npm - blockintel-gate-sdk - Versions diffs - 0.4.5 → 0.4.6 - Mend

blockintel-gate-sdk 0.4.5 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1217,6 +1217,12 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
     }
+    const GATEWAY_STAGES = ["HARD_KMS_GATEWAY", "HARD_GCP_GATEWAY", "HARD_HSM_GATEWAY"];
+    const currentStage = gateClient.heartbeatManager?.getAdoptionStage?.();
+    if (currentStage && GATEWAY_STAGES.includes(currentStage)) {
+      emitMetric(options.metricsSink, "sign_success_total", labels);
+      return await signViaProxy(gateClient, decision, command, signerId);
+    }
     return await originalClient.send(new clientKms.SignCommand(command));
   } catch (error) {
     if (error instanceof BlockIntelBlockedError) {
@@ -1230,6 +1236,72 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     throw error;
   }
 }
+async function signViaProxy(gateClient, decision, command, signerId) {
+  const config = gateClient.config;
+  const baseUrl = config?.baseUrl || config?.controlPlaneUrl;
+  const tenantId = config?.tenantId;
+  if (!baseUrl || !tenantId) {
+    throw new Error("[Gate SDK] Cannot use signing proxy: baseUrl or tenantId not configured on GateClient");
+  }
+  const message = command.input?.Message ?? command.Message;
+  if (!message) {
+    throw new Error("[Gate SDK] SignCommand missing Message for proxy signing");
+  }
+  const messageBuffer = message instanceof Buffer ? message : Buffer.from(message);
+  const messageBase64 = messageBuffer.toString("base64");
+  const keyId = command.input?.KeyId ?? command.KeyId;
+  if (!keyId) {
+    throw new Error("[Gate SDK] SignCommand missing KeyId for proxy signing");
+  }
+  const signingAlgorithm = command.input?.SigningAlgorithm ?? command.SigningAlgorithm ?? "ECDSA_SHA_256";
+  const messageType = command.input?.MessageType ?? command.MessageType ?? "RAW";
+  const proxyUrl = `${baseUrl.replace("/defense", "")}/tenants/${tenantId}/defense/sign`;
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  const authHeaders = gateClient.getAuthHeaders?.();
+  if (authHeaders) {
+    Object.assign(headers, authHeaders);
+  } else {
+    const auth = config?.auth;
+    if (auth?.mode === "api_key" && auth?.apiKey) {
+      headers["x-api-key"] = auth.apiKey;
+    }
+  }
+  const jwt = gateClient.jwt || gateClient.config?.jwt;
+  if (jwt) {
+    headers["Authorization"] = `Bearer ${jwt}`;
+  }
+  const response = await fetch(proxyUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      requestId: decision.decisionId || decision.requestId,
+      decisionToken: decision.decisionToken,
+      keyId,
+      message: messageBase64,
+      signingAlgorithm,
+      messageType
+    })
+  });
+  if (!response.ok) {
+    const errorBody = await response.json().catch(() => ({}));
+    const code = errorBody?.error?.code || "SIGN_PROXY_FAILED";
+    const msg = errorBody?.error?.message || `Signing proxy returned ${response.status}`;
+    throw new Error(`[Gate SDK] ${code}: ${msg}`);
+  }
+  const result = await response.json();
+  const data = result?.data;
+  if (!data?.signature) {
+    throw new Error("[Gate SDK] Signing proxy returned no signature");
+  }
+  return {
+    Signature: Buffer.from(data.signature, "base64"),
+    KeyId: data.keyId || keyId,
+    SigningAlgorithm: data.signingAlgorithm || signingAlgorithm,
+    $metadata: { httpStatusCode: 200 }
+  };
+}
 // src/provenance/ProvenanceProvider.ts
 var ProvenanceProvider = class {