galileo-generated 0.2.6 → 0.2.8

package/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-    ".": "0.2.6"
+    ".": "0.2.8"
 }

package/dist/commonjs/hooks/cert-management.d.ts

@@ -0,0 +1,73 @@
+import type { SDKInitHook } from './types.js';
+import type { SDKOptions } from '../lib/config.js';
+/**
+ * SDK initialization hook that configures TLS/SSL certificates for all SDK HTTP requests.
+ *
+ * This hook reads certificate configuration from GalileoConfig and applies it by creating
+ * a custom undici Agent as the fetch dispatcher. Only runs on Node.js >= 20.18.1 with undici available.
+ *
+ * Configuration sources (environment variables resolved via GalileoConfig):
+ * - GALILEO_CA_CERT_PATH or GALILEO_CA_CERT_CONTENT: Custom CA certificate(s) for server verification
+ * - GALILEO_CLIENT_CERT_PATH + GALILEO_CLIENT_KEY_PATH: Client certificate and key for mutual TLS (both required)
+ * - GALILEO_REJECT_UNAUTHORIZED: Control whether to accept self-signed/unauthorized certificates
+ *   (also falls back to NODE_TLS_REJECT_UNAUTHORIZED if GALILEO_REJECT_UNAUTHORIZED not set)
+ * - SSL_CERT_FILE: Python httpx-style CA cert file (supported for compatibility)
+ *
+ * Implementation details:
+ * - Skips gracefully on browsers, Deno, or Node.js without undici support
+ * - Returns original opts if no certificate configuration is present
+ * - Validates mutual TLS: requires both clientCertPath and clientKeyPath; fails if only one is set
+ * - Only creates undici Agent if there's meaningful TLS customization (avoids unnecessary overhead)
+ * - Wraps fetch with a custom dispatcher to apply the TLS configuration to all SDK requests
+ *
+ * @implements {SDKInitHook}
+ */
+export declare class CertManagementHook implements SDKInitHook {
+    /**
+     * Initializes SDK options with TLS certificate configuration.
+     *
+     * Reads certificate config from GalileoConfig, creates an undici Agent if needed,
+     * and augments the HTTPClient (if present) with a beforeRequest hook that injects
+     * the TLS dispatcher. This approach preserves any custom HTTPClient and its hooks
+     * while layering TLS configuration on top.
+     *
+     * @param opts - The original SDK options
+     * @returns Enhanced SDKOptions with TLS configuration applied, or original opts otherwise
+     */
+    sdkInit(opts: SDKOptions): SDKOptions;
+    /**
+     * Warns if the current Node.js version may not support Request.dispatcher.
+     *
+     * Request.dispatcher is a Node.js-specific extension for undici integration.
+     * It's supported on Node.js >= 20.18.1. On older versions, the dispatcher
+     * property will be silently ignored, and TLS certificates may not be applied.
+     *
+     * See: https://nodejs.org/docs/latest/api/fetch.html#fetchinit-options
+     */
+    private warnIfDispatcherUnsupported;
+    /**
+     * Extracts the Node.js version from process.versions.
+     *
+     * @returns Version string (e.g., "20.10.0") or null if not detectable
+     */
+    private getNodeVersion;
+    /**
+     * Checks if a Node.js version is >= 20.18.1 (minimum for Request.dispatcher support).
+     *
+     * @param versionStr - Version string (e.g., "20.10.0", "21.0.0")
+     * @returns true if version >= 20.18.1, false otherwise
+     */
+    private isNodeVersionSupported;
+    /**
+     * Safely reads a certificate/key file from disk with error reporting.
+     *
+     * Checks file existence before reading to provide clear warning messages.
+     * Returns null if file doesn't exist or read fails; logs a warning in either case.
+     *
+     * @param filePath - Absolute or relative path to the certificate/key file
+     * @param fileType - Human-readable description for error messages (e.g., "CA certificate", "Client cert", "Client key")
+     * @returns File content as UTF-8 string, or null if file doesn't exist or read fails
+     */
+    private readFileWarning;
+}
+//# sourceMappingURL=cert-management.d.ts.map

package/dist/commonjs/hooks/cert-management.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-management.d.ts","sourceRoot":"","sources":["../../../src/hooks/cert-management.ts"],"names":[],"mappings":"AAsBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAuBnD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,kBAAmB,YAAW,WAAW;IACpD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU;IA0GrC;;;;;;;;OAQG;IACH,OAAO,CAAC,2BAA2B;IAqBnC;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAetB;;;;;OAKG;IACH,OAAO,CAAC,sBAAsB;IA4B9B;;;;;;;;;OASG;IACH,OAAO,CAAC,eAAe;CAOxB"}

package/dist/commonjs/hooks/cert-management.js

@@ -0,0 +1,258 @@
+"use strict";
+/*
+ * Certificate management SDK init hook: configures TLS/SSL for fetch API using undici Agent.
+ *
+ * Reads certificate configuration from GalileoConfig singleton and applies it to all SDK HTTP requests.
+ * Supports custom CA certificates, client certificates (mutual TLS), and certificate validation controls.
+ *
+ * Configuration sources (via GalileoConfig):
+ * - GALILEO_CA_CERT_PATH / GALILEO_CA_CERT_CONTENT: Custom CA certificate(s)
+ * - GALILEO_CLIENT_CERT_PATH + GALILEO_CLIENT_KEY_PATH: Client certificate and key for mTLS
+ * - GALILEO_REJECT_UNAUTHORIZED / NODE_TLS_REJECT_UNAUTHORIZED: Control certificate validation
+ * - SSL_CERT_FILE: Python httpx compatibility (treated as CA certificate)
+ * - NODE_EXTRA_CA_CERTS: Node.js native support for appending to default CA list (works without this hook)
+ *
+ * ⚠️  REQUIRES Node.js >= 20.18.1 for undici dispatcher support in fetch API.
+ * ⚠️  Gracefully skips on older Node.js versions or non-Node.js runtimes (browser, Deno).
+ * ⚠️  Only creates undici Agent if meaningful TLS customization is detected (prevents unnecessary overhead).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertManagementHook = void 0;
+const fs_1 = require("fs");
+const http_js_1 = require("../lib/http.js");
+const galileo_config_js_1 = require("../lib/galileo-config.js");
+const runtime_js_1 = require("../lib/runtime.js");
+const sdk_logger_js_1 = require("../lib/sdk-logger.js");
+const sdkLogger = (0, sdk_logger_js_1.getSdkLogger)();
+let CertAgent;
+try {
+    // Using synchronous require to support both ESM and CommonJS contexts
+    CertAgent = require('undici').Agent;
+}
+catch (error) {
+    sdkLogger.warn(`[TLS] Failed to import undici: ${error}`);
+}
+/**
+ * SDK initialization hook that configures TLS/SSL certificates for all SDK HTTP requests.
+ *
+ * This hook reads certificate configuration from GalileoConfig and applies it by creating
+ * a custom undici Agent as the fetch dispatcher. Only runs on Node.js >= 20.18.1 with undici available.
+ *
+ * Configuration sources (environment variables resolved via GalileoConfig):
+ * - GALILEO_CA_CERT_PATH or GALILEO_CA_CERT_CONTENT: Custom CA certificate(s) for server verification
+ * - GALILEO_CLIENT_CERT_PATH + GALILEO_CLIENT_KEY_PATH: Client certificate and key for mutual TLS (both required)
+ * - GALILEO_REJECT_UNAUTHORIZED: Control whether to accept self-signed/unauthorized certificates
+ *   (also falls back to NODE_TLS_REJECT_UNAUTHORIZED if GALILEO_REJECT_UNAUTHORIZED not set)
+ * - SSL_CERT_FILE: Python httpx-style CA cert file (supported for compatibility)
+ *
+ * Implementation details:
+ * - Skips gracefully on browsers, Deno, or Node.js without undici support
+ * - Returns original opts if no certificate configuration is present
+ * - Validates mutual TLS: requires both clientCertPath and clientKeyPath; fails if only one is set
+ * - Only creates undici Agent if there's meaningful TLS customization (avoids unnecessary overhead)
+ * - Wraps fetch with a custom dispatcher to apply the TLS configuration to all SDK requests
+ *
+ * @implements {SDKInitHook}
+ */
+class CertManagementHook {
+    /**
+     * Initializes SDK options with TLS certificate configuration.
+     *
+     * Reads certificate config from GalileoConfig, creates an undici Agent if needed,
+     * and augments the HTTPClient (if present) with a beforeRequest hook that injects
+     * the TLS dispatcher. This approach preserves any custom HTTPClient and its hooks
+     * while layering TLS configuration on top.
+     *
+     * @param opts - The original SDK options
+     * @returns Enhanced SDKOptions with TLS configuration applied, or original opts otherwise
+     */
+    sdkInit(opts) {
+        if (!(0, runtime_js_1.isNodeLike)() || !CertAgent) {
+            return opts;
+        }
+        // Get certificate configuration from GalileoConfig singleton
+        const cert = galileo_config_js_1.GalileoConfig.get().getCertConfig();
+        if (!cert) {
+            return opts;
+        }
+        try {
+            // Determine CA certificate source (prefer direct content over file path)
+            let ca;
+            if (cert.caCertContent) {
+                // CA provided directly as string (GALILEO_CA_CERT_CONTENT)
+                ca = cert.caCertContent;
+            }
+            else if (cert.caCertPath) {
+                // CA certificate path provided (GALILEO_CA_CERT_PATH); read file from disk
+                ca = this.readFileWarning(cert.caCertPath, 'CA certificate');
+                if (!ca)
+                    return opts;
+            }
+            // Build undici Agent connect options (TLS settings passed to undici's socket connector)
+            const connectOptions = {};
+            if (ca) {
+                connectOptions.ca = ca;
+            }
+            // Validate mutual TLS: both cert and key must be configured together (all-or-nothing)
+            if ((cert.clientCertPath || cert.clientKeyPath) && !(cert.clientCertPath && cert.clientKeyPath)) {
+                sdkLogger.error('[TLS] Mutual TLS requires both GALILEO_CLIENT_CERT_PATH and GALILEO_CLIENT_KEY_PATH to be set');
+                return opts;
+            }
+            // Load client certificate (mutual TLS) if provided
+            const clientCert = cert.clientCertPath ? this.readFileWarning(cert.clientCertPath, 'Client cert') : null;
+            if (cert.clientCertPath && !clientCert)
+                return opts;
+            if (clientCert)
+                connectOptions.cert = clientCert;
+            // Load client key (mutual TLS) if provided
+            const clientKey = cert.clientKeyPath ? this.readFileWarning(cert.clientKeyPath, 'Client key') : null;
+            if (cert.clientKeyPath && !clientKey)
+                return opts;
+            if (clientKey)
+                connectOptions.key = clientKey;
+            // Apply certificate validation setting (whether to accept self-signed/unauthorized certs)
+            if (cert.rejectUnauthorized !== undefined)
+                connectOptions.rejectUnauthorized = cert.rejectUnauthorized;
+            // Guard: Only create undici Agent if there's meaningful TLS customization
+            // This avoids unnecessary overhead when only rejectUnauthorized=true (default behavior)
+            const hasCertCustomization = Boolean(connectOptions.ca || connectOptions.cert || connectOptions.key || connectOptions.rejectUnauthorized === false);
+            if (!hasCertCustomization) {
+                return opts;
+            }
+            // Create undici Agent with the configured TLS settings (singleton, reused for all requests)
+            const agent = new CertAgent({
+                connect: connectOptions
+            });
+            // Get or create HTTPClient to augment
+            const httpClient = opts.httpClient || new http_js_1.HTTPClient();
+            // Warn if this runtime may not support Request.dispatcher (Node.js < 20.18.1)
+            this.warnIfDispatcherUnsupported();
+            // Add a beforeRequest hook that injects the TLS dispatcher into requests.
+            // This hook attaches the pre-created agent to the request, applying TLS configuration
+            // while preserving any user-registered hooks (which execute before this one).
+            // 
+            // The dispatcher option is a Node.js-specific extension for undici integration.
+            // Supported on Node.js >= 20.18.1 with undici available.
+            // On older runtimes or non-Node.js environments, the dispatcher will be silently ignored
+            // (Request constructor doesn't throw on unknown properties, just ignores them).
+            // See: https://nodejs.org/docs/latest/api/fetch.html#fetchinit-options
+            httpClient.addHook('beforeRequest', (req) => {
+                // Create a new Request with the TLS dispatcher injected.
+                // The hook receives a cloned request, so the body is readable and safe to transfer.
+                return new Request(req.url, {
+                    method: req.method,
+                    headers: req.headers,
+                    body: req.body,
+                    // @ts-expect-error - dispatcher is Node.js-specific undici extension, not in standard fetch spec
+                    dispatcher: agent
+                });
+            });
+            return {
+                ...opts,
+                httpClient: httpClient
+            };
+        }
+        catch (error) {
+            sdkLogger.error(`[TLS] Failed to configure custom certificates: ${error}`);
+            return opts;
+        }
+    }
+    /**
+     * Warns if the current Node.js version may not support Request.dispatcher.
+     *
+     * Request.dispatcher is a Node.js-specific extension for undici integration.
+     * It's supported on Node.js >= 20.18.1. On older versions, the dispatcher
+     * property will be silently ignored, and TLS certificates may not be applied.
+     *
+     * See: https://nodejs.org/docs/latest/api/fetch.html#fetchinit-options
+     */
+    warnIfDispatcherUnsupported() {
+        // Only check on Node.js-like environments; skip on browser/Deno
+        if (!(0, runtime_js_1.isNodeLike)()) {
+            return; // Non-Node.js runtimes don't support dispatcher anyway (expected)
+        }
+        try {
+            const nodeVersion = this.getNodeVersion();
+            if (nodeVersion && !this.isNodeVersionSupported(nodeVersion)) {
+                sdkLogger.warn(`[TLS] Node.js ${nodeVersion} detected. Request.dispatcher (required for TLS support) ` +
+                    `is available from Node.js 20.18.1+. Upgrade Node.js to ensure certificates are applied. ` +
+                    `See: https://nodejs.org/docs/latest/api/fetch.html#fetchinit-options`);
+            }
+        }
+        catch (error) {
+            // If version detection fails, silently skip the warning
+            // (version detection is best-effort for user convenience)
+        }
+    }
+    /**
+     * Extracts the Node.js version from process.versions.
+     *
+     * @returns Version string (e.g., "20.10.0") or null if not detectable
+     */
+    getNodeVersion() {
+        try {
+            const proc = globalThis.process;
+            if (proc?.versions?.node) {
+                return proc.versions.node;
+            }
+        }
+        catch {
+            // Ignore errors; version detection is non-critical
+        }
+        return null;
+    }
+    /**
+     * Checks if a Node.js version is >= 20.18.1 (minimum for Request.dispatcher support).
+     *
+     * @param versionStr - Version string (e.g., "20.10.0", "21.0.0")
+     * @returns true if version >= 20.18.1, false otherwise
+     */
+    isNodeVersionSupported(versionStr) {
+        try {
+            // Handle empty or obviously invalid strings early
+            if (!versionStr || typeof versionStr !== 'string') {
+                return true; // Can't parse, assume supported (optimistic)
+            }
+            const parts = versionStr.split('.').map(v => parseInt(v, 10));
+            const major = parts[0];
+            const minor = parts[1] ?? 0;
+            const patch = parts[2] ?? 0;
+            // If major version couldn't be parsed (NaN or undefined), assume supported
+            if (major === undefined || Number.isNaN(major))
+                return true;
+            // Need: major > 20 OR (major === 20 AND minor > 18) OR (major === 20 AND minor === 18 AND patch >= 1)
+            if (major > 20)
+                return true;
+            if (major === 20) {
+                if (minor > 18)
+                    return true;
+                if (minor === 18 && patch >= 1)
+                    return true;
+            }
+            return false;
+        }
+        catch {
+            // If any parsing error occurs, assume version is supported (optimistic)
+            return true;
+        }
+    }
+    /**
+     * Safely reads a certificate/key file from disk with error reporting.
+     *
+     * Checks file existence before reading to provide clear warning messages.
+     * Returns null if file doesn't exist or read fails; logs a warning in either case.
+     *
+     * @param filePath - Absolute or relative path to the certificate/key file
+     * @param fileType - Human-readable description for error messages (e.g., "CA certificate", "Client cert", "Client key")
+     * @returns File content as UTF-8 string, or null if file doesn't exist or read fails
+     */
+    readFileWarning(filePath, fileType) {
+        if (!(0, fs_1.existsSync)(filePath)) {
+            sdkLogger.warn(`[TLS] ${fileType} file not found: ${filePath}`);
+            return null;
+        }
+        return (0, fs_1.readFileSync)(filePath, 'utf-8');
+    }
+}
+exports.CertManagementHook = CertManagementHook;
+//# sourceMappingURL=cert-management.js.map

package/dist/commonjs/hooks/cert-management.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-management.js","sourceRoot":"","sources":["../../../src/hooks/cert-management.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;AAEH,2BAA8C;AAC9C,4CAA4C;AAC5C,gEAAyD;AACzD,kDAA+C;AAG/C,wDAAoD;AACpD,MAAM,SAAS,GAAG,IAAA,4BAAY,GAAE,CAAC;AAWjC,IAAI,SAAuC,CAAC;AAE5C,IAAI,CAAC;IACH,sEAAsE;IACtE,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC;AACtC,CAAC;AAAC,OAAO,KAAK,EAAE,CAAC;IACf,SAAS,CAAC,IAAI,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAC;AAC5D,CAAC;AAGD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAa,kBAAkB;IAC7B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,IAAgB;QACtB,IAAI,CAAC,IAAA,uBAAU,GAAE,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,6DAA6D;QAC7D,MAAM,IAAI,GAAG,iCAAa,CAAC,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,yEAAyE;YACzE,IAAI,EAA6B,CAAC;YAElC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,2DAA2D;gBAC3D,EAAE,GAAG,IAAI,CAAC,aAAa,CAAC;YAC1B,CAAC;iBAAM,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3B,2EAA2E;gBAC3E,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;gBAC7D,IAAI,CAAC,EAAE;oBAAE,OAAO,IAAI,CAAC;YACvB,CAAC;YAED,wFAAwF;YACxF,MAAM,cAAc,GAKhB,EAAE,CAAC;YAEP,IAAI,EAAE,EAAE,CAAC;gBACP,cAAc,CAAC,EAAE,GAAG,EAAE,CAAC;YACzB,CAAC;YAED,sFAAsF;YACtF,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;gBAChG,SAAS,CAAC,KAAK,CAAC,+FAA+F,CAAC,CAAC;gBACjH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mDAAmD;YACnD,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACzG,IAAI,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU;gBAAE,OAAO,IAAI,CAAC;YACpD,IAAI,UAAU;gBAAE,cAAc,CAAC,IAAI,GAAG,UAAU,CAAC;YAEjD,2CAA2C;YAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACrG,IAAI,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YAClD,IAAI,SAAS;gBAAE,cAAc,CAAC,GAAG,GAAG,SAAS,CAAC;YAE9C,0FAA0F;YAC1F,IAAI,IAAI,CAAC,kBAAkB,KAAK,SAAS;gBACvC,cAAc,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;YAE9D,0EAA0E;YAC1E,wFAAwF;YACxF,MAAM,oBAAoB,GAAG,OAAO,CAAC,cAAc,CAAC,EAAE,IAAI,cAAc,CAAC,IAAI,IAAI,cAAc,CAAC,GAAG,IAAI,cAAc,CAAC,kBAAkB,KAAK,KAAK,CAAC,CAAC;YACpJ,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,4FAA4F;YAC5F,MAAM,KAAK,GAAG,IAAI,SAAS,CAAC;gBAC1B,OAAO,EAAE,cAAc;aACxB,CAAC,CAAC;YAEH,sCAAsC;YACtC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,oBAAU,EAAE,CAAC;YAEvD,8EAA8E;YAC9E,IAAI,CAAC,2BAA2B,EAAE,CAAC;YAEnC,0EAA0E;YAC1E,sFAAsF;YACtF,8EAA8E;YAC9E,GAAG;YACH,gFAAgF;YAChF,yDAAyD;YACzD,yFAAyF;YACzF,gFAAgF;YAChF,uEAAuE;YACvE,UAAU,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,GAAY,EAAW,EAAE;gBAC5D,yDAAyD;gBACzD,oFAAoF;gBACpF,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE;oBAC1B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,iGAAiG;oBACjG,UAAU,EAAE,KAAK;iBAClB,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,OAAO;gBACL,GAAG,IAAI;gBACP,UAAU,EAAE,UAAU;aACvB,CAAC;QAEJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,SAAS,CAAC,KAAK,CAAC,kDAAkD,KAAK,EAAE,CAAC,CAAC;YAC3E,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACK,2BAA2B;QACjC,gEAAgE;QAChE,IAAI,CAAC,IAAA,uBAAU,GAAE,EAAE,CAAC;YAClB,OAAO,CAAC,kEAAkE;QAC5E,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1C,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7D,SAAS,CAAC,IAAI,CACZ,iBAAiB,WAAW,2DAA2D;oBACvF,0FAA0F;oBAC1F,sEAAsE,CACvE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wDAAwD;YACxD,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,IAAI,CAAC;YACH,MAAM,IAAI,GAAI,UAEZ,CAAC,OAAO,CAAC;YAEX,IAAI,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;gBACzB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAC5B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,sBAAsB,CAAC,UAAkB;QAC/C,IAAI,CAAC;YACH,kDAAkD;YAClD,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,IAAI,CAAC,CAAC,6CAA6C;YAC5D,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAC9D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAE5B,2EAA2E;YAC3E,IAAI,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAE5D,sGAAsG;YACtG,IAAI,KAAK,GAAG,EAAE;gBAAE,OAAO,IAAI,CAAC;YAC5B,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;gBACjB,IAAI,KAAK,GAAG,EAAE;oBAAE,OAAO,IAAI,CAAC;gBAC5B,IAAI,KAAK,KAAK,EAAE,IAAI,KAAK,IAAI,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC9C,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACK,eAAe,CAAC,QAAgB,EAAE,QAAgB;QACxD,IAAI,CAAC,IAAA,eAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,SAAS,CAAC,IAAI,CAAC,SAAS,QAAQ,oBAAoB,QAAQ,EAAE,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAA,iBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;CACF;AA3ND,gDA2NC"}

package/dist/commonjs/hooks/error-cleaner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error-cleaner.d.ts","sourceRoot":"","sources":["../../../src/hooks/error-cleaner.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEpE;;GAEG;AACH,qBAAa,gBAAiB,YAAW,cAAc;IAChD,UAAU,CACf,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,QAAQ,GAAG,IAAI,EACzB,KAAK,EAAE,OAAO,GACZ,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;CA8DzD"}
+{"version":3,"file":"error-cleaner.d.ts","sourceRoot":"","sources":["../../../src/hooks/error-cleaner.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEpE;;GAEG;AACH,qBAAa,gBAAiB,YAAW,cAAc;IAChD,UAAU,CACf,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,QAAQ,GAAG,IAAI,EACzB,KAAK,EAAE,OAAO,GACZ,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;CAuDzD"}

package/dist/commonjs/hooks/error-cleaner.js

@@ -8,10 +8,6 @@ const custom_errors_js_1 = require("../types/custom-errors.js");
 class ErrorCleanerHook {
     async afterError(hookCtx, response, error) {
         void hookCtx;
-        console.log("#####################################################");
-        console.log("eRROR CLEANER HOOK - ERROR:", error);
-        console.log("eRROR CLEANER HOOK - RESPONSE:", response);
-        console.log("eRROR CLEANER HOOK - HOOK CTX:", hookCtx);
         try {
             if (!response)
                 return { response, error };

package/dist/commonjs/hooks/error-cleaner.js.map

@@ -1 +1 @@
-{"version":3,"file":"error-cleaner.js","sourceRoot":"","sources":["../../../src/hooks/error-cleaner.ts"],"names":[],"mappings":";;;AAAA,gEAMmC;AAGnC;;GAEG;AACH,MAAa,gBAAgB;IAC5B,KAAK,CAAC,UAAU,CACf,OAA0B,EAC1B,QAAyB,EACzB,KAAc;QAEd,KAAK,OAAO,CAAC;QAGX,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,QAAQ,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,OAAO,CAAC,CAAC;QAGzD,IAAG,CAAC;YACH,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;YAE1C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;YAC/C,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;YAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAEhF,MAAM,UAAU,GAAG,IAA+B,CAAC;YACnD,IAAI,gBAAgB,IAAI,UAAU,EAAE,CAAC;gBACpC,MAAM,aAAa,GAAG,UAAU,CAAC,gBAAgB,CAAC,CAAC;gBACnD,IAAI,IAAA,gDAA6B,EAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,OAAO;wBACN,QAAQ;wBACR,KAAK,EAAE,IAAI,kCAAe,CAAC,aAAa,CAAC;qBACzC,CAAC;gBACH,CAAC;gBAED,OAAO;oBACN,QAAQ;oBACR,KAAK,EAAE,IAAI,KAAK,CAAC,iDAA8B,CAAC;iBAChD,CAAC;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,UAAU,EAAE,CAAC;gBAC5B,MAAM,aAAa,GAClB,IAAA,wCAAqB,EAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,IAAI,wCAAqB,CAAC;gBACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;gBAEnC,IAAI,UAAU,EAAE,CAAC;oBAChB,OAAO;wBACN,QAAQ;wBACR,KAAK,EAAE,IAAI,KAAK,CACf,0EAA0E,UAAU,iBAAiB,aAAa,EAAE,CACpH;qBACD,CAAC;gBACH,CAAC;gBAED,OAAO;oBACN,QAAQ;oBACR,KAAK,EAAE,IAAI,KAAK,CACf,oCAAoC,aAAa,EAAE,CACnD;iBACD,CAAC;YACH,CAAC;YAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAAA,OAAM,KAAK,EAAC,CAAC;YACb,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACF,CAAC;CACD;AAnED,4CAmEC"}
+{"version":3,"file":"error-cleaner.js","sourceRoot":"","sources":["../../../src/hooks/error-cleaner.ts"],"names":[],"mappings":";;;AAAA,gEAMmC;AAGnC;;GAEG;AACH,MAAa,gBAAgB;IAC5B,KAAK,CAAC,UAAU,CACf,OAA0B,EAC1B,QAAyB,EACzB,KAAc;QAEd,KAAK,OAAO,CAAC;QAEb,IAAG,CAAC;YACH,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;YAE1C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;YAC/C,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;YAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAEhF,MAAM,UAAU,GAAG,IAA+B,CAAC;YACnD,IAAI,gBAAgB,IAAI,UAAU,EAAE,CAAC;gBACpC,MAAM,aAAa,GAAG,UAAU,CAAC,gBAAgB,CAAC,CAAC;gBACnD,IAAI,IAAA,gDAA6B,EAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,OAAO;wBACN,QAAQ;wBACR,KAAK,EAAE,IAAI,kCAAe,CAAC,aAAa,CAAC;qBACzC,CAAC;gBACH,CAAC;gBAED,OAAO;oBACN,QAAQ;oBACR,KAAK,EAAE,IAAI,KAAK,CAAC,iDAA8B,CAAC;iBAChD,CAAC;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,UAAU,EAAE,CAAC;gBAC5B,MAAM,aAAa,GAClB,IAAA,wCAAqB,EAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,IAAI,wCAAqB,CAAC;gBACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;gBAEnC,IAAI,UAAU,EAAE,CAAC;oBAChB,OAAO;wBACN,QAAQ;wBACR,KAAK,EAAE,IAAI,KAAK,CACf,0EAA0E,UAAU,iBAAiB,aAAa,EAAE,CACpH;qBACD,CAAC;gBACH,CAAC;gBAED,OAAO;oBACN,QAAQ;oBACR,KAAK,EAAE,IAAI,KAAK,CACf,oCAAoC,aAAa,EAAE,CACnD;iBACD,CAAC;YACH,CAAC;YAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAAA,OAAM,KAAK,EAAC,CAAC;YACb,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACF,CAAC;CACD;AA5DD,4CA4DC"}

package/dist/commonjs/hooks/registration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../../src/hooks/registration.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAQxC,wBAAgB,SAAS,CAAC,KAAK,EAAE,KAAK,QASrC"}
+{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../../src/hooks/registration.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAQxC,wBAAgB,SAAS,CAAC,KAAK,EAAE,KAAK,QAarC"}

package/dist/commonjs/hooks/registration.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.initHooks = initHooks;
+const cert_management_js_1 = require("./cert-management.js");
 const error_cleaner_js_1 = require("./error-cleaner.js");
 const token_management_js_1 = require("./token-management.js");
 /*
@@ -9,6 +10,9 @@ const token_management_js_1 = require("./token-management.js");
  * in this file or in separate files in the hooks folder.
  */
 function initHooks(hooks) {
+    // Register cert management (TLS with undici Agent)
+    const certHook = new cert_management_js_1.CertManagementHook();
+    hooks.registerSDKInitHook(certHook);
     // Register token management hooks
     const tokenHook = new token_management_js_1.TokenManagementHook();
     hooks.registerBeforeRequestHook(tokenHook);

package/dist/commonjs/hooks/registration.js.map

@@ -1 +1 @@
-{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../../src/hooks/registration.ts"],"names":[],"mappings":";;AAUA,8BASC;AAnBD,yDAAsD;AACtD,+DAA4D;AAG5D;;;;GAIG;AAEH,SAAgB,SAAS,CAAC,KAAY;IACrC,kCAAkC;IAClC,MAAM,SAAS,GAAG,IAAI,yCAAmB,EAAE,CAAC;IAC5C,KAAK,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC3C,KAAK,CAAC,wBAAwB,CAAC,SAAS,CAAC,CAAC;IAE1C,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG,IAAI,mCAAgB,EAAE,CAAC;IAChD,KAAK,CAAC,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;AAChD,CAAC"}
+{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../../src/hooks/registration.ts"],"names":[],"mappings":";;AAWA,8BAaC;AAxBD,6DAA0D;AAC1D,yDAAsD;AACtD,+DAA4D;AAG5D;;;;GAIG;AAEH,SAAgB,SAAS,CAAC,KAAY;IACrC,mDAAmD;IACnD,MAAM,QAAQ,GAAG,IAAI,uCAAkB,EAAE,CAAC;IAC1C,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAEpC,kCAAkC;IAClC,MAAM,SAAS,GAAG,IAAI,yCAAmB,EAAE,CAAC;IAC5C,KAAK,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC3C,KAAK,CAAC,wBAAwB,CAAC,SAAS,CAAC,CAAC;IAE1C,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG,IAAI,mCAAgB,EAAE,CAAC;IAChD,KAAK,CAAC,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;AAChD,CAAC"}

package/dist/commonjs/index.d.ts

@@ -1,5 +1,6 @@
 export * from "./lib/config.js";
 export * from "./lib/galileo-config.js";
+export * from "./lib/sdk-logger.js";
 export * as files from "./lib/files.js";
 export { HTTPClient } from "./lib/http.js";
 export type { Fetcher, HTTPClientOptions } from "./lib/http.js";

package/dist/commonjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAIA,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAChE,cAAc,cAAc,CAAC;AAC7B,cAAc,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAIA,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,OAAO,KAAK,KAAK,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAChE,cAAc,cAAc,CAAC;AAC7B,cAAc,mBAAmB,CAAC"}

package/dist/commonjs/index.js

@@ -42,6 +42,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.HTTPClient = exports.files = void 0;
 __exportStar(require("./lib/config.js"), exports);
 __exportStar(require("./lib/galileo-config.js"), exports);
+__exportStar(require("./lib/sdk-logger.js"), exports);
 exports.files = __importStar(require("./lib/files.js"));
 var http_js_1 = require("./lib/http.js");
 Object.defineProperty(exports, "HTTPClient", { enumerable: true, get: function () { return http_js_1.HTTPClient; } });

package/dist/commonjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,kDAAgC;AAChC,0DAAwC;AACxC,wDAAwC;AACxC,yCAA2C;AAAlC,qGAAA,UAAU,OAAA;AAEnB,+CAA6B;AAC7B,oDAAkC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,kDAAgC;AAChC,0DAAwC;AACxC,sDAAoC;AACpC,wDAAwC;AACxC,yCAA2C;AAAlC,qGAAA,UAAU,OAAA;AAEnB,+CAA6B;AAC7B,oDAAkC"}

package/dist/commonjs/lib/galileo-config.d.ts

@@ -1,5 +1,11 @@
+import type { LogLevel } from "../types/sdk-logger.types.js";
 /**
- * Configuration input for the Galileo SDK (URLs, auth, project, and log stream).
+ * Configuration input for the Galileo SDK.
+ *
+ * Includes URLs (console, API), authentication credentials (API key, username/password, SSO tokens),
+ * project/log stream identifiers, logging configuration, and TLS/certificate settings.
+ *
+ * All properties are optional; values resolve from environment variables or browser storage by default.
  */
 export type GalileoConfigInput = {
     consoleUrl?: string;
@@ -11,12 +17,25 @@ export type GalileoConfigInput = {
     ssoProvider?: string;
     jwtToken?: string;
     refreshToken?: string;
-    logLevel?: string | number;
+    logLevel?: LogLevel | undefined;
     projectName?: string;
     logStreamName?: string;
+    /** Path to CA certificate file. */
+    caCertPath?: string;
+    /** Direct CA certificate content. */
+    caCertContent?: string;
+    /** Client certificate path. */
+    clientCertPath?: string;
+    /** Client key path. */
+    clientKeyPath?: string;
+    /** Whether to reject unauthorized (e.g. self-signed) certificates. */
+    rejectUnauthorized?: boolean;
 };
 /**
- * Authentication credentials (API key, username/password, or SSO).
+ * Resolved authentication credentials extracted from config.
+ *
+ * Contains one or more of: API key, username/password pair, or SSO credentials.
+ * Returned by getAuthCredentials() method.
  */
 export type AuthCredentials = {
     apiKey?: string;
@@ -26,7 +45,28 @@ export type AuthCredentials = {
     ssoProvider?: string;
 };
 /**
- * Snapshot shape for base-entity compatibility: apiUrl, apiKey, login, and sso.
+ * TLS/certificate configuration for API requests.
+ *
+ * Supports custom CA certificates (via file path or direct content) and mutual TLS (mTLS)
+ * with client certificates and keys. Controls whether unauthorized (self-signed) certificates
+ * are accepted via rejectUnauthorized flag.
+ *
+ * Returned by getCertConfig() method or included in config snapshot.
+ */
+export type CertConfig = {
+    caCertPath?: string;
+    caCertContent?: string;
+    clientCertPath?: string;
+    clientKeyPath?: string;
+    rejectUnauthorized?: boolean;
+};
+/**
+ * Config snapshot for BaseEntity compatibility.
+ *
+ * Flattened representation of resolved configuration including API URL, API key, login credentials
+ * (username/password), SSO information (idToken/provider), and TLS certificate configuration.
+ *
+ * Used for entity authentication and API interactions.
  */
 export type GalileoConfigSnapshot = {
     apiUrl?: string;
@@ -39,7 +79,9 @@ export type GalileoConfigSnapshot = {
         idToken?: string;
         provider?: string;
     };
+    cert?: CertConfig;
 };
+export declare function isValidLogLevel(value: unknown): value is LogLevel;
 /**
  * Singleton configuration for the Galileo SDK (env-aware across Node, Deno, and browser).
  */
@@ -54,38 +96,87 @@ export declare class GalileoConfig {
     readonly ssoProvider: string | undefined;
     readonly jwtToken: string | undefined;
     readonly refreshToken: string | undefined;
-    readonly logLevel: string | number | undefined;
+    readonly logLevel: LogLevel | undefined;
     readonly projectName: string | undefined;
     readonly logStreamName: string | undefined;
+    readonly caCertPath: string | undefined;
+    readonly caCertContent: string | undefined;
+    readonly clientCertPath: string | undefined;
+    readonly clientKeyPath: string | undefined;
+    readonly rejectUnauthorized: boolean | undefined;
     private constructor();
     /**
-     * Returns a snapshot compatible with BaseEntity: apiUrl (resolved), apiKey, login, and sso.
-     * @returns The config snapshot for entity authentication and API URL.
+     * Returns a snapshot compatible with BaseEntity, including resolved apiUrl, apiKey, login, sso, and cert.
+     *
+     * - apiUrl is resolved from consoleUrl if not explicitly set
+     * - login contains username and/or password if present
+     * - sso contains idToken and/or provider if present
+     * - cert contains all configured TLS/certificate settings if any are present
+     *
+     * @returns The config snapshot for entity authentication and API configuration.
      */
     get snapshot(): GalileoConfigSnapshot;
     /**
-     * Returns the singleton config instance, merging environment and optional overrides.
+     * Returns the singleton config instance, resolving from environment and optional overrides.
+     *
+     * On first call (or when overrides are provided), resolves configuration from:
+     * 1. Environment variables or browser storage (via resolveFromEnvironment)
+     * 2. Constructor overrides (via merge)
+     *
+     * The instance is cached and reused on subsequent calls unless overrides are provided.
+     * To reset the singleton, call reset().
+     *
      * @param overrides - (Optional) Config values to merge over environment and defaults.
-     * @returns The GalileoConfig instance.
+     * @returns The GalileoConfig singleton instance.
      */
     static get(overrides?: GalileoConfigInput): GalileoConfig;
     /**
-     * Clears the singleton instance. Next get() will rebuild from environment and overrides.
+     * Clears the singleton instance.
+     *
+     * Next call to get() will rebuild the instance from environment variables or browser storage.
+     * Useful for testing or when configuration has changed and needs to be reloaded.
      */
     static reset(): void;
     /**
      * Returns the API base URL, resolved from consoleUrl or explicit apiUrl.
-     * @param projectType - (Optional) Project type used when neither apiUrl nor consoleUrl is set (e.g. "gen_ai").
+     *
+     * Resolution logic:
+     * 1. If apiUrl is set, return it as-is
+     * 2. If consoleUrl is set, derive apiUrl by replacing "app.galileo.ai" or "console" with "api"
+     * 3. For localhost consoleUrl, return "http://localhost:8088"
+     * 4. If neither consoleUrl nor apiUrl is set, use projectType default (e.g., "gen_ai" → "https://api.galileo.ai")
+     * 5. If no projectType and neither URL is set, throw an error
+     *
+     * @param projectType - (Optional) Default project type for API URL when neither apiUrl nor consoleUrl is set.
      * @returns The resolved API URL.
+     * @throws Error if apiUrl, consoleUrl, and projectType are all unset.
      */
     getApiUrl(projectType?: string): string;
     /**
-     * Returns the current auth credentials (API key, username/password, or SSO).
-     * @returns The AuthCredentials object with present values.
+     * Returns the current authentication credentials.
+     *
+     * Extracts and returns all present credentials: API key, username/password pair, and/or SSO tokens.
+     * Only populated fields are included in the returned object.
+     *
+     * @returns The AuthCredentials object with present credential values.
      */
     getAuthCredentials(): AuthCredentials;
     /**
-     * Logs a safe summary of the config to the console (passwords and tokens omitted).
+     * Returns TLS/certificate configuration for API requests.
+     *
+     * Extracts and returns all present certificate settings: CA certificate (path or content),
+     * client certificate and key (for mTLS), and rejectUnauthorized flag.
+     * Only populated fields are included in the returned object.
+     *
+     * @returns The CertConfig object with present values, or null if no certificate configuration is set.
+     */
+    getCertConfig(): CertConfig | null;
+    /**
+     * Logs a safe summary of the current configuration to the console.
+     *
+     * Omits sensitive values (passwords, API keys, SSO tokens) and instead logs boolean flags
+     * (hasApiKey, hasPassword, hasSsoIdToken) to indicate their presence without revealing content.
+     * Useful for debugging configuration issues in production environments.
      */
     logConfig(): void;
 }

package/dist/commonjs/lib/galileo-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"galileo-config.d.ts","sourceRoot":"","sources":["../../../src/lib/galileo-config.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,GAAG,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC/C,CAAC;AAmOF;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA8B;IAErD,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/C,SAAgB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3C,SAAgB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3C,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/C,SAAgB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChD,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;IACjD,SAAgB,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtD,SAAgB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChD,SAAgB,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAElD,OAAO;IAeP;;;OAGG;IACH,IAAI,QAAQ,IAAI,qBAAqB,CA0BpC;IAED;;;;OAIG;WACW,GAAG,CAAC,SAAS,GAAE,kBAAuB,GAAG,aAAa;IAWpE;;OAEG;WACW,KAAK,IAAI,IAAI;IAI3B;;;;OAIG;IACI,SAAS,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM;IAI9C;;;OAGG;IACI,kBAAkB,IAAI,eAAe;IAc5C;;OAEG;IACI,SAAS,IAAI,IAAI;CAezB"}
+{"version":3,"file":"galileo-config.d.ts","sourceRoot":"","sources":["../../../src/lib/galileo-config.ts"],"names":[],"mappings":"AAyBA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,QAAQ,GAAG,SAAS,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uBAAuB;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sEAAsE;IACtE,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,GAAG,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB,CAAC;AA6CF,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAEjE;AAgQD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA8B;IAErD,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/C,SAAgB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3C,SAAgB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3C,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/C,SAAgB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChD,SAAgB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAgB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;IACjD,SAAgB,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC/C,SAAgB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChD,SAAgB,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClD,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/C,SAAgB,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClD,SAAgB,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;IACnD,SAAgB,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClD,SAAgB,kBAAkB,EAAE,OAAO,GAAG,SAAS,CAAC;IAExD,OAAO;IAoBP;;;;;;;;;OASG;IACH,IAAI,QAAQ,IAAI,qBAAqB,CA4BpC;IAED;;;;;;;;;;;;OAYG;WACW,GAAG,CAAC,SAAS,GAAE,kBAAuB,GAAG,aAAa;IAWpE;;;;;OAKG;WACW,KAAK,IAAI,IAAI;IAI3B;;;;;;;;;;;;;OAaG;IACI,SAAS,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM;IAI9C;;;;;;;OAOG;IACI,kBAAkB,IAAI,eAAe;IAc5C;;;;;;;;OAQG;IACI,aAAa,IAAI,UAAU,GAAG,IAAI;IAmBzC;;;;;;OAMG;IACI,SAAS,IAAI,IAAI;CAkBzB"}