@aurora-foundation/obsidian-next 0.4.7 → 0.4.9

package/dist/chunk-JTWSK277.js

@@ -0,0 +1,676 @@
+import {
+  config
+} from "./chunk-7MMY74WO.js";
+import {
+  settings
+} from "./chunk-EPG5V5OO.js";
+
+// src/core/auditLog.ts
+import fs from "fs/promises";
+import path from "path";
+import os from "os";
+
+// src/core/redactor.ts
+var BUILTIN_RULES = [
+  // Email addresses
+  {
+    name: "email",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    replacement: "[REDACTED:email]",
+    enabled: true,
+    description: "Email addresses"
+  },
+  // Phone numbers (various formats) - must have separators to avoid false positives
+  {
+    name: "phone",
+    pattern: /(\+?1[-.\s])?\(?\d{3}\)?[-.\s]\d{3,4}[-.\s]\d{4}\b/g,
+    replacement: "[REDACTED:phone]",
+    enabled: true,
+    description: "Phone numbers (US format with separators)"
+  },
+  // Social Security Numbers
+  {
+    name: "ssn",
+    pattern: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g,
+    replacement: "[REDACTED:ssn]",
+    enabled: true,
+    description: "Social Security Numbers"
+  },
+  // Credit card numbers (basic patterns)
+  {
+    name: "credit-card",
+    pattern: /\b(?:4\d{3}|5[1-5]\d{2}|6(?:011|5\d{2})|3[47]\d{2})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g,
+    replacement: "[REDACTED:credit-card]",
+    enabled: true,
+    description: "Credit card numbers"
+  },
+  // AWS Access Keys
+  {
+    name: "aws-access-key",
+    pattern: /\b(AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}\b/g,
+    replacement: "[REDACTED:aws-key]",
+    enabled: true,
+    description: "AWS access key IDs"
+  },
+  // AWS Secret Keys (40 char base64-like)
+  {
+    name: "aws-secret-key",
+    pattern: /\b[A-Za-z0-9/+=]{40}\b/g,
+    replacement: (match) => {
+      if (/[A-Z]/.test(match) && /[a-z]/.test(match) && /[/+=]/.test(match)) {
+        return "[REDACTED:aws-secret]";
+      }
+      return match;
+    },
+    enabled: true,
+    description: "AWS secret access keys"
+  },
+  // Anthropic API Keys
+  {
+    name: "anthropic-key",
+    pattern: /\bsk-ant-[a-zA-Z0-9-_]{20,}/g,
+    replacement: "[REDACTED:anthropic-key]",
+    enabled: true,
+    description: "Anthropic API keys"
+  },
+  // OpenAI API Keys (start with sk- but not sk-ant-, may contain hyphens)
+  {
+    name: "openai-key",
+    pattern: /sk-(?!ant)[a-zA-Z0-9-]{20,}/g,
+    replacement: "[REDACTED:openai-key]",
+    enabled: true,
+    description: "OpenAI API keys"
+  },
+  // Generic API keys (common patterns)
+  {
+    name: "api-key-generic",
+    pattern: /\b(api[_-]?key|apikey|api[_-]?secret|api[_-]?token)\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+    replacement: (match) => {
+      const keyName = match.split(/[=:]/)[0].trim();
+      return `${keyName}=[REDACTED:api-key]`;
+    },
+    enabled: true,
+    description: "Generic API keys in config"
+  },
+  // Passwords in config files (various naming conventions)
+  {
+    name: "password-config",
+    pattern: /\b([A-Z_]*(?:PASSWORD|PASSWD|PWD|SECRET)[A-Z_]*)\s*[=:]\s*['"]?([^'"\s\n]{4,})['"]?/gi,
+    replacement: (match) => {
+      const keyName = match.split(/[=:]/)[0].trim();
+      return `${keyName}=[REDACTED:password]`;
+    },
+    enabled: true,
+    description: "Passwords in configuration"
+  },
+  // Private keys (PEM format)
+  {
+    name: "private-key",
+    pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(RSA\s+)?PRIVATE\s+KEY-----/g,
+    replacement: "[REDACTED:private-key]",
+    enabled: true,
+    description: "PEM private keys"
+  },
+  // JWT tokens
+  {
+    name: "jwt",
+    pattern: /\beyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+    replacement: "[REDACTED:jwt]",
+    enabled: true,
+    description: "JWT tokens"
+  },
+  // GitHub tokens (various prefixes)
+  {
+    name: "github-token",
+    pattern: /(ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{20,}/g,
+    replacement: "[REDACTED:github-token]",
+    enabled: true,
+    description: "GitHub tokens"
+  },
+  // Stripe keys
+  {
+    name: "stripe-key",
+    pattern: /\b(sk|pk)_(test|live)_[a-zA-Z0-9]{24,}/g,
+    replacement: "[REDACTED:stripe-key]",
+    enabled: true,
+    description: "Stripe API keys"
+  },
+  // IP addresses (private networks only by default)
+  {
+    name: "private-ip",
+    pattern: /\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/g,
+    replacement: "[REDACTED:private-ip]",
+    enabled: false,
+    // Disabled by default - may cause issues with code
+    description: "Private IP addresses"
+  },
+  // GitHub Fine-grained Personal Access Tokens (newer format)
+  {
+    name: "github-fine-grained-pat",
+    pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g,
+    replacement: "[REDACTED:github-pat]",
+    enabled: true,
+    description: "GitHub fine-grained personal access tokens"
+  },
+  // Slack tokens (various types)
+  {
+    name: "slack-token",
+    pattern: /xox[baprs]-[a-zA-Z0-9-]{10,}/g,
+    replacement: "[REDACTED:slack-token]",
+    enabled: true,
+    description: "Slack API tokens"
+  },
+  // Discord tokens
+  {
+    name: "discord-token",
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g,
+    replacement: "[REDACTED:discord-token]",
+    enabled: true,
+    description: "Discord bot tokens"
+  },
+  // Google API keys
+  {
+    name: "google-api-key",
+    pattern: /AIza[0-9A-Za-z\\-_]{35}/g,
+    replacement: "[REDACTED:google-api-key]",
+    enabled: true,
+    description: "Google API keys"
+  },
+  // Twilio keys
+  {
+    name: "twilio-key",
+    pattern: /SK[a-f0-9]{32}/g,
+    replacement: "[REDACTED:twilio-key]",
+    enabled: true,
+    description: "Twilio API keys"
+  },
+  // SendGrid keys
+  {
+    name: "sendgrid-key",
+    pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+    replacement: "[REDACTED:sendgrid-key]",
+    enabled: true,
+    description: "SendGrid API keys"
+  },
+  // NPM tokens
+  {
+    name: "npm-token",
+    pattern: /npm_[a-zA-Z0-9]{36}/g,
+    replacement: "[REDACTED:npm-token]",
+    enabled: true,
+    description: "NPM access tokens"
+  },
+  // PyPI tokens
+  {
+    name: "pypi-token",
+    pattern: /pypi-[a-zA-Z0-9_-]{100,}/g,
+    replacement: "[REDACTED:pypi-token]",
+    enabled: true,
+    description: "PyPI API tokens"
+  },
+  // Database connection strings
+  {
+    name: "db-connection-string",
+    pattern: /(mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^\s'"]+/gi,
+    replacement: "[REDACTED:db-connection-string]",
+    enabled: true,
+    description: "Database connection strings"
+  },
+  // Bearer tokens in headers
+  {
+    name: "bearer-token",
+    pattern: /Bearer\s+[a-zA-Z0-9_-]{20,}/gi,
+    replacement: "Bearer [REDACTED:bearer-token]",
+    enabled: true,
+    description: "Bearer authentication tokens"
+  },
+  // Basic auth in URLs
+  {
+    name: "basic-auth-url",
+    pattern: /:\/\/[^:]+:[^@]+@/g,
+    replacement: "://[REDACTED:credentials]@",
+    enabled: true,
+    description: "Basic auth credentials in URLs"
+  }
+];
+var Redactor = class {
+  rules = [...BUILTIN_RULES];
+  enabled = true;
+  allowlist = /* @__PURE__ */ new Set();
+  /**
+   * Enable or disable redaction globally
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Check if redaction is enabled
+   */
+  isEnabled() {
+    return this.enabled;
+  }
+  /**
+   * Enable or disable a specific rule
+   */
+  setRuleEnabled(ruleName, enabled) {
+    const rule = this.rules.find((r) => r.name === ruleName);
+    if (rule) {
+      rule.enabled = enabled;
+    }
+  }
+  /**
+   * Add a pattern to the allowlist (won't be redacted)
+   */
+  addToAllowlist(pattern) {
+    this.allowlist.add(pattern);
+  }
+  /**
+   * Remove a pattern from the allowlist
+   */
+  removeFromAllowlist(pattern) {
+    this.allowlist.delete(pattern);
+  }
+  /**
+   * Add a custom redaction rule
+   */
+  addRule(rule) {
+    this.rules.push(rule);
+  }
+  /**
+   * Get all available rules
+   */
+  getRules() {
+    return this.rules;
+  }
+  /**
+   * Redact sensitive information from text
+   */
+  redact(text) {
+    if (!this.enabled || !text) {
+      return { text, redactionCount: 0, redactedTypes: [] };
+    }
+    let result = text;
+    let totalRedactions = 0;
+    const redactedTypes = /* @__PURE__ */ new Set();
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      const matches = text.match(rule.pattern);
+      if (matches) {
+        for (const match of matches) {
+          if (this.allowlist.has(match)) continue;
+          const replacement = typeof rule.replacement === "function" ? rule.replacement(match) : rule.replacement;
+          if (replacement !== match) {
+            result = result.replace(match, replacement);
+            totalRedactions++;
+            redactedTypes.add(rule.name);
+          }
+        }
+      }
+    }
+    return {
+      text: result,
+      redactionCount: totalRedactions,
+      redactedTypes: Array.from(redactedTypes)
+    };
+  }
+  /**
+   * Redact tool output specifically (used before sending to LLM)
+   */
+  redactToolOutput(toolName, output) {
+    return this.redact(output);
+  }
+  /**
+   * Check if text contains any sensitive patterns
+   */
+  containsSensitiveData(text) {
+    if (!text) {
+      return { hasSensitive: false, types: [] };
+    }
+    const types = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      if (rule.pattern.test(text)) {
+        types.push(rule.name);
+      }
+    }
+    return { hasSensitive: types.length > 0, types };
+  }
+  /**
+   * Get statistics about what would be redacted
+   */
+  analyze(text) {
+    const stats = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      const matches = text.match(rule.pattern) || [];
+      if (matches.length > 0) {
+        stats.push({
+          ruleName: rule.name,
+          count: matches.length,
+          // Only show first 3 examples, partially masked
+          examples: matches.slice(0, 3).map(
+            (m) => m.length > 10 ? m.slice(0, 5) + "..." + m.slice(-3) : "***"
+          )
+        });
+      }
+    }
+    return stats;
+  }
+};
+var redactor = new Redactor();
+
+// src/core/auditLog.ts
+var LOG_DIR = ".obsidian-next";
+var LOG_FILE = "audit.log";
+var MAX_LOG_SIZE = 10 * 1024 * 1024;
+var AuditLogger = class {
+  logPath;
+  sessionId;
+  enabled = true;
+  writeQueue = [];
+  isWriting = false;
+  constructor() {
+    this.logPath = path.join(os.homedir(), LOG_DIR, LOG_FILE);
+    this.sessionId = `sess_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+  }
+  /**
+   * Initialize the audit logger
+   */
+  async init() {
+    const s = await settings.load();
+    this.enabled = s.security?.auditLogging ?? true;
+    if (!this.enabled) return;
+    const dir = path.dirname(this.logPath);
+    await fs.mkdir(dir, { recursive: true });
+    await this.rotateIfNeeded();
+    const cfg = await config.load();
+    await this.log({
+      eventType: "session_start",
+      success: true,
+      metadata: {
+        cwd: cfg.workspaceRoot,
+        pid: process.pid,
+        nodeVersion: process.version
+      }
+    });
+  }
+  /**
+   * Set the session ID (called from agent)
+   */
+  setSessionId(sessionId) {
+    this.sessionId = sessionId;
+  }
+  /**
+   * Enable or disable logging
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Log a command execution
+   */
+  async logCommand(command, success, reason) {
+    await this.log({
+      eventType: success ? "command_executed" : "command_blocked",
+      tool: "bash",
+      command: redactor.redact(command).text,
+      success,
+      reason
+    });
+  }
+  /**
+   * Log a file operation
+   */
+  async logFileOperation(operation, filePath, success, reason) {
+    const eventMap = {
+      read: "file_read",
+      write: "file_write",
+      edit: "file_edit",
+      delete: "file_delete"
+    };
+    await this.log({
+      eventType: eventMap[operation],
+      filePath,
+      success,
+      reason
+    });
+  }
+  /**
+   * Log an approval decision
+   */
+  async logApproval(status, command, reason) {
+    const eventMap = {
+      requested: "approval_requested",
+      granted: "approval_granted",
+      denied: "approval_denied",
+      timeout: "approval_timeout"
+    };
+    await this.log({
+      eventType: eventMap[status],
+      command,
+      success: status === "granted",
+      reason
+    });
+  }
+  /**
+   * Log a security violation
+   */
+  async logSecurityViolation(command, reason) {
+    await this.log({
+      eventType: "security_violation",
+      command,
+      success: false,
+      reason
+    });
+  }
+  /**
+   * Log a system event
+   */
+  async logSystemEvent(event, metadata) {
+    await this.log({
+      eventType: "security_violation",
+      // Mapping generic system events to generic log type for now, or add new type
+      command: event,
+      success: false,
+      // Usually error events
+      reason: JSON.stringify(metadata)
+    });
+  }
+  /**
+   * Log PII redaction
+   */
+  async logRedaction(count, types) {
+    await this.log({
+      eventType: "pii_redacted",
+      success: true,
+      metadata: { count, types }
+    });
+  }
+  /**
+   * Core logging function
+   */
+  async log(entry) {
+    if (!this.enabled) return;
+    const fullEntry = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId: this.sessionId,
+      ...entry
+    };
+    this.writeQueue.push(fullEntry);
+    if (!this.isWriting) {
+      await this.processQueue();
+    }
+  }
+  /**
+   * Process the write queue
+   */
+  async processQueue() {
+    if (this.isWriting || this.writeQueue.length === 0) return;
+    this.isWriting = true;
+    try {
+      const entries = [...this.writeQueue];
+      this.writeQueue = [];
+      const lines = entries.map((e) => JSON.stringify(e)).join("\n") + "\n";
+      await fs.appendFile(this.logPath, lines, { encoding: "utf-8", mode: 384 });
+    } catch (error) {
+    } finally {
+      this.isWriting = false;
+      if (this.writeQueue.length > 0) {
+        setImmediate(() => this.processQueue());
+      }
+    }
+  }
+  /**
+   * Rotate log file if too large
+   */
+  async rotateIfNeeded() {
+    try {
+      const stats = await fs.stat(this.logPath);
+      if (stats.size >= MAX_LOG_SIZE) {
+        const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const rotatedPath = this.logPath.replace(".log", `.${timestamp}.log`);
+        await fs.rename(this.logPath, rotatedPath);
+        await this.cleanupOldLogs();
+      }
+    } catch {
+    }
+  }
+  /**
+   * Clean up old rotated log files
+   */
+  async cleanupOldLogs() {
+    try {
+      const dir = path.dirname(this.logPath);
+      const files = await fs.readdir(dir);
+      const auditLogs = files.filter((f) => f.startsWith("audit.") && f.endsWith(".log") && f !== "audit.log").sort().reverse();
+      for (const file of auditLogs.slice(5)) {
+        await fs.unlink(path.join(dir, file));
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get recent audit entries formatted for display
+   */
+  async getRecentActivities(count = 50) {
+    const entries = await this.getRecentEntries(count);
+    return entries.map((entry) => {
+      let content = "";
+      let color = "white";
+      switch (entry.eventType) {
+        case "command_executed":
+          content = `CMD: ${entry.command || "unknown command"}`;
+          color = "blue";
+          break;
+        case "command_blocked":
+        case "command_denied":
+        case "security_violation":
+          content = `SECURITY: ${entry.reason || entry.command || "security event"}`;
+          color = "red";
+          break;
+        case "approval_requested":
+          content = `APPROVAL: Requested for "${entry.command || "action"}"`;
+          color = "yellow";
+          break;
+        case "approval_granted":
+          content = `APPROVAL: Granted for "${entry.command || "action"}"`;
+          color = "green";
+          break;
+        case "approval_denied":
+          content = `APPROVAL: Denied for "${entry.command || "action"}"`;
+          color = "red";
+          break;
+        case "file_read":
+          content = `FILE: Read ${entry.filePath}`;
+          color = "cyan";
+          break;
+        case "file_write":
+          content = `FILE: Wrote ${entry.filePath}`;
+          color = "magenta";
+          break;
+        case "file_edit":
+          content = `FILE: Edited ${entry.filePath}`;
+          color = "magentaBright";
+          break;
+        case "file_delete":
+          content = `FILE: Deleted ${entry.filePath}`;
+          color = "redBright";
+          break;
+        case "session_start":
+          content = `SESSION: Started`;
+          color = "green";
+          break;
+        case "session_end":
+          content = `SESSION: Ended`;
+          color = "gray";
+          break;
+        case "pii_redacted":
+          content = `SECURITY: PII Redacted (${entry.metadata?.count || 0} items)`;
+          color = "yellow";
+          break;
+        default:
+          content = `EVENT: ${entry.eventType}`;
+          break;
+      }
+      if (entry.filePath && entry.filePath.length > 50) {
+        content = content.replace(entry.filePath, `...${entry.filePath.slice(-47)}`);
+      }
+      return {
+        timestamp: new Date(entry.timestamp).toLocaleTimeString(),
+        content,
+        color
+      };
+    }).reverse();
+  }
+  /**
+   * Get recent audit entries
+   */
+  async getRecentEntries(count = 100) {
+    try {
+      const content = await fs.readFile(this.logPath, "utf-8");
+      const lines = content.trim().split("\n").filter((l) => l);
+      const entries = lines.slice(-count).map((line) => {
+        try {
+          return JSON.parse(line);
+        } catch {
+          return null;
+        }
+      }).filter((e) => e !== null);
+      return entries;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Search audit log by event type or command
+   */
+  async search(query) {
+    const entries = await this.getRecentEntries(1e3);
+    return entries.filter((e) => {
+      if (query.eventType && e.eventType !== query.eventType) return false;
+      if (query.command && (!e.command || !e.command.includes(query.command))) return false;
+      if (query.since && new Date(e.timestamp) < query.since) return false;
+      return true;
+    });
+  }
+  /**
+   * Log session end (call on shutdown)
+   */
+  async close() {
+    if (!this.enabled) return;
+    await this.log({
+      eventType: "session_end",
+      success: true
+    });
+    await this.processQueue();
+  }
+};
+var auditLog = new AuditLogger();
+
+export {
+  redactor,
+  auditLog
+};