@aion0/bastion 0.1.7

package/dist/plugins/adapter.js

@@ -0,0 +1,116 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toProxyRequest = toProxyRequest;
+exports.toProxyResponseFromIntercept = toProxyResponseFromIntercept;
+exports.toProxyResponseFromComplete = toProxyResponseFromComplete;
+exports.adaptPlugin = adaptPlugin;
+const logger_js_1 = require("../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('plugin-adapter');
+/** Convert internal RequestContext to public ProxyRequest (strip internal flags) */
+function toProxyRequest(ctx) {
+    return {
+        id: ctx.id,
+        provider: ctx.provider,
+        model: ctx.model,
+        method: ctx.method,
+        path: ctx.path,
+        headers: Object.freeze({ ...ctx.headers }),
+        body: ctx.body,
+        parsedBody: Object.freeze({ ...ctx.parsedBody }),
+        isStreaming: ctx.isStreaming,
+        sessionId: ctx.sessionId,
+    };
+}
+/** Convert internal ResponseInterceptContext to public ProxyResponse (no usage/latency available) */
+function toProxyResponseFromIntercept(ctx) {
+    return {
+        request: toProxyRequest(ctx.request),
+        statusCode: ctx.statusCode,
+        headers: Object.freeze({}),
+        body: ctx.body,
+        parsedBody: ctx.parsedBody ? Object.freeze({ ...ctx.parsedBody }) : null,
+        isStreaming: ctx.isStreaming,
+    };
+}
+/** Convert internal ResponseCompleteContext to public ProxyResponse (with usage/latency) */
+function toProxyResponseFromComplete(ctx) {
+    return {
+        request: toProxyRequest(ctx.request),
+        statusCode: ctx.statusCode,
+        headers: Object.freeze({}),
+        body: ctx.body,
+        parsedBody: ctx.parsedBody ? Object.freeze({ ...ctx.parsedBody }) : null,
+        isStreaming: ctx.isStreaming,
+        usage: ctx.usage ? { inputTokens: ctx.usage.inputTokens, outputTokens: ctx.usage.outputTokens } : undefined,
+        latencyMs: ctx.latencyMs,
+    };
+}
+/** Persist PluginResult.events to DB */
+function persistEvents(pluginName, requestId, result, repo) {
+    if (!result?.events?.length)
+        return;
+    for (const event of result.events) {
+        try {
+            repo.insertEvent(pluginName, requestId, event);
+        }
+        catch (err) {
+            log.warn('Failed to persist plugin event', { plugin: pluginName, error: err.message });
+        }
+    }
+}
+/** Convert public PluginResult to internal PluginRequestResult */
+function toPluginRequestResult(result) {
+    if (!result)
+        return {};
+    if (result.action === 'block') {
+        return { blocked: { reason: `Blocked by plugin` } };
+    }
+    return {};
+}
+/** Convert public PluginResult to internal PluginResponseResult */
+function toPluginResponseResult(result) {
+    if (!result)
+        return {};
+    if (result.action === 'block') {
+        return { blocked: { reason: `Blocked by plugin` } };
+    }
+    return {};
+}
+/** Adapt an external BastionPlugin to the internal Plugin interface */
+function adaptPlugin(external, priority, repo, packageName) {
+    const plugin = {
+        name: external.name,
+        priority,
+        version: external.version,
+        apiVersion: external.apiVersion,
+        source: 'external',
+        packageName,
+    };
+    if (external.onRequest) {
+        const originalOnRequest = external.onRequest.bind(external);
+        plugin.onRequest = async (ctx) => {
+            const proxyReq = toProxyRequest(ctx);
+            const result = await originalOnRequest(proxyReq);
+            persistEvents(external.name, ctx.id, result, repo);
+            return toPluginRequestResult(result);
+        };
+    }
+    if (external.onResponse) {
+        const originalOnResponse = external.onResponse.bind(external);
+        plugin.onResponse = async (ctx) => {
+            const proxyRes = toProxyResponseFromIntercept(ctx);
+            const result = await originalOnResponse(proxyRes);
+            persistEvents(external.name, ctx.request.id, result, repo);
+            return toPluginResponseResult(result);
+        };
+    }
+    if (external.onResponseComplete) {
+        const originalOnResponseComplete = external.onResponseComplete.bind(external);
+        plugin.onResponseComplete = async (ctx) => {
+            const proxyRes = toProxyResponseFromComplete(ctx);
+            await originalOnResponseComplete(proxyRes);
+        };
+    }
+    return plugin;
+}
+//# sourceMappingURL=adapter.js.map

package/dist/plugins/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../src/plugins/adapter.ts"],"names":[],"mappings":";;AAQA,wCAaC;AAGD,oEASC;AAGD,kEAWC;AAsCD,kCA4CC;AA9HD,kDAAkD;AAElD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,gBAAgB,CAAC,CAAC;AAE3C,oFAAoF;AACpF,SAAgB,cAAc,CAAC,GAAmB;IAChD,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC;QAChD,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED,qGAAqG;AACrG,SAAgB,4BAA4B,CAAC,GAA6B;IACxE,OAAO;QACL,OAAO,EAAE,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC;QACpC,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI;QACxE,WAAW,EAAE,GAAG,CAAC,WAAW;KAC7B,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,SAAgB,2BAA2B,CAAC,GAA4B;IACtE,OAAO;QACL,OAAO,EAAE,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC;QACpC,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI;QACxE,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS;QAC3G,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED,wCAAwC;AACxC,SAAS,aAAa,CACpB,UAAkB,EAClB,SAAwB,EACxB,MAA2B,EAC3B,IAA4B;IAE5B,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM;QAAE,OAAO;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpG,CAAC;IACH,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,SAAS,qBAAqB,CAAC,MAA2B;IACxD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC9B,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,EAAE,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,mEAAmE;AACnE,SAAS,sBAAsB,CAAC,MAA2B;IACzD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC9B,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,EAAE,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,uEAAuE;AACvE,SAAgB,WAAW,CACzB,QAAuB,EACvB,QAAgB,EAChB,IAA4B,EAC5B,WAAoB;IAEpB,MAAM,MAAM,GAAW;QACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ;QACR,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,MAAM,EAAE,UAAU;QAClB,WAAW;KACZ,CAAC;IAEF,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,iBAAiB,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5D,MAAM,CAAC,SAAS,GAAG,KAAK,EAAE,GAAmB,EAAE,EAAE;YAC/C,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACjD,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YACnD,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,kBAAkB,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9D,MAAM,CAAC,UAAU,GAAG,KAAK,EAAE,GAA6B,EAAE,EAAE;YAC1D,MAAM,QAAQ,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAClD,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAC3D,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC,kBAAkB,EAAE,CAAC;QAChC,MAAM,0BAA0B,GAAG,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9E,MAAM,CAAC,kBAAkB,GAAG,KAAK,EAAE,GAA4B,EAAE,EAAE;YACjE,MAAM,QAAQ,GAAG,2BAA2B,CAAC,GAAG,CAAC,CAAC;YAClD,MAAM,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/plugins/builtin/audit-logger.d.ts

@@ -0,0 +1,9 @@
+import type { Plugin } from '../types.js';
+import type Database from 'better-sqlite3';
+export interface AuditLoggerConfig {
+    rawData: boolean;
+    rawMaxBytes: number;
+    summaryMaxBytes: number;
+}
+export declare function createAuditLoggerPlugin(db: Database.Database, config: AuditLoggerConfig): Plugin;
+//# sourceMappingURL=audit-logger.d.ts.map

package/dist/plugins/builtin/audit-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../../src/plugins/builtin/audit-logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAgE,MAAM,aAAa,CAAC;AAIxG,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAI3C,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,uBAAuB,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAiDhG"}

package/dist/plugins/builtin/audit-logger.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuditLoggerPlugin = createAuditLoggerPlugin;
+const audit_log_js_1 = require("../../storage/repositories/audit-log.js");
+const classify_js_1 = require("../../proxy/providers/classify.js");
+const logger_js_1 = require("../../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('audit-plugin');
+function createAuditLoggerPlugin(db, config) {
+    const auditRepo = new audit_log_js_1.AuditLogRepository(db);
+    // Store request bodies temporarily until response is complete
+    const pendingRequests = new Map();
+    return {
+        name: 'audit-logger',
+        priority: 25,
+        version: '1.0.0',
+        apiVersion: 2,
+        async onRequest(context) {
+            // Capture request body for later storage
+            pendingRequests.set(context.id, context.body);
+        },
+        async onResponseComplete(context) {
+            const requestBody = pendingRequests.get(context.request.id) ?? '';
+            pendingRequests.delete(context.request.id);
+            // Skip high-frequency polling requests — unless DLP flagged sensitive data
+            if ((0, classify_js_1.isPollingRequest)(context.request.provider, context.request.path) && !context.request.dlpHit)
+                return;
+            try {
+                // Avoid duplicates — DLP auto-audit may have already stored this request
+                if (auditRepo.hasEntry(context.request.id))
+                    return;
+                // Read flags set by upstream plugins during onRequest/onResponse/onResponseComplete
+                const dlpHit = Boolean(context.request.dlpHit);
+                const toolGuardHit = Boolean(context.request.toolGuardHit);
+                auditRepo.insert({
+                    id: crypto.randomUUID(),
+                    request_id: context.request.id,
+                    requestBody,
+                    responseBody: context.body,
+                    dlpHit,
+                    toolGuardHit,
+                    rawData: config.rawData,
+                    rawMaxBytes: config.rawMaxBytes,
+                    summaryMaxBytes: config.summaryMaxBytes,
+                });
+                log.debug('Audit entry stored', { requestId: context.request.id });
+            }
+            catch (err) {
+                log.warn('Failed to store audit entry', { error: err.message });
+            }
+        },
+    };
+}
+//# sourceMappingURL=audit-logger.js.map

package/dist/plugins/builtin/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../../src/plugins/builtin/audit-logger.ts"],"names":[],"mappings":";;AAcA,0DAiDC;AA9DD,0EAA6E;AAC7E,mEAAqE;AACrE,qDAAqD;AAGrD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,cAAc,CAAC,CAAC;AAQzC,SAAgB,uBAAuB,CAAC,EAAqB,EAAE,MAAyB;IACtF,MAAM,SAAS,GAAG,IAAI,iCAAkB,CAAC,EAAE,CAAC,CAAC;IAE7C,8DAA8D;IAC9D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAElD,OAAO;QACL,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,CAAC;QAEb,KAAK,CAAC,SAAS,CAAC,OAAuB;YACrC,yCAAyC;YACzC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,CAAC,kBAAkB,CAAC,OAAgC;YACvD,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;YAClE,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAE3C,2EAA2E;YAC3E,IAAI,IAAA,8BAAgB,EAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM;gBAAE,OAAO;YAExG,IAAI,CAAC;gBACH,yEAAyE;gBACzE,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBAAE,OAAO;gBAEnD,oFAAoF;gBACpF,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;gBAE3D,SAAS,CAAC,MAAM,CAAC;oBACf,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;oBACvB,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC9B,WAAW;oBACX,YAAY,EAAE,OAAO,CAAC,IAAI;oBAC1B,MAAM;oBACN,YAAY;oBACZ,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;iBACxC,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YACrE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/builtin/dlp-scanner.d.ts

@@ -0,0 +1,19 @@
+import type { Plugin } from '../types.js';
+import type { DlpAction } from '../../dlp/actions.js';
+import { type AiValidatorConfig } from '../../dlp/ai-validator.js';
+import type Database from 'better-sqlite3';
+export interface DlpScannerConfig {
+    action: DlpAction;
+    patterns: string[];
+    remotePatterns?: {
+        url: string;
+        branch: string;
+        syncOnStart: boolean;
+        syncIntervalMinutes: number;
+    };
+    aiValidation?: AiValidatorConfig;
+    /** Live getter for action — when provided, overrides static `action` field */
+    getAction?: () => DlpAction;
+}
+export declare function createDlpScannerPlugin(db: Database.Database, config: DlpScannerConfig): Plugin;
+//# sourceMappingURL=dlp-scanner.d.ts.map

package/dist/plugins/builtin/dlp-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlp-scanner.d.ts","sourceRoot":"","sources":["../../../src/plugins/builtin/dlp-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,MAAM,EAMP,MAAM,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAItD,OAAO,EAAe,KAAK,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAShF,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAM3C,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,OAAO,CAAC;QACrB,mBAAmB,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,YAAY,CAAC,EAAE,iBAAiB,CAAC;IACjC,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,SAAS,CAAC;CAC7B;AAiBD,wBAAgB,sBAAsB,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,GAAG,MAAM,CA+Q9F"}

package/dist/plugins/builtin/dlp-scanner.js

@@ -0,0 +1,284 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDlpScannerPlugin = createDlpScannerPlugin;
+const engine_js_1 = require("../../dlp/engine.js");
+const dlp_events_js_1 = require("../../storage/repositories/dlp-events.js");
+const dlp_patterns_js_1 = require("../../storage/repositories/dlp-patterns.js");
+const audit_log_js_1 = require("../../storage/repositories/audit-log.js");
+const ai_validator_js_1 = require("../../dlp/ai-validator.js");
+const high_confidence_js_1 = require("../../dlp/patterns/high-confidence.js");
+const validated_js_1 = require("../../dlp/patterns/validated.js");
+const context_aware_js_1 = require("../../dlp/patterns/context-aware.js");
+const prompt_injection_js_1 = require("../../dlp/patterns/prompt-injection.js");
+const remote_sync_js_1 = require("../../dlp/remote-sync.js");
+const message_cache_js_1 = require("../../dlp/message-cache.js");
+const classify_js_1 = require("../../proxy/providers/classify.js");
+const logger_js_1 = require("../../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('dlp-plugin');
+const SNIPPET_CONTEXT = 25; // chars of context on each side of match
+/**
+ * Extract a context snippet around the first match in the text.
+ * Returns up to 50 chars of context centered on the match.
+ */
+function extractSnippet(text, match) {
+    const idx = text.indexOf(match);
+    if (idx === -1)
+        return match.slice(0, 50);
+    const start = Math.max(0, idx - SNIPPET_CONTEXT);
+    const end = Math.min(text.length, idx + match.length + SNIPPET_CONTEXT);
+    let snippet = text.slice(start, end);
+    if (start > 0)
+        snippet = '...' + snippet;
+    if (end < text.length)
+        snippet = snippet + '...';
+    return snippet;
+}
+function createDlpScannerPlugin(db, config) {
+    const dlpRepo = new dlp_events_js_1.DlpEventsRepository(db);
+    const patternsRepo = new dlp_patterns_js_1.DlpPatternsRepository(db);
+    const auditRepo = new audit_log_js_1.AuditLogRepository(db);
+    const getAction = () => config.getAction ? config.getAction() : config.action;
+    // AI validation — optional, default off
+    const aiValidator = config.aiValidation
+        ? new ai_validator_js_1.AiValidator(config.aiValidation)
+        : null;
+    // Message-level DLP cache — avoids re-scanning repeated conversation history
+    const messageCache = new message_cache_js_1.DlpMessageCache();
+    // Seed built-in patterns from the 3 pattern files
+    const allBuiltins = [
+        ...high_confidence_js_1.highConfidencePatterns,
+        ...validated_js_1.validatedPatterns,
+        ...context_aware_js_1.contextAwarePatterns,
+        ...prompt_injection_js_1.promptInjectionPatterns,
+    ];
+    patternsRepo.seedBuiltins(allBuiltins, config.patterns);
+    // Sync remote patterns from signature repo (if configured)
+    if (config.remotePatterns?.url) {
+        if (config.remotePatterns.syncOnStart !== false) {
+            try {
+                (0, remote_sync_js_1.syncRemotePatterns)(config.remotePatterns, patternsRepo, config.patterns);
+            }
+            catch (err) {
+                log.warn('Remote pattern sync failed on startup', { error: err.message });
+            }
+        }
+        if (config.remotePatterns.syncIntervalMinutes > 0) {
+            (0, remote_sync_js_1.startPeriodicSync)(config.remotePatterns, patternsRepo, config.patterns);
+        }
+    }
+    return {
+        name: 'dlp-scanner',
+        priority: 20,
+        version: '1.0.0',
+        apiVersion: 2,
+        // ── Request-side: scan outgoing requests to LLM ──
+        async onRequest(context) {
+            // GET/HEAD have no meaningful request body to scan
+            if (context.method === 'GET' || context.method === 'HEAD')
+                return;
+            const patterns = patternsRepo.getEnabled();
+            const result = messageCache.scanWithCache(context.body, context.parsedBody, patterns, getAction());
+            if (result.findings.length === 0)
+                return;
+            // AI validation: only validate NEW findings (cached ones were already validated)
+            if (aiValidator?.ready && result.newFindings.length > 0) {
+                result.newFindings = await aiValidator.validate(result.newFindings, context.body);
+                // Rebuild combined findings
+                result.findings = [...result.newFindings, ...result.cachedFindings];
+                if (result.findings.length === 0)
+                    return;
+            }
+            // Record DLP events — only for NEW findings to avoid duplicate records
+            for (const finding of result.newFindings) {
+                const firstMatch = finding.matches[0] ?? '';
+                const originalSnippet = extractSnippet(context.body, firstMatch);
+                let redactedSnippet = null;
+                if (result.action === 'redact' && result.redactedBody) {
+                    const redactedTag = `[${finding.patternName.toUpperCase()}_REDACTED]`;
+                    redactedSnippet = extractSnippet(result.redactedBody, redactedTag);
+                }
+                dlpRepo.insert({
+                    id: crypto.randomUUID(),
+                    request_id: context.id,
+                    pattern_name: finding.patternName,
+                    pattern_category: finding.patternCategory,
+                    action: result.action,
+                    match_count: finding.matchCount,
+                    original_snippet: originalSnippet,
+                    redacted_snippet: redactedSnippet,
+                });
+            }
+            log.info('DLP findings', {
+                requestId: context.id,
+                action: result.action,
+                newFindings: result.newFindings.map((f) => f.patternName),
+                cachedFindings: result.cachedFindings.map((f) => f.patternName),
+                totalFindings: result.findings.length,
+            });
+            // Set DLP flags on context for downstream plugins (audit-logger, metrics-collector)
+            // Only count new findings for dlpHit to avoid noise in audit logs
+            context.dlpHit = result.newFindings.length > 0;
+            context.dlpAction = result.action;
+            context.dlpFindings = result.newFindings.length;
+            // Auto-audit on DLP hit — only for new findings
+            if (result.action === 'block') {
+                const allPatterns = result.findings.map((f) => f.patternName).join(', ');
+                const blockReason = `Request blocked: sensitive data detected (${allPatterns})`;
+                if (result.newFindings.length > 0) {
+                    try {
+                        auditRepo.insert({
+                            id: crypto.randomUUID(),
+                            request_id: context.id,
+                            requestBody: context.body,
+                            responseBody: JSON.stringify({ error: blockReason }),
+                            dlpHit: true,
+                        });
+                    }
+                    catch (err) {
+                        log.warn('Failed to write DLP auto-audit for blocked request', { error: err.message });
+                    }
+                }
+                else {
+                    log.info('DLP block from cached findings only (no new audit entry)', {
+                        requestId: context.id,
+                        cachedFindings: result.cachedFindings.map((f) => f.patternName),
+                    });
+                }
+                return { blocked: { reason: blockReason } };
+            }
+            if (result.action === 'redact' && result.redactedBody) {
+                if (result.newFindings.length === 0) {
+                    log.info('DLP redaction from cached findings only (no new DLP events)', {
+                        requestId: context.id,
+                        cachedFindings: result.cachedFindings.map((f) => f.patternName),
+                    });
+                }
+                return { modifiedBody: result.redactedBody };
+            }
+        },
+        // ── Response-side: scan LLM response BEFORE sending to client (non-streaming only) ──
+        async onResponse(context) {
+            if (context.isStreaming)
+                return; // streaming handled in onResponseComplete (post-send)
+            const patterns = patternsRepo.getEnabled();
+            const result = (0, engine_js_1.scanText)(context.body, patterns, getAction());
+            if (result.findings.length === 0)
+                return;
+            // AI validation on response findings
+            if (aiValidator?.ready) {
+                result.findings = await aiValidator.validate(result.findings, context.body);
+                if (result.findings.length === 0)
+                    return;
+            }
+            // Record response-side DLP events
+            for (const finding of result.findings) {
+                const firstMatch = finding.matches[0] ?? '';
+                const originalSnippet = extractSnippet(context.body, firstMatch);
+                let redactedSnippet = null;
+                if (result.action === 'redact' && result.redactedBody) {
+                    const redactedTag = `[${finding.patternName.toUpperCase()}_REDACTED]`;
+                    redactedSnippet = extractSnippet(result.redactedBody, redactedTag);
+                }
+                dlpRepo.insert({
+                    id: crypto.randomUUID(),
+                    request_id: context.request.id,
+                    pattern_name: finding.patternName,
+                    pattern_category: finding.patternCategory,
+                    action: result.action,
+                    match_count: finding.matchCount,
+                    original_snippet: originalSnippet,
+                    redacted_snippet: redactedSnippet,
+                    direction: 'response',
+                });
+            }
+            log.info('DLP response findings', {
+                requestId: context.request.id,
+                direction: 'response',
+                action: result.action,
+                findings: result.findings.map((f) => f.patternName),
+            });
+            // Set DLP flags on context for downstream plugins (audit-logger reads these)
+            context.request.dlpHit = true;
+            context.request.dlpAction = result.action;
+            context.request.dlpFindings = (context.request.dlpFindings ?? 0) + result.findings.length;
+            // Apply action: block or redact the response
+            if (result.action === 'block') {
+                // Polling responses: return empty result instead of 403 to keep client connected
+                if ((0, classify_js_1.isPollingRequest)(context.request.provider, context.request.path)) {
+                    log.warn('DLP blocked polling response, returning empty result', {
+                        requestId: context.request.id,
+                        findings: result.findings.map((f) => f.patternName),
+                    });
+                    return { modifiedBody: JSON.stringify({ ok: true, result: [] }) };
+                }
+                return {
+                    blocked: {
+                        reason: `Response blocked: sensitive data detected (${result.findings.map((f) => f.patternName).join(', ')})`,
+                    },
+                };
+            }
+            if (result.action === 'redact' && result.redactedBody) {
+                return { modifiedBody: result.redactedBody };
+            }
+            // 'warn' and 'pass' — let through without modification
+        },
+        // ── Post-send: streaming response detection (can't block, but record + audit) ──
+        async onResponseComplete(context) {
+            if (!context.isStreaming)
+                return;
+            // Skip DLP scanning for very large streaming bodies (data already sent, can only warn)
+            if (context.body.length > 1024 * 1024) {
+                log.debug('Skipping DLP scan for large streaming response', {
+                    requestId: context.request.id,
+                    bodyLength: context.body.length,
+                });
+                return;
+            }
+            const patterns = patternsRepo.getEnabled();
+            const responseResult = (0, engine_js_1.scanText)(context.body, patterns, 'warn');
+            if (responseResult.findings.length === 0)
+                return;
+            if (aiValidator?.ready) {
+                responseResult.findings = await aiValidator.validate(responseResult.findings, context.body);
+                if (responseResult.findings.length === 0)
+                    return;
+            }
+            for (const finding of responseResult.findings) {
+                const firstMatch = finding.matches[0] ?? '';
+                dlpRepo.insert({
+                    id: crypto.randomUUID(),
+                    request_id: context.request.id,
+                    pattern_name: finding.patternName,
+                    pattern_category: finding.patternCategory,
+                    action: 'warn',
+                    match_count: finding.matchCount,
+                    original_snippet: extractSnippet(context.body, firstMatch),
+                    redacted_snippet: null,
+                    direction: 'response',
+                });
+            }
+            log.info('DLP streaming response findings (post-send)', {
+                requestId: context.request.id,
+                findings: responseResult.findings.map((f) => f.patternName),
+            });
+            try {
+                if (!auditRepo.hasEntry(context.request.id)) {
+                    auditRepo.insert({
+                        id: crypto.randomUUID(),
+                        request_id: context.request.id,
+                        requestBody: context.request.body,
+                        responseBody: context.body,
+                        dlpHit: true,
+                    });
+                }
+                else {
+                    auditRepo.markDlpHit(context.request.id);
+                }
+            }
+            catch (err) {
+                log.warn('Failed to write DLP streaming response auto-audit', { error: err.message });
+            }
+        },
+    };
+}
+//# sourceMappingURL=dlp-scanner.js.map

package/dist/plugins/builtin/dlp-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlp-scanner.js","sourceRoot":"","sources":["../../../src/plugins/builtin/dlp-scanner.ts"],"names":[],"mappings":";;AAyDA,wDA+QC;AAhUD,mDAAgE;AAEhE,4EAA+E;AAC/E,gFAAmF;AACnF,0EAA6E;AAC7E,+DAAgF;AAChF,8EAA+E;AAC/E,kEAAoE;AACpE,0EAA2E;AAC3E,gFAAiF;AACjF,6DAAiF;AACjF,iEAAmF;AACnF,mEAAqE;AACrE,qDAAqD;AAGrD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,YAAY,CAAC,CAAC;AAEvC,MAAM,eAAe,GAAG,EAAE,CAAC,CAAC,yCAAyC;AAgBrE;;;GAGG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,KAAa;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,eAAe,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;IACxE,IAAI,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,GAAG,KAAK,GAAG,OAAO,CAAC;IACzC,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,GAAG,OAAO,GAAG,KAAK,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAgB,sBAAsB,CAAC,EAAqB,EAAE,MAAwB;IACpF,MAAM,OAAO,GAAG,IAAI,mCAAmB,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,IAAI,uCAAqB,CAAC,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,iCAAkB,CAAC,EAAE,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAc,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;IAEzF,wCAAwC;IACxC,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY;QACrC,CAAC,CAAC,IAAI,6BAAW,CAAC,MAAM,CAAC,YAAY,CAAC;QACtC,CAAC,CAAC,IAAI,CAAC;IAET,6EAA6E;IAC7E,MAAM,YAAY,GAAG,IAAI,kCAAe,EAAE,CAAC;IAE3C,kDAAkD;IAClD,MAAM,WAAW,GAAiB;QAChC,GAAG,2CAAsB;QACzB,GAAG,gCAAiB;QACpB,GAAG,uCAAoB;QACvB,GAAG,6CAAuB;KAC3B,CAAC;IACF,YAAY,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAExD,2DAA2D;IAC3D,IAAI,MAAM,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC;QAC/B,IAAI,MAAM,CAAC,cAAc,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;YAChD,IAAI,CAAC;gBACH,IAAA,mCAAkB,EAAC,MAAM,CAAC,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3E,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,uCAAuC,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACvF,CAAC;QACH,CAAC;QACD,IAAI,MAAM,CAAC,cAAc,CAAC,mBAAmB,GAAG,CAAC,EAAE,CAAC;YAClD,IAAA,kCAAiB,EAAC,MAAM,CAAC,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,CAAC;QAEb,oDAAoD;QACpD,KAAK,CAAC,SAAS,CAAC,OAAuB;YACrC,mDAAmD;YACnD,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM;gBAAE,OAAO;YAElE,MAAM,QAAQ,GAAG,YAAY,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAoB,YAAY,CAAC,aAAa,CACxD,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,CACxD,CAAC;YAEF,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAEzC,iFAAiF;YACjF,IAAI,WAAW,EAAE,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxD,MAAM,CAAC,WAAW,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;gBAClF,4BAA4B;gBAC5B,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;gBACpE,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;YAC3C,CAAC;YAED,uEAAuE;YACvE,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,IAAI,eAAe,GAAkB,IAAI,CAAC;gBAC1C,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;oBACtD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,YAAY,CAAC;oBACtE,eAAe,GAAG,cAAc,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;gBACrE,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;oBACvB,UAAU,EAAE,OAAO,CAAC,EAAE;oBACtB,YAAY,EAAE,OAAO,CAAC,WAAW;oBACjC,gBAAgB,EAAE,OAAO,CAAC,eAAe;oBACzC,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,WAAW,EAAE,OAAO,CAAC,UAAU;oBAC/B,gBAAgB,EAAE,eAAe;oBACjC,gBAAgB,EAAE,eAAe;iBAClC,CAAC,CAAC;YACL,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE;gBACvB,SAAS,EAAE,OAAO,CAAC,EAAE;gBACrB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;gBACzD,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;gBAC/D,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;aACtC,CAAC,CAAC;YAEH,oFAAoF;YACpF,kEAAkE;YAClE,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;YAC/C,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAClC,OAAO,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;YAEhD,gDAAgD;YAChD,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzE,MAAM,WAAW,GAAG,6CAA6C,WAAW,GAAG,CAAC;gBAEhF,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClC,IAAI,CAAC;wBACH,SAAS,CAAC,MAAM,CAAC;4BACf,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;4BACvB,UAAU,EAAE,OAAO,CAAC,EAAE;4BACtB,WAAW,EAAE,OAAO,CAAC,IAAI;4BACzB,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;4BACpD,MAAM,EAAE,IAAI;yBACb,CAAC,CAAC;oBACL,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,GAAG,CAAC,IAAI,CAAC,oDAAoD,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;oBACpG,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,IAAI,CAAC,0DAA0D,EAAE;wBACnE,SAAS,EAAE,OAAO,CAAC,EAAE;wBACrB,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;qBAChE,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,EAAE,CAAC;YAC9C,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACtD,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACpC,GAAG,CAAC,IAAI,CAAC,6DAA6D,EAAE;wBACtE,SAAS,EAAE,OAAO,CAAC,EAAE;wBACrB,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;qBAChE,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,uFAAuF;QACvF,KAAK,CAAC,UAAU,CAAC,OAAiC;YAChD,IAAI,OAAO,CAAC,WAAW;gBAAE,OAAO,CAAC,sDAAsD;YAEvF,MAAM,QAAQ,GAAG,YAAY,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAA,oBAAQ,EAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YAE7D,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAEzC,qCAAqC;YACrC,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;gBACvB,MAAM,CAAC,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC5E,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;YAC3C,CAAC;YAED,kCAAkC;YAClC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,IAAI,eAAe,GAAkB,IAAI,CAAC;gBAC1C,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;oBACtD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,YAAY,CAAC;oBACtE,eAAe,GAAG,cAAc,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;gBACrE,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;oBACvB,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC9B,YAAY,EAAE,OAAO,CAAC,WAAW;oBACjC,gBAAgB,EAAE,OAAO,CAAC,eAAe;oBACzC,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,WAAW,EAAE,OAAO,CAAC,UAAU;oBAC/B,gBAAgB,EAAE,eAAe;oBACjC,gBAAgB,EAAE,eAAe;oBACjC,SAAS,EAAE,UAAU;iBACtB,CAAC,CAAC;YACL,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE;gBAChC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;gBAC7B,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aACpD,CAAC,CAAC;YAEH,6EAA6E;YAC7E,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;YAC9B,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAC1C,OAAO,CAAC,OAAO,CAAC,WAAW,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YAE1F,6CAA6C;YAC7C,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC9B,iFAAiF;gBACjF,IAAI,IAAA,8BAAgB,EAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrE,GAAG,CAAC,IAAI,CAAC,sDAAsD,EAAE;wBAC/D,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;wBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;qBACpD,CAAC,CAAC;oBACH,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;gBACpE,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE;wBACP,MAAM,EAAE,8CAA8C,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;qBAC9G;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACtD,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;YAC/C,CAAC;YAED,uDAAuD;QACzD,CAAC;QAED,kFAAkF;QAClF,KAAK,CAAC,kBAAkB,CAAC,OAAgC;YACvD,IAAI,CAAC,OAAO,CAAC,WAAW;gBAAE,OAAO;YAEjC,uFAAuF;YACvF,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;gBACtC,GAAG,CAAC,KAAK,CAAC,gDAAgD,EAAE;oBAC1D,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC7B,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;iBAChC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,QAAQ,GAAG,YAAY,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,cAAc,GAAG,IAAA,oBAAQ,EAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAChE,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAEjD,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;gBACvB,cAAc,CAAC,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC5F,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;YACnD,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;gBAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,OAAO,CAAC,MAAM,CAAC;oBACb,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;oBACvB,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC9B,YAAY,EAAE,OAAO,CAAC,WAAW;oBACjC,gBAAgB,EAAE,OAAO,CAAC,eAAe;oBACzC,MAAM,EAAE,MAAM;oBACd,WAAW,EAAE,OAAO,CAAC,UAAU;oBAC/B,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC;oBAC1D,gBAAgB,EAAE,IAAI;oBACtB,SAAS,EAAE,UAAU;iBACtB,CAAC,CAAC;YACL,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,6CAA6C,EAAE;gBACtD,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;gBAC7B,QAAQ,EAAE,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aAC5D,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC5C,SAAS,CAAC,MAAM,CAAC;wBACf,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;wBACvB,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;wBAC9B,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;wBACjC,YAAY,EAAE,OAAO,CAAC,IAAI;wBAC1B,MAAM,EAAE,IAAI;qBACb,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,mDAAmD,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACnG,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/builtin/metrics-collector.d.ts

@@ -0,0 +1,4 @@
+import type { Plugin } from '../types.js';
+import type Database from 'better-sqlite3';
+export declare function createMetricsCollectorPlugin(db: Database.Database): Plugin;
+//# sourceMappingURL=metrics-collector.d.ts.map

package/dist/plugins/builtin/metrics-collector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics-collector.d.ts","sourceRoot":"","sources":["../../../src/plugins/builtin/metrics-collector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAA2B,MAAM,aAAa,CAAC;AAMnE,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAyC3C,wBAAgB,4BAA4B,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAgE1E"}

package/dist/plugins/builtin/metrics-collector.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMetricsCollectorPlugin = createMetricsCollectorPlugin;
+const collector_js_1 = require("../../metrics/collector.js");
+const requests_js_1 = require("../../storage/repositories/requests.js");
+const sessions_js_1 = require("../../storage/repositories/sessions.js");
+const classify_js_1 = require("../../proxy/providers/classify.js");
+const logger_js_1 = require("../../utils/logger.js");
+const node_path_1 = require("node:path");
+const log = (0, logger_js_1.createLogger)('metrics-plugin');
+/**
+ * Extract project path from the request body's system prompt.
+ * Claude Code includes "Primary working directory: /path/to/project" in system prompts.
+ */
+function extractProjectPath(parsedBody) {
+    let systemText = '';
+    if (typeof parsedBody.system === 'string') {
+        systemText = parsedBody.system;
+    }
+    else if (Array.isArray(parsedBody.system)) {
+        for (const block of parsedBody.system) {
+            if (typeof block === 'string')
+                systemText += block;
+            else if (block?.type === 'text' && typeof block.text === 'string')
+                systemText += block.text;
+        }
+    }
+    // Also check first user message for system-reminder style content
+    if (!systemText && Array.isArray(parsedBody.messages)) {
+        const first = parsedBody.messages[0];
+        if (first?.role === 'user') {
+            const content = first.content;
+            if (typeof content === 'string')
+                systemText = content;
+            else if (Array.isArray(content)) {
+                for (const block of content) {
+                    if (typeof block === 'string')
+                        systemText += block;
+                    else if (block?.type === 'text' && typeof block.text === 'string')
+                        systemText += block.text;
+                }
+            }
+        }
+    }
+    const match = systemText.match(/Primary working directory:\s*([^\n]+)/);
+    if (match)
+        return match[1].trim();
+    return null;
+}
+function createMetricsCollectorPlugin(db) {
+    const requestsRepo = new requests_js_1.RequestsRepository(db);
+    const sessionsRepo = new sessions_js_1.SessionsRepository(db);
+    return {
+        name: 'metrics-collector',
+        priority: 10,
+        version: '1.0.0',
+        apiVersion: 2,
+        async onResponseComplete(context) {
+            // Skip high-frequency polling requests (e.g., Telegram getUpdates)
+            if ((0, classify_js_1.isPollingRequest)(context.request.provider, context.request.path))
+                return;
+            const metrics = (0, collector_js_1.extractMetrics)(context);
+            const sessionId = context.request.sessionId ?? null;
+            requestsRepo.insert({
+                id: context.request.id,
+                provider: context.request.provider,
+                model: context.request.model,
+                method: context.request.method,
+                path: context.request.path,
+                status_code: context.statusCode,
+                input_tokens: metrics.inputTokens,
+                output_tokens: metrics.outputTokens,
+                cache_creation_tokens: metrics.cacheCreationTokens,
+                cache_read_tokens: metrics.cacheReadTokens,
+                cost_usd: metrics.costUsd,
+                latency_ms: metrics.latencyMs,
+                cached: 0,
+                dlp_action: context.request.dlpAction ?? null,
+                dlp_findings: context.request.dlpFindings ?? 0,
+                session_id: sessionId,
+                api_key_hash: context.request.apiKeyHash ?? null,
+            });
+            // Persist session metadata with client info
+            if (sessionId) {
+                try {
+                    const projectPath = extractProjectPath(context.request.parsedBody);
+                    let label = projectPath ? (0, node_path_1.basename)(projectPath) : null;
+                    // Fallback label: use provider:model so sessions are identifiable
+                    if (!label) {
+                        const provider = context.request.provider;
+                        const model = context.request.model;
+                        label = model && model !== provider ? `${provider}:${model}` : provider;
+                    }
+                    const source = context.request.sessionSource ?? 'auto';
+                    sessionsRepo.upsert(sessionId, { label: label ?? undefined, source, projectPath: projectPath ?? undefined });
+                }
+                catch (err) {
+                    log.debug('Failed to upsert session', { error: err.message });
+                }
+            }
+            log.debug('Recorded request metrics', {
+                id: context.request.id,
+                model: context.request.model,
+                cost: metrics.costUsd.toFixed(6),
+                latency: metrics.latencyMs,
+                sessionId,
+            });
+        },
+    };
+}
+//# sourceMappingURL=metrics-collector.js.map