@contrast/agent-bundle 5.39.1 → 5.41.0

package/node_modules/@contrast/sec-obs/node_modules/@contrast/config/lib/options.js

@@ -1,836 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-// @ts-check
-
-'use strict';
-
-const os = require('os');
-const url = require('url');
-const path = require('path');
-const { Rule, primordials: { BufferFrom, BufferPrototypeToString, StringPrototypeReplace, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeToLowerCase, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
-const { ConfigSource: { DEFAULT_VALUE } } = require('./common');
-
-/**
- * Takes strings "true"|"t" or "false"|"f" (case insensitive) and return the appropriate boolean.
- * @param {boolean | string} value passed arg; never undefined or the function isn't called
- * @return {boolean | undefined}
- */
-function castBoolean(value) {
-  const type = typeof value;
-  if (type !== 'string' && type !== 'boolean') {
-    return;
-  }
-  value = StringPrototypeToLowerCase.call(value.toString());
-  return value === 'true' || value === 't'
-    ? true
-    : value === 'false' || value === 'f'
-      ? false
-      : undefined;
-}
-
-/**
- * Takes string path and resolves absolute path based on current working dir
- *
- * @param {string} value passed arg; never undefined or the function isn't called
- * @return {string | undefined} absolute path resolve from process.cwd()
- */
-function toAbsolutePath(value) {
-  return value ? path.resolve(process.cwd(), String(value)) : undefined;
-}
-
-function clearBaseCase(val) {
-  const type = typeof val;
-  return (type === 'string' && val === '') || (type === 'number' && isNaN(val))
-    ? undefined
-    : val;
-}
-
-const split = (val) => {
-  if (val === '') return [];
-  if (val === undefined) return val;
-  return StringPrototypeSplit.call(val, ',');
-};
-
-const uppercase = (val = '') => clearBaseCase(`${StringPrototypeToUpperCase.call(val)}`);
-const lowercase = (val = '') => clearBaseCase(`${StringPrototypeToLowerCase.call(val)}`);
-const parseNum = (val) => {
-  const float = parseFloat(val);
-  return clearBaseCase(Math.ceil(float));
-};
-
-/**
- * Sets up the agent config. All options include a name and a description.
- * Where the setting is not a boolean, they include args as well.
- *
- * The module currently houses all new common config settings.
- *
- * Other settings include:
- * - fn: a function to run on the original value (eg type coercion or sanitizing). Returns undefined if it can't do anything with the value it is given.
- * - enum: validation of whether type matches enumerated value
- *
- * NOTE: I'm not sure if validation should also be specified and handled here.
- *
- * TODO: add defaults to all new options
- *
- * TODO: add mapping for TeamServer FeatureSet analogues where they differ
- *
- * @type {import('.').ConfigOption[]}
- */
-const options = [
-  {
-    name: 'enable',
-    arg: '[true]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable Contrast agent.',
-  },
-  // api
-  {
-    name: 'api.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable Contrast UI communication.',
-  },
-  {
-    name: 'api.url',
-    arg: '<url>',
-    default: 'https://app.contrastsecurity.com/Contrast',
-    // The old json spec used to expect that the url would not end in /Contrast
-    // Common config expects this to be there. So, we need to do a bit of massaging
-    // to make sure our reporter gets a consistent URL one way or the other.
-    fn: (value) => {
-      if (value === undefined) {
-        return;
-      }
-
-      value = String(value);
-      let uri;
-      try {
-        uri = new url.URL(value);
-      } catch (e) {
-        // the url customer provided is invalid, return null and this will eventually
-        // fail when trying to talk to TS
-        return null;
-      }
-
-      if (uri.pathname) {
-        // kill trailling /
-        uri.pathname = StringPrototypeReplace.call(uri.pathname, /\/+$/, '');
-
-        if (!uri.pathname.endsWith('Contrast')) {
-          uri.pathname += 'Contrast';
-        }
-
-        return url.format(uri);
-      }
-      return value;
-    },
-    desc: 'Set the URL for the Contrast UI.',
-  },
-  {
-    name: 'api.api_key',
-    arg: '<key>',
-    desc: 'Set the API key needed to communicate with the Contrast UI.',
-  },
-  {
-    name: 'api.service_key',
-    arg: '<key>',
-    desc: 'Set the service key needed to communicate with the Contrast UI. It is used to calculate the Authorization header.',
-  },
-  {
-    name: 'api.user_name',
-    arg: '<name>',
-    desc: 'Set the user name used to communicate with the Contrast UI. It is used to calculate the Authorization header.',
-  },
-  {
-    name: 'api.token',
-    arg: '<token>',
-    desc: 'base64 encoded JSON object containing the `url`, `api_key`, `service_key`, and `user_name` config options, allowing them all to be set in a single variable.',
-    fn(value, cfg, source) {
-      try {
-        // parse the base64 encoded value
-        const parsed = JSONParse(BufferPrototypeToString.call(BufferFrom(value, 'base64'), 'utf8'));
-        // set the top level `api` keys only if they aren't already present.
-        // since this value comes after the others, they should be set first if present in the config file or environment.
-        ['url', 'api_key', 'service_key', 'user_name'].forEach(key => {
-          const canonicalName = `api.${key}`;
-          const existingSource = cfg.getEffectiveSource(canonicalName);
-          if (existingSource !== DEFAULT_VALUE) {
-            cfg._logs.push({
-              level: 'warn',
-              msg: 'Using configured value for `%s` (set by %s) instead of `api.token`.',
-              args: [canonicalName, existingSource]
-            });
-          } else {
-            cfg.setValue(canonicalName, parsed[key], source);
-          }
-        });
-        return value;
-      } catch {
-        return null;
-      }
-    }
-  },
-  // api.certificate
-  {
-    name: 'api.certificate.enable',
-    desc: 'If set to `false`, the agent will ignore the certificate configuration in this section.',
-    arg: '[false]',
-    default: true,
-  },
-  {
-    name: 'api.certificate.ca_file',
-    description: 'Set the absolute or relative path to a CA for communication with the Contrast UI using a self-signed certificate.',
-    arg: '<path>',
-    fn: toAbsolutePath,
-  },
-  {
-    name: 'api.certificate.cert_file',
-    description: 'Set the absolute or relative path to the Certificate PEM file for communication with the Contrast UI.',
-    arg: '<path>',
-    fn: toAbsolutePath,
-  },
-  {
-    name: 'api.certificate.key_file',
-    description: 'Set the absolute or relative path to the Key PEM file for communication with the Contrast UI.',
-    arg: '<path>',
-    fn: toAbsolutePath,
-  },
-  {
-    name: 'api.certificate.ignore_cert_errors',
-    description: 'When set to `true`, the agent ignores certificate verification errors when the agent communicates with the Contrast UI.',
-    arg: '[true]',
-    default: false,
-  },
-  // api.proxy
-  {
-    name: 'api.proxy.enable',
-    arg: '[true]',
-    default: false,
-    desc: "Set value to `true` for the agent to communicate with the Contrast web interface over a proxy. Set value to `false` if you don't want to use the proxy.",
-  },
-  {
-    name: 'api.proxy.url',
-    arg: '<url>',
-    desc: 'Set the URL for your Proxy Server. The URL form is `scheme://host:port`.',
-  },
-  // agent
-  {
-    name: 'agent.stack_trace_limit',
-    arg: '<limit>',
-    default: 10,
-    fn: parseNum,
-    desc: 'Set to limit the length of Error stack traces to a specified number. Larger limits will improve accuracy but increase memory usage.',
-  },
-  {
-    name: 'agent.stack_trace_filters',
-    arg: '<list,of,filters>',
-    default: 'agent-,@contrast,node-agent',
-    fn: split,
-    desc: 'Comma-separated list of patterns to ignore within stack traces.',
-  },
-  // agent.diagnostics
-  {
-    name: 'agent.diagnostics.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable agent diagnostics.',
-  },
-  {
-    name: 'agent.diagnostics.report_path',
-    arg: '<path>',
-    default: '.',
-    fn: toAbsolutePath,
-    desc: "Set the directory in which to write diagnostic files. Defaults to the application's current working directory.",
-  },
-  // agent.route_coverage
-  {
-    name: 'agent.route_coverage.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` for the agent to not send route-based coverage data to the Contrast UI.',
-  },
-  // agent.reporters
-  // NOTE: Java has a `reporting` node--use that?
-  {
-    name: 'agent.reporters.file',
-    arg: '<path>',
-    desc: 'path indicating where to report all agent findings',
-  },
-  // agent.heap_dump
-  {
-    name: 'agent.heap_dump.enable',
-    arg: '[true]',
-    fn: castBoolean,
-    default: false,
-    desc: 'Set to \'true\' for the agent to automatically take heap dumps of the instrumented application.',
-  },
-  {
-    name: 'agent.heap_dump.path',
-    arg: '<path>',
-    default: 'contrast_heap_dumps',
-    desc: "Set the location to which to save the heap dump files. If relative, the path is determined based on the process' working directory.",
-  },
-  {
-    name: 'agent.heap_dump.delay_ms',
-    arg: '<time>',
-    default: 10000,
-    desc: 'Set the amount of time to wait, in milliseconds, after agent startup to begin taking heap dumps.',
-  },
-  {
-    name: 'agent.heap_dump.window_ms',
-    arg: '<number>',
-    default: 10000,
-    desc: 'Set the amount of time to wait, in milliseconds, between each heap dump.',
-  },
-  {
-    name: 'agent.heap_dump.count',
-    arg: '<number>',
-    default: 5,
-    desc: 'Set the number of heap dumps to take before disabling this feature.',
-  },
-
-  // agent.polling
-  {
-    name: 'agent.polling.app_activity_ms',
-    arg: '<ms>',
-    default: 5000,
-    fn: parseNum,
-    desc: 'Set the frequency with which the agent sends application activity to the Contrast UI.',
-  },
-  {
-    name: 'agent.polling.app_settings_ms',
-    arg: '<ms>',
-    default: 30000,
-    fn: parseNum,
-    desc: 'Set the frequency with which the agent sends application settings polls to the Contrast UI.',
-  },
-  {
-    name: 'agent.polling.app_update_ms',
-    arg: '<ms>',
-    default: 5000,
-    fn: parseNum,
-    desc: 'Set the the frequency with which the agent sends application updates to the Contrast UI.',
-  },
-  {
-    name: 'agent.polling.server_settings_ms',
-    arg: '<ms>',
-    default: 30000,
-    fn: parseNum,
-    desc: 'Set the frequency with which the agent sends server settings polls to the Contrast UI.',
-  },
-  // agent.logger
-  {
-    name: 'agent.logger.path',
-    arg: '<path>',
-    default: 'contrast.log',
-    fn: toAbsolutePath,
-    desc: `Enable diagnostic logging by setting a path to a log file. While diagnostic logging hurts performance, it generates useful information for debugging Contrast. The value set here is the location to which the agent saves log output. If no log file exists at this location, the agent creates a file.
-Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\` directory, and rotates it automatically as needed.`,
-  },
-  {
-    name: 'agent.logger.level',
-    arg: '<level>',
-    enum: ['error', 'warn', 'info', 'debug', 'trace'],
-    default: 'info',
-    fn: lowercase,
-    desc: 'Set the the log output level. Valid options are `ERROR`, `WARN`, `INFO`, `DEBUG`, and `TRACE`.',
-  },
-  {
-    name: 'agent.logger.append',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` for the agent to always create a new log file instead of appending and rolling.',
-  },
-  {
-    name: 'agent.logger.stdout',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to suppress log output to `stdout`.',
-  },
-  // agent.security_logger
-  {
-    name: 'agent.security_logger.path',
-    arg: '<path>',
-    default: 'security.log',
-    fn: toAbsolutePath,
-    desc: 'Set the file to which the agent logs security events.',
-  },
-  {
-    name: 'agent.security_logger.level',
-    arg: '<level>',
-    enum: ['error', 'warn', 'info', 'debug', 'trace'],
-    default: 'error',
-    fn: lowercase,
-    desc: 'Set the log level for security logging. Valid options are `ERROR`, `WARN`, `INFO`, `DEBUG`, and `TRACE`.',
-  },
-  {
-    name: 'agent.security_logger.stdout',
-    arg: '[false]',
-    default: false,
-    fn: castBoolean,
-    desc: 'Set to `true` to log output to `stdout` as well as the configured file.',
-  },
-  // agent.security_logger.syslog
-  {
-    name: 'agent.security_logger.syslog.enable',
-    arg: '[true]',
-    default: false,
-    fn: castBoolean,
-    desc: 'Set to `true` to enable Syslog logging.',
-  },
-  {
-    name: 'agent.security_logger.syslog.ip',
-    arg: '<ip>',
-    default: '127.0.0.1',
-    desc: 'Set the IP address of the Syslog server to which the agent should send messages.',
-  },
-  {
-    name: 'agent.security_logger.syslog.port',
-    arg: '<port>',
-    default: 514,
-    fn: parseNum,
-    desc: 'Set the port of the Syslog server to which the agent should send messages.',
-  },
-  {
-    name: 'agent.security_logger.syslog.facility',
-    arg: '<facility>',
-    enum: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23],
-    default: 19,
-    fn: parseNum,
-    desc: 'Set the facility code of the messages the agent sends to Syslog.',
-  },
-  {
-    name: 'agent.security_logger.syslog.severity_exploited',
-    arg: '<level>',
-    enum: ['alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'],
-    default: 'alert',
-    fn: lowercase,
-    desc: 'Set the log level of Exploited attacks. Value options are `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.',
-  },
-  {
-    name: 'agent.security_logger.syslog.severity_blocked',
-    arg: '<level>',
-    enum: ['alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'],
-    default: 'notice',
-    fn: lowercase,
-    desc: 'Set the log level of Blocked attacks. Value options are `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.',
-  },
-  {
-    name: 'agent.security_logger.syslog.severity_blocked_perimiter',
-    arg: '<level>',
-    enum: ['alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'],
-    default: 'notice',
-    fn: lowercase,
-    desc: 'Set the log level of Blocked At Perimeter attacks. Value options are `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.',
-  },
-  {
-    name: 'agent.security_logger.syslog.severity_probed',
-    arg: '<level>',
-    enum: ['alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'],
-    default: 'warning',
-    fn: lowercase,
-    desc: 'Set the log level of Probed attacks. Value options are `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.',
-  },
-  {
-    name: 'agent.security_logger.syslog.severity_suspicious',
-    arg: '<level>',
-    enum: ['alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'],
-    default: 'warning',
-    fn: lowercase,
-    desc: 'Set the log level of Suspicious attacks. Value options are `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.',
-  },
-  // agent.node
-  {
-    name: 'agent.node.app_root',
-    arg: '<path>',
-    default: process.cwd(),
-    desc: "Set the directory containing the application's `package.json` file.",
-  },
-  {
-    // SEE NODE-2886
-    name: 'agent.node.cmd_ignore_list',
-    arg: '<commands>',
-    default: '',
-    fn: (arg) => StringPrototypeSplit.call(arg, ',').filter((v) => v),
-    desc: 'comma-separated list of commands that will not startup the agent if agent is required; npm* will ignore all npm executables but not your application\'s scripts'
-  },
-  {
-    // SEE NODE-2886
-    name: 'agent.node.exclusive_entrypoint',
-    arg: '<entrypoint.js>',
-    desc: 'an entrypoint for an application that, when specified, will prevent the agent instrumenting on anything else'
-  },
-  {
-    name: 'agent.node.rewrite.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable source code rewriting. Not recommended.',
-  },
-  {
-    name: 'agent.node.rewrite.cache.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable caching rewritten source code files.',
-  },
-  {
-    name: 'agent.node.rewrite.cache.path',
-    arg: '<path>',
-    default: '.contrast',
-    fn: toAbsolutePath,
-    desc: "Set the directory in which to cache rewritten source code files. Defaults to `.contrast/` in the application's current working directory.",
-  },
-  {
-    name: 'agent.node.rewrite.minify',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable minification of rewritten source code files.'
-  },
-  {
-    name: 'agent.node.source_maps.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable source map generation when rewriting.',
-  },
-  // agent.node.library_usage.reporting
-  {
-    name: 'agent.node.library_usage.reporting.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable enhanced library usage features, i.e. scanning for composition of dependencies, reporting library usage.',
-  },
-  {
-    name: 'agent.node.library_usage.reporting.interval_ms',
-    arg: '<num>',
-    fn: parseNum,
-    default: 100,
-    desc: 'Set the interval (in milliseconds) for collecting code events for library usage.',
-  },
-  {
-    name: 'agent.node.metrics.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable response latency metrics recording.'
-  },
-  {
-    name: 'agent.node.metrics.warn_ms',
-    arg: '<num>',
-    default: 5000,
-    fn: parseNum,
-    desc: 'Set the response duration (in milliseconds) after which we will warn that a request has been hanging.'
-  },
-  {
-    name: 'agent.node.npm_path',
-    arg: '<path>',
-    default: 'npm',
-    desc: 'Set the full path of the npm executable, used for library analysis',
-  },
-  // inventory
-  {
-    name: 'inventory.analyze_libraries',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable library analysis.',
-  },
-  {
-    name: 'inventory.gather_metadata_via',
-    arg: '<provider>',
-    enum: ['AWS', 'Azure', 'GCP'],
-    desc: 'Specifies the cloud provider from which the agent should gather metadata (such as resource identifiers). Options are `AWS`, `Azure`, or `GCP`'
-  },
-  // assess
-  {
-    name: 'assess.enable',
-    arg: '[true]',
-    default: false,
-    fn: castBoolean,
-    desc: 'Include this property to determine if the Assess feature should be enabled. If this property is not present, the decision is delegated to the Contrast UI.',
-  },
-  {
-    name: 'assess.probabilistic_sampling.enable',
-    arg: '[true]',
-    default: false,
-    fn: castBoolean,
-    desc: 'Set to true to enable sampling of requests for dataflow and other Assess features',
-  },
-  {
-    name: 'assess.probabilistic_sampling.baseline',
-    arg: '<baseline>',
-    default: 5,
-    fn: parseNum,
-    desc: 'This property indicates the number of requests to analyze in each window before sampling begins.',
-  },
-  {
-    // effective based on local config and 'assess.sampling' TeamServer DTM
-    name: 'assess.probabilistic_sampling.base_probability',
-    arg: '<probability>',
-    /** @param {string} val */
-    fn: (val) => {
-      const p = parseFloat(val);
-      if (p >= 0 && p <= 1) return p;
-
-      if (val && val != 'undefined') {
-        throw new Error('Invalid option: assess.probabilistic_sampling.base_probability', {
-          cause: `${val} is not not in interval 0 <= p <= 1. value as float: ${p}`
-        });
-      }
-    },
-    default: 0.05,
-    desc: 'A value p within the range [0, 1]. Each request will share same probability p of being sampled.',
-  },
-  {
-    name: 'assess.probabilistic_sampling.window_ms',
-    arg: '<window_ms>',
-    default: 180_000,
-    fn: parseNum,
-    desc: 'This property indicates the duration for which a sample set is valid.',
-  },
-  {
-    name: 'assess.probabilistic_sampling.event_detail',
-    arg: '<level>',
-    default: 'FULL',
-    fn: (value) => {
-      if (!value) return undefined;
-      value = String(value).toUpperCase();
-      const valids = new Set(['FULL', 'MINIMAL']);
-      if (valids.has(value)) {
-        return value;
-      }
-      throw new Error(`Invalid option assess.probabilistic_sampling.event_detail: value must be one of ${Array.from(valids)}`);
-    },
-    desc: 'Control the values captured by Assess vulnerability events. FULL captures more context by stringifying all values involved in dataflow activity which can add performance overhead. MINIMAL can improve performance by only capturing type name for non-string event values. FULL is the default.',
-  },
-  {
-    name: 'assess.probabilistic_sampling.route_monitor.enable',
-    arg: '[true]',
-    default: true,
-    fn: castBoolean,
-    desc: 'The agent will keep track of which routes have been analyzed and skip analysis if the route was recently sampled.',
-  },
-  {
-    name: 'assess.probabilistic_sampling.route_monitor.ttl_ms',
-    arg: '<number>',
-    default: 1_800_000,
-    fn: parseNum,
-    desc: 'Limits individual route analysis to once per this value. Defaults to 1_800_000ms (30 minutes).',
-  },
-  {
-    name: 'assess.tags',
-    arg: '<tags>',
-    desc: `Apply a list of labels to vulnerabilities and preflight messages. Labels must be formatted as a comma-delimited list.
-Example - \`label1, label2, label3\``,
-  },
-  {
-    name: 'assess.stacktraces',
-    arg: '<level>',
-    enum: ['ALL', 'SOME', 'SINK', 'NONE'],
-    default: 'ALL',
-    fn: uppercase,
-    desc: 'Select the level of collected stacktraces. ALL - for all assess events, SOME - for Source and Sink events, SINK - for Sink events, NONE - no stacktraces collected',
-  },
-  {
-    name: 'assess.max_context_source_events',
-    arg: '<limit>',
-    default: 150,
-    fn: parseNum,
-    desc: 'Set the maximum number of untrusted data flows to observe per request.',
-  },
-  {
-    name: 'assess.max_propagation_events',
-    arg: '<limit>',
-    default: 500,
-    fn: parseNum,
-    desc: 'Set the maximum number of untrusted data flow propagations to observe per request.',
-  },
-  {
-    name: 'assess.safe_positives.enable',
-    arg: '[false]',
-    default: false,
-    fn: castBoolean,
-    desc: 'enable detection and reporting of findings regarding safe security practices, aka safe positives. ' +
-      'these results will be written to the location described by the `agent.reporters.file` option.',
-  },
-  {
-    name: 'assess.trust_custom_validators',
-    arg: '<trust-custom-validators>',
-    default: false,
-    fn: castBoolean,
-    desc: 'Set to `true` to trust incoming strings when they pass custom validators (Mongoose, Joi, validator, fastify-static).',
-  },
-  // protect
-  {
-    name: 'protect.enable',
-    arg: '[true]',
-    default: false,
-    fn: castBoolean,
-    desc: 'Include this property to determine if the Protect feature should be enabled. If this property is not present, the decision is delegated to the Contrast UI.',
-  },
-  {
-    name: 'protect.probe_analysis.enable',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable probe analysis.',
-  },
-  {
-    name: 'protect.rules.disabled_rules',
-    arg: '<list,of,rules>',
-    default: '',
-    fn: split,
-    desc: 'Define a list of Protect rules to disable in the agent. The rules must be formatted as a comma-delimited list.',
-  },
-  ...Object.values(Rule)
-    .filter((ruleId) => ![Rule.BOT_BLOCKER, Rule.IP_DENYLIST, Rule.VIRTUAL_PATCH].includes(ruleId))
-    .map((ruleId) => ({
-      name: `protect.rules.${ruleId}.mode`,
-      arg: '<mode>',
-      default: 'off',
-      enum: ['monitor', 'block', 'block_at_perimeter', 'off'],
-      desc: 'Set the mode of the rule. Value options are `monitor`, `block`, `block_at_perimeter`, or `off`.',
-    })),
-  // observability
-  {
-    name: 'observe.enable',
-    arg: '[true]',
-    default: false, // TODO: Default true when MVP is done
-    fn: castBoolean,
-    desc: 'Lightweight and low overhead observation mode for the agent.',
-  },
-  {
-    name: 'observe.periodic_export_interval_ms',
-    arg: '[true]',
-    default: 60000,
-    fn: parseNum,
-    desc: 'Interval the metrics are flushed to the upstream collector.',
-  },
-  // application
-  {
-    name: 'application.name',
-    arg: '<name>',
-    desc: 'Override the reported application name.',
-  },
-  {
-    name: 'application.path',
-    arg: '<path>',
-    default: '/',
-    desc: 'Override the reported application path.',
-  },
-  {
-    name: 'application.group',
-    arg: '<group>',
-    desc: 'Add the name of the application group with which this application should be associated in the Contrast UI.',
-  },
-  {
-    name: 'application.code',
-    arg: '<code>',
-    desc: 'Add the application code this application should use in the Contrast UI.'
-  },
-  {
-    name: 'application.version',
-    arg: '<version>',
-    desc: 'Override the reported application version.',
-  },
-  {
-    name: 'application.tags',
-    arg: '<tags>',
-    desc: 'Apply labels to an application. Labels must be formatted as a comma-delimited list. Example - `label1,label2,label3`'
-  },
-  {
-    name: 'application.metadata',
-    arg: '<metadata>',
-    desc: 'Define a set of `key=value` pairs (which conforms to RFC 2253) for specifying user-defined metadata associated with the application. The set must be formatted as a comma-delimited list of `key=value` pairs. Example - `business-unit=accounting, office=Baltimore`',
-  },
-  {
-    name: 'application.session_id',
-    arg: '<session_id>',
-    desc: 'Provide the ID of a session which already exists in the Contrast UI. Vulnerabilities discovered by the agent are associated with this session. If an invalid ID is supplied, the agent will be disabled. This option and `application.session_metadata` are mutually exclusive; if both are set, the agent will be disabled.',
-  },
-  {
-    name: 'application.session_metadata',
-    arg: '<session_metadata>',
-    desc: 'Provide metadata which is used to create a new session ID in the Contrast UI. Vulnerabilities discovered by the agent are associated with this new session. This value should be formatted as `key=value` pairs (conforming to RFC 2253). Available key names for this configuration are branchName, buildNumber, commitHash, committer, gitTag, repository, testRun, and version. This option and `application.session_id` are mutually exclusive; if both are set the agent will be disabled.',
-  },
-  // server
-  {
-    name: 'server.name',
-    arg: '<name>',
-    default: os.hostname(),
-    desc: 'Override the reported server name. Defaults to the operating system hostname.',
-  },
-  {
-    name: 'server.type',
-    arg: '<type>',
-    default: `Node.js ${process.version}`,
-    desc: 'Override the reported server type.',
-  },
-  {
-    name: 'server.environment',
-    arg: '<environment>',
-    /** @param {string} val */
-    fn: (val) => {
-      if (!val) return val;
-
-      const valid = new Set(['QA', 'PRODUCTION', 'DEVELOPMENT']);
-      const normalized = uppercase(val);
-      if (!valid.has(normalized)) {
-        throw new Error(`Invalid option: server.environment must be one of ${Array.from(valid)}`);
-      }
-
-      return normalized;
-    },
-    desc: `Set the environment directly to override the default set by the Contrast UI. This allows the user to configure the environment dynamically at startup rather than manually updating the Server in the Contrast UI themselves afterwards.
-Valid values include \`QA\`, \`PRODUCTION\` and \`DEVELOPMENT\`. For example, \`PRODUCTION\` registers this Server as running in a \`PRODUCTION\` environment, regardless of the organization's default environment in the Contrast UI.`,
-  },
-  {
-    name: 'server.tags',
-    arg: '<tags>',
-    desc: `Apply a list of labels to the server. Labels must be formatted as a comma-delimited list.
-Example - \`label1, label2, label3\``,
-  },
-  {
-    // NOTE: not in common config, and the desc here doesn't really make sense.
-    name: 'server.version',
-    arg: '<version>',
-    desc: "override the reported server version (if different from 'version' field in the application's package.json)",
-  },
-  {
-    name: 'server.discover_cloud_resource',
-    arg: '[false]',
-    default: true,
-    fn: castBoolean,
-    desc: 'Set to `false` to disable detection of cloud provider metadata such as resource identifiers.'
-  },
-].map((opt) => {
-  let env = StringPrototypeReplaceAll.call(StringPrototypeToUpperCase.call(opt.name), '.', '__');
-  env = StringPrototypeReplaceAll.call(env, '-', '_');
-  return Object.assign(opt, { env: `CONTRAST__${env}` });
-});
-
-module.exports = options;
-module.exports.clearBaseCase = clearBaseCase;
-module.exports.castBoolean = castBoolean;