npm - @decentnetwork/lan - Versions diffs - 0.1.44 → 0.1.45 - Mend

@decentnetwork/lan 0.1.44 → 0.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/acl/audit.d.ts CHANGED Viewed

@@ -8,7 +8,13 @@ export declare class AuditLog {
     private logger;
     private buffer;
     private bufferLimit;
-    constructor(filePath: string);
+    private maxBytes;
+    private keepFiles;
+    private curBytes;
+    constructor(filePath: string, opts?: {
+        maxBytes?: number;
+        keepFiles?: number;
+    });
     /**
      * Log an access attempt (allowed or denied)
      */
@@ -67,4 +73,11 @@ export declare class AuditLog {
      */
     readSince(timestamp: number): AuditEntry[];
     private write;
+    /**
+     * Size-based rotation: audit.log -> audit.log.1 -> ... -> audit.log.N,
+     * dropping the oldest. Bounds total on-disk audit data to
+     * maxBytes * (keepFiles + 1). Best-effort — a failure here must never
+     * break the daemon, so errors are logged and writing continues.
+     */
+    private rotate;
 }

package/dist/acl/audit.js CHANGED Viewed

@@ -2,20 +2,40 @@
  * Audit logger for ACL decisions and connection events
  * Append-only JSONL file format
  */
-import { appendFileSync, readFileSync, mkdirSync, existsSync } from "fs";
+import { appendFileSync, readFileSync, mkdirSync, existsSync, statSync, renameSync, rmSync, } from "fs";
 import { dirname } from "path";
 import { Logger } from "../utils/logger.js";
+// Defaults chosen so a busy exit (proxy_open/proxy_close per CONNECT — can
+// be hundreds/sec for HLS video) can never fill the disk: at most
+// maxBytes * (keepFiles + 1) on disk (~200 MB by default), oldest dropped.
+const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // rotate when the live file passes 50 MB
+const DEFAULT_KEEP_FILES = 3; // audit.log.1 .. audit.log.3
 export class AuditLog {
     filePath;
     logger;
     buffer = [];
     bufferLimit = 100; // Keep last N entries in memory for fast reads
-    constructor(filePath) {
+    maxBytes;
+    keepFiles;
+    curBytes = 0; // running size of the live file (avoids stat() per write)
+    constructor(filePath, opts) {
         this.filePath = filePath;
         this.logger = new Logger({ prefix: "AuditLog" });
+        this.maxBytes = opts?.maxBytes ?? DEFAULT_MAX_BYTES;
+        this.keepFiles = opts?.keepFiles ?? DEFAULT_KEEP_FILES;
         // Ensure parent dir exists
         const dir = dirname(filePath);
         mkdirSync(dir, { recursive: true });
+        // Seed the byte counter from any existing file so a daemon that
+        // restarts onto an already-large log rotates promptly instead of
+        // letting it grow further.
+        try {
+            if (existsSync(this.filePath))
+                this.curBytes = statSync(this.filePath).size;
+        }
+        catch {
+            this.curBytes = 0;
+        }
     }
     /**
      * Log an access attempt (allowed or denied)
@@ -134,11 +154,48 @@ export class AuditLog {
             this.buffer = this.buffer.slice(-this.bufferLimit);
         }
         // Append to file (JSONL)
+        const line = JSON.stringify(entry) + "\n";
         try {
-            appendFileSync(this.filePath, JSON.stringify(entry) + "\n", "utf-8");
+            // Rotate BEFORE the write that would push us over the cap, so the
+            // live file never exceeds maxBytes by more than one line.
+            if (this.curBytes + Buffer.byteLength(line) > this.maxBytes) {
+                this.rotate();
+            }
+            appendFileSync(this.filePath, line, "utf-8");
+            this.curBytes += Buffer.byteLength(line);
         }
         catch (error) {
             this.logger.error(`Failed to write audit entry: ${error}`);
         }
     }
+    /**
+     * Size-based rotation: audit.log -> audit.log.1 -> ... -> audit.log.N,
+     * dropping the oldest. Bounds total on-disk audit data to
+     * maxBytes * (keepFiles + 1). Best-effort — a failure here must never
+     * break the daemon, so errors are logged and writing continues.
+     */
+    rotate() {
+        try {
+            // Drop the oldest, then shift each backup up by one.
+            const oldest = `${this.filePath}.${this.keepFiles}`;
+            if (existsSync(oldest))
+                rmSync(oldest, { force: true });
+            for (let i = this.keepFiles - 1; i >= 1; i--) {
+                const src = `${this.filePath}.${i}`;
+                if (existsSync(src))
+                    renameSync(src, `${this.filePath}.${i + 1}`);
+            }
+            if (existsSync(this.filePath))
+                renameSync(this.filePath, `${this.filePath}.1`);
+            this.curBytes = 0;
+            this.logger.info(`Rotated audit log (cap ${Math.round(this.maxBytes / 1048576)} MB, keep ${this.keepFiles})`);
+        }
+        catch (error) {
+            // Couldn't rotate (permissions, races). Don't let the file grow
+            // unbounded: reset the counter so we retry on the next write, but
+            // keep the daemon running.
+            this.logger.error(`Audit log rotation failed: ${error}`);
+            this.curBytes = 0;
+        }
+    }
 }

package/dist/daemon/server.js CHANGED Viewed

@@ -551,12 +551,19 @@ export class DaemonServer {
                             allowHosts: this.config.proxy.allowHosts ?? [],
                             allowConnectPorts: this.config.proxy.allowConnectPorts,
                             resolvePeerName: (srcIp) => this.ipam.resolveIp(srcIp)?.name,
-                            onTunnelOpen: ({ src, srcName, target }) => {
-                                this.auditLog.logProxyOpen({ srcIp: src, srcName, target });
-                            },
-                            onTunnelClose: ({ src, srcName, target, bytesTransferred }) => {
-                                this.auditLog.logProxyClose({ srcIp: src, srcName, target, bytesTransferred });
-                            },
+                            // Per-tunnel audit is opt-in: on a busy exit it floods the
+                            // log (the 13 GB audit.log bug). Off by default; ACL and
+                            // connect events are still always audited.
+                            onTunnelOpen: this.config.proxy.auditTunnels
+                                ? ({ src, srcName, target }) => {
+                                    this.auditLog.logProxyOpen({ srcIp: src, srcName, target });
+                                }
+                                : undefined,
+                            onTunnelClose: this.config.proxy.auditTunnels
+                                ? ({ src, srcName, target, bytesTransferred }) => {
+                                    this.auditLog.logProxyClose({ srcIp: src, srcName, target, bytesTransferred });
+                                }
+                                : undefined,
                         });
                         await this.connectProxy.start();
                         this.logger.info(`Proxy listening on ${tunIp}:${this.config.proxy.port}`);

package/dist/types.d.ts CHANGED Viewed

@@ -129,6 +129,7 @@ export interface ProxyConfig {
     port: number;
     allowHosts?: string[];
     allowConnectPorts?: number[];
+    auditTunnels?: boolean;
 }
 export interface FriendsConfig {
     /** When true (default), the running daemon auto-accepts incoming

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decentnetwork/lan",
-  "version": "0.1.44",
+  "version": "0.1.45",
   "description": "Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.",
   "type": "module",
   "main": "./dist/index.js",