vesant-sdk 1.5.0 → 1.6.0

package/dist/compliance/index.mjs

@@ -222,7 +222,7 @@ function createConsoleLogger() {
 }
 
 // src/core/version.ts
-var SDK_VERSION = "1.5.0";
+var SDK_VERSION = "1.6.0";
 
 // src/shared/browser-utils.ts
 function generateUUID() {
@@ -510,6 +510,8 @@ var BaseClient = class {
           return new VesantError(message, "FORBIDDEN", 403);
         case 404:
           return new VesantError(message, "NOT_FOUND", 404);
+        case 409:
+          return new VesantError(message, "DUPLICATE_PROFILE", 409);
         case 429: {
           const retryAfter = data.retry_after || data.retryAfter;
           return new RateLimitError(retryAfter);
@@ -1436,17 +1438,34 @@ var ComplianceClient = class {
     const startTime = Date.now();
     this.validateRegistrationRequest(request);
     let geoVerification = null;
+    let cipherTextResult;
     try {
       if (this.config.debug) {
         this.logger.debug("Starting registration verification", { customerId: request.customerId });
       }
-      geoVerification = await this.geoClient.verifyIP({
-        ip_address: request.ipAddress,
-        user_id: request.customerId,
-        event_type: "registration",
-        device_fingerprint: request.deviceFingerprint
-      }, requestOptions);
-      const blockReasons = this.evaluateRegistrationBlock(geoVerification);
+      const customerData = request.cipherText ? {
+        full_name: request.fullName,
+        email: request.emailAddress,
+        phone: request.phoneNumber,
+        date_of_birth: request.dateOfBirth
+      } : void 0;
+      [cipherTextResult, geoVerification] = await Promise.all([
+        this.executeCipherTextValidation(
+          request.cipherText,
+          request.customerId,
+          "registration",
+          request.ipAddress,
+          customerData,
+          requestOptions
+        ),
+        this.geoClient.verifyIP({
+          ip_address: request.ipAddress,
+          user_id: request.customerId,
+          event_type: "registration",
+          device_fingerprint: request.deviceFingerprint
+        }, requestOptions)
+      ]);
+      const blockReasons = this.evaluateRegistrationBlock(geoVerification, cipherTextResult);
       if (blockReasons.length > 0) {
         if (this.config.debug) {
           this.logger.debug("Registration blocked at geo stage", { blockReasons });
@@ -1458,7 +1477,8 @@ var ComplianceClient = class {
           requiresKYC: false,
           requiresEDD: false,
           blockReasons,
-          processingTime: Date.now() - startTime
+          processingTime: Date.now() - startTime,
+          cipherTextValidation: cipherTextResult
         };
       }
       const profile = await this.riskClient.createProfile({
@@ -1493,7 +1513,8 @@ var ComplianceClient = class {
         requiresKYC,
         requiresEDD,
         blockReasons: [],
-        processingTime: Date.now() - startTime
+        processingTime: Date.now() - startTime,
+        cipherTextValidation: cipherTextResult
       };
     } catch (error) {
       if (this.config.debug) {
@@ -1521,7 +1542,7 @@ var ComplianceClient = class {
    * @param geoVerification - Geolocation verification result
    * @returns Array of block reasons (empty if allowed)
    */
-  evaluateRegistrationBlock(geoVerification) {
+  evaluateRegistrationBlock(geoVerification, cipherTextResult) {
     const blockReasons = [];
     if (geoVerification.is_blocked) {
       blockReasons.push(...geoVerification.risk_reasons);
@@ -1555,6 +1576,20 @@ var ComplianceClient = class {
         blockReasons.push("critical_risk_level");
       }
     }
+    if (cipherTextResult) {
+      if (!cipherTextResult.valid) {
+        blockReasons.push("ciphertext_validation_failed");
+      }
+      if (cipherTextResult.risk?.is_blocked) {
+        blockReasons.push(...cipherTextResult.risk.block_reasons || []);
+      }
+      if (cipherTextResult.risk?.location_mismatch) {
+        blockReasons.push("gps_ip_location_mismatch");
+      }
+    }
+    if (geoVerification.gps_required && !cipherTextResult) {
+      blockReasons.push("gps_verification_required");
+    }
     return [...new Set(blockReasons)];
   }
   /**
@@ -1685,7 +1720,15 @@ var ComplianceClient = class {
       if (this.config.debug) {
         this.logger.debug("Starting login verification", { customerId: request.customerId });
       }
-      const [geoVerification, profileResult] = await Promise.all([
+      const [cipherTextResult, geoVerification, profileResult] = await Promise.all([
+        this.executeCipherTextValidation(
+          request.cipherText,
+          request.customerId,
+          "login",
+          request.ipAddress,
+          void 0,
+          requestOptions
+        ),
         this.geoClient.verifyIP({
           ip_address: request.ipAddress,
           user_id: request.customerId,
@@ -1694,10 +1737,23 @@ var ComplianceClient = class {
         }, requestOptions),
         this.riskClient.getProfile(request.customerId, requestOptions).catch(() => null)
       ]);
+      const loginBlockReasons = this.getBlockReasons(geoVerification, profileResult || {}, cipherTextResult);
+      const isBlocked = !geoVerification.is_compliant || geoVerification.is_blocked || !!cipherTextResult?.risk?.is_blocked || cipherTextResult?.valid === false || geoVerification.gps_required && !cipherTextResult;
+      if (isBlocked && !profileResult) {
+        return {
+          allowed: false,
+          geolocation: geoVerification,
+          profile: null,
+          requiresStepUp: false,
+          blockReasons: loginBlockReasons,
+          processingTime: Date.now() - startTime,
+          cipherTextValidation: cipherTextResult
+        };
+      }
       let profile;
       if (profileResult) {
         profile = profileResult;
-        if (this.shouldUpdateProfile(profile, geoVerification.location.city)) {
+        if (!isBlocked && this.shouldUpdateProfile(profile, geoVerification.location.city)) {
           profile = await this.riskClient.updateProfile(profile.id, {
             last_recorded_activity: (/* @__PURE__ */ new Date()).toISOString(),
             location: `${geoVerification.location.city}, ${geoVerification.location.country}`,
@@ -1710,15 +1766,15 @@ var ComplianceClient = class {
         }
         profile = await this.createProfileFromGeo(request.customerId, geoVerification);
       }
-      const isAllowed = geoVerification.is_compliant && !geoVerification.is_blocked && profile.customer_status !== "suspended";
-      const requiresStepUp = geoVerification.risk_level === "high" || geoVerification.risk_level === "critical";
+      const requiresStepUp = geoVerification.risk_level === "high" || geoVerification.risk_level === "critical" || cipherTextResult?.risk?.location_mismatch === true;
       return {
-        allowed: isAllowed,
+        allowed: !isBlocked && profile.customer_status !== "suspended",
         geolocation: geoVerification,
         profile,
         requiresStepUp,
-        blockReasons: this.getBlockReasons(geoVerification, profile),
-        processingTime: Date.now() - startTime
+        blockReasons: isBlocked || profile.customer_status === "suspended" ? this.getBlockReasons(geoVerification, profile, cipherTextResult) : [],
+        processingTime: Date.now() - startTime,
+        cipherTextValidation: cipherTextResult
       };
     } catch (error) {
       throw new ComplianceError("Login verification failed", error instanceof Error ? error.message : void 0);
@@ -1765,27 +1821,55 @@ var ComplianceClient = class {
           currency: request.currency
         });
       }
-      const [geoVerification, profile] = await Promise.all([
+      const [cipherTextResult, geoVerification, profileResult] = await Promise.all([
+        this.executeCipherTextValidation(
+          request.cipherText,
+          request.customerId,
+          "transaction",
+          request.ipAddress,
+          void 0,
+          requestOptions
+        ),
         this.geoClient.verifyIP({
           ip_address: request.ipAddress,
           user_id: request.customerId,
           event_type: "transaction",
           device_fingerprint: request.deviceFingerprint
         }, requestOptions),
-        this.riskClient.getProfile(request.customerId, requestOptions)
+        this.riskClient.getProfile(request.customerId, requestOptions).catch(() => null)
       ]);
+      const geoBlocked = !geoVerification.is_compliant || geoVerification.is_blocked || !!cipherTextResult?.risk?.is_blocked || cipherTextResult?.valid === false || geoVerification.gps_required && !cipherTextResult;
+      if (geoBlocked && !profileResult) {
+        return {
+          allowed: false,
+          geolocation: geoVerification,
+          profile: null,
+          transactionRisk: { score: 0, level: "low", factors: [], allowed: false, requiresManualReview: false },
+          requiresApproval: false,
+          blockReasons: this.getTransactionBlockReasons(
+            geoVerification,
+            { score: 0, level: "low", factors: [], allowed: false, requiresManualReview: false },
+            true,
+            cipherTextResult
+          ),
+          processingTime: Date.now() - startTime,
+          cipherTextValidation: cipherTextResult
+        };
+      }
+      const profile = profileResult;
       const transactionRisk = this.calculateTransactionRisk(
         request.amount,
         request.currency,
         geoVerification,
-        profile
+        profile,
+        cipherTextResult
       );
       const jurisdictionAllowed = this.checkJurisdictionLimits(
         request.amount,
         request.currency,
         geoVerification.jurisdiction
       );
-      const isAllowed = geoVerification.is_compliant && !geoVerification.is_blocked && jurisdictionAllowed && transactionRisk.allowed;
+      const isAllowed = !geoBlocked && jurisdictionAllowed && transactionRisk.allowed && profile.customer_status !== "suspended";
       return {
         allowed: isAllowed,
         geolocation: geoVerification,
@@ -1795,9 +1879,11 @@ var ComplianceClient = class {
         blockReasons: this.getTransactionBlockReasons(
           geoVerification,
           transactionRisk,
-          jurisdictionAllowed
+          jurisdictionAllowed,
+          cipherTextResult
         ),
-        processingTime: Date.now() - startTime
+        processingTime: Date.now() - startTime,
+        cipherTextValidation: cipherTextResult
       };
     } catch (error) {
       throw new ComplianceError("Transaction verification failed", error instanceof Error ? error.message : void 0);
@@ -1812,12 +1898,22 @@ var ComplianceClient = class {
   async verifyEvent(request, requestOptions) {
     const startTime = Date.now();
     this.validateEventRequest(request);
-    const geoVerification = await this.geoClient.verifyIP({
-      ip_address: request.ipAddress,
-      user_id: request.customerId,
-      event_type: request.eventType,
-      device_fingerprint: request.deviceFingerprint
-    }, requestOptions);
+    const [cipherTextResult, geoVerification] = await Promise.all([
+      this.executeCipherTextValidation(
+        request.cipherText,
+        request.customerId,
+        request.eventType,
+        request.ipAddress,
+        void 0,
+        requestOptions
+      ),
+      this.geoClient.verifyIP({
+        ip_address: request.ipAddress,
+        user_id: request.customerId,
+        event_type: request.eventType,
+        device_fingerprint: request.deviceFingerprint
+      }, requestOptions)
+    ]);
     if (this.config.autoCreateProfiles) {
       try {
         const profile = await this.riskClient.getProfile(request.customerId, requestOptions);
@@ -1830,11 +1926,26 @@ var ComplianceClient = class {
         }
       }
     }
+    const cipherTextBlocked = cipherTextResult ? !cipherTextResult.valid || cipherTextResult.risk?.is_blocked === true : false;
+    const blockReasons = [...geoVerification.risk_reasons];
+    if (cipherTextResult) {
+      if (!cipherTextResult.valid) {
+        blockReasons.push("ciphertext_validation_failed");
+      }
+      if (cipherTextResult.risk?.is_blocked) {
+        blockReasons.push(...cipherTextResult.risk.block_reasons || []);
+      }
+    }
+    const gpsBlocked = geoVerification.gps_required && !cipherTextResult;
+    if (gpsBlocked) {
+      blockReasons.push("gps_verification_required");
+    }
     return {
-      allowed: geoVerification.is_compliant && !geoVerification.is_blocked,
+      allowed: geoVerification.is_compliant && !geoVerification.is_blocked && !cipherTextBlocked && !gpsBlocked,
       geolocation: geoVerification,
-      blockReasons: geoVerification.risk_reasons,
-      processingTime: Date.now() - startTime
+      blockReasons: [...new Set(blockReasons)],
+      processingTime: Date.now() - startTime,
+      cipherTextValidation: cipherTextResult
     };
   }
   // ============================================================================
@@ -1863,7 +1974,29 @@ var ComplianceClient = class {
       kyc_status: "pending"
     });
   }
-  calculateTransactionRisk(amount, currency, geoVerification, profile) {
+  /**
+   * Execute cipherText validation with graceful degradation.
+   * Returns undefined if cipherText is not provided or validation fails.
+   */
+  async executeCipherTextValidation(cipherText, userId, eventType, ipAddress, customerData, requestOptions) {
+    if (!cipherText) return void 0;
+    try {
+      return await this.geoClient.validateCipherText(
+        cipherText,
+        userId,
+        eventType,
+        ipAddress,
+        customerData,
+        requestOptions
+      );
+    } catch (err) {
+      this.logger.warn("CipherText validation failed, proceeding with IP-only", {
+        error: err instanceof Error ? err.message : "Unknown error"
+      });
+      return void 0;
+    }
+  }
+  calculateTransactionRisk(amount, currency, geoVerification, profile, cipherTextResult) {
     if (!this._currencyRatesCustomized && !this._currencyRatesWarned) {
       this._currencyRatesWarned = true;
       this.logger.warn(
@@ -1896,6 +2029,15 @@ var ComplianceClient = class {
       riskScore += 50;
       factors.push("account_suspended");
     }
+    if (cipherTextResult) {
+      if (cipherTextResult.risk?.location_mismatch) {
+        riskScore += 20;
+        factors.push("gps_ip_location_mismatch");
+      }
+      if (cipherTextResult.risk?.score) {
+        riskScore += cipherTextResult.risk.score * 0.2;
+      }
+    }
     return {
       score: Math.min(riskScore, 100),
       level: this.getRiskLevel(riskScore),
@@ -1921,7 +2063,7 @@ var ComplianceClient = class {
     if (score >= 40) return "medium";
     return "low";
   }
-  getBlockReasons(geoVerification, profile) {
+  getBlockReasons(geoVerification, profile, cipherTextResult) {
     const reasons = [];
     if (geoVerification.is_blocked) {
       reasons.push(...geoVerification.risk_reasons);
@@ -1932,9 +2074,20 @@ var ComplianceClient = class {
     if (profile.has_sanctions) {
       reasons.push("sanctions_match");
     }
-    return reasons;
+    if (cipherTextResult) {
+      if (!cipherTextResult.valid) {
+        reasons.push("ciphertext_validation_failed");
+      }
+      if (cipherTextResult.risk?.is_blocked) {
+        reasons.push(...cipherTextResult.risk.block_reasons || []);
+      }
+    }
+    if (geoVerification.gps_required && !cipherTextResult) {
+      reasons.push("gps_verification_required");
+    }
+    return [...new Set(reasons)];
   }
-  getTransactionBlockReasons(geoVerification, transactionRisk, jurisdictionAllowed) {
+  getTransactionBlockReasons(geoVerification, transactionRisk, jurisdictionAllowed, cipherTextResult) {
     const reasons = [];
     if (!geoVerification.is_compliant) {
       reasons.push("non_compliant_jurisdiction");
@@ -1945,7 +2098,18 @@ var ComplianceClient = class {
     if (!transactionRisk.allowed) {
       reasons.push(...transactionRisk.factors);
     }
-    return reasons;
+    if (cipherTextResult) {
+      if (!cipherTextResult.valid) {
+        reasons.push("ciphertext_validation_failed");
+      }
+      if (cipherTextResult.risk?.is_blocked) {
+        reasons.push(...cipherTextResult.risk.block_reasons || []);
+      }
+    }
+    if (geoVerification.gps_required && !cipherTextResult) {
+      reasons.push("gps_verification_required");
+    }
+    return [...new Set(reasons)];
   }
   // ============================================================================
   // Location Request Methods