@datacules/agent-identity-audit 0.9.0 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +82 -0
- package/package.json +1 -1
package/README.md
ADDED
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="../../assets/logo.svg" alt="Agent Identity — by Datacules LLC" width="360"/>
|
|
3
|
+
</p>
|
|
4
|
+
|
|
5
|
+
# `@datacules/agent-identity-audit`
|
|
6
|
+
|
|
7
|
+
Audit logger sinks for the agent-identity framework. Every `resolve()` call emits a structured `AuditLogEntry`; choose one sink or fan-out to multiple with `CompositeAuditLogger`.
|
|
8
|
+
|
|
9
|
+
## Install
|
|
10
|
+
|
|
11
|
+
```bash
|
|
12
|
+
npm install @datacules/agent-identity-audit
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
## Available sinks
|
|
16
|
+
|
|
17
|
+
| Sink | Description |
|
|
18
|
+
|------|-------------|
|
|
19
|
+
| `ConsoleAuditLogger` | Pretty-print to stdout — dev and testing |
|
|
20
|
+
| `WebhookAuditLogger` | HTTP POST with HMAC-SHA256 signature |
|
|
21
|
+
| `DatadogAuditLogger` | Sends to Datadog Log Management API |
|
|
22
|
+
| `SplunkAuditLogger` | Sends to Splunk HEC (HTTP Event Collector) |
|
|
23
|
+
| `CompositeAuditLogger` | Fan-out to multiple sinks simultaneously |
|
|
24
|
+
|
|
25
|
+
## Usage
|
|
26
|
+
|
|
27
|
+
```typescript
|
|
28
|
+
import {
|
|
29
|
+
ConsoleAuditLogger,
|
|
30
|
+
WebhookAuditLogger,
|
|
31
|
+
DatadogAuditLogger,
|
|
32
|
+
SplunkAuditLogger,
|
|
33
|
+
CompositeAuditLogger,
|
|
34
|
+
} from '@datacules/agent-identity-audit';
|
|
35
|
+
import { createRouter } from '@datacules/agent-identity';
|
|
36
|
+
|
|
37
|
+
// Single sink
|
|
38
|
+
const logger = new ConsoleAuditLogger();
|
|
39
|
+
|
|
40
|
+
// Fan-out to multiple sinks
|
|
41
|
+
const logger = new CompositeAuditLogger([
|
|
42
|
+
new ConsoleAuditLogger(),
|
|
43
|
+
new DatadogAuditLogger({ apiKey: process.env.DD_API_KEY! }),
|
|
44
|
+
new WebhookAuditLogger({
|
|
45
|
+
url: 'https://hooks.example.com/agent-audit',
|
|
46
|
+
secret: process.env.WEBHOOK_SECRET!,
|
|
47
|
+
}),
|
|
48
|
+
new SplunkAuditLogger({
|
|
49
|
+
hecEndpoint: 'https://splunk.example.com:8088/services/collector',
|
|
50
|
+
hecToken: process.env.SPLUNK_HEC_TOKEN!,
|
|
51
|
+
}),
|
|
52
|
+
]);
|
|
53
|
+
|
|
54
|
+
const router = createRouter(credentials, rules, logger);
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
## Audit log entry fields
|
|
58
|
+
|
|
59
|
+
Every entry includes:
|
|
60
|
+
|
|
61
|
+
```typescript
|
|
62
|
+
{
|
|
63
|
+
timestamp: string; // ISO 8601
|
|
64
|
+
traceId: string; // from AgentRequestContext
|
|
65
|
+
userId: string;
|
|
66
|
+
action: string; // 'read' | 'write' | 'credential.anomaly' | ...
|
|
67
|
+
resourceId: string;
|
|
68
|
+
resourceKind: string;
|
|
69
|
+
credentialId: string;
|
|
70
|
+
resolvedFor: string; // 'service' or userId
|
|
71
|
+
provider: string;
|
|
72
|
+
model: string;
|
|
73
|
+
}
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Tamper-evident chain
|
|
77
|
+
|
|
78
|
+
Wrap any sink with `HashChainAuditLogger` from `@datacules/agent-identity-compliance` to add SHA-256 hash-chain fields to every entry. See that package's README for details.
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
Part of the [agent-identity monorepo](https://github.com/hvrcharon1/agent-identity) by [Datacules LLC](https://datacules.com).
|
package/package.json
CHANGED