduleNextRefresh();
+        entry.consecutiveFailures++;
+        console.error(`[HEARTBEAT] Refresh failed for signer ${signerId} (will retry):`, error.message || error);
+        this.scheduleRefreshForSigner(signerId, entry);
+      }).finally(() => {
+        entry.acquiring = false;
+        entry.acquirePromise = null;
       });
     }, interval);
   }
-  /**
-   * Calculate exponential backoff (capped at maxBackoffSeconds)
-   */
-  calculateBackoff() {
-    if (this.consecutiveFailures === 0) {
-      return 0;
-    }
-    const backoffSeconds = Math.min(
-      Math.pow(2, this.consecutiveFailures) * 1e3,
-      this.maxBackoffSeconds * 1e3
-    );
-    return backoffSeconds;
-  }
   /**
    * Stop background heartbeat refresher
    */
@@ -1294,45 +1371,153 @@ var HeartbeatManager = class {
       return;
     }
     this.started = false;
-    if (this.refreshTimer) {
-      clearTimeout(this.refreshTimer);
-      this.refreshTimer = null;
+    if (this.evictionTimer) {
+      clearInterval(this.evictionTimer);
+      this.evictionTimer = null;
+    }
+    for (const [signerId, entry] of this.signerEntries) {
+      if (entry.refreshTimer) {
+        clearTimeout(entry.refreshTimer);
+        entry.refreshTimer = null;
+      }
     }
+    this.signerEntries.clear();
   }
   /**
-   * Get current heartbeat token if valid
+   * Get current heartbeat token if valid for the default signer
+   * @deprecated Use getTokenForSigner() instead.
    */
   getToken() {
-    if (!this.currentToken) {
-      return null;
+    const entry = this.signerEntries.get(this.defaultSignerId);
+    if (entry && entry.token && entry.token.expiresAt > Math.floor(Date.now() / 1e3) + 2) {
+      entry.lastUsedMs = Date.now();
+      return entry.token.token;
     }
-    const now = Math.floor(Date.now() / 1e3);
-    if (this.currentToken.expiresAt <= now + 2) {
-      return null;
-    }
-    return this.currentToken.token;
+    return null;
   }
   /**
-   * Check if current heartbeat token is valid
+   * Check if current heartbeat token is valid for the default signer
+   * @deprecated Use getTokenForSigner() instead.
    */
   isValid() {
     return this.getToken() !== null;
   }
   /**
-   * Update signer ID (called when signer is known)
+   * Update signer ID (called when signer is known).
+   * @deprecated Use getTokenForSigner() — signerId changes are handled automatically by the per-signer cache.
    */
   updateSignerId(signerId) {
-    if (this.signerId !== signerId) {
-      this.signerId = signerId;
-      this.currentToken = null;
+    this.defaultSignerId = signerId;
+  }
+  /**
+   * Get a valid heartbeat token for a specific signer.
+   * Returns immediately if a cached valid token exists.
+   * If no token, triggers acquisition and returns a Promise that resolves
+   * when the token is available (or rejects after maxWaitMs).
+   */
+  async getTokenForSigner(signerId, maxWaitMs = 2e3) {
+    if (!this.started) {
+      throw new GateError("HEARTBEAT_MISSING" /* HEARTBEAT_MISSING */, "HeartbeatManager not started");
     }
+    const startTime = Date.now();
+    let entry = this.signerEntries.get(signerId);
+    const now = Date.now();
+    const getValidToken = (e) => {
+      if (e.token && e.token.expiresAt > Math.floor(Date.now() / 1e3) + 2) {
+        return e.token.token;
+      }
+      return null;
+    };
+    if (entry) {
+      entry.lastUsedMs = now;
+      const t2 = getValidToken(entry);
+      if (t2) return t2;
+    } else {
+      if (this.signerEntries.size >= this.maxSigners) {
+        let oldestSignerId = null;
+        let oldestUsedMs = Infinity;
+        for (const [sId, e] of this.signerEntries) {
+          if (e.lastUsedMs < oldestUsedMs) {
+            oldestUsedMs = e.lastUsedMs;
+            oldestSignerId = sId;
+          }
+        }
+        if (oldestSignerId) {
+          const oldestEntry = this.signerEntries.get(oldestSignerId);
+          if (oldestEntry?.refreshTimer) clearTimeout(oldestEntry.refreshTimer);
+          this.signerEntries.delete(oldestSignerId);
+        }
+      }
+      entry = {
+        token: null,
+        refreshTimer: null,
+        consecutiveFailures: 0,
+        lastAcquireAttemptMs: 0,
+        lastUsedMs: now,
+        acquiring: false,
+        acquirePromise: null
+      };
+      this.signerEntries.set(signerId, entry);
+    }
+    if (entry.acquiring && entry.acquirePromise) {
+      const remainingWait = Math.max(0, maxWaitMs - (Date.now() - startTime));
+      try {
+        await Promise.race([
+          entry.acquirePromise,
+          new Promise((_, reject) => setTimeout(() => reject(new Error("timeout")), remainingWait))
+        ]);
+      } catch (e) {
+      }
+      const t2 = getValidToken(entry);
+      if (t2) return t2;
+    }
+    const timeSinceLastAttempt = Date.now() - entry.lastAcquireAttemptMs;
+    let timeToWaitBeforeFetch = 0;
+    if (timeSinceLastAttempt < this.localRateLimitMs) {
+      timeToWaitBeforeFetch = this.localRateLimitMs - timeSinceLastAttempt;
+    }
+    const remainingWait2 = Math.max(0, maxWaitMs - (Date.now() - startTime));
+    if (timeToWaitBeforeFetch >= remainingWait2) {
+      throw new GateError(
+        "HEARTBEAT_MISSING" /* HEARTBEAT_MISSING */,
+        "Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy."
+      );
+    }
+    if (timeToWaitBeforeFetch > 0) {
+      await new Promise((resolve) => setTimeout(resolve, timeToWaitBeforeFetch));
+    }
+    if (!entry.acquiring) {
+      entry.acquiring = true;
+      entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry).finally(() => {
+        if (entry) {
+          entry.acquiring = false;
+          entry.acquirePromise = null;
+        }
+      });
+    }
+    const remainingWait3 = Math.max(0, maxWaitMs - (Date.now() - startTime));
+    try {
+      if (entry.acquirePromise) {
+        await Promise.race([
+          entry.acquirePromise,
+          new Promise((_, reject) => setTimeout(() => reject(new Error("timeout")), remainingWait3))
+        ]);
+      }
+    } catch (e) {
+    }
+    const t = getValidToken(entry);
+    if (t) return t;
+    throw new GateError(
+      "HEARTBEAT_MISSING" /* HEARTBEAT_MISSING */,
+      "Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy."
+    );
   }
   /**
-   * Acquire a new heartbeat token from Control Plane
+   * Acquire a new heartbeat token from Control Plane for a specific signer
    * NEVER logs token value (security)
    * Requires x-gate-heartbeat-key header (apiKey) for authentication.
    */
-  async acquireHeartbeat() {
+  async acquireHeartbeatForSigner(signerId, entry) {
     if (!this.apiKey || this.apiKey.length === 0) {
       throw new GateError(
         "UNAUTHORIZED" /* UNAUTHORIZED */,
@@ -1340,6 +1525,7 @@ var HeartbeatManager = class {
         {}
       );
     }
+    entry.lastAcquireAttemptMs = Date.now();
     try {
       const response = await this.httpClient.request({
         method: "POST",
@@ -1349,12 +1535,15 @@ var HeartbeatManager = class {
         },
         body: {
           tenantId: this.tenantId,
-          signerId: this.signerId,
+          signerId,
           environment: this.environment,
           clientInstanceId: this.clientInstanceId,
           sdkVersion: this.sdkVersion
         }
       });
+      if (!this.signerEntries.has(signerId)) {
+        return;
+      }
       if (response.success && response.data) {
         const token = response.data.heartbeatToken;
         const expiresAt = response.data.expiresAt;
@@ -1364,18 +1553,23 @@ var HeartbeatManager = class {
             "Invalid heartbeat response: missing token or expiresAt"
           );
         }
-        this.currentToken = {
+        entry.token = {
           token,
           expiresAt,
           jti: response.data.jti,
           policyHash: response.data.policyHash
         };
+        entry.consecutiveFailures = 0;
         console.log("[HEARTBEAT] Acquired heartbeat token", {
           expiresAt,
+          signerId,
           jti: response.data.jti,
           policyHash: response.data.policyHash?.substring(0, 8) + "..."
           // DO NOT log token value
         });
+        if (!entry.refreshTimer) {
+          this.scheduleRefreshForSigner(signerId, entry);
+        }
       } else {
         const error = response.error || {};
         throw new GateError(
@@ -1384,7 +1578,7 @@ var HeartbeatManager = class {
         );
       }
     } catch (error) {
-      console.error("[HEARTBEAT] Failed to acquire heartbeat:", error.message || error);
+      console.error(`[HEARTBEAT] Failed to acquire heartbeat for signer ${signerId}:`, error.message || error);
       throw error;
     }
   }
@@ -1641,6 +1835,7 @@ var IamPermissionRiskChecker = class {
 };
 
 // src/client/GateClient.ts
+var DEFAULT_SIGNER_ID = "gate-sdk-client";
 var GateClient = class {
   config;
   httpClient;
@@ -1715,7 +1910,7 @@ var GateClient = class {
         // 5s timeout for heartbeat
         userAgent: config.userAgent
       });
-      const initialSignerId = config.signerId ?? "trading-bot-signer";
+      const initialSignerId = config.signerId ?? DEFAULT_SIGNER_ID;
       this.heartbeatManager = new HeartbeatManager({
         httpClient: heartbeatHttpClient,
         tenantId: config.tenantId,
@@ -1790,26 +1985,10 @@ var GateClient = class {
     const requestMode = req.mode || this.mode;
     const requireToken = this.getRequireDecisionToken();
     const executeRequest = async () => {
-      if (!this.config.local && this.heartbeatManager && req.signingContext?.signerId) {
-        this.heartbeatManager.updateSignerId(req.signingContext.signerId);
-      }
       let heartbeatToken = null;
       if (!this.config.local && this.heartbeatManager) {
-        heartbeatToken = this.heartbeatManager.getToken();
-        if (!heartbeatToken) {
-          const maxWaitMs = 2e3;
-          const startTime2 = Date.now();
-          while (!heartbeatToken && Date.now() - startTime2 < maxWaitMs) {
-            await new Promise((resolve) => setTimeout(resolve, 50));
-            heartbeatToken = this.heartbeatManager.getToken();
-          }
-        }
-        if (!heartbeatToken) {
-          throw new GateError(
-            "HEARTBEAT_MISSING" /* HEARTBEAT_MISSING */,
-            "Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy."
-          );
-        }
+        const effectiveSignerId2 = req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? DEFAULT_SIGNER_ID;
+        heartbeatToken = await this.heartbeatManager.getTokenForSigner(effectiveSignerId2, 2e3);
       }
       const txIntent = { ...req.txIntent };
       if (txIntent.to && !txIntent.toAddress) {
@@ -1822,10 +2001,11 @@ var GateClient = class {
       if (txIntent.from && !txIntent.fromAddress) {
         delete txIntent.from;
       }
+      const effectiveSignerId = req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? DEFAULT_SIGNER_ID;
       const signingContext = {
         ...req.signingContext,
-        actorPrincipal: req.signingContext?.actorPrincipal ?? req.signingContext?.signerId ?? "gate-sdk-client",
-        signerId: req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? "gate-sdk-client"
+        actorPrincipal: req.signingContext?.actorPrincipal ?? req.signingContext?.signerId ?? DEFAULT_SIGNER_ID,
+        signerId: effectiveSignerId
       };
       if (heartbeatToken) {
         signingContext.heartbeatToken = heartbeatToken;
@@ -1942,6 +2122,9 @@ var GateClient = class {
         enforced: responseData.enforced ?? requestMode === "ENFORCE",
         shadowWouldBlock: responseData.shadow_would_block ?? responseData.shadowWouldBlock ?? false,
         mode: responseData.mode ?? requestMode,
+        receipt: responseData.receipt,
+        decisionHash: responseData.decision_hash ?? responseData.decisionHash,
+        receiptSignature: responseData.receipt_signature ?? responseData.receiptSignature,
         ...simulationData ? {
           simulation: {
             willRevert: simulationData.willRevert ?? simulationData.will_revert ?? false,
@@ -3035,6 +3218,7 @@ exports.buildTxBindingObject = buildTxBindingObject;
 exports.computeTxDigest = computeTxDigest;
 exports.createGateClient = createGateClient;
 exports.default = GateClient;
+exports.noOpMetricsSink = noOpMetricsSink;
 exports.wrapKmsClient = wrapKmsClient;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map