kontext-sdk 0.2.0 → 0.2.5

package/dist/index.js

@@ -1,8 +1,8 @@
 'use strict';
 
 var crypto$1 = require('crypto');
-var fs2 = require('fs');
-var path2 = require('path');
+var fs3 = require('fs');
+var path3 = require('path');
 
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -22,8 +22,8 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
 
-var fs2__namespace = /*#__PURE__*/_interopNamespace(fs2);
-var path2__namespace = /*#__PURE__*/_interopNamespace(path2);
+var fs3__namespace = /*#__PURE__*/_interopNamespace(fs3);
+var path3__namespace = /*#__PURE__*/_interopNamespace(path3);
 
 // src/types.ts
 var KontextErrorCode = /* @__PURE__ */ ((KontextErrorCode2) => {
@@ -51,6 +51,8 @@ var KontextError = class extends Error {
 };
 
 // src/store.ts
+var DEFAULT_MAX_ENTRIES = 1e4;
+var EVICTION_RATIO = 0.1;
 var STORAGE_KEYS = {
   actions: "kontext:actions",
   transactions: "kontext:transactions",
@@ -63,6 +65,10 @@ var KontextStore = class {
   tasks = /* @__PURE__ */ new Map();
   anomalies = [];
   storageAdapter = null;
+  maxEntries;
+  constructor(maxEntries = DEFAULT_MAX_ENTRIES) {
+    this.maxEntries = maxEntries;
+  }
   /**
    * Attach a storage adapter for persistence.
    *
@@ -86,14 +92,15 @@ var KontextStore = class {
    */
   async flush() {
     if (!this.storageAdapter) return;
+    const actionsSnapshot = [...this.actions];
+    const transactionsSnapshot = [...this.transactions];
+    const tasksSnapshot = Array.from(this.tasks.entries());
+    const anomaliesSnapshot = [...this.anomalies];
     await Promise.all([
-      this.storageAdapter.save(STORAGE_KEYS.actions, this.actions),
-      this.storageAdapter.save(STORAGE_KEYS.transactions, this.transactions),
-      this.storageAdapter.save(
-        STORAGE_KEYS.tasks,
-        Array.from(this.tasks.entries())
-      ),
-      this.storageAdapter.save(STORAGE_KEYS.anomalies, this.anomalies)
+      this.storageAdapter.save(STORAGE_KEYS.actions, actionsSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.transactions, transactionsSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.tasks, tasksSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.anomalies, anomaliesSnapshot)
     ]);
   }
   /**
@@ -125,9 +132,12 @@ var KontextStore = class {
   // --------------------------------------------------------------------------
   // Actions
   // --------------------------------------------------------------------------
-  /** Append an action log entry. */
+  /** Append an action log entry. Evicts oldest 10% when maxEntries is exceeded. */
   addAction(action) {
     this.actions.push(action);
+    if (this.actions.length > this.maxEntries) {
+      this.actions.splice(0, Math.ceil(this.maxEntries * EVICTION_RATIO));
+    }
   }
   /** Retrieve all action log entries. */
   getActions() {
@@ -144,9 +154,12 @@ var KontextStore = class {
   // --------------------------------------------------------------------------
   // Transactions
   // --------------------------------------------------------------------------
-  /** Append a transaction record. */
+  /** Append a transaction record. Evicts oldest 10% when maxEntries is exceeded. */
   addTransaction(tx) {
     this.transactions.push(tx);
+    if (this.transactions.length > this.maxEntries) {
+      this.transactions.splice(0, Math.ceil(this.maxEntries * EVICTION_RATIO));
+    }
   }
   /** Retrieve all transaction records. */
   getTransactions() {
@@ -194,9 +207,12 @@ var KontextStore = class {
   // --------------------------------------------------------------------------
   // Anomalies
   // --------------------------------------------------------------------------
-  /** Append an anomaly event. */
+  /** Append an anomaly event. Evicts oldest 10% when maxEntries is exceeded. */
   addAnomaly(anomaly) {
     this.anomalies.push(anomaly);
+    if (this.anomalies.length > this.maxEntries) {
+      this.anomalies.splice(0, Math.ceil(this.maxEntries * EVICTION_RATIO));
+    }
   }
   /** Retrieve all anomaly events. */
   getAnomalies() {
@@ -397,7 +413,8 @@ var DigestChain = class {
    */
   getPrecisionTimestamp() {
     const hrtime = process.hrtime.bigint();
-    const microseconds = Number((hrtime - this.hrtimeBase) % 1000000n);
+    const delta = hrtime >= this.hrtimeBase ? hrtime - this.hrtimeBase : 0n;
+    const microseconds = Number(delta % 1000000n);
     return {
       iso: (/* @__PURE__ */ new Date()).toISOString(),
       hrtime,
@@ -492,6 +509,12 @@ function toCsv(records) {
 function clamp(value, min, max) {
   return Math.min(Math.max(value, min), max);
 }
+var LOG_LEVEL_SEVERITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
 var ActionLogger = class {
   config;
   store;
@@ -501,6 +524,7 @@ var ActionLogger = class {
   batchSize;
   flushIntervalMs;
   isCloudMode;
+  logLevel;
   constructor(config, store) {
     this.config = config;
     this.store = store;
@@ -508,6 +532,7 @@ var ActionLogger = class {
     this.batchSize = config.batchSize ?? 50;
     this.flushIntervalMs = config.flushIntervalMs ?? 5e3;
     this.isCloudMode = !!config.apiKey;
+    this.logLevel = config.logLevel ?? (config.debug ? "debug" : "warn");
     this.flushTimer = setInterval(() => {
       void this.flush();
     }, this.flushIntervalMs);
@@ -550,9 +575,7 @@ var ActionLogger = class {
     if (this.batch.length >= this.batchSize) {
       await this.flush();
     }
-    if (this.config.debug) {
-      this.debugLog("Action logged", action);
-    }
+    this.emitLog("debug", "Action logged", action);
     return action;
   }
   /**
@@ -604,9 +627,7 @@ var ActionLogger = class {
     if (this.batch.length >= this.batchSize) {
       await this.flush();
     }
-    if (this.config.debug) {
-      this.debugLog("Transaction logged", record);
-    }
+    this.emitLog("debug", "Transaction logged", record);
     return record;
   }
   /**
@@ -708,21 +729,19 @@ var ActionLogger = class {
   }
   flushToFile(actions) {
     const outputDir = this.config.localOutputDir ?? ".kontext";
-    const logDir = path2__namespace.join(outputDir, "logs");
+    const logDir = path3__namespace.join(outputDir, "logs");
     try {
-      fs2__namespace.mkdirSync(logDir, { recursive: true });
+      fs3__namespace.mkdirSync(logDir, { recursive: true });
       const filename = `actions-${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.jsonl`;
-      const filePath = path2__namespace.join(logDir, filename);
+      const filePath = path3__namespace.join(logDir, filename);
       const lines = actions.map((a) => JSON.stringify(a)).join("\n") + "\n";
-      fs2__namespace.appendFileSync(filePath, lines, "utf-8");
+      fs3__namespace.appendFileSync(filePath, lines, "utf-8");
     } catch (error) {
-      if (this.config.debug) {
-        this.debugLog("Failed to write log file", { error });
-      }
+      this.emitLog("warn", "Failed to write log file", { error });
     }
   }
   async flushToApi(actions) {
-    const apiUrl = this.config.apiUrl ?? "https://kontext-api-421314897784.us-central1.run.app";
+    const apiUrl = this.config.apiUrl ?? process.env["KONTEXT_API_URL"] ?? "https://api.kontext.so";
     try {
       const response = await fetch(`${apiUrl}/v1/actions`, {
         method: "POST",
@@ -742,15 +761,35 @@ var ActionLogger = class {
       }
     } catch (error) {
       if (error instanceof KontextError) throw error;
-      if (this.config.debug) {
-        this.debugLog("API flush failed, falling back to local file", { error });
-      }
+      this.emitLog("warn", "API flush failed, falling back to local file", { error });
       this.flushToFile(actions);
     }
   }
-  debugLog(message, data) {
+  /**
+   * Emit a log message at the specified severity level.
+   * Only outputs if the message level meets or exceeds the configured logLevel.
+   */
+  emitLog(level, message, data) {
+    if (LOG_LEVEL_SEVERITY[level] < LOG_LEVEL_SEVERITY[this.logLevel]) {
+      return;
+    }
     const timestamp = now();
-    console.debug(`[Kontext ${timestamp}] ${message}`, data ? JSON.stringify(data, null, 2) : "");
+    const formatted = `[Kontext ${timestamp}] ${message}`;
+    const payload = data ? JSON.stringify(data, null, 2) : "";
+    switch (level) {
+      case "debug":
+        console.debug(formatted, payload);
+        break;
+      case "info":
+        console.info(formatted, payload);
+        break;
+      case "warn":
+        console.warn(formatted, payload);
+        break;
+      case "error":
+        console.error(formatted, payload);
+        break;
+    }
   }
 };
 
@@ -1478,6 +1517,18 @@ var AuditExporter = class {
 };
 
 // src/trust.ts
+var TRUST_LEVEL_VERIFIED = 90;
+var TRUST_LEVEL_HIGH = 70;
+var TRUST_LEVEL_MEDIUM = 50;
+var TRUST_LEVEL_LOW = 30;
+var RISK_FLAG_THRESHOLD = 60;
+var RISK_BLOCK_THRESHOLD = 80;
+var RISK_REVIEW_THRESHOLD = 50;
+var WEIGHT_HISTORY = 0.15;
+var WEIGHT_TASK_COMPLETION = 0.25;
+var WEIGHT_ANOMALY = 0.25;
+var WEIGHT_TX_CONSISTENCY = 0.2;
+var WEIGHT_COMPLIANCE = 0.15;
 var TrustScorer = class {
   config;
   store;
@@ -1536,8 +1587,8 @@ var TrustScorer = class {
     const totalScore = factors.reduce((sum, f) => sum + f.score, 0);
     const riskScore = clamp(Math.round(totalScore / Math.max(factors.length, 1)), 0, 100);
     const riskLevel = this.riskScoreToLevel(riskScore);
-    const flagged = riskScore >= 60;
-    const recommendation = riskScore >= 80 ? "block" : riskScore >= 50 ? "review" : "approve";
+    const flagged = riskScore >= RISK_FLAG_THRESHOLD;
+    const recommendation = riskScore >= RISK_BLOCK_THRESHOLD ? "block" : riskScore >= RISK_REVIEW_THRESHOLD ? "review" : "approve";
     return {
       txHash: tx.txHash,
       riskScore,
@@ -1552,17 +1603,34 @@ var TrustScorer = class {
   // Agent trust factor computation
   // --------------------------------------------------------------------------
   computeAgentFactors(agentId) {
-    const factors = [];
-    factors.push(this.computeHistoryDepthFactor(agentId));
-    factors.push(this.computeTaskCompletionFactor(agentId));
-    factors.push(this.computeAnomalyFrequencyFactor(agentId));
-    factors.push(this.computeTransactionConsistencyFactor(agentId));
-    factors.push(this.computeComplianceAdherenceFactor(agentId));
-    return factors;
+    const data = {
+      actions: this.store.getActionsByAgent(agentId),
+      transactions: this.store.getTransactionsByAgent(agentId),
+      tasks: this.store.queryTasks((t) => t.agentId === agentId),
+      anomalies: this.store.queryAnomalies((a) => a.agentId === agentId)
+    };
+    return [
+      this.computeHistoryDepthFactor(data),
+      this.computeTaskCompletionFactor(data),
+      this.computeAnomalyFrequencyFactor(data),
+      this.computeTransactionConsistencyFactor(data),
+      this.computeComplianceAdherenceFactor(data)
+    ];
   }
-  computeHistoryDepthFactor(agentId) {
-    const actions = this.store.getActionsByAgent(agentId);
-    const count = actions.length;
+  /**
+   * History depth factor: more recorded actions = more data to assess trust.
+   *
+   * Scoring curve (step function, not linear) prevents gaming by spamming
+   * low-value actions — crossing each tier requires meaningfully more history:
+   * - 0 actions → 10 (minimal trust, new agent)
+   * - 1-4 → 30 (some activity but too little to draw conclusions)
+   * - 5-19 → 50 (neutral, moderate activity)
+   * - 20-49 → 70 (established agent with reasonable track record)
+   * - 50-99 → 85 (well-established agent)
+   * - 100+ → 95 (capped below 100 because history alone doesn't guarantee trust)
+   */
+  computeHistoryDepthFactor(data) {
+    const count = data.actions.length;
     let score;
     if (count === 0) score = 10;
     else if (count < 5) score = 30;
@@ -1573,44 +1641,65 @@ var TrustScorer = class {
     return {
       name: "history_depth",
       score,
-      weight: 0.15,
+      weight: WEIGHT_HISTORY,
       description: `Agent has ${count} recorded actions`
     };
   }
-  computeTaskCompletionFactor(agentId) {
-    const tasks = this.store.queryTasks((t) => t.agentId === agentId);
-    const totalTasks = tasks.length;
+  /**
+   * Task completion factor: agents that confirm tasks build trust, failures erode it.
+   *
+   * Formula: score = (completionRate * 100) - (failureRate * 30)
+   * - The 30x failure penalty means each failure costs 3x more than a confirmation gains.
+   *   This asymmetry reflects real-world trust: it takes many good actions to build trust
+   *   but only a few failures to lose it.
+   * - Returns 50 (neutral) when no tasks exist, avoiding penalizing new agents.
+   */
+  computeTaskCompletionFactor(data) {
+    const totalTasks = data.tasks.length;
     if (totalTasks === 0) {
       return {
         name: "task_completion",
         score: 50,
         // Neutral if no tasks
-        weight: 0.25,
+        weight: WEIGHT_TASK_COMPLETION,
         description: "No tasks recorded yet"
       };
     }
-    const confirmed = tasks.filter((t) => t.status === "confirmed").length;
-    const failed = tasks.filter((t) => t.status === "failed").length;
+    const confirmed = data.tasks.filter((t) => t.status === "confirmed").length;
+    const failed = data.tasks.filter((t) => t.status === "failed").length;
     const completionRate = confirmed / totalTasks;
     const failureRate = failed / totalTasks;
     const score = Math.round(completionRate * 100 - failureRate * 30);
     return {
       name: "task_completion",
       score: clamp(score, 0, 100),
-      weight: 0.25,
+      weight: WEIGHT_TASK_COMPLETION,
       description: `${confirmed}/${totalTasks} tasks confirmed (${Math.round(completionRate * 100)}% rate)`
     };
   }
-  computeAnomalyFrequencyFactor(agentId) {
-    const anomalies = this.store.queryAnomalies((a) => a.agentId === agentId);
-    const actions = this.store.getActionsByAgent(agentId);
-    const anomalyCount = anomalies.length;
-    const actionCount = actions.length;
+  /**
+   * Anomaly frequency factor: fewer anomalies relative to total actions = higher trust.
+   *
+   * Uses anomaly rate (anomalies / actions) with step-function scoring:
+   * - 0% → 100 (clean record)
+   * - <1% → 90 (near-perfect, occasional false positive acceptable)
+   * - <5% → 70 (some noise but generally clean)
+   * - <10% → 50 (neutral, warrants monitoring)
+   * - <25% → 30 (concerning pattern)
+   * - 25%+ → 10 (severe anomaly rate)
+   *
+   * Critical anomalies incur a -15 point penalty each, high anomalies -8 each.
+   * This severity weighting ensures a single critical anomaly (e.g., sanctions hit)
+   * has outsized impact compared to multiple low-severity anomalies.
+   */
+  computeAnomalyFrequencyFactor(data) {
+    const anomalyCount = data.anomalies.length;
+    const actionCount = data.actions.length;
     if (actionCount === 0) {
       return {
         name: "anomaly_frequency",
         score: 50,
-        weight: 0.25,
+        weight: WEIGHT_ANOMALY,
         description: "No actions recorded yet"
       };
     }
@@ -1622,23 +1711,37 @@ var TrustScorer = class {
     else if (anomalyRate < 0.1) score = 50;
     else if (anomalyRate < 0.25) score = 30;
     else score = 10;
-    const criticalCount = anomalies.filter((a) => a.severity === "critical").length;
-    const highCount = anomalies.filter((a) => a.severity === "high").length;
+    const criticalCount = data.anomalies.filter((a) => a.severity === "critical").length;
+    const highCount = data.anomalies.filter((a) => a.severity === "high").length;
     const penaltyFromSeverity = criticalCount * 15 + highCount * 8;
     return {
       name: "anomaly_frequency",
       score: clamp(score - penaltyFromSeverity, 0, 100),
-      weight: 0.25,
+      weight: WEIGHT_ANOMALY,
       description: `${anomalyCount} anomalies across ${actionCount} actions (${Math.round(anomalyRate * 100)}% rate)`
     };
   }
-  computeTransactionConsistencyFactor(agentId) {
-    const transactions = this.store.getTransactionsByAgent(agentId);
+  /**
+   * Transaction consistency factor: stable spending patterns indicate legitimate usage.
+   *
+   * Uses the coefficient of variation (CV = stdDev / mean) to measure amount regularity:
+   * - CV < 0.1 → 95 (extremely consistent, e.g., recurring payroll)
+   * - CV < 0.3 → 80 (fairly consistent with some variance)
+   * - CV < 0.5 → 65 (moderate variance, common for operational spending)
+   * - CV < 1.0 → 45 (high variance, warrants attention)
+   * - CV < 2.0 → 30 (very erratic, potential structuring)
+   * - CV 2.0+ → 15 (extreme variance, strong structuring indicator)
+   *
+   * Also penalizes -15 points when >80% of destinations are unique with >5 txs,
+   * which is a common money-laundering pattern (spray-and-pray distribution).
+   */
+  computeTransactionConsistencyFactor(data) {
+    const transactions = data.transactions;
     if (transactions.length < 2) {
       return {
         name: "transaction_consistency",
         score: 50,
-        weight: 0.2,
+        weight: WEIGHT_TX_CONSISTENCY,
         description: "Insufficient transaction history for consistency analysis"
       };
     }
@@ -1647,7 +1750,7 @@ var TrustScorer = class {
       return {
         name: "transaction_consistency",
         score: 50,
-        weight: 0.2,
+        weight: WEIGHT_TX_CONSISTENCY,
         description: "Insufficient valid amounts for consistency analysis"
       };
     }
@@ -1670,13 +1773,25 @@ var TrustScorer = class {
     return {
       name: "transaction_consistency",
       score: clamp(score, 0, 100),
-      weight: 0.2,
+      weight: WEIGHT_TX_CONSISTENCY,
       description: `CV=${cv.toFixed(2)}, ${destinations.size} unique destinations across ${transactions.length} transactions`
     };
   }
-  computeComplianceAdherenceFactor(agentId) {
-    const tasks = this.store.queryTasks((t) => t.agentId === agentId);
-    const transactions = this.store.getTransactionsByAgent(agentId);
+  /**
+   * Compliance adherence factor: agents that follow the task-confirm-evidence workflow
+   * demonstrate higher operational integrity.
+   *
+   * Scoring:
+   * - Base score: 50 (neutral)
+   * - +30 max for evidence rate (confirmedTasksWithEvidence / confirmedTasks)
+   * - +20 max for coverage rate (tasks / transactions, capped at 1.0)
+   *
+   * The rationale: tasks with evidence prove the agent completed auditable work.
+   * Coverage rate measures what fraction of financial activity has corresponding
+   * task tracking — higher coverage means better compliance discipline.
+   */
+  computeComplianceAdherenceFactor(data) {
+    const { tasks, transactions } = data;
     const confirmedTasks = tasks.filter((t) => t.status === "confirmed");
     const tasksWithEvidence = confirmedTasks.filter(
       (t) => t.providedEvidence !== null && Object.keys(t.providedEvidence).length > 0
@@ -1693,7 +1808,7 @@ var TrustScorer = class {
     return {
       name: "compliance_adherence",
       score: clamp(score, 0, 100),
-      weight: 0.15,
+      weight: WEIGHT_COMPLIANCE,
       description: `${tasksWithEvidence.length} tasks with evidence, ${transactions.length} total transactions`
     };
   }
@@ -1709,6 +1824,20 @@ var TrustScorer = class {
     factors.push(this.computeRoundAmountRisk(tx));
     return factors;
   }
+  /**
+   * Amount risk: higher transaction amounts carry inherently higher risk.
+   *
+   * Tiers are aligned with common fintech thresholds:
+   * - <$100: near-zero risk (5), micro-transactions
+   * - <$1K: low risk (15), typical consumer spending
+   * - <$10K: moderate (30), approaches CTR reporting thresholds
+   * - <$50K: elevated (55), large business transactions
+   * - <$100K: high (75), requires enhanced due diligence
+   * - $100K+: very high (95), institutional-scale transfers
+   *
+   * Additional +20 penalty when amount exceeds 5x the agent's historical average,
+   * detecting sudden spending spikes that could indicate account compromise.
+   */
   computeAmountRisk(tx) {
     const amount = parseAmount(tx.amount);
     if (isNaN(amount)) {
@@ -1787,6 +1916,21 @@ var TrustScorer = class {
       description: `Agent anomaly rate: ${Math.round(anomalyRate * 100)}%`
     };
   }
+  /**
+   * Round amount risk: round numbers are a structuring indicator in AML heuristics.
+   *
+   * Money launderers often transact in round amounts (e.g., $10,000 exactly) or
+   * just under regulatory thresholds (e.g., $9,500 to avoid $10K CTR filing).
+   *
+   * Scoring:
+   * - Non-round amounts: 5 (baseline, most legitimate transactions)
+   * - Multiples of $1,000: 15 (mildly suspicious)
+   * - Multiples of $10,000: 25 (more suspicious)
+   * - Amounts $9,000-$10,000: +20 penalty (classic structuring band)
+   *
+   * This factor alone rarely triggers flagging — it contributes to the composite
+   * risk score alongside amount, frequency, and destination analysis.
+   */
   computeRoundAmountRisk(tx) {
     const amount = parseAmount(tx.amount);
     if (isNaN(amount)) {
@@ -1809,15 +1953,15 @@ var TrustScorer = class {
   // Scoring helpers
   // --------------------------------------------------------------------------
   scoreToLevel(score) {
-    if (score >= 90) return "verified";
-    if (score >= 70) return "high";
-    if (score >= 50) return "medium";
-    if (score >= 30) return "low";
+    if (score >= TRUST_LEVEL_VERIFIED) return "verified";
+    if (score >= TRUST_LEVEL_HIGH) return "high";
+    if (score >= TRUST_LEVEL_MEDIUM) return "medium";
+    if (score >= TRUST_LEVEL_LOW) return "low";
     return "untrusted";
   }
   riskScoreToLevel(score) {
-    if (score >= 80) return "critical";
-    if (score >= 60) return "high";
+    if (score >= RISK_BLOCK_THRESHOLD) return "critical";
+    if (score >= RISK_FLAG_THRESHOLD) return "high";
     if (score >= 35) return "medium";
     return "low";
   }
@@ -2185,13 +2329,1106 @@ var AnomalyDetector = class {
       try {
         cb(anomaly);
       } catch (error) {
-        if (this.config.debug) {
-          console.debug("[Kontext] Anomaly callback error:", error);
+        console.warn(
+          `[Kontext] Anomaly callback error for ${anomaly.type} (${anomaly.id}):`,
+          error instanceof Error ? error.message : error
+        );
+      }
+    }
+  }
+};
+
+// src/integrations/ofac-sanctions.ts
+var SANCTIONED_ADDRESS_DATABASE = [
+  // -------------------------------------------------------------------------
+  // Lazarus Group / DPRK (North Korea) -- SDN Active
+  // -------------------------------------------------------------------------
+  {
+    address: "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2022-04-14",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Ronin Bridge hack - primary address"
+  },
+  {
+    address: "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2022-04-14",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Ronin Bridge hack - associated address"
+  },
+  {
+    address: "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2022-04-14",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Ronin Bridge hack - associated address"
+  },
+  {
+    address: "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2022-04-14",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Ronin Bridge hack - associated address"
+  },
+  {
+    address: "0x4F47Bc496083C727c5fbe3CE9CDf2B0f6496270c",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2023-08-22",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Harmony Horizon bridge hack - associated address"
+  },
+  {
+    address: "0x0836222F2B2B24A3F36f98668Ed8F0B38D1a872f",
+    lists: ["SDN"],
+    entityName: "Lazarus Group",
+    entityType: "GROUP",
+    dateAdded: "2023-08-22",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Additional Lazarus-attributed address"
+  },
+  // -------------------------------------------------------------------------
+  // Roman Semenov (Tornado Cash developer) -- SDN Active
+  // Remains personally sanctioned even after Tornado Cash delisting
+  // -------------------------------------------------------------------------
+  {
+    address: "0xdcbEfFBECcE100cCE9E4b153C4e15cB885643193",
+    lists: ["SDN"],
+    entityName: "Roman Semenov",
+    entityType: "INDIVIDUAL",
+    dateAdded: "2022-08-08",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Tornado Cash developer - personal wallet"
+  },
+  {
+    address: "0x931546D9e66836AbF687d2bc64B30407bAc8C568",
+    lists: ["SDN"],
+    entityName: "Roman Semenov",
+    entityType: "INDIVIDUAL",
+    dateAdded: "2022-08-08",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Tornado Cash developer - personal wallet"
+  },
+  {
+    address: "0x43fa21d92141BA9db43052492E0DeEE5aa5f0A93",
+    lists: ["SDN"],
+    entityName: "Roman Semenov",
+    entityType: "INDIVIDUAL",
+    dateAdded: "2022-08-08",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Tornado Cash developer - personal wallet"
+  },
+  // -------------------------------------------------------------------------
+  // Garantex exchange -- SDN Active
+  // -------------------------------------------------------------------------
+  {
+    address: "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
+    lists: ["SDN"],
+    entityName: "Garantex",
+    entityType: "EXCHANGE",
+    dateAdded: "2022-04-05",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Russia-based exchange sanctioned for facilitating ransomware payments"
+  },
+  {
+    address: "0x2f389cE8bD8ff92De3402FFCe4691d17fC4f6535",
+    lists: ["SDN"],
+    entityName: "Garantex",
+    entityType: "EXCHANGE",
+    dateAdded: "2022-04-05",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Garantex hot wallet"
+  },
+  {
+    address: "0x19Aa5Fe80D33a56D56c78e82eA5E50E5d80b4Dff",
+    lists: ["SDN"],
+    entityName: "Garantex",
+    entityType: "EXCHANGE",
+    dateAdded: "2022-04-05",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Garantex operational address"
+  },
+  // -------------------------------------------------------------------------
+  // Blender.io -- SDN Active
+  // -------------------------------------------------------------------------
+  {
+    address: "0x23773E65ed146A459791799d01336DB287f25334",
+    lists: ["SDN"],
+    entityName: "Blender.io",
+    entityType: "MIXER",
+    dateAdded: "2022-05-06",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "First mixer sanctioned by OFAC - used by Lazarus Group"
+  },
+  // -------------------------------------------------------------------------
+  // Sinbad.io -- SDN Active
+  // -------------------------------------------------------------------------
+  {
+    address: "0x722122dF12D4e14e13Ac3b6895a86e84145b6967",
+    lists: ["SDN"],
+    entityName: "Sinbad.io",
+    entityType: "MIXER",
+    dateAdded: "2023-11-29",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Mixer sanctioned for North Korean money laundering. (Note: this address is commonly associated with Tornado Cash but was re-designated under Sinbad.io)"
+  },
+  // -------------------------------------------------------------------------
+  // Tornado Cash smart contracts -- DELISTED (March 21, 2025)
+  // Retained for risk scoring; interaction with formerly sanctioned
+  // infrastructure is still a compliance risk indicator.
+  // -------------------------------------------------------------------------
+  {
+    address: "0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 1 ETH pool - DELISTED per Fifth Circuit ruling"
+  },
+  {
+    address: "0xd96f2B1c14Db8458374d9Aca76E26c3D18364307",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 10 ETH pool - DELISTED"
+  },
+  {
+    address: "0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBfA9",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash pool contract - DELISTED"
+  },
+  {
+    address: "0xDD4c48C0B24039969fC16D1cdF626eaB821d3384",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 100 ETH pool - DELISTED"
+  },
+  {
+    address: "0xd4B88Df4D29F5CedD6857912842cff3b20C8Cfa3",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 100 DAI pool - DELISTED"
+  },
+  {
+    address: "0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 10000 DAI pool - DELISTED"
+  },
+  {
+    address: "0xA160cdAB225685dA1d56aa342Ad8841c3b53f291",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 100000 DAI pool - DELISTED"
+  },
+  {
+    address: "0xFD8610d20aA15b7B2E3Be39B396a1bC3516c7144",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash 1000 USDC pool - DELISTED"
+  },
+  {
+    address: "0xF60dD140cFf0706bAE9Cd734Ac3683731B816EeD",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-11-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - added November 2022 update - DELISTED"
+  },
+  {
+    address: "0x22aaA7720ddd5388A3c0A3333430953C68f1849b",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - DELISTED"
+  },
+  {
+    address: "0xBA214C1c1928a32Bffe790263E38B4Af9bFCD659",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - DELISTED"
+  },
+  {
+    address: "0xb1C8094B234DcE6e03f10a5b673c1d8C69739A00",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - DELISTED"
+  },
+  {
+    address: "0x527653eA119F3E6a1F5BD18fbF4714081D7B31ce",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - DELISTED"
+  },
+  {
+    address: "0x58E8dCC13BE9780fC42E8723D8EaD4CF46943dF2",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash Router - DELISTED"
+  },
+  {
+    address: "0x8589427373D6D84E98730D7795D8f6f8731FDA16",
+    lists: ["DELISTED"],
+    entityName: "Tornado Cash",
+    entityType: "PROTOCOL",
+    dateAdded: "2022-08-08",
+    dateRemoved: "2025-03-21",
+    chains: ["ethereum"],
+    notes: "Tornado Cash - DELISTED"
+  },
+  // -------------------------------------------------------------------------
+  // Zedcex / Zedxion -- SDN Active (IRGC-linked)
+  // First-ever designation of an IRGC-linked digital asset exchange (2024)
+  // -------------------------------------------------------------------------
+  {
+    address: "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6",
+    lists: ["SDN"],
+    entityName: "Zedcex Exchange",
+    entityType: "EXCHANGE",
+    dateAdded: "2024-06-26",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "IRGC-linked digital asset exchange"
+  },
+  // -------------------------------------------------------------------------
+  // Additional known sanctioned addresses from SDN list
+  // -------------------------------------------------------------------------
+  {
+    address: "0x7F367cC41522cE07553e823bf3be79A889DEbe1B",
+    lists: ["SDN"],
+    entityName: "DPRK IT Workers",
+    entityType: "GROUP",
+    dateAdded: "2023-05-23",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "North Korean IT worker network generating revenue for WMD programs"
+  },
+  {
+    address: "0x01e2919679362dFBC9ee1644Ba9C6da6D6245BB1",
+    lists: ["SDN"],
+    entityName: "DPRK Cyber Operations",
+    entityType: "GROUP",
+    dateAdded: "2023-04-24",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "DPRK-attributed cyber theft proceeds"
+  },
+  {
+    address: "0xc455f7fd3e0e12afd51fba5c106909934d8a0e4a",
+    lists: ["SDN"],
+    entityName: "DPRK Cyber Operations",
+    entityType: "GROUP",
+    dateAdded: "2023-08-22",
+    dateRemoved: null,
+    chains: ["ethereum"],
+    notes: "Stake.com hack proceeds - DPRK attributed"
+  }
+];
+var SANCTIONED_JURISDICTIONS = [
+  {
+    code: "KP",
+    name: "North Korea (DPRK)",
+    sanctionsProgram: "North Korea Sanctions Regulations, 31 C.F.R. Part 510",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "IR",
+    name: "Iran",
+    sanctionsProgram: "Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "CU",
+    name: "Cuba",
+    sanctionsProgram: "Cuban Assets Control Regulations, 31 C.F.R. Part 515",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "SY",
+    name: "Syria",
+    sanctionsProgram: "Syrian Sanctions Regulations, 31 C.F.R. Part 542",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "RU_CRIMEA",
+    name: "Crimea Region of Ukraine (Russian-occupied)",
+    sanctionsProgram: "Ukraine-/Russia-Related Sanctions, E.O. 13685",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "RU_DNR",
+    name: "Donetsk People's Republic (Russian-occupied Ukraine)",
+    sanctionsProgram: "Ukraine-/Russia-Related Sanctions, E.O. 14065",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "RU_LNR",
+    name: "Luhansk People's Republic (Russian-occupied Ukraine)",
+    sanctionsProgram: "Ukraine-/Russia-Related Sanctions, E.O. 14065",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "RU_ZAPORIZHZHIA",
+    name: "Zaporizhzhia Region (Russian-occupied Ukraine)",
+    sanctionsProgram: "Ukraine-/Russia-Related Sanctions, E.O. 14065",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "RU_KHERSON",
+    name: "Kherson Region (Russian-occupied Ukraine)",
+    sanctionsProgram: "Ukraine-/Russia-Related Sanctions, E.O. 14065",
+    riskLevel: "BLOCKED",
+    comprehensive: true
+  },
+  {
+    code: "BY",
+    name: "Belarus",
+    sanctionsProgram: "Belarus Sanctions Regulations, 31 C.F.R. Part 548",
+    riskLevel: "HIGH",
+    comprehensive: false
+  },
+  {
+    code: "VE",
+    name: "Venezuela",
+    sanctionsProgram: "Venezuela Sanctions Regulations, 31 C.F.R. Part 591",
+    riskLevel: "HIGH",
+    comprehensive: false
+  },
+  {
+    code: "MM",
+    name: "Myanmar (Burma)",
+    sanctionsProgram: "Burmese Sanctions Regulations, 31 C.F.R. Part 525",
+    riskLevel: "MEDIUM",
+    comprehensive: false
+  },
+  {
+    code: "SD",
+    name: "Sudan",
+    sanctionsProgram: "Sudanese Sanctions Regulations, 31 C.F.R. Part 538",
+    riskLevel: "HIGH",
+    comprehensive: false
+  },
+  {
+    code: "SO",
+    name: "Somalia",
+    sanctionsProgram: "Somalia Sanctions Regulations, 31 C.F.R. Part 551",
+    riskLevel: "MEDIUM",
+    comprehensive: false
+  }
+];
+var SANCTIONED_ENTITIES = [
+  {
+    name: "Lazarus Group",
+    aliases: ["HIDDEN COBRA", "Guardians of Peace", "APT38", "Bluenoroff", "Stardust Chollima", "TEMP.Hermit"],
+    addresses: [
+      "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
+      "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
+      "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
+      "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
+      "0x4F47Bc496083C727c5fbe3CE9CDf2B0f6496270c"
+    ],
+    list: "SDN"
+  },
+  {
+    name: "Roman Semenov",
+    aliases: ["Roman Storm", "Tornado Cash Developer"],
+    addresses: [
+      "0xdcbEfFBECcE100cCE9E4b153C4e15cB885643193",
+      "0x931546D9e66836AbF687d2bc64B30407bAc8C568",
+      "0x43fa21d92141BA9db43052492E0DeEE5aa5f0A93"
+    ],
+    list: "SDN"
+  },
+  {
+    name: "Garantex",
+    aliases: ["Garantex Exchange", "garantex.io", "GARANTEX EUROPE OU"],
+    addresses: [
+      "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
+      "0x2f389cE8bD8ff92De3402FFCe4691d17fC4f6535",
+      "0x19Aa5Fe80D33a56D56c78e82eA5E50E5d80b4Dff"
+    ],
+    list: "SDN"
+  },
+  {
+    name: "Blender.io",
+    aliases: ["Blender", "Blender Mixer"],
+    addresses: ["0x23773E65ed146A459791799d01336DB287f25334"],
+    list: "SDN"
+  },
+  {
+    name: "Tornado Cash",
+    aliases: ["TornadoCash", "TC", "Tornado"],
+    addresses: [
+      "0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b",
+      "0xd96f2B1c14Db8458374d9Aca76E26c3D18364307",
+      "0x58E8dCC13BE9780fC42E8723D8EaD4CF46943dF2"
+    ],
+    list: "DELISTED"
+  },
+  {
+    name: "Zedcex Exchange",
+    aliases: ["Zedxion", "Zedcex"],
+    addresses: ["0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6"],
+    list: "SDN"
+  }
+];
+var activeAddressSet = /* @__PURE__ */ new Set();
+var allAddressSet = /* @__PURE__ */ new Set();
+var addressToEntry = /* @__PURE__ */ new Map();
+function rebuildIndexes() {
+  activeAddressSet = /* @__PURE__ */ new Set();
+  allAddressSet = /* @__PURE__ */ new Set();
+  addressToEntry = /* @__PURE__ */ new Map();
+  for (const entry of SANCTIONED_ADDRESS_DATABASE) {
+    const lower = entry.address.toLowerCase();
+    allAddressSet.add(lower);
+    addressToEntry.set(lower, entry);
+    const isActive = entry.dateRemoved === null;
+    if (isActive) {
+      activeAddressSet.add(lower);
+    }
+  }
+}
+rebuildIndexes();
+var listMetadata = {
+  lastUpdated: "2025-03-21",
+  addressCount: SANCTIONED_ADDRESS_DATABASE.length,
+  entityCount: SANCTIONED_ENTITIES.length,
+  sourceUrl: "https://www.treasury.gov/ofac/downloads/sdnlist.txt",
+  version: "2025-03-21-initial"
+};
+var OFACSanctionsScreener = class {
+  // --------------------------------------------------------------------------
+  // Core Address Screening
+  // --------------------------------------------------------------------------
+  /**
+   * Check if an address is on an active sanctions list.
+   * Returns true only for currently sanctioned (non-delisted) addresses.
+   */
+  isActivelySanctioned(address) {
+    return activeAddressSet.has(address.toLowerCase());
+  }
+  /**
+   * Check if an address has ever appeared on any sanctions list,
+   * including those that have been delisted.
+   */
+  hasAnySanctionsHistory(address) {
+    return allAddressSet.has(address.toLowerCase());
+  }
+  /**
+   * Get the full entry for a sanctioned address.
+   */
+  getAddressEntry(address) {
+    return addressToEntry.get(address.toLowerCase());
+  }
+  /**
+   * Perform a comprehensive sanctions screening on an address.
+   * Checks against all lists, evaluates jurisdiction, and computes risk score.
+   */
+  screenAddress(address, context) {
+    const lower = address.toLowerCase();
+    const directMatches = [];
+    const jurisdictionFlags = [];
+    const patternFlags = [];
+    const ownershipFlags = [];
+    const recommendations = [];
+    let riskScore = 0;
+    const entry = addressToEntry.get(lower);
+    if (entry) {
+      const isActive = entry.dateRemoved === null;
+      directMatches.push({
+        matchedAddress: entry.address,
+        list: entry.lists[0],
+        entityName: entry.entityName,
+        entityType: entry.entityType,
+        confidence: 1,
+        active: isActive
+      });
+      if (isActive) {
+        riskScore = 100;
+        recommendations.push(
+          `BLOCK: Address ${address} is on the OFAC ${entry.lists.join(", ")} list as ${entry.entityName}. Transaction is prohibited under U.S. law.`
+        );
+      } else {
+        riskScore = Math.max(riskScore, 45);
+        recommendations.push(
+          `CAUTION: Address ${address} was previously sanctioned as ${entry.entityName} (${entry.lists.join(", ")}). Delisted on ${entry.dateRemoved}. Enhanced due diligence recommended.`
+        );
+      }
+    }
+    if (context?.counterpartyAddress) {
+      const cpLower = context.counterpartyAddress.toLowerCase();
+      const cpEntry = addressToEntry.get(cpLower);
+      if (cpEntry) {
+        const cpActive = cpEntry.dateRemoved === null;
+        directMatches.push({
+          matchedAddress: cpEntry.address,
+          list: cpEntry.lists[0],
+          entityName: cpEntry.entityName,
+          entityType: cpEntry.entityType,
+          confidence: 1,
+          active: cpActive
+        });
+        if (cpActive) {
+          riskScore = 100;
+          recommendations.push(
+            `BLOCK: Counterparty address ${context.counterpartyAddress} is on the OFAC ${cpEntry.lists.join(", ")} list as ${cpEntry.entityName}.`
+          );
+        } else {
+          riskScore = Math.max(riskScore, 45);
+          recommendations.push(
+            `CAUTION: Counterparty was previously sanctioned as ${cpEntry.entityName}.`
+          );
+        }
+      }
+    }
+    if (context?.jurisdiction) {
+      const jurisdictionInfo = SANCTIONED_JURISDICTIONS.find(
+        (j) => j.code === context.jurisdiction
+      );
+      if (jurisdictionInfo) {
+        jurisdictionFlags.push({
+          jurisdiction: jurisdictionInfo.code,
+          name: jurisdictionInfo.name,
+          reason: `Transaction involves ${jurisdictionInfo.name}, sanctioned under ${jurisdictionInfo.sanctionsProgram}`,
+          riskLevel: jurisdictionInfo.riskLevel
+        });
+        if (jurisdictionInfo.comprehensive) {
+          riskScore = 100;
+          recommendations.push(
+            `BLOCK: Transaction involves comprehensively sanctioned jurisdiction: ${jurisdictionInfo.name}. All transactions are prohibited under ${jurisdictionInfo.sanctionsProgram}.`
+          );
+        } else {
+          riskScore = Math.max(riskScore, 70);
+          recommendations.push(
+            `REVIEW: Transaction involves partially sanctioned jurisdiction: ${jurisdictionInfo.name}. Enhanced screening required per ${jurisdictionInfo.sanctionsProgram}.`
+          );
+        }
+      }
+    }
+    let riskLevel;
+    if (riskScore >= 100) {
+      riskLevel = "BLOCKED";
+    } else if (riskScore >= 70) {
+      riskLevel = "SEVERE";
+    } else if (riskScore >= 50) {
+      riskLevel = "HIGH";
+    } else if (riskScore >= 30) {
+      riskLevel = "MEDIUM";
+    } else if (riskScore > 0) {
+      riskLevel = "LOW";
+    } else {
+      riskLevel = "NONE";
+    }
+    const sanctioned = directMatches.some((m) => m.active);
+    if (recommendations.length === 0) {
+      recommendations.push("Address passed all sanctions screening checks.");
+    }
+    return {
+      sanctioned,
+      riskLevel,
+      riskScore: Math.min(riskScore, 100),
+      address,
+      directMatches,
+      jurisdictionFlags,
+      patternFlags,
+      ownershipFlags,
+      screenedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      listsChecked: ["SDN", "SSI", "CONSOLIDATED", "DELISTED"],
+      recommendations
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Jurisdictional Screening
+  // --------------------------------------------------------------------------
+  /**
+   * Screen a jurisdiction for sanctions.
+   */
+  screenJurisdiction(code) {
+    const info = SANCTIONED_JURISDICTIONS.find(
+      (j) => j.code === code || j.name.toLowerCase().includes(code.toLowerCase())
+    );
+    if (!info) return null;
+    return {
+      jurisdiction: info.code,
+      name: info.name,
+      reason: `Sanctioned under ${info.sanctionsProgram}`,
+      riskLevel: info.riskLevel
+    };
+  }
+  /**
+   * Get all sanctioned jurisdictions.
+   */
+  getSanctionedJurisdictions() {
+    return [...SANCTIONED_JURISDICTIONS];
+  }
+  /**
+   * Check if a jurisdiction has comprehensive sanctions (all transactions blocked).
+   */
+  isComprehensiveSanctions(code) {
+    const info = SANCTIONED_JURISDICTIONS.find((j) => j.code === code);
+    return info?.comprehensive ?? false;
+  }
+  // --------------------------------------------------------------------------
+  // Fuzzy Entity Name Matching
+  // --------------------------------------------------------------------------
+  /**
+   * Search for sanctioned entities by name with fuzzy matching.
+   * Uses normalized Levenshtein distance and alias matching.
+   *
+   * @param query - Name to search for
+   * @param threshold - Minimum similarity score (0-1, default 0.6)
+   * @returns Matching entities sorted by relevance
+   */
+  searchEntityName(query, threshold = 0.6) {
+    const queryLower = query.toLowerCase().trim();
+    const results = [];
+    for (const entity of SANCTIONED_ENTITIES) {
+      const nameSim = computeSimilarity(queryLower, entity.name.toLowerCase());
+      if (nameSim >= threshold) {
+        results.push({ entity, similarity: nameSim, matchedOn: entity.name });
+        continue;
+      }
+      let bestAliasSim = 0;
+      let bestAlias = "";
+      for (const alias of entity.aliases) {
+        const aliasSim = computeSimilarity(queryLower, alias.toLowerCase());
+        if (aliasSim > bestAliasSim) {
+          bestAliasSim = aliasSim;
+          bestAlias = alias;
+        }
+      }
+      if (bestAliasSim >= threshold) {
+        results.push({ entity, similarity: bestAliasSim, matchedOn: bestAlias });
+        continue;
+      }
+      const allNames = [entity.name, ...entity.aliases];
+      for (const name of allNames) {
+        if (name.toLowerCase().includes(queryLower) || queryLower.includes(name.toLowerCase())) {
+          results.push({ entity, similarity: 0.8, matchedOn: name });
+          break;
+        }
+      }
+    }
+    results.sort((a, b) => b.similarity - a.similarity);
+    return results;
+  }
+  // --------------------------------------------------------------------------
+  // 50% Rule Screening
+  // --------------------------------------------------------------------------
+  /**
+   * Check if an entity may be subject to the OFAC 50% Rule.
+   *
+   * Under the 50% Rule, entities owned 50% or more (individually or in
+   * aggregate) by one or more sanctioned persons are themselves blocked,
+   * even if not explicitly named on the SDN list.
+   *
+   * This method checks a provided ownership structure against known
+   * sanctioned entities.
+   *
+   * @param ownershipEntries - Array of { ownerName, ownershipPercentage } objects
+   * @returns Array of OwnershipFlag for any sanctioned owners
+   */
+  checkFiftyPercentRule(entityName, ownershipEntries) {
+    const flags = [];
+    let totalSanctionedOwnership = 0;
+    for (const owner of ownershipEntries) {
+      const matches = this.searchEntityName(owner.ownerName, 0.7);
+      if (matches.length > 0) {
+        totalSanctionedOwnership += owner.ownershipPercentage;
+        flags.push({
+          entityName,
+          sanctionedParent: matches[0].entity.name,
+          ownershipPercentage: owner.ownershipPercentage,
+          source: `Fuzzy match on "${owner.ownerName}" -> "${matches[0].matchedOn}" (${Math.round(matches[0].similarity * 100)}% match)`
+        });
+      }
+    }
+    if (totalSanctionedOwnership >= 50 && flags.length > 0) {
+      flags.push({
+        entityName,
+        sanctionedParent: `Aggregate sanctioned ownership: ${totalSanctionedOwnership}%`,
+        ownershipPercentage: totalSanctionedOwnership,
+        source: "OFAC 50% Rule: Entity is considered blocked due to aggregate sanctioned ownership >= 50%"
+      });
+    }
+    return flags;
+  }
+  // --------------------------------------------------------------------------
+  // Transaction Pattern Analysis
+  // --------------------------------------------------------------------------
+  /**
+   * Analyze a set of transactions for patterns associated with sanctions evasion.
+   *
+   * Detects:
+   * - Mixing/tumbling indicators (interaction with known mixers)
+   * - Chain-hopping patterns (rapid cross-chain movements)
+   * - Structuring (amounts just below reporting thresholds)
+   * - Rapid fund movement through intermediaries
+   * - Peeling chain patterns
+   */
+  analyzeTransactionPatterns(transactions) {
+    const flags = [];
+    if (transactions.length === 0) return flags;
+    const mixerFlag = this.detectMixingPattern(transactions);
+    if (mixerFlag) flags.push(mixerFlag);
+    const chainHopFlag = this.detectChainHopping(transactions);
+    if (chainHopFlag) flags.push(chainHopFlag);
+    const structuringFlag = this.detectStructuring(transactions);
+    if (structuringFlag) flags.push(structuringFlag);
+    const rapidFlag = this.detectRapidMovement(transactions);
+    if (rapidFlag) flags.push(rapidFlag);
+    const peelingFlag = this.detectPeelingChain(transactions);
+    if (peelingFlag) flags.push(peelingFlag);
+    return flags;
+  }
+  detectMixingPattern(txs) {
+    const evidence = [];
+    for (const tx of txs) {
+      const fromEntry = addressToEntry.get(tx.from.toLowerCase());
+      const toEntry = addressToEntry.get(tx.to.toLowerCase());
+      if (fromEntry?.entityType === "MIXER") {
+        evidence.push(`Received funds from known mixer: ${fromEntry.entityName} (tx: ${tx.txHash})`);
+      }
+      if (toEntry?.entityType === "MIXER") {
+        evidence.push(`Sent funds to known mixer: ${toEntry.entityName} (tx: ${tx.txHash})`);
+      }
+    }
+    if (evidence.length > 0) {
+      return {
+        pattern: "MIXING",
+        description: "Transaction history includes interaction with known mixing/tumbling services",
+        severity: "HIGH",
+        evidence
+      };
+    }
+    return null;
+  }
+  detectChainHopping(txs) {
+    const chainTimestamps = /* @__PURE__ */ new Map();
+    for (const tx of txs) {
+      const timestamps = chainTimestamps.get(tx.chain) ?? [];
+      timestamps.push(new Date(tx.timestamp).getTime());
+      chainTimestamps.set(tx.chain, timestamps);
+    }
+    if (chainTimestamps.size < 2) return null;
+    const allTimestamps = [];
+    for (const [chain, times] of chainTimestamps) {
+      for (const time of times) {
+        allTimestamps.push({ chain, time });
+      }
+    }
+    allTimestamps.sort((a, b) => a.time - b.time);
+    const evidence = [];
+    const RAPID_WINDOW_MS = 10 * 60 * 1e3;
+    for (let i = 1; i < allTimestamps.length; i++) {
+      const prev = allTimestamps[i - 1];
+      const curr = allTimestamps[i];
+      if (prev && curr && prev.chain !== curr.chain) {
+        const gap = curr.time - prev.time;
+        if (gap < RAPID_WINDOW_MS) {
+          evidence.push(
+            `Cross-chain hop: ${prev.chain} -> ${curr.chain} within ${Math.round(gap / 1e3)}s`
+          );
+        }
+      }
+    }
+    if (evidence.length >= 2) {
+      return {
+        pattern: "CHAIN_HOPPING",
+        description: "Rapid cross-chain fund movements detected, a pattern associated with sanctions evasion",
+        severity: "MEDIUM",
+        evidence
+      };
+    }
+    return null;
+  }
+  detectStructuring(txs) {
+    const REPORTING_THRESHOLD2 = 1e4;
+    const STRUCTURING_BAND_LOW = REPORTING_THRESHOLD2 * 0.8;
+    const STRUCTURING_BAND_HIGH = REPORTING_THRESHOLD2;
+    const structuredTxs = txs.filter(
+      (tx) => tx.amount >= STRUCTURING_BAND_LOW && tx.amount < STRUCTURING_BAND_HIGH
+    );
+    if (structuredTxs.length >= 3) {
+      const evidence = structuredTxs.map(
+        (tx) => `$${tx.amount.toFixed(2)} on ${tx.chain} (tx: ${tx.txHash})`
+      );
+      return {
+        pattern: "STRUCTURING",
+        description: `${structuredTxs.length} transactions clustered just below the $${REPORTING_THRESHOLD2} reporting threshold, a pattern consistent with structuring`,
+        severity: "HIGH",
+        evidence
+      };
+    }
+    return null;
+  }
+  detectRapidMovement(txs) {
+    const sorted = [...txs].sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    const RAPID_THRESHOLD_MS = 60 * 1e3;
+    const evidence = [];
+    for (let i = 1; i < sorted.length; i++) {
+      const prev = sorted[i - 1];
+      const curr = sorted[i];
+      if (prev && curr) {
+        const gap = new Date(curr.timestamp).getTime() - new Date(prev.timestamp).getTime();
+        if (gap < RAPID_THRESHOLD_MS && gap >= 0) {
+          evidence.push(
+            `${curr.from} -> ${curr.to}: $${curr.amount} within ${Math.round(gap / 1e3)}s of previous tx`
+          );
+        }
+      }
+    }
+    if (evidence.length >= 3) {
+      return {
+        pattern: "RAPID_MOVEMENT",
+        description: "Rapid succession of fund movements detected, consistent with layering/obfuscation",
+        severity: "MEDIUM",
+        evidence
+      };
+    }
+    return null;
+  }
+  detectPeelingChain(txs) {
+    const sorted = [...txs].sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    const evidence = [];
+    let consecutiveDecreases = 0;
+    for (let i = 1; i < sorted.length; i++) {
+      const prev = sorted[i - 1];
+      const curr = sorted[i];
+      if (!prev || !curr) continue;
+      if (curr.amount < prev.amount && curr.amount > 0) {
+        const peeled = prev.amount - curr.amount;
+        if (peeled < prev.amount * 0.3) {
+          consecutiveDecreases++;
+          evidence.push(
+            `Peel: $${prev.amount.toFixed(2)} -> $${curr.amount.toFixed(2)} (peeled $${peeled.toFixed(2)})`
+          );
         }
+      } else {
+        consecutiveDecreases = 0;
+      }
+    }
+    if (consecutiveDecreases >= 3) {
+      return {
+        pattern: "PEELING_CHAIN",
+        description: "Peeling chain pattern detected: sequential transactions with decreasing amounts to different addresses",
+        severity: "MEDIUM",
+        evidence
+      };
+    }
+    return null;
+  }
+  // --------------------------------------------------------------------------
+  // Sanctions List Management
+  // --------------------------------------------------------------------------
+  /**
+   * Add new sanctioned addresses to the database at runtime.
+   * Returns the count of newly added addresses.
+   */
+  addAddresses(entries) {
+    let added = 0;
+    for (const entry of entries) {
+      const lower = entry.address.toLowerCase();
+      if (!allAddressSet.has(lower)) {
+        SANCTIONED_ADDRESS_DATABASE.push(entry);
+        added++;
       }
     }
+    if (added > 0) {
+      rebuildIndexes();
+      listMetadata = {
+        ...listMetadata,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString(),
+        addressCount: SANCTIONED_ADDRESS_DATABASE.length,
+        version: `runtime-update-${Date.now()}`
+      };
+    }
+    return added;
+  }
+  /**
+   * Add new entity names for fuzzy matching.
+   */
+  addEntities(entities) {
+    let added = 0;
+    for (const entity of entities) {
+      const exists = SANCTIONED_ENTITIES.some(
+        (e) => e.name.toLowerCase() === entity.name.toLowerCase()
+      );
+      if (!exists) {
+        SANCTIONED_ENTITIES.push(entity);
+        added++;
+      }
+    }
+    if (added > 0) {
+      listMetadata = {
+        ...listMetadata,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString(),
+        entityCount: SANCTIONED_ENTITIES.length,
+        version: `runtime-entity-update-${Date.now()}`
+      };
+    }
+    return added;
+  }
+  /**
+   * Get current sanctions list metadata.
+   */
+  getListMetadata() {
+    return { ...listMetadata };
+  }
+  /**
+   * Get all active sanctioned addresses (non-delisted).
+   */
+  getActiveSanctionedAddresses() {
+    return [...activeAddressSet];
+  }
+  /**
+   * Get all sanctioned addresses including delisted.
+   */
+  getAllAddresses() {
+    return [...allAddressSet];
+  }
+  /**
+   * Get the count of active sanctioned addresses.
+   */
+  getActiveAddressCount() {
+    return activeAddressSet.size;
+  }
+  /**
+   * Get the count of all addresses (including delisted).
+   */
+  getTotalAddressCount() {
+    return allAddressSet.size;
+  }
+  /**
+   * Get all entity names in the database.
+   */
+  getEntities() {
+    return [...SANCTIONED_ENTITIES];
   }
 };
+function computeSimilarity(a, b) {
+  if (a === b) return 1;
+  if (a.length === 0 || b.length === 0) return 0;
+  const maxLen = Math.max(a.length, b.length);
+  const distance = levenshteinDistance(a, b);
+  return 1 - distance / maxLen;
+}
+function levenshteinDistance(a, b) {
+  const m = a.length;
+  const n = b.length;
+  const prev = new Array(n + 1);
+  const curr = new Array(n + 1);
+  for (let j = 0; j <= n; j++) {
+    prev[j] = j;
+  }
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(
+        (prev[j] ?? 0) + 1,
+        // deletion
+        (curr[j - 1] ?? 0) + 1,
+        // insertion
+        (prev[j - 1] ?? 0) + cost
+        // substitution
+      );
+    }
+    for (let j = 0; j <= n; j++) {
+      prev[j] = curr[j] ?? 0;
+    }
+  }
+  return prev[n] ?? 0;
+}
+var ofacScreener = new OFACSanctionsScreener();
 
 // src/integrations/usdc.ts
 var USDC_CONTRACTS = {
@@ -2204,7 +3441,33 @@ var USDC_CONTRACTS = {
   arc: "0xa0c0000000000000000000000000000000000001"
 };
 var SANCTIONED_ADDRESSES = [
-  // Tornado Cash contracts (sanctioned August 2022)
+  // --- ACTIVELY SANCTIONED (SDN) ---
+  // Lazarus Group / DPRK (Ronin Bridge hack)
+  "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
+  "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
+  "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
+  "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
+  // Lazarus Group - Harmony/Stake.com hacks
+  "0x4F47Bc496083C727c5fbe3CE9CDf2B0f6496270c",
+  "0x0836222F2B2B24A3F36f98668Ed8F0B38D1a872f",
+  // DPRK Cyber Operations
+  "0x7F367cC41522cE07553e823bf3be79A889DEbe1B",
+  "0x01e2919679362dFBC9ee1644Ba9C6da6D6245BB1",
+  "0xc455f7fd3e0e12afd51fba5c106909934d8a0e4a",
+  // Garantex exchange (sanctioned April 2022)
+  "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
+  "0x2f389cE8bD8ff92De3402FFCe4691d17fC4f6535",
+  "0x19Aa5Fe80D33a56D56c78e82eA5E50E5d80b4Dff",
+  // Blender.io (sanctioned May 2022)
+  "0x23773E65ed146A459791799d01336DB287f25334",
+  // Roman Semenov (Tornado Cash developer - REMAINS sanctioned)
+  "0xdcbEfFBECcE100cCE9E4b153C4e15cB885643193",
+  "0x931546D9e66836AbF687d2bc64B30407bAc8C568",
+  "0x43fa21d92141BA9db43052492E0DeEE5aa5f0A93",
+  // Zedcex / Zedxion (IRGC-linked, sanctioned June 2024)
+  "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6",
+  // --- DELISTED (formerly sanctioned, retained for backward compat) ---
+  // Tornado Cash contracts (sanctioned Aug 2022, DELISTED March 21, 2025)
   "0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b",
   "0xd96f2B1c14Db8458374d9Aca76E26c3D18364307",
   "0x4736dCf1b7A3d580672CcE6E7c65cd5cc9cFBfA9",
@@ -2222,17 +3485,8 @@ var SANCTIONED_ADDRESSES = [
   // Tornado Cash Router
   "0x8589427373D6D84E98730D7795D8f6f8731FDA16",
   // Tornado Cash
-  "0x722122dF12D4e14e13Ac3b6895a86e84145b6967",
-  // Tornado Cash
-  // Lazarus Group / North Korea (Ronin Bridge hack)
-  "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
-  "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
-  "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
-  "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
-  // Garantex exchange (sanctioned April 2022)
-  "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
-  // Blender.io
-  "0x23773E65ed146A459791799d01336DB287f25334"
+  "0x722122dF12D4e14e13Ac3b6895a86e84145b6967"
+  // Tornado Cash / Sinbad.io
 ];
 var SANCTIONED_SET = new Set(
   SANCTIONED_ADDRESSES.map((addr) => addr.toLowerCase())
@@ -2354,6 +3608,72 @@ var UsdcCompliance = class _UsdcCompliance {
   static getSupportedChains() {
     return Object.keys(USDC_CONTRACTS);
   }
+  /**
+   * Add new sanctioned addresses at runtime.
+   * Normalizes all addresses to lowercase for consistent matching.
+   * Skips addresses that are already in the list.
+   *
+   * @param addresses - Array of Ethereum addresses to add
+   * @returns The count of newly added addresses (excluding duplicates)
+   */
+  static addSanctionedAddresses(addresses) {
+    let added = 0;
+    for (const addr of addresses) {
+      const lower = addr.toLowerCase();
+      if (!SANCTIONED_SET.has(lower)) {
+        SANCTIONED_ADDRESSES.push(addr);
+        SANCTIONED_SET.add(lower);
+        added++;
+      }
+    }
+    return added;
+  }
+  /**
+   * Replace the entire sanctioned addresses list at runtime.
+   * Clears existing entries and rebuilds from the provided array.
+   *
+   * @param addresses - The new complete list of sanctioned addresses
+   */
+  static replaceSanctionedAddresses(addresses) {
+    SANCTIONED_ADDRESSES.length = 0;
+    SANCTIONED_ADDRESSES.push(...addresses);
+    SANCTIONED_SET.clear();
+    for (const addr of addresses) {
+      SANCTIONED_SET.add(addr.toLowerCase());
+    }
+  }
+  /**
+   * Get the current number of addresses in the sanctions list.
+   *
+   * @returns The size of the current sanctions list
+   */
+  static getSanctionsListSize() {
+    return SANCTIONED_SET.size;
+  }
+  /**
+   * Perform comprehensive OFAC sanctions screening using the advanced
+   * OFACSanctionsScreener. This goes beyond simple address matching to
+   * include jurisdictional screening, delisted address detection, and
+   * entity metadata.
+   *
+   * @param address - The address to screen
+   * @param context - Optional context for enhanced screening
+   * @returns ComprehensiveSanctionsResult with full screening details
+   */
+  static screenComprehensive(address, context) {
+    return ofacScreener.screenAddress(address, context);
+  }
+  /**
+   * Check if an address is actively sanctioned (non-delisted).
+   * Unlike isSanctioned(), this excludes addresses that have been removed
+   * from the SDN list (e.g., Tornado Cash contracts post-March 2025).
+   *
+   * @param address - The address to check
+   * @returns true if the address is on an active sanctions list
+   */
+  static isActivelySanctioned(address) {
+    return ofacScreener.isActivelySanctioned(address);
+  }
   // --------------------------------------------------------------------------
   // Individual compliance checks
   // --------------------------------------------------------------------------
@@ -2493,6 +3813,648 @@ var UsdcCompliance = class _UsdcCompliance {
     return recommendations;
   }
 };
+
+// src/plans.ts
+var PLAN_LIMITS = {
+  free: 2e4,
+  pro: 1e5,
+  // per user/seat
+  enterprise: Infinity
+};
+var DEFAULT_WARNING_THRESHOLD = 0.8;
+var THROTTLE_INTERVAL = 100;
+var PlanManager = class _PlanManager {
+  tier;
+  seats;
+  eventCount;
+  billingPeriodStart;
+  warningThreshold;
+  warningEmitted = false;
+  limitEmitted = false;
+  eventsSinceLimitWarning = 0;
+  usageWarningCallbacks = [];
+  limitReachedCallbacks = [];
+  /** Custom upgrade URL, configurable via init */
+  upgradeUrl = "https://kontext.so/upgrade";
+  /** Enterprise contact URL */
+  enterpriseContactUrl = "https://cal.com/vinnaray";
+  constructor(tier = "free", billingPeriodStart, seats = 1) {
+    this.tier = tier;
+    this.seats = Math.max(1, Math.floor(seats));
+    this.eventCount = 0;
+    this.warningThreshold = DEFAULT_WARNING_THRESHOLD;
+    this.billingPeriodStart = billingPeriodStart ?? _PlanManager.defaultBillingPeriodStart();
+  }
+  /**
+   * Returns the 1st of the current month at midnight UTC.
+   */
+  static defaultBillingPeriodStart() {
+    const now2 = /* @__PURE__ */ new Date();
+    return new Date(Date.UTC(now2.getUTCFullYear(), now2.getUTCMonth(), 1));
+  }
+  // --------------------------------------------------------------------------
+  // Plan Info
+  // --------------------------------------------------------------------------
+  /** Get limits for a specific tier */
+  static getPlanLimits(tier) {
+    return { tier, eventLimit: PLAN_LIMITS[tier] };
+  }
+  /** Get the current plan tier */
+  getTier() {
+    return this.tier;
+  }
+  /** Get the event limit for the current plan (Pro is multiplied by seats) */
+  getLimit() {
+    const base = PLAN_LIMITS[this.tier];
+    if (base === Infinity) return Infinity;
+    if (this.tier === "pro") return base * this.seats;
+    return base;
+  }
+  /** Get the current number of seats */
+  getSeats() {
+    return this.seats;
+  }
+  /** Update the number of seats (e.g., after Stripe subscription update) */
+  setSeats(seats) {
+    this.seats = Math.max(1, Math.floor(seats));
+    this.warningEmitted = false;
+    this.limitEmitted = false;
+    this.eventsSinceLimitWarning = 0;
+  }
+  /** Get the current event count */
+  getEventCount() {
+    return this.eventCount;
+  }
+  /** Get the number of remaining events before the limit */
+  getRemainingEvents() {
+    const limit = this.getLimit();
+    if (limit === Infinity) return Infinity;
+    return Math.max(0, limit - this.eventCount);
+  }
+  /** Get the current usage as a percentage (0-100) */
+  getUsagePercentage() {
+    const limit = this.getLimit();
+    if (limit === Infinity) return 0;
+    return Math.min(100, this.eventCount / limit * 100);
+  }
+  /** Whether the event limit has been exceeded */
+  isLimitExceeded() {
+    const limit = this.getLimit();
+    if (limit === Infinity) return false;
+    return this.eventCount >= limit;
+  }
+  /** Get full usage object */
+  getUsage() {
+    return {
+      plan: this.tier,
+      seats: this.seats,
+      eventCount: this.eventCount,
+      limit: this.getLimit(),
+      remainingEvents: this.getRemainingEvents(),
+      usagePercentage: this.getUsagePercentage(),
+      limitExceeded: this.isLimitExceeded()
+    };
+  }
+  /** Get the billing period start date */
+  getBillingPeriodStart() {
+    return new Date(this.billingPeriodStart.getTime());
+  }
+  // --------------------------------------------------------------------------
+  // Plan Management
+  // --------------------------------------------------------------------------
+  /**
+   * Change the plan tier at runtime (e.g., after Stripe checkout succeeds).
+   * This resets limit-related warning state since the new tier has different limits.
+   */
+  setPlan(tier) {
+    this.tier = tier;
+    this.warningEmitted = false;
+    this.limitEmitted = false;
+    this.eventsSinceLimitWarning = 0;
+  }
+  /**
+   * Reset the event count for a new billing period.
+   * Updates the billing period start to the given date or 1st of current month.
+   */
+  resetBillingPeriod(newStart) {
+    this.eventCount = 0;
+    this.billingPeriodStart = newStart ?? _PlanManager.defaultBillingPeriodStart();
+    this.warningEmitted = false;
+    this.limitEmitted = false;
+    this.eventsSinceLimitWarning = 0;
+  }
+  /**
+   * Check if the billing period should be reset (i.e., current date is past
+   * the start of the next billing period). If so, auto-reset.
+   */
+  checkBillingPeriodReset() {
+    const now2 = /* @__PURE__ */ new Date();
+    const nextPeriodStart = new Date(
+      Date.UTC(
+        this.billingPeriodStart.getUTCFullYear(),
+        this.billingPeriodStart.getUTCMonth() + 1,
+        1
+      )
+    );
+    if (now2 >= nextPeriodStart) {
+      this.resetBillingPeriod(
+        new Date(Date.UTC(now2.getUTCFullYear(), now2.getUTCMonth(), 1))
+      );
+      return true;
+    }
+    return false;
+  }
+  // --------------------------------------------------------------------------
+  // Event Tracking
+  // --------------------------------------------------------------------------
+  /**
+   * Record an event and check thresholds.
+   * Returns true if the event limit has been exceeded (soft limit).
+   */
+  recordEvent() {
+    this.checkBillingPeriodReset();
+    this.eventCount++;
+    const limit = this.getLimit();
+    if (limit === Infinity) return false;
+    const usagePercentage = this.getUsagePercentage();
+    if (!this.warningEmitted && usagePercentage >= this.warningThreshold * 100) {
+      this.warningEmitted = true;
+      const event = this.createLimitEvent("warning");
+      for (const cb of this.usageWarningCallbacks) {
+        cb(event);
+      }
+    }
+    if (this.eventCount >= limit) {
+      if (!this.limitEmitted) {
+        this.limitEmitted = true;
+        this.eventsSinceLimitWarning = 0;
+        const event = this.createLimitEvent("limit_reached");
+        for (const cb of this.limitReachedCallbacks) {
+          cb(event);
+        }
+        this.logLimitMessage();
+      } else {
+        this.eventsSinceLimitWarning++;
+        if (this.eventsSinceLimitWarning >= THROTTLE_INTERVAL) {
+          this.eventsSinceLimitWarning = 0;
+          const event = this.createLimitEvent("limit_reached");
+          for (const cb of this.limitReachedCallbacks) {
+            cb(event);
+          }
+          this.logLimitMessage();
+        }
+      }
+      return true;
+    }
+    return false;
+  }
+  // --------------------------------------------------------------------------
+  // Callbacks
+  // --------------------------------------------------------------------------
+  /**
+   * Register a callback for the 80% usage warning.
+   * @returns Unsubscribe function
+   */
+  onUsageWarning(callback) {
+    this.usageWarningCallbacks.push(callback);
+    return () => {
+      const idx = this.usageWarningCallbacks.indexOf(callback);
+      if (idx >= 0) this.usageWarningCallbacks.splice(idx, 1);
+    };
+  }
+  /**
+   * Register a callback for the limit reached event.
+   * @returns Unsubscribe function
+   */
+  onLimitReached(callback) {
+    this.limitReachedCallbacks.push(callback);
+    return () => {
+      const idx = this.limitReachedCallbacks.indexOf(callback);
+      if (idx >= 0) this.limitReachedCallbacks.splice(idx, 1);
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Persistence
+  // --------------------------------------------------------------------------
+  /** Serialize state for storage */
+  toJSON() {
+    return {
+      tier: this.tier,
+      seats: this.seats,
+      eventCount: this.eventCount,
+      billingPeriodStart: this.billingPeriodStart.toISOString()
+    };
+  }
+  /** Restore state from storage */
+  static fromJSON(data) {
+    const manager = new _PlanManager(data.tier, new Date(data.billingPeriodStart), data.seats ?? 1);
+    manager.eventCount = data.eventCount;
+    return manager;
+  }
+  /** Set the event count directly (for restoring from storage) */
+  setEventCount(count) {
+    this.eventCount = count;
+  }
+  // --------------------------------------------------------------------------
+  // Private
+  // --------------------------------------------------------------------------
+  createLimitEvent(type) {
+    const message = type === "warning" ? `You've used ${this.getUsagePercentage().toFixed(0)}% of your ${this.tier} plan event limit (${this.eventCount}/${this.getLimit()}).` : `You've reached the ${this.getLimit().toLocaleString()} event limit on the ${this.tier === "free" ? "Free" : "Pro"} plan.`;
+    return {
+      type,
+      plan: this.tier,
+      eventCount: this.eventCount,
+      limit: this.getLimit(),
+      usagePercentage: this.getUsagePercentage(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      message
+    };
+  }
+  logLimitMessage() {
+    if (this.tier === "free") {
+      console.warn(
+        `You've reached the 20,000 event limit on the Free plan. Upgrade to Pro for 100K events/user/mo and full compliance features \u2192 ${this.upgradeUrl}`
+      );
+    } else if (this.tier === "pro") {
+      const effectiveLimit = (1e5 * this.seats).toLocaleString();
+      console.warn(
+        `You've reached the ${effectiveLimit} event limit on Pro (${this.seats} seat${this.seats !== 1 ? "s" : ""}). Add seats or contact us for Enterprise pricing \u2192 ${this.enterpriseContactUrl}`
+      );
+    }
+  }
+};
+var NoopExporter = class {
+  async export(_events) {
+    return { success: true, exportedCount: 0 };
+  }
+  async flush() {
+  }
+  async shutdown() {
+  }
+};
+var ConsoleExporter = class {
+  prefix;
+  constructor(options) {
+    this.prefix = options?.prefix ?? "[Kontext Export]";
+  }
+  async export(events) {
+    for (const event of events) {
+      console.log(`${this.prefix} ${JSON.stringify(event)}`);
+    }
+    return { success: true, exportedCount: events.length };
+  }
+  async flush() {
+  }
+  async shutdown() {
+  }
+};
+var JsonFileExporter = class {
+  outputDir;
+  buffer = [];
+  bufferSize;
+  constructor(options) {
+    this.outputDir = path3__namespace.resolve(options?.outputDir ?? ".kontext/exports");
+    this.bufferSize = options?.bufferSize ?? 1;
+  }
+  async export(events) {
+    this.buffer.push(...events);
+    if (this.buffer.length >= this.bufferSize) {
+      await this.flush();
+    }
+    return { success: true, exportedCount: events.length };
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const toWrite = [...this.buffer];
+    this.buffer = [];
+    try {
+      fs3__namespace.mkdirSync(this.outputDir, { recursive: true });
+      const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+      const filePath = path3__namespace.join(this.outputDir, `events-${date}.jsonl`);
+      const lines = toWrite.map((e) => JSON.stringify(e)).join("\n") + "\n";
+      fs3__namespace.appendFileSync(filePath, lines, "utf-8");
+    } catch (error) {
+      console.warn("[Kontext JsonFileExporter] Failed to write events:", error);
+    }
+  }
+  async shutdown() {
+    await this.flush();
+  }
+  /** Get the output directory path. */
+  getOutputDir() {
+    return this.outputDir;
+  }
+};
+var HttpExporter = class {
+  endpoint;
+  headers;
+  batchSize;
+  timeoutMs;
+  buffer = [];
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...options.headers
+    };
+    this.batchSize = options.batchSize ?? 50;
+    this.timeoutMs = options.timeoutMs ?? 3e4;
+  }
+  async export(events) {
+    this.buffer.push(...events);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+    return { success: true, exportedCount: events.length };
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const toSend = [...this.buffer];
+    this.buffer = [];
+    try {
+      const response = await fetch(this.endpoint, {
+        method: "POST",
+        headers: this.headers,
+        body: JSON.stringify({ events: toSend }),
+        signal: AbortSignal.timeout(this.timeoutMs)
+      });
+      if (!response.ok) {
+        console.warn(
+          `[Kontext HttpExporter] Export failed with status ${response.status}`
+        );
+      }
+    } catch (error) {
+      console.warn("[Kontext HttpExporter] Export failed:", error);
+    }
+  }
+  async shutdown() {
+    await this.flush();
+  }
+};
+var KontextCloudExporter = class {
+  apiKey;
+  projectId;
+  apiUrl;
+  batchSize;
+  timeoutMs;
+  retryAttempts;
+  retryDelayMs;
+  buffer = [];
+  constructor(options) {
+    if (!options.apiKey) {
+      throw new Error("KontextCloudExporter requires an API key (Pro or Enterprise plan)");
+    }
+    this.apiKey = options.apiKey;
+    this.projectId = options.projectId;
+    this.apiUrl = options.apiUrl ?? "https://api.getkontext.com";
+    this.batchSize = options.batchSize ?? 100;
+    this.timeoutMs = options.timeoutMs ?? 3e4;
+    this.retryAttempts = options.retryAttempts ?? 3;
+    this.retryDelayMs = options.retryDelayMs ?? 1e3;
+  }
+  async export(events) {
+    this.buffer.push(...events);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+    return { success: true, exportedCount: events.length };
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const toSend = [...this.buffer];
+    this.buffer = [];
+    let lastError;
+    for (let attempt = 0; attempt < this.retryAttempts; attempt++) {
+      try {
+        const response = await fetch(`${this.apiUrl}/v1/ingest`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.apiKey}`,
+            "X-Project-Id": this.projectId,
+            "X-SDK-Version": "0.1.0"
+          },
+          body: JSON.stringify({
+            events: toSend,
+            metadata: {
+              exportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+              batchSize: toSend.length
+            }
+          }),
+          signal: AbortSignal.timeout(this.timeoutMs)
+        });
+        if (response.ok) {
+          return;
+        }
+        if (response.status >= 400 && response.status < 500) {
+          console.warn(
+            `[Kontext Cloud] Export rejected (${response.status}): ${await response.text()}`
+          );
+          return;
+        }
+        lastError = new Error(`HTTP ${response.status}`);
+      } catch (error) {
+        lastError = error;
+      }
+      if (attempt < this.retryAttempts - 1) {
+        await new Promise(
+          (resolve3) => setTimeout(resolve3, this.retryDelayMs * Math.pow(2, attempt))
+        );
+      }
+    }
+    console.warn(
+      `[Kontext Cloud] Export failed after ${this.retryAttempts} attempts:`,
+      lastError
+    );
+  }
+  async shutdown() {
+    await this.flush();
+  }
+};
+var MultiExporter = class {
+  exporters;
+  constructor(exporters) {
+    this.exporters = exporters;
+  }
+  async export(events) {
+    const results = await Promise.allSettled(
+      this.exporters.map((e) => e.export(events))
+    );
+    const failures = results.filter((r) => r.status === "rejected");
+    if (failures.length > 0) {
+      return {
+        success: false,
+        exportedCount: events.length,
+        error: `${failures.length}/${this.exporters.length} exporters failed`
+      };
+    }
+    return { success: true, exportedCount: events.length };
+  }
+  async flush() {
+    await Promise.allSettled(this.exporters.map((e) => e.flush()));
+  }
+  async shutdown() {
+    await Promise.allSettled(this.exporters.map((e) => e.shutdown()));
+  }
+};
+
+// src/feature-flags.ts
+var DEFAULT_CACHE_TTL_MS = 3e5;
+var FeatureFlagManager = class {
+  config;
+  cacheTtlMs;
+  defaultValue;
+  cache = /* @__PURE__ */ new Map();
+  refreshInFlight = false;
+  constructor(config) {
+    this.config = config;
+    this.cacheTtlMs = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+    this.defaultValue = config.defaultValue ?? false;
+  }
+  // --------------------------------------------------------------------------
+  // Public API
+  // --------------------------------------------------------------------------
+  /**
+   * Initialize the manager by fetching all flags from Firestore.
+   * Call this once at startup to warm the cache.
+   */
+  async init() {
+    await this.refresh();
+  }
+  /**
+   * Check if a flag is enabled for the given environment and plan.
+   * Always synchronous — reads from cache.
+   * Triggers a background refresh when the cached entry is stale.
+   */
+  isEnabled(flagName, environment, plan) {
+    const env = environment ?? this.config.environment;
+    const tier = plan ?? this.config.plan;
+    const entry = this.cache.get(flagName);
+    if (!entry) {
+      this.triggerBackgroundRefresh();
+      return this.defaultValue;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.triggerBackgroundRefresh();
+    }
+    const envTargeting = entry.flag.targeting[env];
+    if (!envTargeting) return this.defaultValue;
+    return envTargeting[tier] ?? this.defaultValue;
+  }
+  /**
+   * Get a single flag by name (from cache).
+   */
+  getFlag(flagName) {
+    return this.cache.get(flagName)?.flag;
+  }
+  /**
+   * Get all cached flags.
+   */
+  getAllFlags() {
+    return Array.from(this.cache.values()).map((e) => e.flag);
+  }
+  /**
+   * Force-refresh all flags from Firestore.
+   */
+  async refresh() {
+    try {
+      const docs = await this.fetchAllFromFirestore();
+      const now2 = Date.now();
+      for (const doc of docs) {
+        const flag = parseFirestoreDocument(doc);
+        if (!flag) continue;
+        if (this.config.scope && flag.scope !== "all" && flag.scope !== this.config.scope) {
+          continue;
+        }
+        this.cache.set(flag.name, {
+          flag,
+          expiresAt: now2 + this.cacheTtlMs
+        });
+      }
+    } catch {
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Firestore REST API
+  // --------------------------------------------------------------------------
+  get firestoreBaseUrl() {
+    return `https://firestore.googleapis.com/v1/projects/${this.config.gcpProjectId}/databases/(default)/documents`;
+  }
+  async fetchAllFromFirestore() {
+    const url = `${this.firestoreBaseUrl}/feature-flags`;
+    const headers = {};
+    if (this.config.accessToken) {
+      headers["Authorization"] = `Bearer ${this.config.accessToken}`;
+    }
+    const res = await fetch(url, { headers });
+    if (!res.ok) {
+      throw new Error(`Firestore fetch failed: ${res.status} ${res.statusText}`);
+    }
+    const body = await res.json();
+    return body.documents ?? [];
+  }
+  async fetchOneFromFirestore(flagName) {
+    const url = `${this.firestoreBaseUrl}/feature-flags/${flagName}`;
+    const headers = {};
+    if (this.config.accessToken) {
+      headers["Authorization"] = `Bearer ${this.config.accessToken}`;
+    }
+    const res = await fetch(url, { headers });
+    if (res.status === 404) return null;
+    if (!res.ok) {
+      throw new Error(`Firestore fetch failed: ${res.status} ${res.statusText}`);
+    }
+    return await res.json();
+  }
+  // --------------------------------------------------------------------------
+  // Background Refresh
+  // --------------------------------------------------------------------------
+  triggerBackgroundRefresh() {
+    if (this.refreshInFlight) return;
+    this.refreshInFlight = true;
+    this.refresh().finally(() => {
+      this.refreshInFlight = false;
+    });
+  }
+};
+function parseFirestoreDocument(doc) {
+  try {
+    const fields = doc.fields;
+    const name = extractDocumentId(doc.name);
+    const description = fields["description"]?.stringValue ?? "";
+    const scope = fields["scope"]?.stringValue ?? "all";
+    const createdBy = fields["createdBy"]?.stringValue ?? "";
+    const createdAt = fields["createdAt"]?.stringValue ?? doc.createTime;
+    const updatedAt = fields["updatedAt"]?.stringValue ?? doc.updateTime;
+    const targetingMap = fields["targeting"]?.mapValue?.fields;
+    if (!targetingMap) return null;
+    const targeting = parseTargeting(targetingMap);
+    if (!targeting) return null;
+    return { name, description, scope, targeting, createdAt, updatedAt, createdBy };
+  } catch {
+    return null;
+  }
+}
+function parseTargeting(fields) {
+  const dev = parsePlanTargeting(fields["development"]?.mapValue?.fields);
+  const staging = parsePlanTargeting(fields["staging"]?.mapValue?.fields);
+  const prod = parsePlanTargeting(fields["production"]?.mapValue?.fields);
+  if (!dev || !staging || !prod) return null;
+  return { development: dev, staging, production: prod };
+}
+function parsePlanTargeting(fields) {
+  if (!fields) return null;
+  return {
+    free: fields["free"]?.booleanValue ?? false,
+    pro: fields["pro"]?.booleanValue ?? false,
+    enterprise: fields["enterprise"]?.booleanValue ?? false
+  };
+}
+function extractDocumentId(resourceName) {
+  const parts = resourceName.split("/");
+  return parts[parts.length - 1] ?? resourceName;
+}
+var PLAN_STORAGE_KEY = "kontext:plan";
 var Kontext = class _Kontext {
   config;
   store;
@@ -2502,18 +4464,34 @@ var Kontext = class _Kontext {
   trustScorer;
   anomalyDetector;
   mode;
+  planManager;
+  exporter;
+  featureFlagManager;
   constructor(config) {
     this.config = config;
     this.mode = config.apiKey ? "cloud" : "local";
     this.store = new KontextStore();
+    if (config.metadataSchema && typeof config.metadataSchema.parse !== "function") {
+      throw new KontextError(
+        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+        "metadataSchema must have a parse() method"
+      );
+    }
     if (config.storage) {
       this.store.setStorageAdapter(config.storage);
     }
+    const planTier = config.plan ?? "free";
+    this.planManager = new PlanManager(planTier, void 0, config.seats ?? 1);
+    if (config.upgradeUrl) {
+      this.planManager.upgradeUrl = config.upgradeUrl;
+    }
+    this.exporter = config.exporter ?? new NoopExporter();
     this.logger = new ActionLogger(config, this.store);
     this.taskManager = new TaskManager(config, this.store);
     this.auditExporter = new AuditExporter(config, this.store);
     this.trustScorer = new TrustScorer(config, this.store);
     this.anomalyDetector = new AnomalyDetector(config, this.store);
+    this.featureFlagManager = config.featureFlags ? new FeatureFlagManager(config.featureFlags) : null;
   }
   /**
    * Initialize the Kontext SDK.
@@ -2585,6 +4563,24 @@ var Kontext = class _Kontext {
     };
   }
   // --------------------------------------------------------------------------
+  // Internal Helpers
+  // --------------------------------------------------------------------------
+  /**
+   * Validate metadata against the configured schema, if any.
+   * No-op when metadataSchema is not configured.
+   */
+  validateMetadata(metadata) {
+    if (!metadata || !this.config.metadataSchema) return;
+    try {
+      this.config.metadataSchema.parse(metadata);
+    } catch (err) {
+      throw new KontextError(
+        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+        `Metadata validation failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  // --------------------------------------------------------------------------
   // Action Logging
   // --------------------------------------------------------------------------
   /**
@@ -2594,10 +4590,17 @@ var Kontext = class _Kontext {
    * @returns The created action log entry
    */
   async log(input) {
+    this.validateMetadata(input.metadata);
     const action = await this.logger.log(input);
+    const limitExceeded = this.planManager.recordEvent();
+    if (limitExceeded) {
+      action.metadata = { ...action.metadata, limitExceeded: true };
+    }
     if (this.anomalyDetector.isEnabled()) {
       this.anomalyDetector.evaluateAction(action);
     }
+    this.exporter.export([action]).catch(() => {
+    });
     return action;
   }
   /**
@@ -2607,10 +4610,17 @@ var Kontext = class _Kontext {
    * @returns The created transaction record
    */
   async logTransaction(input) {
+    this.validateMetadata(input.metadata);
     const record = await this.logger.logTransaction(input);
+    const limitExceeded = this.planManager.recordEvent();
+    if (limitExceeded) {
+      record.metadata = { ...record.metadata, limitExceeded: true };
+    }
     if (this.anomalyDetector.isEnabled()) {
       this.anomalyDetector.evaluateTransaction(record);
     }
+    this.exporter.export([record]).catch(() => {
+    });
     return record;
   }
   /**
@@ -2629,6 +4639,7 @@ var Kontext = class _Kontext {
   async flush() {
     await this.logger.flush();
     await this.store.flush();
+    await this.exporter.flush();
   }
   /**
    * Restore state from the attached storage adapter.
@@ -2648,6 +4659,7 @@ var Kontext = class _Kontext {
    * @returns The created task
    */
   async createTask(input) {
+    this.validateMetadata(input.metadata);
     return this.taskManager.createTask(input);
   }
   /**
@@ -3033,13 +5045,110 @@ var Kontext = class _Kontext {
     };
     const hash = crypto$1.createHash("sha256");
     hash.update(JSON.stringify(certificateContent));
-    const signature = hash.digest("hex");
+    const contentHash = hash.digest("hex");
     return {
       ...certificateContent,
-      signature
+      contentHash
     };
   }
   // --------------------------------------------------------------------------
+  // Plan & Usage Metering
+  // --------------------------------------------------------------------------
+  /**
+   * Get current usage statistics for the plan.
+   *
+   * @returns Usage data including plan, event count, limits, and whether the limit is exceeded
+   */
+  getUsage() {
+    return this.planManager.getUsage();
+  }
+  /**
+   * Change the plan tier at runtime (e.g., after Stripe checkout succeeds).
+   *
+   * @param tier - The new plan tier
+   */
+  setPlan(tier) {
+    this.planManager.setPlan(tier);
+  }
+  /**
+   * Register a callback for when usage reaches 80% of the plan limit.
+   *
+   * @param callback - Function to call with the limit event
+   * @returns Unsubscribe function
+   */
+  onUsageWarning(callback) {
+    return this.planManager.onUsageWarning(callback);
+  }
+  /**
+   * Register a callback for when the plan event limit is reached.
+   *
+   * @param callback - Function to call with the limit event
+   * @returns Unsubscribe function
+   */
+  onLimitReached(callback) {
+    return this.planManager.onLimitReached(callback);
+  }
+  /**
+   * Get the URL for upgrading to the Pro plan.
+   *
+   * @returns The upgrade URL (configurable via init)
+   */
+  getUpgradeUrl() {
+    return this.planManager.upgradeUrl;
+  }
+  /**
+   * Get the URL for contacting the team about Enterprise pricing.
+   *
+   * @returns The enterprise contact URL
+   */
+  getEnterpriseContactUrl() {
+    return this.planManager.enterpriseContactUrl;
+  }
+  /**
+   * Persist plan metering state to the storage adapter.
+   * Call this alongside flush() to persist event counts across restarts.
+   */
+  async flushPlanState() {
+    const adapter = this.store.getStorageAdapter();
+    if (!adapter) return;
+    await adapter.save(PLAN_STORAGE_KEY, this.planManager.toJSON());
+  }
+  /**
+   * Restore plan metering state from the storage adapter.
+   * Call this after restore() to reload event counts.
+   */
+  async restorePlanState() {
+    const adapter = this.store.getStorageAdapter();
+    if (!adapter) return;
+    const data = await adapter.load(PLAN_STORAGE_KEY);
+    if (data && typeof data === "object" && data.tier && typeof data.eventCount === "number") {
+      this.planManager.setPlan(data.tier);
+      this.planManager.setEventCount(data.eventCount);
+      if (data.billingPeriodStart) {
+        this.planManager.resetBillingPeriod(new Date(data.billingPeriodStart));
+        this.planManager.setEventCount(data.eventCount);
+      }
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Feature Flags
+  // --------------------------------------------------------------------------
+  /**
+   * Check if a feature flag is enabled for the current environment and plan.
+   * Returns `false` if feature flags are not configured.
+   * Always synchronous — reads from in-memory cache.
+   */
+  isFeatureEnabled(flagName, environment, plan) {
+    if (!this.featureFlagManager) return false;
+    return this.featureFlagManager.isEnabled(flagName, environment, plan);
+  }
+  /**
+   * Get the underlying FeatureFlagManager (or null if not configured).
+   */
+  getFeatureFlagManager() {
+    return this.featureFlagManager;
+  }
+  // --------------------------------------------------------------------------
   // Lifecycle
   // --------------------------------------------------------------------------
   /**
@@ -3047,6 +5156,7 @@ var Kontext = class _Kontext {
    */
   async destroy() {
     await this.logger.destroy();
+    await this.exporter.shutdown();
   }
 };
 var MemoryStorage = class {
@@ -3074,20 +5184,20 @@ var MemoryStorage = class {
 var FileStorage = class {
   baseDir;
   constructor(baseDir) {
-    this.baseDir = path2__namespace.resolve(baseDir);
+    this.baseDir = path3__namespace.resolve(baseDir);
   }
   async save(key, data) {
-    fs2__namespace.mkdirSync(this.baseDir, { recursive: true });
+    fs3__namespace.mkdirSync(this.baseDir, { recursive: true });
     const filePath = this.keyToPath(key);
-    const dir = path2__namespace.dirname(filePath);
-    fs2__namespace.mkdirSync(dir, { recursive: true });
-    fs2__namespace.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
+    const dir = path3__namespace.dirname(filePath);
+    fs3__namespace.mkdirSync(dir, { recursive: true });
+    fs3__namespace.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
   }
   async load(key) {
     const filePath = this.keyToPath(key);
-    if (!fs2__namespace.existsSync(filePath)) return null;
+    if (!fs3__namespace.existsSync(filePath)) return null;
     try {
-      const raw = fs2__namespace.readFileSync(filePath, "utf-8");
+      const raw = fs3__namespace.readFileSync(filePath, "utf-8");
       return JSON.parse(raw);
     } catch {
       return null;
@@ -3095,12 +5205,12 @@ var FileStorage = class {
   }
   async delete(key) {
     const filePath = this.keyToPath(key);
-    if (fs2__namespace.existsSync(filePath)) {
-      fs2__namespace.unlinkSync(filePath);
+    if (fs3__namespace.existsSync(filePath)) {
+      fs3__namespace.unlinkSync(filePath);
     }
   }
   async list(prefix) {
-    if (!fs2__namespace.existsSync(this.baseDir)) return [];
+    if (!fs3__namespace.existsSync(this.baseDir)) return [];
     return this.listRecursive(this.baseDir, prefix);
   }
   /** Get the base directory path. */
@@ -3112,18 +5222,18 @@ var FileStorage = class {
   // --------------------------------------------------------------------------
   keyToPath(key) {
     const safeName = key.replace(/[<>"|?*]/g, "_");
-    return path2__namespace.join(this.baseDir, `${safeName}.json`);
+    return path3__namespace.join(this.baseDir, `${safeName}.json`);
   }
   pathToKey(filePath) {
-    const relative2 = path2__namespace.relative(this.baseDir, filePath);
+    const relative2 = path3__namespace.relative(this.baseDir, filePath);
     return relative2.replace(/\.json$/, "");
   }
   listRecursive(dir, prefix) {
     const keys = [];
-    if (!fs2__namespace.existsSync(dir)) return keys;
-    const entries = fs2__namespace.readdirSync(dir, { withFileTypes: true });
+    if (!fs3__namespace.existsSync(dir)) return keys;
+    const entries = fs3__namespace.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path2__namespace.join(dir, entry.name);
+      const fullPath = path3__namespace.join(dir, entry.name);
       if (entry.isDirectory()) {
         keys.push(...this.listRecursive(fullPath, prefix));
       } else if (entry.isFile() && entry.name.endsWith(".json")) {
@@ -3707,8 +5817,8 @@ var LiveCircleAdapter = class {
   constructor(apiKey) {
     this.apiKey = apiKey;
   }
-  async request(method, path3, body) {
-    const response = await fetch(`${this.baseUrl}${path3}`, {
+  async request(method, path4, body) {
+    const response = await fetch(`${this.baseUrl}${path4}`, {
       method,
       headers: {
         "Content-Type": "application/json",
@@ -4197,8 +6307,8 @@ var LiveComplianceAdapter = class {
   constructor(apiKey) {
     this.apiKey = apiKey;
   }
-  async request(method, path3, body) {
-    const response = await fetch(`${this.baseUrl}${path3}`, {
+  async request(method, path4, body) {
+    const response = await fetch(`${this.baseUrl}${path4}`, {
       method,
       headers: {
         "Content-Type": "application/json",
@@ -4565,8 +6675,8 @@ var LiveGasStationAdapter = class {
   constructor(apiKey) {
     this.apiKey = apiKey;
   }
-  async request(method, path3, body) {
-    const response = await fetch(`${this.baseUrl}${path3}`, {
+  async request(method, path4, body) {
+    const response = await fetch(`${this.baseUrl}${path4}`, {
       method,
       headers: {
         "Content-Type": "application/json",
@@ -4708,8 +6818,6 @@ var GasStationManager = class {
     return NATIVE_TOKENS[chain] ?? "ETH";
   }
 };
-
-// src/webhooks.ts
 var DEFAULT_RETRY_CONFIG = {
   maxRetries: 3,
   baseDelayMs: 1e3,
@@ -4774,15 +6882,25 @@ var WebhookManager = class {
   }
   /**
    * Get all registered webhooks.
+   * Secrets are redacted to prevent accidental exposure in logs or API responses.
    */
   getWebhooks() {
-    return Array.from(this.webhooks.values());
+    return Array.from(this.webhooks.values()).map((w) => ({
+      ...w,
+      secret: w.secret ? "***REDACTED***" : w.secret
+    }));
   }
   /**
    * Get a specific webhook by ID.
+   * The secret is redacted to prevent accidental exposure in logs or API responses.
    */
   getWebhook(webhookId) {
-    return this.webhooks.get(webhookId);
+    const webhook = this.webhooks.get(webhookId);
+    if (!webhook) return void 0;
+    return {
+      ...webhook,
+      secret: webhook.secret ? "***REDACTED***" : webhook.secret
+    };
   }
   /**
    * Get delivery results for a specific webhook or all webhooks.
@@ -4949,227 +7067,223 @@ var WebhookManager = class {
     };
   }
   async computeSignature(payload, secret) {
-    const { createHmac } = await import('crypto');
-    const hmac = createHmac("sha256", secret);
+    const hmac = crypto$1.createHmac("sha256", secret);
     hmac.update(JSON.stringify(payload));
     return hmac.digest("hex");
   }
   sleep(ms) {
-    return new Promise((resolve2) => setTimeout(resolve2, ms));
+    return new Promise((resolve3) => setTimeout(resolve3, ms));
+  }
+  /**
+   * Verify a webhook signature using constant-time comparison to prevent
+   * timing attacks. Use this in your webhook handler to validate incoming
+   * payloads from Kontext.
+   *
+   * @param payload - The raw JSON payload body (string)
+   * @param signature - The signature from the X-Kontext-Signature header
+   * @param secret - The webhook secret used during registration
+   * @returns Whether the signature is valid
+   *
+   * @example
+   * ```typescript
+   * const isValid = WebhookManager.verifySignature(
+   *   req.body, // raw JSON string
+   *   req.headers['x-kontext-signature'],
+   *   'my-webhook-secret',
+   * );
+   * if (!isValid) return res.status(401).send('Invalid signature');
+   * ```
+   */
+  static verifySignature(payload, signature, secret) {
+    const hmac = crypto$1.createHmac("sha256", secret);
+    hmac.update(payload);
+    const expected = hmac.digest("hex");
+    if (expected.length !== signature.length) {
+      return false;
+    }
+    return crypto$1.timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(signature, "hex"));
   }
 };
 
 // src/integrations/vercel-ai.ts
 function kontextMiddleware(kontext, options) {
-  const agentId = options?.agentId ?? "vercel-ai";
-  const logToolArgs = options?.logToolArgs ?? false;
-  const financialTools = options?.financialTools ?? [];
-  const defaultCurrency = options?.defaultCurrency ?? "USDC";
-  const trustThreshold = options?.trustThreshold;
-  const onBlocked = options?.onBlocked;
+  const cfg = {
+    agentId: options?.agentId ?? "vercel-ai",
+    logToolArgs: options?.logToolArgs ?? false,
+    financialTools: options?.financialTools ?? [],
+    defaultCurrency: options?.defaultCurrency ?? "USDC",
+    trustThreshold: options?.trustThreshold,
+    onBlocked: options?.onBlocked
+  };
   return {
-    /**
-     * Logs the AI request parameters before the model is invoked.
-     * Captures the operation type, model ID, tool count, and generation settings.
-     */
-    transformParams: async ({ params, type }) => {
-      const modelInfo = params["model"];
-      const tools = params["tools"];
-      await kontext.log({
-        type: `ai_${type}`,
-        description: `AI ${type} request to ${modelInfo?.modelId ?? "unknown"} model`,
-        agentId,
-        metadata: {
-          model: modelInfo?.modelId ?? "unknown",
-          toolCount: Array.isArray(tools) ? tools.length : 0,
-          maxTokens: params["maxTokens"] ?? null,
-          temperature: params["temperature"] ?? null,
-          operationType: type
-        }
-      });
-      return params;
-    },
-    /**
-     * Wraps synchronous generation (`generateText`, `generateObject`).
-     * After the model returns, logs every tool call individually and the
-     * overall response. For financial tools, automatically creates
-     * compliance-tracked transaction records.
-     */
-    wrapGenerate: async ({
-      doGenerate,
-      params
-    }) => {
-      const startTime = Date.now();
-      if (trustThreshold !== void 0) {
-        const trustScore = await kontext.getTrustScore(agentId);
-        if (trustScore.score < trustThreshold) {
-          await kontext.log({
-            type: "ai_blocked",
-            description: `AI generation blocked: agent trust score ${trustScore.score} below threshold ${trustThreshold}`,
-            agentId,
-            metadata: {
-              trustScore: trustScore.score,
-              trustLevel: trustScore.level,
-              threshold: trustThreshold
-            }
-          });
-          throw new Error(
-            `Kontext: AI generation blocked. Agent "${agentId}" trust score (${trustScore.score}) is below the required threshold (${trustThreshold}).`
-          );
-        }
-      }
-      const result = await doGenerate();
-      const duration = Date.now() - startTime;
-      const modelInfo = params["model"];
-      const toolCalls = result["toolCalls"];
-      if (toolCalls && toolCalls.length > 0) {
-        for (const toolCall of toolCalls) {
-          if (trustThreshold !== void 0 && financialTools.includes(toolCall.toolName)) {
-            const trustScore = await kontext.getTrustScore(agentId);
-            if (trustScore.score < trustThreshold) {
-              if (onBlocked) {
-                onBlocked({ toolName: toolCall.toolName, args: toolCall.args }, `Trust score ${trustScore.score} below threshold ${trustThreshold}`);
-              }
-              await kontext.log({
-                type: "ai_tool_blocked",
-                description: `Financial tool "${toolCall.toolName}" blocked: trust score ${trustScore.score} below threshold ${trustThreshold}`,
-                agentId,
-                metadata: {
-                  toolName: toolCall.toolName,
-                  trustScore: trustScore.score,
-                  threshold: trustThreshold
-                }
-              });
-              continue;
-            }
-          }
-          await kontext.log({
-            type: "ai_tool_call",
-            description: `Tool call: ${toolCall.toolName}`,
-            agentId,
-            metadata: {
-              toolName: toolCall.toolName,
-              args: logToolArgs ? toolCall.args : "[redacted]",
-              duration,
-              model: modelInfo?.modelId ?? "unknown"
-            }
+    transformParams: (ctx) => logTransformParams(kontext, cfg, ctx),
+    wrapGenerate: (ctx) => wrapGenerateWithAudit(kontext, cfg, ctx),
+    wrapStream: (ctx) => wrapStreamWithAudit(kontext, cfg, ctx)
+  };
+}
+async function logTransformParams(kontext, cfg, { params, type }) {
+  const modelInfo = params["model"];
+  const tools = params["tools"];
+  await kontext.log({
+    type: `ai_${type}`,
+    description: `AI ${type} request to ${modelInfo?.modelId ?? "unknown"} model`,
+    agentId: cfg.agentId,
+    metadata: {
+      model: modelInfo?.modelId ?? "unknown",
+      toolCount: Array.isArray(tools) ? tools.length : 0,
+      maxTokens: params["maxTokens"] ?? null,
+      temperature: params["temperature"] ?? null,
+      operationType: type
+    }
+  });
+  return params;
+}
+async function wrapGenerateWithAudit(kontext, cfg, { doGenerate, params }) {
+  const startTime = Date.now();
+  await enforceAgentTrustThreshold(kontext, cfg);
+  const result = await doGenerate();
+  const duration = Date.now() - startTime;
+  const modelId = extractModelId(params);
+  const toolCalls = result["toolCalls"];
+  if (toolCalls && toolCalls.length > 0) {
+    for (const toolCall of toolCalls) {
+      await processToolCall(kontext, cfg, toolCall, duration, modelId);
+    }
+  }
+  await logGenerateCompletion(kontext, cfg, result, duration, modelId, toolCalls?.length ?? 0);
+  return result;
+}
+async function wrapStreamWithAudit(kontext, cfg, { doStream, params }) {
+  const startTime = Date.now();
+  const modelId = extractModelId(params);
+  await kontext.log({
+    type: "ai_stream_start",
+    description: `AI stream started for model ${modelId}`,
+    agentId: cfg.agentId,
+    metadata: { model: modelId, operationType: "stream" }
+  });
+  const { stream, ...rest } = await doStream();
+  const toolCallsInStream = [];
+  const transformedStream = stream.pipeThrough(
+    new TransformStream({
+      transform(chunk, controller) {
+        controller.enqueue(chunk);
+        if (chunk["type"] === "tool-call") {
+          toolCallsInStream.push({
+            toolName: chunk["toolName"],
+            args: chunk["args"]
           });
-          if (financialTools.includes(toolCall.toolName)) {
-            const amount = extractAmount(toolCall.args);
-            if (amount !== null) {
-              await kontext.log({
-                type: "ai_financial_tool_call",
-                description: `Financial tool "${toolCall.toolName}" invoked with amount ${amount} ${defaultCurrency}`,
-                agentId,
-                metadata: {
-                  toolName: toolCall.toolName,
-                  amount: amount.toString(),
-                  currency: defaultCurrency,
-                  toolArgs: logToolArgs ? toolCall.args : "[redacted]"
-                }
-              });
-            }
-          }
         }
+      },
+      async flush() {
+        const duration = Date.now() - startTime;
+        await logStreamToolCalls(kontext, cfg, toolCallsInStream, duration, modelId);
+        await kontext.log({
+          type: "ai_stream_complete",
+          description: `AI stream completed in ${duration}ms with ${toolCallsInStream.length} tool call(s)`,
+          agentId: cfg.agentId,
+          metadata: { duration, toolCallCount: toolCallsInStream.length, model: modelId }
+        });
       }
-      const usage = result["usage"];
-      await kontext.log({
-        type: "ai_response",
-        description: `AI response completed in ${duration}ms`,
-        agentId,
-        metadata: {
-          duration,
-          toolCallCount: toolCalls?.length ?? 0,
-          finishReason: result["finishReason"] ?? "unknown",
-          promptTokens: usage?.promptTokens ?? null,
-          completionTokens: usage?.completionTokens ?? null,
-          totalTokens: usage?.totalTokens ?? null,
-          model: modelInfo?.modelId ?? "unknown"
-        }
-      });
-      return result;
-    },
-    /**
-     * Wraps streaming generation (`streamText`).
-     * Pipes the response stream through a transform that monitors for
-     * tool call chunks. On stream completion, logs the overall duration
-     * and any tool calls that occurred during the stream.
-     */
-    wrapStream: async ({
-      doStream,
-      params
-    }) => {
-      const startTime = Date.now();
-      const modelInfo = params["model"];
+    })
+  );
+  return { stream: transformedStream, ...rest };
+}
+function extractModelId(params) {
+  return params["model"]?.modelId ?? "unknown";
+}
+async function enforceAgentTrustThreshold(kontext, cfg) {
+  if (cfg.trustThreshold === void 0) return;
+  const trustScore = await kontext.getTrustScore(cfg.agentId);
+  if (trustScore.score < cfg.trustThreshold) {
+    await kontext.log({
+      type: "ai_blocked",
+      description: `AI generation blocked: agent trust score ${trustScore.score} below threshold ${cfg.trustThreshold}`,
+      agentId: cfg.agentId,
+      metadata: { trustScore: trustScore.score, trustLevel: trustScore.level, threshold: cfg.trustThreshold }
+    });
+    throw new Error(
+      `Kontext: AI generation blocked. Agent "${cfg.agentId}" trust score (${trustScore.score}) is below the required threshold (${cfg.trustThreshold}).`
+    );
+  }
+}
+async function processToolCall(kontext, cfg, toolCall, duration, modelId) {
+  if (cfg.trustThreshold !== void 0 && cfg.financialTools.includes(toolCall.toolName)) {
+    const trustScore = await kontext.getTrustScore(cfg.agentId);
+    if (trustScore.score < cfg.trustThreshold) {
+      cfg.onBlocked?.({ toolName: toolCall.toolName, args: toolCall.args }, `Trust score ${trustScore.score} below threshold ${cfg.trustThreshold}`);
       await kontext.log({
-        type: "ai_stream_start",
-        description: `AI stream started for model ${modelInfo?.modelId ?? "unknown"}`,
-        agentId,
-        metadata: {
-          model: modelInfo?.modelId ?? "unknown",
-          operationType: "stream"
-        }
+        type: "ai_tool_blocked",
+        description: `Financial tool "${toolCall.toolName}" blocked: trust score ${trustScore.score} below threshold ${cfg.trustThreshold}`,
+        agentId: cfg.agentId,
+        metadata: { toolName: toolCall.toolName, trustScore: trustScore.score, threshold: cfg.trustThreshold }
       });
-      const { stream, ...rest } = await doStream();
-      const toolCallsInStream = [];
-      const transformedStream = stream.pipeThrough(
-        new TransformStream({
-          transform(chunk, controller) {
-            controller.enqueue(chunk);
-            if (chunk["type"] === "tool-call") {
-              const toolName = chunk["toolName"];
-              const args = chunk["args"];
-              toolCallsInStream.push({ toolName, args });
-            }
-          },
-          async flush() {
-            const duration = Date.now() - startTime;
-            for (const toolCall of toolCallsInStream) {
-              await kontext.log({
-                type: "ai_tool_call",
-                description: `Tool call (stream): ${toolCall.toolName}`,
-                agentId,
-                metadata: {
-                  toolName: toolCall.toolName,
-                  args: logToolArgs ? toolCall.args : "[redacted]",
-                  duration,
-                  model: modelInfo?.modelId ?? "unknown",
-                  source: "stream"
-                }
-              });
-              if (financialTools.includes(toolCall.toolName)) {
-                const amount = extractAmount(toolCall.args);
-                if (amount !== null) {
-                  await kontext.log({
-                    type: "ai_financial_tool_call",
-                    description: `Financial tool "${toolCall.toolName}" invoked via stream with amount ${amount} ${defaultCurrency}`,
-                    agentId,
-                    metadata: {
-                      toolName: toolCall.toolName,
-                      amount: amount.toString(),
-                      currency: defaultCurrency,
-                      source: "stream"
-                    }
-                  });
-                }
-              }
-            }
-            await kontext.log({
-              type: "ai_stream_complete",
-              description: `AI stream completed in ${duration}ms with ${toolCallsInStream.length} tool call(s)`,
-              agentId,
-              metadata: {
-                duration,
-                toolCallCount: toolCallsInStream.length,
-                model: modelInfo?.modelId ?? "unknown"
-              }
-            });
-          }
-        })
-      );
-      return { stream: transformedStream, ...rest };
+      return;
     }
-  };
+  }
+  await kontext.log({
+    type: "ai_tool_call",
+    description: `Tool call: ${toolCall.toolName}`,
+    agentId: cfg.agentId,
+    metadata: {
+      toolName: toolCall.toolName,
+      args: cfg.logToolArgs ? toolCall.args : "[redacted]",
+      duration,
+      model: modelId
+    }
+  });
+  await logFinancialToolCall(kontext, cfg, toolCall);
+}
+async function logFinancialToolCall(kontext, cfg, toolCall, source) {
+  if (!cfg.financialTools.includes(toolCall.toolName)) return;
+  const amount = extractAmount(toolCall.args);
+  if (amount === null) return;
+  await kontext.log({
+    type: "ai_financial_tool_call",
+    description: `Financial tool "${toolCall.toolName}" invoked${source ? ` via ${source}` : ""} with amount ${amount} ${cfg.defaultCurrency}`,
+    agentId: cfg.agentId,
+    metadata: {
+      toolName: toolCall.toolName,
+      amount: amount.toString(),
+      currency: cfg.defaultCurrency,
+      ...cfg.logToolArgs ? { toolArgs: toolCall.args } : {},
+      ...source ? { source } : {}
+    }
+  });
+}
+async function logGenerateCompletion(kontext, cfg, result, duration, modelId, toolCallCount) {
+  const usage = result["usage"];
+  await kontext.log({
+    type: "ai_response",
+    description: `AI response completed in ${duration}ms`,
+    agentId: cfg.agentId,
+    metadata: {
+      duration,
+      toolCallCount,
+      finishReason: result["finishReason"] ?? "unknown",
+      promptTokens: usage?.promptTokens ?? null,
+      completionTokens: usage?.completionTokens ?? null,
+      totalTokens: usage?.totalTokens ?? null,
+      model: modelId
+    }
+  });
+}
+async function logStreamToolCalls(kontext, cfg, toolCalls, duration, modelId) {
+  for (const toolCall of toolCalls) {
+    await kontext.log({
+      type: "ai_tool_call",
+      description: `Tool call (stream): ${toolCall.toolName}`,
+      agentId: cfg.agentId,
+      metadata: {
+        toolName: toolCall.toolName,
+        args: cfg.logToolArgs ? toolCall.args : "[redacted]",
+        duration,
+        model: modelId,
+        source: "stream"
+      }
+    });
+    await logFinancialToolCall(kontext, cfg, toolCall, "stream");
+  }
 }
 function kontextWrapModel(model, kontext, options) {
   const middleware = kontextMiddleware(kontext, options);
@@ -5222,10 +7336,18 @@ function createKontextAI(model, input) {
   return { model: wrappedModel, kontext };
 }
 function withKontext(handler, options) {
+  const resolvedProjectId = options?.projectId ?? process.env["KONTEXT_PROJECT_ID"];
+  if (!resolvedProjectId) {
+    throw new Error("Kontext: projectId is required. Provide it via options or set KONTEXT_PROJECT_ID env var.");
+  }
+  const resolvedApiKey = options?.apiKey ?? process.env["KONTEXT_API_KEY"];
+  if (options?.apiKey !== void 0 && options.apiKey.trim() === "") {
+    throw new Error("Kontext: apiKey was provided but is empty.");
+  }
   const kontext = Kontext.init({
-    projectId: options?.projectId ?? process.env["KONTEXT_PROJECT_ID"] ?? "default",
+    projectId: resolvedProjectId,
     environment: options?.environment ?? (process.env["NODE_ENV"] === "production" ? "production" : "development"),
-    apiKey: options?.apiKey ?? process.env["KONTEXT_API_KEY"],
+    apiKey: resolvedApiKey,
     debug: options?.debug
   });
   const agentId = options?.agentId ?? "nextjs-route";
@@ -5323,22 +7445,408 @@ function generateRequestId() {
   return `req_${timestamp}-${random}`;
 }
 
+// src/integrations/cftc-compliance.ts
+var CFTCCompliance = class {
+  config;
+  collateralValuations = [];
+  segregationCalculations = [];
+  incidents = [];
+  constructor(config) {
+    this.config = {
+      minimumNonBtcEthHaircut: config?.minimumNonBtcEthHaircut ?? 0.2,
+      enableHaircutValidation: config?.enableHaircutValidation ?? true,
+      enableWeeklyReporting: config?.enableWeeklyReporting ?? false,
+      reportingStartDate: config?.reportingStartDate
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Collateral Valuation
+  // --------------------------------------------------------------------------
+  /**
+   * Log a collateral valuation for a digital asset held as customer margin.
+   *
+   * Validates the haircut percentage against CFTC requirements when
+   * `enableHaircutValidation` is true (default).
+   *
+   * @param input - Collateral valuation data (id and timestamp are auto-generated if omitted)
+   * @returns The stored CollateralValuation record
+   * @throws Error if haircut validation fails for the given asset type
+   */
+  logCollateralValuation(input) {
+    if (this.config.enableHaircutValidation) {
+      const validation = this.validateHaircut(input.assetType, input.haircutPercentage);
+      if (!validation.valid) {
+        throw new Error(
+          `Haircut validation failed: ${validation.message}`
+        );
+      }
+    }
+    const valuation = {
+      id: input.id ?? generateId(),
+      timestamp: input.timestamp ?? now(),
+      accountClass: input.accountClass,
+      assetType: input.assetType,
+      assetSymbol: input.assetSymbol,
+      quantity: input.quantity,
+      marketValue: input.marketValue,
+      haircutPercentage: input.haircutPercentage,
+      haircutValue: input.haircutValue,
+      netValue: input.netValue,
+      valuationMethod: input.valuationMethod,
+      agentId: input.agentId,
+      ...input.dcoReference !== void 0 && { dcoReference: input.dcoReference },
+      ...input.metadata !== void 0 && { metadata: input.metadata }
+    };
+    this.collateralValuations.push(valuation);
+    return valuation;
+  }
+  // --------------------------------------------------------------------------
+  // Segregation Calculations
+  // --------------------------------------------------------------------------
+  /**
+   * Log a daily segregation calculation for a given account class.
+   *
+   * @param input - Segregation calculation data (id and timestamp are auto-generated if omitted)
+   * @returns The stored SegregationCalculation record
+   */
+  logSegregationCalculation(input) {
+    const calculation = {
+      id: input.id ?? generateId(),
+      timestamp: input.timestamp ?? now(),
+      accountClass: input.accountClass,
+      totalCustomerFunds: input.totalCustomerFunds,
+      requiredAmount: input.requiredAmount,
+      excessDeficit: input.excessDeficit,
+      digitalAssetBreakdown: input.digitalAssetBreakdown,
+      residualInterest: input.residualInterest,
+      agentId: input.agentId,
+      ...input.metadata !== void 0 && { metadata: input.metadata }
+    };
+    this.segregationCalculations.push(calculation);
+    return calculation;
+  }
+  // --------------------------------------------------------------------------
+  // Incident Reporting
+  // --------------------------------------------------------------------------
+  /**
+   * Log an incident (cybersecurity, operational, system failure, or disruption).
+   *
+   * @param input - Incident data (id and timestamp are auto-generated if omitted)
+   * @returns The stored IncidentReport record
+   */
+  logIncident(input) {
+    const incident = {
+      id: input.id ?? generateId(),
+      timestamp: input.timestamp ?? now(),
+      severity: input.severity,
+      incidentType: input.incidentType,
+      description: input.description,
+      affectedSystems: input.affectedSystems,
+      resolutionStatus: input.resolutionStatus,
+      agentId: input.agentId,
+      ...input.affectedCustomerCount !== void 0 && {
+        affectedCustomerCount: input.affectedCustomerCount
+      },
+      ...input.financialImpact !== void 0 && {
+        financialImpact: input.financialImpact
+      },
+      ...input.metadata !== void 0 && { metadata: input.metadata }
+    };
+    this.incidents.push(incident);
+    return incident;
+  }
+  // --------------------------------------------------------------------------
+  // Report Generation
+  // --------------------------------------------------------------------------
+  /**
+   * Generate a weekly digital asset report aggregating collateral valuations
+   * for a given account class and date range.
+   *
+   * @param accountClass - The CFTC account class to report on
+   * @param periodStart - Start of the reporting period
+   * @param periodEnd - End of the reporting period
+   * @returns DigitalAssetReport with aggregated positions
+   */
+  generateWeeklyDigitalAssetReport(accountClass, periodStart, periodEnd) {
+    const filtered = this.collateralValuations.filter((v) => {
+      const ts = new Date(v.timestamp);
+      return v.accountClass === accountClass && ts >= periodStart && ts <= periodEnd;
+    });
+    const aggregationMap = /* @__PURE__ */ new Map();
+    for (const v of filtered) {
+      const key = `${v.assetType}:${v.assetSymbol}`;
+      const existing = aggregationMap.get(key);
+      if (existing) {
+        existing.totalQuantity += v.quantity;
+        existing.totalMarketValue += v.marketValue;
+        existing.totalHaircutValue += v.haircutValue;
+        existing.totalNetValue += v.netValue;
+      } else {
+        aggregationMap.set(key, {
+          assetType: v.assetType,
+          assetSymbol: v.assetSymbol,
+          totalQuantity: v.quantity,
+          totalMarketValue: v.marketValue,
+          totalHaircutValue: v.haircutValue,
+          totalNetValue: v.netValue
+        });
+      }
+    }
+    const assets = Array.from(aggregationMap.values());
+    const totalMarketValue = assets.reduce((sum, a) => sum + a.totalMarketValue, 0);
+    const totalNetValue = assets.reduce((sum, a) => sum + a.totalNetValue, 0);
+    return {
+      id: generateId(),
+      reportDate: now().split("T")[0],
+      reportPeriodStart: periodStart.toISOString(),
+      reportPeriodEnd: periodEnd.toISOString(),
+      accountClass,
+      assets,
+      totalMarketValue,
+      totalNetValue,
+      generatedAt: now()
+    };
+  }
+  /**
+   * Get the most recent segregation calculation for a given account class
+   * and date.
+   *
+   * @param accountClass - The CFTC account class
+   * @param date - The date to retrieve the calculation for
+   * @returns The most recent SegregationCalculation for that day, or undefined
+   */
+  generateDailySegregationReport(accountClass, date) {
+    const dateStr = date.toISOString().split("T")[0];
+    const matching = this.segregationCalculations.filter((c) => {
+      const cDate = c.timestamp.split("T")[0];
+      return c.accountClass === accountClass && cDate === dateStr;
+    });
+    if (matching.length === 0) return void 0;
+    return matching[matching.length - 1];
+  }
+  // --------------------------------------------------------------------------
+  // Query Methods
+  // --------------------------------------------------------------------------
+  /**
+   * Query collateral valuations with optional filters.
+   *
+   * @param filters - Optional filter criteria
+   * @returns Array of matching CollateralValuation records
+   */
+  getCollateralValuations(filters) {
+    if (!filters) return [...this.collateralValuations];
+    return this.collateralValuations.filter((v) => {
+      if (filters.accountClass && v.accountClass !== filters.accountClass) return false;
+      if (filters.assetType && v.assetType !== filters.assetType) return false;
+      if (filters.startDate) {
+        const ts = new Date(v.timestamp);
+        if (ts < filters.startDate) return false;
+      }
+      if (filters.endDate) {
+        const ts = new Date(v.timestamp);
+        if (ts > filters.endDate) return false;
+      }
+      return true;
+    });
+  }
+  /**
+   * Query incident reports with optional filters.
+   *
+   * @param filters - Optional filter criteria
+   * @returns Array of matching IncidentReport records
+   */
+  getIncidents(filters) {
+    if (!filters) return [...this.incidents];
+    return this.incidents.filter((i) => {
+      if (filters.severity && i.severity !== filters.severity) return false;
+      if (filters.status && i.resolutionStatus !== filters.status) return false;
+      if (filters.startDate) {
+        const ts = new Date(i.timestamp);
+        if (ts < filters.startDate) return false;
+      }
+      if (filters.endDate) {
+        const ts = new Date(i.timestamp);
+        if (ts > filters.endDate) return false;
+      }
+      return true;
+    });
+  }
+  /**
+   * Query segregation calculations with optional filters.
+   *
+   * @param filters - Optional filter criteria
+   * @returns Array of matching SegregationCalculation records
+   */
+  getSegregationCalculations(filters) {
+    if (!filters) return [...this.segregationCalculations];
+    return this.segregationCalculations.filter((c) => {
+      if (filters.accountClass && c.accountClass !== filters.accountClass) return false;
+      if (filters.startDate) {
+        const ts = new Date(c.timestamp);
+        if (ts < filters.startDate) return false;
+      }
+      if (filters.endDate) {
+        const ts = new Date(c.timestamp);
+        if (ts > filters.endDate) return false;
+      }
+      return true;
+    });
+  }
+  // --------------------------------------------------------------------------
+  // Haircut Validation
+  // --------------------------------------------------------------------------
+  /**
+   * Validate a haircut percentage against CFTC Letter 26-05 requirements.
+   *
+   * Rules:
+   * - Payment stablecoins: no minimum haircut required
+   * - BTC / ETH: no minimum (deferred to DCO haircut schedule)
+   * - Other digital assets: minimum 20% haircut required
+   *
+   * @param assetType - The digital asset type
+   * @param haircutPercentage - The proposed haircut (0.0 - 1.0)
+   * @returns HaircutValidationResult with validity, minimum, and message
+   */
+  validateHaircut(assetType, haircutPercentage) {
+    switch (assetType) {
+      case "payment_stablecoin":
+        return {
+          valid: true,
+          minimumRequired: 0,
+          message: "Payment stablecoins have no mandatory minimum haircut per CFTC Letter 26-05."
+        };
+      case "btc":
+        return {
+          valid: true,
+          minimumRequired: 0,
+          message: "BTC haircut deferred to DCO schedule per CFTC Letter 26-05."
+        };
+      case "eth":
+        return {
+          valid: true,
+          minimumRequired: 0,
+          message: "ETH haircut deferred to DCO schedule per CFTC Letter 26-05."
+        };
+      case "other_digital_asset": {
+        const minimum = this.config.minimumNonBtcEthHaircut;
+        const valid = haircutPercentage >= minimum;
+        return {
+          valid,
+          minimumRequired: minimum,
+          message: valid ? `Haircut of ${(haircutPercentage * 100).toFixed(1)}% meets the minimum ${(minimum * 100).toFixed(1)}% requirement for other digital assets.` : `Haircut of ${(haircutPercentage * 100).toFixed(1)}% is below the minimum ${(minimum * 100).toFixed(1)}% required for other digital assets per CFTC Letter 26-05.`
+        };
+      }
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Export
+  // --------------------------------------------------------------------------
+  /**
+   * Export CFTC compliance data in JSON or CSV format.
+   *
+   * @param options - Export options including format, report type, and filters
+   * @returns Formatted string (JSON or CSV)
+   */
+  exportCFTCReport(options) {
+    let data;
+    switch (options.reportType) {
+      case "weekly_digital_assets": {
+        const valuations = this.getCollateralValuations({
+          accountClass: options.accountClass,
+          startDate: options.startDate,
+          endDate: options.endDate
+        });
+        data = valuations.map((v) => ({
+          id: v.id,
+          timestamp: v.timestamp,
+          accountClass: v.accountClass,
+          assetType: v.assetType,
+          assetSymbol: v.assetSymbol,
+          quantity: v.quantity,
+          marketValue: v.marketValue,
+          haircutPercentage: v.haircutPercentage,
+          haircutValue: v.haircutValue,
+          netValue: v.netValue,
+          dcoReference: v.dcoReference ?? "",
+          valuationMethod: v.valuationMethod,
+          agentId: v.agentId
+        }));
+        break;
+      }
+      case "daily_segregation": {
+        const calculations = this.getSegregationCalculations({
+          accountClass: options.accountClass,
+          startDate: options.startDate,
+          endDate: options.endDate
+        });
+        data = calculations.map((c) => ({
+          id: c.id,
+          timestamp: c.timestamp,
+          accountClass: c.accountClass,
+          totalCustomerFunds: c.totalCustomerFunds,
+          requiredAmount: c.requiredAmount,
+          excessDeficit: c.excessDeficit,
+          digitalAssetBreakdown: JSON.stringify(c.digitalAssetBreakdown),
+          residualInterest: c.residualInterest,
+          agentId: c.agentId
+        }));
+        break;
+      }
+      case "incidents": {
+        const incidents = this.getIncidents({
+          startDate: options.startDate,
+          endDate: options.endDate
+        });
+        data = incidents.map((i) => ({
+          id: i.id,
+          timestamp: i.timestamp,
+          severity: i.severity,
+          incidentType: i.incidentType,
+          description: i.description,
+          affectedSystems: i.affectedSystems.join("; "),
+          affectedCustomerCount: i.affectedCustomerCount ?? "",
+          financialImpact: i.financialImpact ?? "",
+          resolutionStatus: i.resolutionStatus,
+          agentId: i.agentId
+        }));
+        break;
+      }
+    }
+    if (options.format === "json") {
+      return JSON.stringify(data, null, 2);
+    }
+    return toCsv(data);
+  }
+};
+
 exports.CCTPTransferManager = CCTPTransferManager;
+exports.CFTCCompliance = CFTCCompliance;
 exports.CircleComplianceEngine = CircleComplianceEngine;
 exports.CircleWalletManager = CircleWalletManager;
+exports.ConsoleExporter = ConsoleExporter;
 exports.DigestChain = DigestChain;
+exports.FeatureFlagManager = FeatureFlagManager;
 exports.FileStorage = FileStorage;
 exports.GasStationManager = GasStationManager;
+exports.HttpExporter = HttpExporter;
+exports.JsonFileExporter = JsonFileExporter;
 exports.Kontext = Kontext;
+exports.KontextCloudExporter = KontextCloudExporter;
 exports.KontextError = KontextError;
 exports.KontextErrorCode = KontextErrorCode;
 exports.MemoryStorage = MemoryStorage;
+exports.MultiExporter = MultiExporter;
+exports.NoopExporter = NoopExporter;
+exports.OFACSanctionsScreener = OFACSanctionsScreener;
+exports.PLAN_LIMITS = PLAN_LIMITS;
+exports.PlanManager = PlanManager;
 exports.UsdcCompliance = UsdcCompliance;
 exports.WebhookManager = WebhookManager;
 exports.createKontextAI = createKontextAI;
 exports.extractAmount = extractAmount;
 exports.kontextMiddleware = kontextMiddleware;
 exports.kontextWrapModel = kontextWrapModel;
+exports.ofacScreener = ofacScreener;
 exports.verifyExportedChain = verifyExportedChain;
 exports.withKontext = withKontext;
 //# sourceMappingURL=index.js.map