npm - blockintel-gate-sdk - Versions diffs - 0.4.4 → 0.4.6 - Mend

blockintel-gate-sdk 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1217,6 +1217,12 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
     }
+    const GATEWAY_STAGES = ["HARD_KMS_GATEWAY", "HARD_GCP_GATEWAY", "HARD_HSM_GATEWAY"];
+    const currentStage = gateClient.heartbeatManager?.getAdoptionStage?.();
+    if (currentStage && GATEWAY_STAGES.includes(currentStage)) {
+      emitMetric(options.metricsSink, "sign_success_total", labels);
+      return await signViaProxy(gateClient, decision, command, signerId);
+    }
     return await originalClient.send(new clientKms.SignCommand(command));
   } catch (error) {
     if (error instanceof BlockIntelBlockedError) {
@@ -1230,6 +1236,72 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     throw error;
   }
 }
+async function signViaProxy(gateClient, decision, command, signerId) {
+  const config = gateClient.config;
+  const baseUrl = config?.baseUrl || config?.controlPlaneUrl;
+  const tenantId = config?.tenantId;
+  if (!baseUrl || !tenantId) {
+    throw new Error("[Gate SDK] Cannot use signing proxy: baseUrl or tenantId not configured on GateClient");
+  }
+  const message = command.input?.Message ?? command.Message;
+  if (!message) {
+    throw new Error("[Gate SDK] SignCommand missing Message for proxy signing");
+  }
+  const messageBuffer = message instanceof Buffer ? message : Buffer.from(message);
+  const messageBase64 = messageBuffer.toString("base64");
+  const keyId = command.input?.KeyId ?? command.KeyId;
+  if (!keyId) {
+    throw new Error("[Gate SDK] SignCommand missing KeyId for proxy signing");
+  }
+  const signingAlgorithm = command.input?.SigningAlgorithm ?? command.SigningAlgorithm ?? "ECDSA_SHA_256";
+  const messageType = command.input?.MessageType ?? command.MessageType ?? "RAW";
+  const proxyUrl = `${baseUrl.replace("/defense", "")}/tenants/${tenantId}/defense/sign`;
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  const authHeaders = gateClient.getAuthHeaders?.();
+  if (authHeaders) {
+    Object.assign(headers, authHeaders);
+  } else {
+    const auth = config?.auth;
+    if (auth?.mode === "api_key" && auth?.apiKey) {
+      headers["x-api-key"] = auth.apiKey;
+    }
+  }
+  const jwt = gateClient.jwt || gateClient.config?.jwt;
+  if (jwt) {
+    headers["Authorization"] = `Bearer ${jwt}`;
+  }
+  const response = await fetch(proxyUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      requestId: decision.decisionId || decision.requestId,
+      decisionToken: decision.decisionToken,
+      keyId,
+      message: messageBase64,
+      signingAlgorithm,
+      messageType
+    })
+  });
+  if (!response.ok) {
+    const errorBody = await response.json().catch(() => ({}));
+    const code = errorBody?.error?.code || "SIGN_PROXY_FAILED";
+    const msg = errorBody?.error?.message || `Signing proxy returned ${response.status}`;
+    throw new Error(`[Gate SDK] ${code}: ${msg}`);
+  }
+  const result = await response.json();
+  const data = result?.data;
+  if (!data?.signature) {
+    throw new Error("[Gate SDK] Signing proxy returned no signature");
+  }
+  return {
+    Signature: Buffer.from(data.signature, "base64"),
+    KeyId: data.keyId || keyId,
+    SigningAlgorithm: data.signingAlgorithm || signingAlgorithm,
+    $metadata: { httpStatusCode: 200 }
+  };
+}
 // src/provenance/ProvenanceProvider.ts
 var ProvenanceProvider = class {
@@ -1287,6 +1359,8 @@ var HeartbeatManager = class {
   started = false;
   maxBackoffSeconds = 30;
   // Maximum backoff interval
+  /** Server's current adoption stage for this tenant (cached from heartbeat response) */
+  adoptionStage = null;
   maxSigners;
   signerIdleTtlMs;
   localRateLimitMs;
@@ -1560,6 +1634,9 @@ var HeartbeatManager = class {
           policyHash: response.data.policyHash
         };
         entry.consecutiveFailures = 0;
+        if (response.data.adoptionStage != null) {
+          this.adoptionStage = response.data.adoptionStage;
+        }
         console.log("[HEARTBEAT] Acquired heartbeat token", {
           expiresAt,
           signerId,
@@ -1588,6 +1665,14 @@ var HeartbeatManager = class {
   getClientInstanceId() {
     return this.clientInstanceId;
   }
+  /**
+   * Get the server's current adoption stage for this tenant.
+   * Populated after the first successful heartbeat response.
+   * Returns null if not yet received.
+   */
+  getAdoptionStage() {
+    return this.adoptionStage;
+  }
 };
 // src/security/IamPermissionRiskChecker.ts
@@ -1920,6 +2005,8 @@ var GateClient = class {
         apiKey: heartbeatApiKey
       });
       this.heartbeatManager.start();
+      this.checkAdoptionStageMismatch().catch(() => {
+      });
     }
     if (!config.local) {
       const enforcementMode = config.enforcementMode || "SOFT";
@@ -1965,9 +2052,38 @@ var GateClient = class {
       console.warn("[GATE CLIENT] Async IAM risk check warning:", error instanceof Error ? error.message : String(error));
     }
   }
+  /**
+   * Warn if the local SDK mode is SHADOW but the server's adoption stage is enforcing.
+   * Runs non-blocking after heartbeat startup; never throws.
+   */
+  async checkAdoptionStageMismatch() {
+    if (!this.heartbeatManager) return;
+    const signerId = this.config.signerId ?? DEFAULT_SIGNER_ID;
+    try {
+      await this.heartbeatManager.getTokenForSigner(signerId, 5e3);
+    } catch {
+      return;
+    }
+    const adoptionStage = this.heartbeatManager.getAdoptionStage();
+    if (!adoptionStage) return;
+    const ENFORCING_STAGES = [
+      "SOFT_ENFORCE",
+      "HARD_ENFORCE",
+      "PROVENANCE",
+      "HARD_KMS_GATEWAY",
+      "HARD_KMS_ATTESTED",
+      "HARD_KMS_ATTESTED_ENCLAVE",
+      "HARD_GCP_CONFIDENTIAL_VM"
+    ];
+    if (this.mode === "SHADOW" && ENFORCING_STAGES.includes(adoptionStage)) {
+      console.warn(
+        `[GATE SDK] Server adoption stage is ${adoptionStage} but SDK mode is SHADOW. Consider updating mode to 'ENFORCE' so your application handles blocks correctly. Until updated, the SDK will allow transactions the server would block.`
+      );
+    }
+  }
   /**
    * Evaluate a transaction defense request
-   *
+   *
    * Implements:
    * - Shadow Mode (SHADOW: monitor-only, ENFORCE: enforce decisions)
    * - Connection failure strategy (FAIL_OPEN vs FAIL_CLOSED)
@@ -2228,7 +2344,8 @@ var GateClient = class {
         }
       }
       if (result.decision === "BLOCK") {
-        if (requestMode === "SOFT_ENFORCE") {
+        const effectiveMode = result.mode ?? requestMode;
+        if (effectiveMode === "SOFT_ENFORCE") {
           console.warn("[SOFT ENFORCE] Policy violation detected - app can override", {
             requestId,
             reasonCodes: result.reasonCodes
@@ -2242,7 +2359,7 @@ var GateClient = class {
             warning: "Policy violation detected. Override at your own risk."
           };
         }
-        if (requestMode === "SHADOW") {
+        if (effectiveMode === "SHADOW") {
           console.warn("[GATE SHADOW MODE] Would have blocked transaction", {
             requestId,
             reasonCodes: result.reasonCodes,