@auxiora/webhooks 1.0.0

package/src/store.ts

@@ -0,0 +1,78 @@
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import { getLogger } from '@auxiora/logger';
+import type { WebhookDefinition } from './types.js';
+
+const logger = getLogger('webhooks:store');
+
+export class WebhookStore {
+  private filePath: string;
+
+  constructor(filePath: string) {
+    this.filePath = filePath;
+  }
+
+  async save(webhook: WebhookDefinition): Promise<void> {
+    const webhooks = await this.readFile();
+    const existing = webhooks.find((w) => w.name === webhook.name && w.id !== webhook.id);
+    if (existing) {
+      throw new Error(`Webhook with name '${webhook.name}' already exists`);
+    }
+
+    const index = webhooks.findIndex((w) => w.id === webhook.id);
+    if (index >= 0) {
+      webhooks[index] = webhook;
+    } else {
+      webhooks.push(webhook);
+    }
+
+    await this.writeFile(webhooks);
+    logger.debug('Saved webhook', { id: webhook.id, name: webhook.name });
+  }
+
+  async get(id: string): Promise<WebhookDefinition | undefined> {
+    const webhooks = await this.readFile();
+    return webhooks.find((w) => w.id === id);
+  }
+
+  async getByName(name: string): Promise<WebhookDefinition | undefined> {
+    const webhooks = await this.readFile();
+    return webhooks.find((w) => w.name === name);
+  }
+
+  async getAll(): Promise<WebhookDefinition[]> {
+    return this.readFile();
+  }
+
+  async listEnabled(): Promise<WebhookDefinition[]> {
+    const webhooks = await this.readFile();
+    return webhooks.filter((w) => w.enabled);
+  }
+
+  async remove(id: string): Promise<boolean> {
+    const webhooks = await this.readFile();
+    const filtered = webhooks.filter((w) => w.id !== id);
+    if (filtered.length === webhooks.length) return false;
+    await this.writeFile(filtered);
+    logger.debug('Removed webhook', { id });
+    return true;
+  }
+
+  private async readFile(): Promise<WebhookDefinition[]> {
+    try {
+      const content = await fs.readFile(this.filePath, 'utf-8');
+      return JSON.parse(content) as WebhookDefinition[];
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return [];
+      }
+      throw error;
+    }
+  }
+
+  private async writeFile(webhooks: WebhookDefinition[]): Promise<void> {
+    const dir = path.dirname(this.filePath);
+    await fs.mkdir(dir, { recursive: true });
+    await fs.writeFile(this.filePath, JSON.stringify(webhooks, null, 2), 'utf-8');
+  }
+}

package/src/types.ts

@@ -0,0 +1,25 @@
+export interface WebhookDefinition {
+  id: string;
+  name: string;
+  type: 'channel' | 'generic';
+  channelType?: string;
+  secret: string;
+  behaviorId?: string;
+  transform?: string;
+  enabled: boolean;
+  createdAt: string;
+}
+
+export interface WebhookConfig {
+  enabled: boolean;
+  basePath: string;
+  signatureHeader: string;
+  maxPayloadSize: number;
+}
+
+export const DEFAULT_WEBHOOK_CONFIG: WebhookConfig = {
+  enabled: false,
+  basePath: '/api/v1/webhooks',
+  signatureHeader: 'x-webhook-signature',
+  maxPayloadSize: 65536,
+};

package/src/verify.ts

@@ -0,0 +1,47 @@
+import * as crypto from 'node:crypto';
+
+/**
+ * Verify HMAC-SHA256 signature using timing-safe comparison.
+ * Handles optional "sha256=" prefix (GitHub style).
+ */
+export function verifyHmacSha256(body: Buffer, secret: string, signature: string): boolean {
+  if (!signature) return false;
+
+  const sig = signature.startsWith('sha256=') ? signature.slice(7) : signature;
+
+  let sigBuffer: Buffer;
+  try {
+    sigBuffer = Buffer.from(sig, 'hex');
+  } catch {
+    return false;
+  }
+
+  const expected = crypto.createHmac('sha256', secret).update(body).digest();
+
+  if (sigBuffer.length !== expected.length) return false;
+
+  return crypto.timingSafeEqual(sigBuffer, expected);
+}
+
+/**
+ * Verify Twilio webhook signature (HMAC-SHA1, base64).
+ * Twilio signs: URL + sorted(key+value pairs), HMAC-SHA1, base64.
+ */
+export function verifyTwilioSignature(
+  url: string,
+  params: Record<string, string>,
+  authToken: string,
+  signature: string
+): boolean {
+  if (!signature) return false;
+
+  const data = url + Object.keys(params).sort().reduce((acc, key) => acc + key + params[key], '');
+  const expected = crypto.createHmac('sha1', authToken).update(data).digest('base64');
+
+  const sigBuffer = Buffer.from(signature);
+  const expectedBuffer = Buffer.from(expected);
+
+  if (sigBuffer.length !== expectedBuffer.length) return false;
+
+  return crypto.timingSafeEqual(sigBuffer, expectedBuffer);
+}

package/src/webhook-manager.ts

@@ -0,0 +1,147 @@
+import * as crypto from 'node:crypto';
+import { getLogger } from '@auxiora/logger';
+import { audit } from '@auxiora/audit';
+import { WebhookStore } from './store.js';
+import type { WebhookDefinition, WebhookConfig } from './types.js';
+import { DEFAULT_WEBHOOK_CONFIG } from './types.js';
+import { verifyHmacSha256 } from './verify.js';
+
+const logger = getLogger('webhooks:manager');
+
+export interface WebhookManagerOptions {
+  storePath: string;
+  config?: WebhookConfig;
+  onBehaviorTrigger?: (behaviorId: string, payload: string) => Promise<{ success: boolean; error?: string }>;
+}
+
+export interface CreateWebhookOptions {
+  name: string;
+  type: 'channel' | 'generic';
+  secret: string;
+  channelType?: string;
+  behaviorId?: string;
+  enabled?: boolean;
+}
+
+export interface WebhookResult {
+  accepted: boolean;
+  status: number;
+  error?: string;
+}
+
+export class WebhookManager {
+  private store: WebhookStore;
+  private config: WebhookConfig;
+  private behaviorTrigger?: (behaviorId: string, payload: string) => Promise<{ success: boolean; error?: string }>;
+
+  constructor(options: WebhookManagerOptions) {
+    this.store = new WebhookStore(options.storePath);
+    this.config = options.config ?? DEFAULT_WEBHOOK_CONFIG;
+    this.behaviorTrigger = options.onBehaviorTrigger;
+  }
+
+  async create(options: CreateWebhookOptions): Promise<WebhookDefinition> {
+    const webhook: WebhookDefinition = {
+      id: crypto.randomUUID(),
+      name: options.name,
+      type: options.type,
+      secret: options.secret,
+      channelType: options.channelType,
+      behaviorId: options.behaviorId,
+      enabled: options.enabled ?? true,
+      createdAt: new Date().toISOString(),
+    };
+
+    await this.store.save(webhook);
+    void audit('webhook.created', { name: webhook.name, type: webhook.type });
+    logger.info('Webhook created', { id: webhook.id, name: webhook.name });
+    return webhook;
+  }
+
+  async list(): Promise<WebhookDefinition[]> {
+    return this.store.getAll();
+  }
+
+  async update(
+    id: string,
+    updates: Partial<Pick<WebhookDefinition, 'name' | 'enabled' | 'secret' | 'behaviorId'>>,
+  ): Promise<WebhookDefinition | null> {
+    const webhook = await this.store.get(id);
+    if (!webhook) return null;
+
+    const updated: WebhookDefinition = { ...webhook, ...updates };
+    await this.store.save(updated);
+    void audit('webhook.updated', { id, name: updated.name });
+    logger.info('Webhook updated', { id, name: updated.name });
+    return updated;
+  }
+
+  async delete(id: string): Promise<boolean> {
+    const webhook = await this.store.get(id);
+    const removed = await this.store.remove(id);
+    if (removed && webhook) {
+      void audit('webhook.deleted', { name: webhook.name });
+      logger.info('Webhook deleted', { id, name: webhook.name });
+    }
+    return removed;
+  }
+
+  async handleGenericWebhook(
+    name: string,
+    body: Buffer,
+    headers: Record<string, string>
+  ): Promise<WebhookResult> {
+    // Check payload size
+    if (body.length > this.config.maxPayloadSize) {
+      logger.warn('Webhook payload too large', { name, size: body.length });
+      return { accepted: false, status: 413, error: 'Payload too large' };
+    }
+
+    // Find webhook
+    const webhook = await this.store.getByName(name);
+    if (!webhook || !webhook.enabled) {
+      return { accepted: false, status: 404, error: 'Not found' };
+    }
+
+    // Verify signature
+    const signature = headers[this.config.signatureHeader] ?? '';
+    if (!verifyHmacSha256(body, webhook.secret, signature)) {
+      void audit('webhook.signature_failed', { name });
+      logger.warn('Webhook signature verification failed', { name });
+      return { accepted: false, status: 401, error: 'Unauthorized' };
+    }
+
+    void audit('webhook.received', {
+      name,
+      type: webhook.type,
+      payloadSize: body.length,
+    });
+
+    // Trigger behavior asynchronously
+    if (webhook.behaviorId && this.behaviorTrigger) {
+      const payload = body.toString('utf-8');
+      this.triggerBehavior(webhook.name, webhook.behaviorId, payload);
+    }
+
+    return { accepted: true, status: 202 };
+  }
+
+  private triggerBehavior(webhookName: string, behaviorId: string, payload: string): void {
+    if (!this.behaviorTrigger) return;
+
+    this.behaviorTrigger(behaviorId, payload)
+      .then(() => {
+        void audit('webhook.triggered', { name: webhookName, behaviorId });
+        logger.info('Webhook triggered behavior', { webhookName, behaviorId });
+      })
+      .catch((error) => {
+        const message = error instanceof Error ? error.message : String(error);
+        void audit('webhook.error', { name: webhookName, error: message });
+        logger.error('Webhook behavior trigger failed', { error: new Error(message), webhookName, behaviorId });
+      });
+  }
+
+  setBehaviorTrigger(trigger: (behaviorId: string, payload: string) => Promise<{ success: boolean; error?: string }>): void {
+    this.behaviorTrigger = trigger;
+  }
+}

package/tests/integration.test.ts

@@ -0,0 +1,83 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import * as crypto from 'node:crypto';
+import { WebhookManager } from '../src/webhook-manager.js';
+import { DEFAULT_WEBHOOK_CONFIG } from '../src/types.js';
+
+describe('Webhook integration', () => {
+  let manager: WebhookManager;
+  let tmpDir: string;
+  let mockBehaviorTrigger: ReturnType<typeof vi.fn>;
+
+  beforeEach(async () => {
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'webhook-int-'));
+    mockBehaviorTrigger = vi.fn().mockResolvedValue({ success: true });
+
+    manager = new WebhookManager({
+      storePath: path.join(tmpDir, 'webhooks.json'),
+      config: { ...DEFAULT_WEBHOOK_CONFIG, enabled: true },
+      onBehaviorTrigger: mockBehaviorTrigger,
+    });
+  });
+
+  afterEach(async () => {
+    await fs.rm(tmpDir, { recursive: true, force: true });
+  });
+
+  it('should handle full create → receive → trigger flow', async () => {
+    // 1. Create webhook
+    const secret = 'integration-test-secret';
+    const webhook = await manager.create({
+      name: 'github-push',
+      type: 'generic',
+      secret,
+      behaviorId: 'summarize-commits',
+    });
+    expect(webhook.name).toBe('github-push');
+
+    // 2. Simulate incoming webhook
+    const payload = JSON.stringify({ ref: 'refs/heads/main', commits: [{ message: 'fix bug' }] });
+    const body = Buffer.from(payload);
+    const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+
+    const result = await manager.handleGenericWebhook('github-push', body, {
+      'x-webhook-signature': signature,
+    });
+
+    expect(result.accepted).toBe(true);
+    expect(result.status).toBe(202);
+
+    // 3. Wait for async behavior trigger
+    await new Promise((resolve) => setTimeout(resolve, 10));
+    expect(mockBehaviorTrigger).toHaveBeenCalledWith('summarize-commits', payload);
+  });
+
+  it('should reject webhook after deletion', async () => {
+    const secret = 'temp-secret';
+    const webhook = await manager.create({ name: 'temp', type: 'generic', secret });
+    await manager.delete(webhook.id);
+
+    const body = Buffer.from('{}');
+    const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+
+    const result = await manager.handleGenericWebhook('temp', body, {
+      'x-webhook-signature': signature,
+    });
+
+    expect(result.accepted).toBe(false);
+    expect(result.status).toBe(404);
+  });
+
+  it('should handle signature failure with audit trail', async () => {
+    await manager.create({ name: 'secure', type: 'generic', secret: 'real-secret' });
+
+    const result = await manager.handleGenericWebhook('secure', Buffer.from('{}'), {
+      'x-webhook-signature': 'forged-signature',
+    });
+
+    expect(result.accepted).toBe(false);
+    expect(result.status).toBe(401);
+  });
+});

package/tests/store.test.ts

@@ -0,0 +1,69 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { WebhookStore } from '../src/store.js';
+import type { WebhookDefinition } from '../src/types.js';
+
+function makeWebhook(overrides: Partial<WebhookDefinition> = {}): WebhookDefinition {
+  return {
+    id: 'wh-1',
+    name: 'test-webhook',
+    type: 'generic',
+    secret: 'test-secret',
+    enabled: true,
+    createdAt: new Date().toISOString(),
+    ...overrides,
+  };
+}
+
+describe('WebhookStore', () => {
+  let store: WebhookStore;
+  let tmpDir: string;
+  let filePath: string;
+
+  beforeEach(async () => {
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'webhook-store-'));
+    filePath = path.join(tmpDir, 'webhooks.json');
+    store = new WebhookStore(filePath);
+  });
+
+  afterEach(async () => {
+    await fs.rm(tmpDir, { recursive: true, force: true });
+  });
+
+  it('should save and retrieve a webhook', async () => {
+    const webhook = makeWebhook();
+    await store.save(webhook);
+    const result = await store.get('wh-1');
+    expect(result).toEqual(webhook);
+  });
+
+  it('should retrieve by name', async () => {
+    await store.save(makeWebhook());
+    const result = await store.getByName('test-webhook');
+    expect(result?.id).toBe('wh-1');
+  });
+
+  it('should reject duplicate names', async () => {
+    await store.save(makeWebhook());
+    await expect(
+      store.save(makeWebhook({ id: 'wh-2', name: 'test-webhook' }))
+    ).rejects.toThrow('already exists');
+  });
+
+  it('should remove a webhook', async () => {
+    await store.save(makeWebhook());
+    const removed = await store.remove('wh-1');
+    expect(removed).toBe(true);
+    expect(await store.get('wh-1')).toBeUndefined();
+  });
+
+  it('should list only enabled webhooks', async () => {
+    await store.save(makeWebhook({ id: 'wh-1', name: 'enabled', enabled: true }));
+    await store.save(makeWebhook({ id: 'wh-2', name: 'disabled', enabled: false }));
+    const enabled = await store.listEnabled();
+    expect(enabled).toHaveLength(1);
+    expect(enabled[0].name).toBe('enabled');
+  });
+});

package/tests/verify.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect } from 'vitest';
+import * as crypto from 'node:crypto';
+import { verifyHmacSha256, verifyTwilioSignature } from '../src/verify.js';
+
+describe('verifyHmacSha256', () => {
+  const secret = 'my-webhook-secret';
+
+  it('should accept valid HMAC-SHA256 signature', () => {
+    const body = Buffer.from('{"event":"push"}');
+    const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+    expect(verifyHmacSha256(body, secret, signature)).toBe(true);
+  });
+
+  it('should reject invalid signature', () => {
+    const body = Buffer.from('{"event":"push"}');
+    expect(verifyHmacSha256(body, secret, 'invalid-signature')).toBe(false);
+  });
+
+  it('should reject tampered body', () => {
+    const body = Buffer.from('{"event":"push"}');
+    const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+    const tampered = Buffer.from('{"event":"hack"}');
+    expect(verifyHmacSha256(tampered, secret, signature)).toBe(false);
+  });
+
+  it('should handle sha256= prefix in signature', () => {
+    const body = Buffer.from('test');
+    const hash = crypto.createHmac('sha256', secret).update(body).digest('hex');
+    expect(verifyHmacSha256(body, secret, `sha256=${hash}`)).toBe(true);
+  });
+
+  it('should reject empty signature', () => {
+    const body = Buffer.from('test');
+    expect(verifyHmacSha256(body, secret, '')).toBe(false);
+  });
+});
+
+describe('verifyTwilioSignature', () => {
+  const authToken = 'twilio-auth-token';
+
+  it('should accept valid Twilio signature', () => {
+    const url = 'https://example.com/api/v1/webhooks/twilio';
+    const params: Record<string, string> = {
+      Body: 'Hello',
+      From: '+1234567890',
+      To: '+0987654321',
+    };
+
+    // Build expected signature the Twilio way:
+    // Sort params by key, concatenate key+value, append to URL, HMAC-SHA1, base64
+    const data = url + Object.keys(params).sort().reduce((acc, key) => acc + key + params[key], '');
+    const expected = crypto.createHmac('sha1', authToken).update(data).digest('base64');
+
+    expect(verifyTwilioSignature(url, params, authToken, expected)).toBe(true);
+  });
+
+  it('should reject invalid Twilio signature', () => {
+    expect(verifyTwilioSignature('https://example.com', {}, authToken, 'bad-sig')).toBe(false);
+  });
+});

package/tests/webhook-manager.test.ts

@@ -0,0 +1,159 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import * as crypto from 'node:crypto';
+import { WebhookManager } from '../src/webhook-manager.js';
+import type { WebhookDefinition } from '../src/types.js';
+import { DEFAULT_WEBHOOK_CONFIG } from '../src/types.js';
+
+function makeWebhook(overrides: Partial<WebhookDefinition> = {}): WebhookDefinition {
+  return {
+    id: 'wh-1',
+    name: 'test-hook',
+    type: 'generic',
+    secret: 'test-secret-key',
+    behaviorId: 'beh-1',
+    enabled: true,
+    createdAt: new Date().toISOString(),
+    ...overrides,
+  };
+}
+
+describe('WebhookManager', () => {
+  let manager: WebhookManager;
+  let tmpDir: string;
+  let filePath: string;
+  let mockBehaviorTrigger: ReturnType<typeof vi.fn>;
+
+  beforeEach(async () => {
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'webhook-mgr-'));
+    filePath = path.join(tmpDir, 'webhooks.json');
+    mockBehaviorTrigger = vi.fn().mockResolvedValue({ success: true });
+
+    manager = new WebhookManager({
+      storePath: filePath,
+      config: { ...DEFAULT_WEBHOOK_CONFIG, enabled: true },
+      onBehaviorTrigger: mockBehaviorTrigger,
+    });
+  });
+
+  afterEach(async () => {
+    await fs.rm(tmpDir, { recursive: true, force: true });
+  });
+
+  describe('webhook CRUD', () => {
+    it('should create a webhook', async () => {
+      const webhook = await manager.create({
+        name: 'github-push',
+        type: 'generic',
+        secret: 'my-secret',
+        behaviorId: 'beh-1',
+      });
+      expect(webhook.id).toBeDefined();
+      expect(webhook.name).toBe('github-push');
+      expect(webhook.enabled).toBe(true);
+    });
+
+    it('should list all webhooks', async () => {
+      await manager.create({ name: 'hook-1', type: 'generic', secret: 's1' });
+      await manager.create({ name: 'hook-2', type: 'generic', secret: 's2' });
+      const all = await manager.list();
+      expect(all).toHaveLength(2);
+    });
+
+    it('should update a webhook', async () => {
+      const wh = await manager.create({ name: 'original', type: 'generic', secret: 's' });
+      const updated = await manager.update(wh.id, { name: 'renamed', enabled: false });
+      expect(updated).not.toBeNull();
+      expect(updated!.name).toBe('renamed');
+      expect(updated!.enabled).toBe(false);
+
+      const all = await manager.list();
+      expect(all[0].name).toBe('renamed');
+    });
+
+    it('should return null when updating non-existent webhook', async () => {
+      const result = await manager.update('nonexistent', { name: 'test' });
+      expect(result).toBeNull();
+    });
+
+    it('should delete a webhook', async () => {
+      const wh = await manager.create({ name: 'to-delete', type: 'generic', secret: 's' });
+      const deleted = await manager.delete(wh.id);
+      expect(deleted).toBe(true);
+      const all = await manager.list();
+      expect(all).toHaveLength(0);
+    });
+  });
+
+  describe('generic webhook handling', () => {
+    it('should verify signature and trigger behavior', async () => {
+      const secret = 'my-secret';
+      await manager.create({ name: 'test', type: 'generic', secret, behaviorId: 'beh-1' });
+
+      const body = Buffer.from('{"event":"push"}');
+      const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+
+      const result = await manager.handleGenericWebhook('test', body, {
+        'x-webhook-signature': signature,
+      });
+
+      expect(result.accepted).toBe(true);
+      expect(mockBehaviorTrigger).toHaveBeenCalledWith('beh-1', expect.stringContaining('push'));
+    });
+
+    it('should reject invalid signature', async () => {
+      await manager.create({ name: 'test', type: 'generic', secret: 'real-secret' });
+
+      const body = Buffer.from('{}');
+      const result = await manager.handleGenericWebhook('test', body, {
+        'x-webhook-signature': 'bad-sig',
+      });
+
+      expect(result.accepted).toBe(false);
+      expect(result.status).toBe(401);
+    });
+
+    it('should reject unknown webhook name', async () => {
+      const result = await manager.handleGenericWebhook('nonexistent', Buffer.from('{}'), {});
+      expect(result.accepted).toBe(false);
+      expect(result.status).toBe(404);
+    });
+
+    it('should reject disabled webhook', async () => {
+      const wh = await manager.create({ name: 'disabled', type: 'generic', secret: 's', enabled: false });
+
+      const result = await manager.handleGenericWebhook('disabled', Buffer.from('{}'), {});
+      expect(result.accepted).toBe(false);
+      expect(result.status).toBe(404);
+    });
+
+    it('should handle missing behavior gracefully', async () => {
+      mockBehaviorTrigger.mockRejectedValueOnce(new Error('Behavior not found'));
+      const secret = 'my-secret';
+      await manager.create({ name: 'orphan', type: 'generic', secret, behaviorId: 'missing' });
+
+      const body = Buffer.from('{}');
+      const signature = crypto.createHmac('sha256', secret).update(body).digest('hex');
+
+      const result = await manager.handleGenericWebhook('orphan', body, {
+        'x-webhook-signature': signature,
+      });
+
+      // Still accepted (202) — don't leak internal state
+      expect(result.accepted).toBe(true);
+    });
+  });
+
+  describe('payload size', () => {
+    it('should reject oversized payloads', async () => {
+      await manager.create({ name: 'test', type: 'generic', secret: 's' });
+      const oversized = Buffer.alloc(DEFAULT_WEBHOOK_CONFIG.maxPayloadSize + 1);
+
+      const result = await manager.handleGenericWebhook('test', oversized, {});
+      expect(result.accepted).toBe(false);
+      expect(result.status).toBe(413);
+    });
+  });
+});

package/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"],
+  "references": [
+    { "path": "../logger" },
+    { "path": "../audit" }
+  ]
+}