@ceon-oy/monitor-sdk 1.0.9 → 1.0.10

package/README.md

@@ -97,6 +97,10 @@ interface MonitorClientConfig {
   }[];
   excludePatterns?: string[];        // Glob patterns to exclude (e.g., '@types/*')
   autoAudit?: boolean;               // Enable automatic vulnerability scanning (default: false)
+  auditPaths?: {                     // Multiple directories for vulnerability scanning
+    path: string;                    // Directory path (e.g., '.', '../client')
+    environment: string;             // Environment label (e.g., 'server', 'client')
+  }[];
 }
 ```
 
@@ -227,6 +231,47 @@ With `autoAudit` enabled:
 
 Configure the scan interval in the Ceon Monitor dashboard under the project's Vulnerabilities page.
 
+#### Multi-Directory Vulnerability Auditing
+
+For projects with separate server and client directories (or monorepos), use `auditPaths` to scan multiple directories:
+
+```typescript
+const monitor = new MonitorClient({
+  apiKey: process.env.CEON_MONITOR_API_KEY!,
+  endpoint: 'https://monitor.example.com',
+  autoAudit: true,
+  auditPaths: [
+    { path: '.', environment: 'server' },
+    { path: '../client', environment: 'client' },
+  ],
+  // Also track dependencies from both
+  trackDependencies: true,
+  dependencySources: [
+    { path: './package.json', environment: 'server' },
+    { path: '../client/package.json', environment: 'client' },
+  ],
+});
+```
+
+With `auditPaths` configured:
+- Each directory is scanned independently using `npm audit`
+- Results are tagged with the environment label (e.g., 'server', 'client')
+- All vulnerabilities appear in a single project dashboard
+- Use the environment filter in the dashboard to view specific environments
+
+You can also manually trigger a multi-directory audit:
+
+```typescript
+const result = await monitor.auditMultiplePaths();
+if (result) {
+  console.log('Audit results by environment:');
+  for (const env of result.results) {
+    console.log(`  ${env.environment}: ${env.processed} vulnerabilities`);
+  }
+  console.log('Total:', result.totalSummary);
+}
+```
+
 #### Manual Scheduled Auditing
 
 If you prefer manual control over scheduling:
@@ -725,6 +770,10 @@ Checks for brute force attacks.
 
 Runs npm audit and sends results to the server.
 
+#### `auditMultiplePaths(): Promise<MultiAuditSummary | null>`
+
+Runs npm audit on all directories configured in `auditPaths` and returns a combined summary.
+
 #### `flush(): Promise<void>`
 
 Immediately sends all queued errors.
@@ -787,6 +836,22 @@ interface SecurityEvent {
   identifier?: string;
   metadata?: Record<string, unknown>;
 }
+
+interface AuditPath {
+  path: string;        // Directory path (e.g., '.', '../client')
+  environment: string; // Environment label (e.g., 'server', 'client')
+}
+
+interface MultiAuditSummary {
+  results: Array<{
+    environment: string;
+    scanId: string;
+    processed: number;
+    resolved: number;
+    summary: { critical: number; high: number; moderate: number; low: number; info: number };
+  }>;
+  totalSummary: { critical: number; high: number; moderate: number; low: number; info: number };
+}
 ```
 
 ## License

package/dist/index.d.mts

@@ -6,6 +6,12 @@ interface DependencySource {
     path: string;
     environment: string;
 }
+interface AuditPath {
+    /** Directory path to run npm audit in (e.g., '.', '../client') */
+    path: string;
+    /** Environment label for vulnerabilities from this path (e.g., 'server', 'client') */
+    environment: string;
+}
 interface MonitorClientConfig {
     /** API key for authentication (required, format: cm_xxx) */
     apiKey: string;
@@ -33,6 +39,8 @@ interface MonitorClientConfig {
     requestTimeoutMs?: number;
     /** Enable automatic vulnerability scanning based on server-configured interval (default: false) */
     autoAudit?: boolean;
+    /** Multiple directories to audit for vulnerabilities (runs npm audit in each) */
+    auditPaths?: AuditPath[];
 }
 interface TechnologyItem {
     name: string;
@@ -118,6 +126,28 @@ interface AuditSummary {
         info: number;
     };
 }
+interface MultiAuditSummary {
+    results: Array<{
+        environment: string;
+        scanId: string;
+        processed: number;
+        resolved: number;
+        summary: {
+            critical: number;
+            high: number;
+            moderate: number;
+            low: number;
+            info: number;
+        };
+    }>;
+    totalSummary: {
+        critical: number;
+        high: number;
+        moderate: number;
+        low: number;
+        info: number;
+    };
+}
 
 declare class MonitorClient {
     private apiKey;
@@ -132,6 +162,8 @@ declare class MonitorClient {
     private packageJsonPath?;
     private dependencySources?;
     private excludePatterns;
+    private compiledExcludePatterns;
+    private auditPaths?;
     private maxQueueSize;
     private maxRetries;
     private retryCount;
@@ -144,6 +176,15 @@ declare class MonitorClient {
     private lastKnownScanRequestedAt;
     private lastKnownTechScanRequestedAt;
     constructor(config: MonitorClientConfig);
+    /**
+     * Security: Validate and sanitize metadata to prevent oversized payloads
+     */
+    private sanitizeMetadata;
+    /**
+     * Security: Sanitize error response text to prevent sensitive data exposure
+     * Removes potential API keys, tokens, and limits response length
+     */
+    private sanitizeErrorResponse;
     captureError(error: Error, context?: ErrorContext): Promise<void>;
     captureMessage(message: string, severity?: Severity, context?: ErrorContext): Promise<void>;
     flush(): Promise<void>;
@@ -168,6 +209,7 @@ declare class MonitorClient {
     private setupAutoAudit;
     /**
      * Run a vulnerability scan and track the time it was run.
+     * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
      */
     private runScanAndTrackTime;
     /**
@@ -263,6 +305,16 @@ declare class MonitorClient {
         projectPath?: string;
         environment?: string;
     }): Promise<AuditSummary | null>;
+    /**
+     * Run npm audit on multiple directories and send results to the monitoring server.
+     * This is useful for monorepos or projects with separate client/server directories.
+     *
+     * Uses the auditPaths configuration to determine which directories to scan.
+     * Each path is scanned independently and results are tagged with their environment label.
+     *
+     * @returns Combined summary of all audit results
+     */
+    auditMultiplePaths(): Promise<MultiAuditSummary | null>;
     /**
      * Parse npm audit JSON output into vulnerability items
      */
@@ -271,4 +323,4 @@ declare class MonitorClient {
     private getRecommendation;
 }
 
-export { type AuditResult, type AuditSummary, type BruteForceDetectionResult, type DependencySource, type ErrorContext, type ErrorPayload, MonitorClient, type MonitorClientConfig, type SecurityCategory, type SecurityEventInput, type SecurityEventPayload, type SecuritySeverity, type Severity, type TechnologyItem, type TechnologyType, type VulnerabilityItem, type VulnerabilitySeverity };
+export { type AuditPath, type AuditResult, type AuditSummary, type BruteForceDetectionResult, type DependencySource, type ErrorContext, type ErrorPayload, MonitorClient, type MonitorClientConfig, type MultiAuditSummary, type SecurityCategory, type SecurityEventInput, type SecurityEventPayload, type SecuritySeverity, type Severity, type TechnologyItem, type TechnologyType, type VulnerabilityItem, type VulnerabilitySeverity };

package/dist/index.d.ts

@@ -6,6 +6,12 @@ interface DependencySource {
     path: string;
     environment: string;
 }
+interface AuditPath {
+    /** Directory path to run npm audit in (e.g., '.', '../client') */
+    path: string;
+    /** Environment label for vulnerabilities from this path (e.g., 'server', 'client') */
+    environment: string;
+}
 interface MonitorClientConfig {
     /** API key for authentication (required, format: cm_xxx) */
     apiKey: string;
@@ -33,6 +39,8 @@ interface MonitorClientConfig {
     requestTimeoutMs?: number;
     /** Enable automatic vulnerability scanning based on server-configured interval (default: false) */
     autoAudit?: boolean;
+    /** Multiple directories to audit for vulnerabilities (runs npm audit in each) */
+    auditPaths?: AuditPath[];
 }
 interface TechnologyItem {
     name: string;
@@ -118,6 +126,28 @@ interface AuditSummary {
         info: number;
     };
 }
+interface MultiAuditSummary {
+    results: Array<{
+        environment: string;
+        scanId: string;
+        processed: number;
+        resolved: number;
+        summary: {
+            critical: number;
+            high: number;
+            moderate: number;
+            low: number;
+            info: number;
+        };
+    }>;
+    totalSummary: {
+        critical: number;
+        high: number;
+        moderate: number;
+        low: number;
+        info: number;
+    };
+}
 
 declare class MonitorClient {
     private apiKey;
@@ -132,6 +162,8 @@ declare class MonitorClient {
     private packageJsonPath?;
     private dependencySources?;
     private excludePatterns;
+    private compiledExcludePatterns;
+    private auditPaths?;
     private maxQueueSize;
     private maxRetries;
     private retryCount;
@@ -144,6 +176,15 @@ declare class MonitorClient {
     private lastKnownScanRequestedAt;
     private lastKnownTechScanRequestedAt;
     constructor(config: MonitorClientConfig);
+    /**
+     * Security: Validate and sanitize metadata to prevent oversized payloads
+     */
+    private sanitizeMetadata;
+    /**
+     * Security: Sanitize error response text to prevent sensitive data exposure
+     * Removes potential API keys, tokens, and limits response length
+     */
+    private sanitizeErrorResponse;
     captureError(error: Error, context?: ErrorContext): Promise<void>;
     captureMessage(message: string, severity?: Severity, context?: ErrorContext): Promise<void>;
     flush(): Promise<void>;
@@ -168,6 +209,7 @@ declare class MonitorClient {
     private setupAutoAudit;
     /**
      * Run a vulnerability scan and track the time it was run.
+     * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
      */
     private runScanAndTrackTime;
     /**
@@ -263,6 +305,16 @@ declare class MonitorClient {
         projectPath?: string;
         environment?: string;
     }): Promise<AuditSummary | null>;
+    /**
+     * Run npm audit on multiple directories and send results to the monitoring server.
+     * This is useful for monorepos or projects with separate client/server directories.
+     *
+     * Uses the auditPaths configuration to determine which directories to scan.
+     * Each path is scanned independently and results are tagged with their environment label.
+     *
+     * @returns Combined summary of all audit results
+     */
+    auditMultiplePaths(): Promise<MultiAuditSummary | null>;
     /**
      * Parse npm audit JSON output into vulnerability items
      */
@@ -271,4 +323,4 @@ declare class MonitorClient {
     private getRecommendation;
 }
 
-export { type AuditResult, type AuditSummary, type BruteForceDetectionResult, type DependencySource, type ErrorContext, type ErrorPayload, MonitorClient, type MonitorClientConfig, type SecurityCategory, type SecurityEventInput, type SecurityEventPayload, type SecuritySeverity, type Severity, type TechnologyItem, type TechnologyType, type VulnerabilityItem, type VulnerabilitySeverity };
+export { type AuditPath, type AuditResult, type AuditSummary, type BruteForceDetectionResult, type DependencySource, type ErrorContext, type ErrorPayload, MonitorClient, type MonitorClientConfig, type MultiAuditSummary, type SecurityCategory, type SecurityEventInput, type SecurityEventPayload, type SecuritySeverity, type Severity, type TechnologyItem, type TechnologyType, type VulnerabilityItem, type VulnerabilitySeverity };

package/dist/index.js

@@ -35,6 +35,25 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/MonitorClient.ts
+var CONFIG_LIMITS = {
+  MAX_BATCH_SIZE: 1e3,
+  MAX_FLUSH_INTERVAL_MS: 3e5,
+  // 5 minutes
+  MAX_QUEUE_SIZE: 1e4,
+  MAX_RETRIES: 10,
+  MAX_REQUEST_TIMEOUT_MS: 6e4,
+  // 1 minute
+  MAX_METADATA_SIZE_BYTES: 65536,
+  // 64KB
+  MAX_RETRY_MAP_SIZE: 1e3,
+  // Prevent unbounded growth
+  AUDIT_MAX_BUFFER: 10 * 1024 * 1024,
+  // 10MB
+  AUDIT_TIMEOUT_MS: 6e4,
+  // 60 seconds
+  SETTINGS_POLL_INTERVAL_MS: 5 * 60 * 1e3
+  // 5 minutes
+};
 var MonitorClient = class {
   constructor(config) {
     this.queue = [];
@@ -73,14 +92,14 @@ var MonitorClient = class {
     this.apiKey = config.apiKey;
     this.endpoint = config.endpoint.replace(/\/$/, "");
     this.environment = config.environment || "production";
-    this.batchSize = Math.max(1, config.batchSize || 10);
-    this.flushIntervalMs = Math.max(1e3, config.flushIntervalMs || 5e3);
+    this.batchSize = Math.min(CONFIG_LIMITS.MAX_BATCH_SIZE, Math.max(1, config.batchSize || 10));
+    this.flushIntervalMs = Math.min(CONFIG_LIMITS.MAX_FLUSH_INTERVAL_MS, Math.max(1e3, config.flushIntervalMs || 5e3));
     this.trackDependencies = config.trackDependencies || false;
     this.packageJsonPath = config.packageJsonPath;
     this.dependencySources = config.dependencySources;
-    this.maxQueueSize = config.maxQueueSize || 1e3;
-    this.maxRetries = config.maxRetries || 3;
-    this.requestTimeoutMs = config.requestTimeoutMs || 1e4;
+    this.maxQueueSize = Math.min(CONFIG_LIMITS.MAX_QUEUE_SIZE, config.maxQueueSize || 1e3);
+    this.maxRetries = Math.min(CONFIG_LIMITS.MAX_RETRIES, config.maxRetries || 3);
+    this.requestTimeoutMs = Math.min(CONFIG_LIMITS.MAX_REQUEST_TIMEOUT_MS, config.requestTimeoutMs || 1e4);
     const defaultExcludePatterns = [
       "@types/*",
       "eslint*",
@@ -91,7 +110,12 @@ var MonitorClient = class {
       "@typescript-eslint/*"
     ];
     this.excludePatterns = config.excludePatterns || defaultExcludePatterns;
+    this.compiledExcludePatterns = this.excludePatterns.map((pattern) => {
+      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+      return new RegExp(`^${regexPattern}$`);
+    });
     this.autoAudit = config.autoAudit || false;
+    this.auditPaths = config.auditPaths;
     this.startFlushTimer();
     if (this.trackDependencies) {
       this.syncDependencies().catch((err) => {
@@ -104,6 +128,36 @@ var MonitorClient = class {
       });
     }
   }
+  /**
+   * Security: Validate and sanitize metadata to prevent oversized payloads
+   */
+  sanitizeMetadata(metadata) {
+    if (!metadata) return void 0;
+    try {
+      const jsonStr = JSON.stringify(metadata);
+      if (jsonStr.length > CONFIG_LIMITS.MAX_METADATA_SIZE_BYTES) {
+        console.warn(`[MonitorClient] Metadata exceeds size limit (${CONFIG_LIMITS.MAX_METADATA_SIZE_BYTES} bytes), truncating`);
+        return { _truncated: true, _originalSize: jsonStr.length };
+      }
+      return metadata;
+    } catch {
+      console.warn("[MonitorClient] Metadata contains non-serializable data, skipping");
+      return { _error: "non-serializable" };
+    }
+  }
+  /**
+   * Security: Sanitize error response text to prevent sensitive data exposure
+   * Removes potential API keys, tokens, and limits response length
+   */
+  sanitizeErrorResponse(errorText) {
+    if (!errorText) return "";
+    const maxLength = 500;
+    let sanitized = errorText.length > maxLength ? errorText.substring(0, maxLength) + "..." : errorText;
+    sanitized = sanitized.replace(/cm_[a-zA-Z0-9_-]+/g, "[REDACTED]");
+    sanitized = sanitized.replace(/Bearer\s+[a-zA-Z0-9_.-]+/gi, "Bearer [REDACTED]");
+    sanitized = sanitized.replace(/authorization['":\s]+[a-zA-Z0-9_.-]+/gi, "authorization: [REDACTED]");
+    return sanitized;
+  }
   async captureError(error, context) {
     if (this.isClosed) return;
     const payload = {
@@ -117,7 +171,7 @@ var MonitorClient = class {
       userAgent: context?.userAgent,
       ip: context?.ip,
       requestId: context?.requestId,
-      metadata: context?.metadata
+      metadata: this.sanitizeMetadata(context?.metadata)
     };
     this.enqueue(payload);
   }
@@ -133,7 +187,7 @@ var MonitorClient = class {
       userAgent: context?.userAgent,
       ip: context?.ip,
       requestId: context?.requestId,
-      metadata: context?.metadata
+      metadata: this.sanitizeMetadata(context?.metadata)
     };
     this.enqueue(payload);
   }
@@ -157,6 +211,12 @@ var MonitorClient = class {
         const key = this.getErrorKey(error);
         const retries = this.retryCount.get(key) || 0;
         if (retries < this.maxRetries) {
+          if (this.retryCount.size >= CONFIG_LIMITS.MAX_RETRY_MAP_SIZE) {
+            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * 0.1));
+            for (const oldKey of keysToRemove) {
+              this.retryCount.delete(oldKey);
+            }
+          }
           this.retryCount.set(key, retries + 1);
           if (this.queue.length < this.maxQueueSize) {
             this.queue.push(error);
@@ -241,20 +301,29 @@ var MonitorClient = class {
       await this.runScanAndTrackTime();
       const intervalMs = intervalHours * 60 * 60 * 1e3;
       this.auditIntervalTimer = setInterval(() => {
-        this.runScanAndTrackTime();
+        this.runScanAndTrackTime().catch((err) => {
+          console.error("[MonitorClient] Auto audit scan failed:", err);
+        });
       }, intervalMs);
     }
     console.log("[MonitorClient] Polling for scan requests enabled (every 5 minutes)");
     this.settingsPollingTimer = setInterval(() => {
-      this.checkForScanRequest();
-    }, 5 * 60 * 1e3);
+      this.checkForScanRequest().catch((err) => {
+        console.error("[MonitorClient] Scan request check failed:", err);
+      });
+    }, CONFIG_LIMITS.SETTINGS_POLL_INTERVAL_MS);
   }
   /**
    * Run a vulnerability scan and track the time it was run.
+   * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
    */
   async runScanAndTrackTime() {
     try {
-      await this.auditDependencies();
+      if (this.auditPaths && this.auditPaths.length > 0) {
+        await this.auditMultiplePaths();
+      } else {
+        await this.auditDependencies();
+      }
       this.lastScanTime = /* @__PURE__ */ new Date();
     } catch (err) {
       console.error("[MonitorClient] Vulnerability scan failed:", err instanceof Error ? err.message : String(err));
@@ -294,7 +363,9 @@ var MonitorClient = class {
     }
     this.queue.push(payload);
     if (this.queue.length >= this.batchSize) {
-      this.flush();
+      this.flush().catch((err) => {
+        console.error("[MonitorClient] Flush failed:", err);
+      });
     }
   }
   /**
@@ -329,7 +400,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   async sendBatch(errors) {
@@ -343,12 +414,14 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   startFlushTimer() {
     this.flushTimer = setInterval(() => {
-      this.flush();
+      this.flush().catch((err) => {
+        console.error("[MonitorClient] Scheduled flush failed:", err);
+      });
     }, this.flushIntervalMs);
   }
   stopFlushTimer() {
@@ -411,6 +484,16 @@ var MonitorClient = class {
       if (!fs.existsSync(normalizedPath)) {
         return [];
       }
+      try {
+        const realPath = fs.realpathSync(normalizedPath);
+        const realBase = fs.realpathSync(normalizedBase);
+        if (!path.isAbsolute(packagePath) && !realPath.startsWith(realBase)) {
+          console.warn("[MonitorClient] Symlink points outside allowed directory:", packagePath);
+          return [];
+        }
+      } catch {
+        return [];
+      }
       const packageJson = JSON.parse(fs.readFileSync(normalizedPath, "utf-8"));
       const technologies = [];
       const deps = {
@@ -434,9 +517,8 @@ var MonitorClient = class {
     }
   }
   shouldExclude(packageName) {
-    for (const pattern of this.excludePatterns) {
-      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-      if (new RegExp(`^${regexPattern}$`).test(packageName)) {
+    for (const regex of this.compiledExcludePatterns) {
+      if (regex.test(packageName)) {
         return true;
       }
     }
@@ -459,7 +541,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   /**
@@ -470,6 +552,7 @@ var MonitorClient = class {
     if (this.isClosed) return {};
     const payload = {
       ...input,
+      metadata: this.sanitizeMetadata(input.metadata),
       environment: this.environment
     };
     const response = await this.fetchWithTimeout(`${this.endpoint}/api/v1/security`, {
@@ -482,7 +565,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
     const result = await response.json();
     return { warning: result.warning };
@@ -561,7 +644,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
     const result = await response.json();
     return result.data;
@@ -602,6 +685,12 @@ var MonitorClient = class {
         return null;
       }
       projectPath = path.resolve(projectPath);
+      try {
+        projectPath = fs.realpathSync(projectPath);
+      } catch {
+        console.error("[MonitorClient] projectPath does not exist or is inaccessible");
+        return null;
+      }
       try {
         const stats = fs.statSync(projectPath);
         if (!stats.isDirectory()) {
@@ -612,21 +701,19 @@ var MonitorClient = class {
         console.error("[MonitorClient] projectPath does not exist");
         return null;
       }
-      const packageJsonPath = path.join(projectPath, "package.json");
-      if (!fs.existsSync(packageJsonPath)) {
-        console.error("[MonitorClient] No package.json found in projectPath");
-        return null;
-      }
       let auditOutput;
       try {
+        const packageJsonPath = path.join(projectPath, "package.json");
+        if (!fs.existsSync(packageJsonPath)) {
+          console.error("[MonitorClient] No package.json found in projectPath");
+          return null;
+        }
         auditOutput = execSync("npm audit --json", {
           cwd: projectPath,
           encoding: "utf-8",
           stdio: ["pipe", "pipe", "pipe"],
-          maxBuffer: 10 * 1024 * 1024,
-          // 10MB buffer for large outputs
-          timeout: 6e4
-          // 60 second timeout
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
+          timeout: CONFIG_LIMITS.AUDIT_TIMEOUT_MS
         });
       } catch (err) {
         const execError = err;
@@ -668,6 +755,63 @@ var MonitorClient = class {
       return null;
     }
   }
+  /**
+   * Run npm audit on multiple directories and send results to the monitoring server.
+   * This is useful for monorepos or projects with separate client/server directories.
+   *
+   * Uses the auditPaths configuration to determine which directories to scan.
+   * Each path is scanned independently and results are tagged with their environment label.
+   *
+   * @returns Combined summary of all audit results
+   */
+  async auditMultiplePaths() {
+    if (!this.auditPaths || this.auditPaths.length === 0) {
+      console.warn("[MonitorClient] No auditPaths configured");
+      return null;
+    }
+    const results = [];
+    const totalSummary = {
+      critical: 0,
+      high: 0,
+      moderate: 0,
+      low: 0,
+      info: 0
+    };
+    for (const auditPath of this.auditPaths) {
+      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${auditPath.path}`);
+      try {
+        const summary = await this.auditDependencies({
+          projectPath: auditPath.path,
+          environment: auditPath.environment
+        });
+        if (summary) {
+          results.push({
+            environment: auditPath.environment,
+            scanId: summary.scanId,
+            processed: summary.processed,
+            resolved: summary.resolved,
+            summary: summary.summary
+          });
+          totalSummary.critical += summary.summary.critical;
+          totalSummary.high += summary.summary.high;
+          totalSummary.moderate += summary.summary.moderate;
+          totalSummary.low += summary.summary.low;
+          totalSummary.info += summary.summary.info;
+        }
+      } catch (err) {
+        console.error(`[MonitorClient] Failed to audit ${auditPath.environment}:`, err instanceof Error ? err.message : String(err));
+      }
+    }
+    if (results.length === 0) {
+      console.warn("[MonitorClient] No audit results collected from any path");
+      return null;
+    }
+    console.log(`[MonitorClient] Multi-path audit complete: ${results.length} paths scanned`);
+    return {
+      results,
+      totalSummary
+    };
+  }
   /**
    * Parse npm audit JSON output into vulnerability items
    */
@@ -677,6 +821,9 @@ var MonitorClient = class {
       return vulnerabilities;
     }
     for (const [packageName, vuln] of Object.entries(auditData.vulnerabilities)) {
+      if (!vuln.via || !Array.isArray(vuln.via)) {
+        continue;
+      }
       const viaDetails = vuln.via.find(
         (v) => typeof v === "object" && "title" in v
       );

package/dist/index.mjs

@@ -1,4 +1,23 @@
 // src/MonitorClient.ts
+var CONFIG_LIMITS = {
+  MAX_BATCH_SIZE: 1e3,
+  MAX_FLUSH_INTERVAL_MS: 3e5,
+  // 5 minutes
+  MAX_QUEUE_SIZE: 1e4,
+  MAX_RETRIES: 10,
+  MAX_REQUEST_TIMEOUT_MS: 6e4,
+  // 1 minute
+  MAX_METADATA_SIZE_BYTES: 65536,
+  // 64KB
+  MAX_RETRY_MAP_SIZE: 1e3,
+  // Prevent unbounded growth
+  AUDIT_MAX_BUFFER: 10 * 1024 * 1024,
+  // 10MB
+  AUDIT_TIMEOUT_MS: 6e4,
+  // 60 seconds
+  SETTINGS_POLL_INTERVAL_MS: 5 * 60 * 1e3
+  // 5 minutes
+};
 var MonitorClient = class {
   constructor(config) {
     this.queue = [];
@@ -37,14 +56,14 @@ var MonitorClient = class {
     this.apiKey = config.apiKey;
     this.endpoint = config.endpoint.replace(/\/$/, "");
     this.environment = config.environment || "production";
-    this.batchSize = Math.max(1, config.batchSize || 10);
-    this.flushIntervalMs = Math.max(1e3, config.flushIntervalMs || 5e3);
+    this.batchSize = Math.min(CONFIG_LIMITS.MAX_BATCH_SIZE, Math.max(1, config.batchSize || 10));
+    this.flushIntervalMs = Math.min(CONFIG_LIMITS.MAX_FLUSH_INTERVAL_MS, Math.max(1e3, config.flushIntervalMs || 5e3));
     this.trackDependencies = config.trackDependencies || false;
     this.packageJsonPath = config.packageJsonPath;
     this.dependencySources = config.dependencySources;
-    this.maxQueueSize = config.maxQueueSize || 1e3;
-    this.maxRetries = config.maxRetries || 3;
-    this.requestTimeoutMs = config.requestTimeoutMs || 1e4;
+    this.maxQueueSize = Math.min(CONFIG_LIMITS.MAX_QUEUE_SIZE, config.maxQueueSize || 1e3);
+    this.maxRetries = Math.min(CONFIG_LIMITS.MAX_RETRIES, config.maxRetries || 3);
+    this.requestTimeoutMs = Math.min(CONFIG_LIMITS.MAX_REQUEST_TIMEOUT_MS, config.requestTimeoutMs || 1e4);
     const defaultExcludePatterns = [
       "@types/*",
       "eslint*",
@@ -55,7 +74,12 @@ var MonitorClient = class {
       "@typescript-eslint/*"
     ];
     this.excludePatterns = config.excludePatterns || defaultExcludePatterns;
+    this.compiledExcludePatterns = this.excludePatterns.map((pattern) => {
+      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+      return new RegExp(`^${regexPattern}$`);
+    });
     this.autoAudit = config.autoAudit || false;
+    this.auditPaths = config.auditPaths;
     this.startFlushTimer();
     if (this.trackDependencies) {
       this.syncDependencies().catch((err) => {
@@ -68,6 +92,36 @@ var MonitorClient = class {
       });
     }
   }
+  /**
+   * Security: Validate and sanitize metadata to prevent oversized payloads
+   */
+  sanitizeMetadata(metadata) {
+    if (!metadata) return void 0;
+    try {
+      const jsonStr = JSON.stringify(metadata);
+      if (jsonStr.length > CONFIG_LIMITS.MAX_METADATA_SIZE_BYTES) {
+        console.warn(`[MonitorClient] Metadata exceeds size limit (${CONFIG_LIMITS.MAX_METADATA_SIZE_BYTES} bytes), truncating`);
+        return { _truncated: true, _originalSize: jsonStr.length };
+      }
+      return metadata;
+    } catch {
+      console.warn("[MonitorClient] Metadata contains non-serializable data, skipping");
+      return { _error: "non-serializable" };
+    }
+  }
+  /**
+   * Security: Sanitize error response text to prevent sensitive data exposure
+   * Removes potential API keys, tokens, and limits response length
+   */
+  sanitizeErrorResponse(errorText) {
+    if (!errorText) return "";
+    const maxLength = 500;
+    let sanitized = errorText.length > maxLength ? errorText.substring(0, maxLength) + "..." : errorText;
+    sanitized = sanitized.replace(/cm_[a-zA-Z0-9_-]+/g, "[REDACTED]");
+    sanitized = sanitized.replace(/Bearer\s+[a-zA-Z0-9_.-]+/gi, "Bearer [REDACTED]");
+    sanitized = sanitized.replace(/authorization['":\s]+[a-zA-Z0-9_.-]+/gi, "authorization: [REDACTED]");
+    return sanitized;
+  }
   async captureError(error, context) {
     if (this.isClosed) return;
     const payload = {
@@ -81,7 +135,7 @@ var MonitorClient = class {
       userAgent: context?.userAgent,
       ip: context?.ip,
       requestId: context?.requestId,
-      metadata: context?.metadata
+      metadata: this.sanitizeMetadata(context?.metadata)
     };
     this.enqueue(payload);
   }
@@ -97,7 +151,7 @@ var MonitorClient = class {
       userAgent: context?.userAgent,
       ip: context?.ip,
       requestId: context?.requestId,
-      metadata: context?.metadata
+      metadata: this.sanitizeMetadata(context?.metadata)
     };
     this.enqueue(payload);
   }
@@ -121,6 +175,12 @@ var MonitorClient = class {
         const key = this.getErrorKey(error);
         const retries = this.retryCount.get(key) || 0;
         if (retries < this.maxRetries) {
+          if (this.retryCount.size >= CONFIG_LIMITS.MAX_RETRY_MAP_SIZE) {
+            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * 0.1));
+            for (const oldKey of keysToRemove) {
+              this.retryCount.delete(oldKey);
+            }
+          }
           this.retryCount.set(key, retries + 1);
           if (this.queue.length < this.maxQueueSize) {
             this.queue.push(error);
@@ -205,20 +265,29 @@ var MonitorClient = class {
       await this.runScanAndTrackTime();
       const intervalMs = intervalHours * 60 * 60 * 1e3;
       this.auditIntervalTimer = setInterval(() => {
-        this.runScanAndTrackTime();
+        this.runScanAndTrackTime().catch((err) => {
+          console.error("[MonitorClient] Auto audit scan failed:", err);
+        });
       }, intervalMs);
     }
     console.log("[MonitorClient] Polling for scan requests enabled (every 5 minutes)");
     this.settingsPollingTimer = setInterval(() => {
-      this.checkForScanRequest();
-    }, 5 * 60 * 1e3);
+      this.checkForScanRequest().catch((err) => {
+        console.error("[MonitorClient] Scan request check failed:", err);
+      });
+    }, CONFIG_LIMITS.SETTINGS_POLL_INTERVAL_MS);
   }
   /**
    * Run a vulnerability scan and track the time it was run.
+   * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
    */
   async runScanAndTrackTime() {
     try {
-      await this.auditDependencies();
+      if (this.auditPaths && this.auditPaths.length > 0) {
+        await this.auditMultiplePaths();
+      } else {
+        await this.auditDependencies();
+      }
       this.lastScanTime = /* @__PURE__ */ new Date();
     } catch (err) {
       console.error("[MonitorClient] Vulnerability scan failed:", err instanceof Error ? err.message : String(err));
@@ -258,7 +327,9 @@ var MonitorClient = class {
     }
     this.queue.push(payload);
     if (this.queue.length >= this.batchSize) {
-      this.flush();
+      this.flush().catch((err) => {
+        console.error("[MonitorClient] Flush failed:", err);
+      });
     }
   }
   /**
@@ -293,7 +364,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   async sendBatch(errors) {
@@ -307,12 +378,14 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   startFlushTimer() {
     this.flushTimer = setInterval(() => {
-      this.flush();
+      this.flush().catch((err) => {
+        console.error("[MonitorClient] Scheduled flush failed:", err);
+      });
     }, this.flushIntervalMs);
   }
   stopFlushTimer() {
@@ -375,6 +448,16 @@ var MonitorClient = class {
       if (!fs.existsSync(normalizedPath)) {
         return [];
       }
+      try {
+        const realPath = fs.realpathSync(normalizedPath);
+        const realBase = fs.realpathSync(normalizedBase);
+        if (!path.isAbsolute(packagePath) && !realPath.startsWith(realBase)) {
+          console.warn("[MonitorClient] Symlink points outside allowed directory:", packagePath);
+          return [];
+        }
+      } catch {
+        return [];
+      }
       const packageJson = JSON.parse(fs.readFileSync(normalizedPath, "utf-8"));
       const technologies = [];
       const deps = {
@@ -398,9 +481,8 @@ var MonitorClient = class {
     }
   }
   shouldExclude(packageName) {
-    for (const pattern of this.excludePatterns) {
-      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-      if (new RegExp(`^${regexPattern}$`).test(packageName)) {
+    for (const regex of this.compiledExcludePatterns) {
+      if (regex.test(packageName)) {
         return true;
       }
     }
@@ -423,7 +505,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
   }
   /**
@@ -434,6 +516,7 @@ var MonitorClient = class {
     if (this.isClosed) return {};
     const payload = {
       ...input,
+      metadata: this.sanitizeMetadata(input.metadata),
       environment: this.environment
     };
     const response = await this.fetchWithTimeout(`${this.endpoint}/api/v1/security`, {
@@ -446,7 +529,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
     const result = await response.json();
     return { warning: result.warning };
@@ -525,7 +608,7 @@ var MonitorClient = class {
     });
     if (!response.ok) {
       const errorText = await response.text().catch(() => "");
-      throw new Error(`HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`);
+      throw new Error(`HTTP ${response.status}${errorText ? `: ${this.sanitizeErrorResponse(errorText)}` : ""}`);
     }
     const result = await response.json();
     return result.data;
@@ -566,6 +649,12 @@ var MonitorClient = class {
         return null;
       }
       projectPath = path.resolve(projectPath);
+      try {
+        projectPath = fs.realpathSync(projectPath);
+      } catch {
+        console.error("[MonitorClient] projectPath does not exist or is inaccessible");
+        return null;
+      }
       try {
         const stats = fs.statSync(projectPath);
         if (!stats.isDirectory()) {
@@ -576,21 +665,19 @@ var MonitorClient = class {
         console.error("[MonitorClient] projectPath does not exist");
         return null;
       }
-      const packageJsonPath = path.join(projectPath, "package.json");
-      if (!fs.existsSync(packageJsonPath)) {
-        console.error("[MonitorClient] No package.json found in projectPath");
-        return null;
-      }
       let auditOutput;
       try {
+        const packageJsonPath = path.join(projectPath, "package.json");
+        if (!fs.existsSync(packageJsonPath)) {
+          console.error("[MonitorClient] No package.json found in projectPath");
+          return null;
+        }
         auditOutput = execSync("npm audit --json", {
           cwd: projectPath,
           encoding: "utf-8",
           stdio: ["pipe", "pipe", "pipe"],
-          maxBuffer: 10 * 1024 * 1024,
-          // 10MB buffer for large outputs
-          timeout: 6e4
-          // 60 second timeout
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
+          timeout: CONFIG_LIMITS.AUDIT_TIMEOUT_MS
         });
       } catch (err) {
         const execError = err;
@@ -632,6 +719,63 @@ var MonitorClient = class {
       return null;
     }
   }
+  /**
+   * Run npm audit on multiple directories and send results to the monitoring server.
+   * This is useful for monorepos or projects with separate client/server directories.
+   *
+   * Uses the auditPaths configuration to determine which directories to scan.
+   * Each path is scanned independently and results are tagged with their environment label.
+   *
+   * @returns Combined summary of all audit results
+   */
+  async auditMultiplePaths() {
+    if (!this.auditPaths || this.auditPaths.length === 0) {
+      console.warn("[MonitorClient] No auditPaths configured");
+      return null;
+    }
+    const results = [];
+    const totalSummary = {
+      critical: 0,
+      high: 0,
+      moderate: 0,
+      low: 0,
+      info: 0
+    };
+    for (const auditPath of this.auditPaths) {
+      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${auditPath.path}`);
+      try {
+        const summary = await this.auditDependencies({
+          projectPath: auditPath.path,
+          environment: auditPath.environment
+        });
+        if (summary) {
+          results.push({
+            environment: auditPath.environment,
+            scanId: summary.scanId,
+            processed: summary.processed,
+            resolved: summary.resolved,
+            summary: summary.summary
+          });
+          totalSummary.critical += summary.summary.critical;
+          totalSummary.high += summary.summary.high;
+          totalSummary.moderate += summary.summary.moderate;
+          totalSummary.low += summary.summary.low;
+          totalSummary.info += summary.summary.info;
+        }
+      } catch (err) {
+        console.error(`[MonitorClient] Failed to audit ${auditPath.environment}:`, err instanceof Error ? err.message : String(err));
+      }
+    }
+    if (results.length === 0) {
+      console.warn("[MonitorClient] No audit results collected from any path");
+      return null;
+    }
+    console.log(`[MonitorClient] Multi-path audit complete: ${results.length} paths scanned`);
+    return {
+      results,
+      totalSummary
+    };
+  }
   /**
    * Parse npm audit JSON output into vulnerability items
    */
@@ -641,6 +785,9 @@ var MonitorClient = class {
       return vulnerabilities;
     }
     for (const [packageName, vuln] of Object.entries(auditData.vulnerabilities)) {
+      if (!vuln.via || !Array.isArray(vuln.via)) {
+        continue;
+      }
       const viaDetails = vuln.via.find(
         (v) => typeof v === "object" && "title" in v
       );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ceon-oy/monitor-sdk",
-  "version": "1.0.9",
+  "version": "1.0.10",
   "description": "Client SDK for Ceon Monitor - Error tracking, health monitoring, security events, and vulnerability scanning",
   "author": "Ceon",
   "license": "MIT",