@develler/remediation-agent 1.0.2

package/dist/commands/connect.d.ts

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+/**
+ * npx remediation-connect
+ *
+ * Performs the initial handshake with the SaaS, stores the returned
+ * client_id, raw token, and channel configuration in
+ * .remediation-connection.json at the project root.
+ *
+ * Safe to re-run — overwrites any existing connection file.
+ *
+ * Usage:
+ *   REMEDIATION_SAAS_URL=https://saas.example.com \
+ *   REMEDIATION_CONNECTION_KEY=<key from dashboard> \
+ *   npx remediation-connect
+ */
+export {};
+//# sourceMappingURL=connect.d.ts.map

package/dist/commands/connect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/commands/connect.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;GAaG"}

package/dist/commands/connect.js

@@ -0,0 +1,138 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * npx remediation-connect
+ *
+ * Performs the initial handshake with the SaaS, stores the returned
+ * client_id, raw token, and channel configuration in
+ * .remediation-connection.json at the project root.
+ *
+ * Safe to re-run — overwrites any existing connection file.
+ *
+ * Usage:
+ *   REMEDIATION_SAAS_URL=https://saas.example.com \
+ *   REMEDIATION_CONNECTION_KEY=<key from dashboard> \
+ *   npx remediation-connect
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const axios_1 = __importDefault(require("axios"));
+const fs_1 = require("fs");
+const path_1 = require("path");
+const CONNECTION_FILE = (0, path_1.join)(process.cwd(), '.remediation-connection.json');
+async function main() {
+    const saasUrl = (process.env['REMEDIATION_SAAS_URL'] ?? '').replace(/\/+$/, '');
+    const connectionKey = process.env['REMEDIATION_CONNECTION_KEY'] ?? '';
+    const webhookUrl = process.env['REMEDIATION_WEBHOOK_URL'] ?? null;
+    if (!saasUrl || !connectionKey) {
+        console.error('ERROR: REMEDIATION_SAAS_URL and REMEDIATION_CONNECTION_KEY must both be set.');
+        process.exit(1);
+    }
+    console.log(`Connecting to: ${saasUrl}`);
+    const payload = {
+        connection_key: connectionKey,
+        site_url: process.env['APP_URL'] ?? `http://localhost:${process.env['PORT'] ?? 3000}`,
+        site_name: process.env['APP_NAME'] ?? null,
+        language_runtime: 'node',
+        runtime_version: process.version,
+        framework: process.env['REMEDIATION_FRAMEWORK'] ?? 'express',
+        framework_version: process.env['REMEDIATION_FRAMEWORK_VERSION'] ?? null,
+        agent_version: process.env['npm_package_version'] ?? null,
+        environment: (process.env['NODE_ENV'] ?? 'production'),
+        capabilities: {
+            mode_a_ast: false,
+            mode_b_interceptor: true,
+            redis_available: await checkRedis(),
+            git_access: false,
+        },
+        webhook_url: webhookUrl,
+    };
+    let response;
+    try {
+        const result = await axios_1.default.post(`${saasUrl}/api/remediation/v1/handshake`, payload, { timeout: 15000 });
+        response = result.data;
+    }
+    catch (err) {
+        const message = axios_1.default.isAxiosError(err)
+            ? `HTTP ${err.response?.status ?? 'timeout'}: ${JSON.stringify(err.response?.data)}`
+            : String(err);
+        console.error(`ERROR: Connection request failed — ${message}`);
+        process.exit(1);
+    }
+    if (response.status !== 'accepted') {
+        console.error('ERROR: SaaS rejected the handshake. Check your REMEDIATION_CONNECTION_KEY.');
+        process.exit(1);
+    }
+    const config = {
+        client_id: response.client_id,
+        token: response.token,
+        saas_url: saasUrl,
+        channel_type: response.instruction_channel.type,
+        poll_url: response.instruction_channel.poll_url,
+        poll_interval_seconds: response.instruction_channel.poll_interval_seconds,
+        connected_at: new Date().toISOString(),
+    };
+    (0, fs_1.writeFileSync)(CONNECTION_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+    console.log(`Connected successfully.`);
+    console.log(`  client_id : ${config.client_id}`);
+    console.log(`  channel   : ${config.channel_type}`);
+    console.log(`  config    : ${CONNECTION_FILE}`);
+    console.log('');
+    console.log('Add .remediation-connection.json to your .gitignore.');
+}
+async function checkRedis() {
+    const redisUrl = process.env['REDIS_URL'] ?? process.env['REMEDIATION_REDIS_URL'] ?? null;
+    if (!redisUrl)
+        return false;
+    try {
+        const { default: Redis } = await Promise.resolve().then(() => __importStar(require('ioredis')));
+        const client = new Redis(redisUrl, { lazyConnect: true, connectTimeout: 3000 });
+        await client.connect();
+        await client.ping();
+        await client.disconnect();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+main().catch((err) => {
+    console.error('Unexpected error:', err);
+    process.exit(1);
+});
+//# sourceMappingURL=connect.js.map

package/dist/commands/connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.js","sourceRoot":"","sources":["../../src/commands/connect.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,kDAA0B;AAC1B,2BAA+C;AAC/C,+BAA4B;AAG5B,MAAM,eAAe,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,8BAA8B,CAAC,CAAC;AAE5E,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAS,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAU,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5F,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAM,EAAE,CAAC;IACxE,MAAM,UAAU,GAAM,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAS,IAAI,CAAC;IAE1E,IAAI,CAAC,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,8EAA8E,CAAC,CAAC;QAC9F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,EAAE,CAAC,CAAC;IAEzC,MAAM,OAAO,GAAqB;QAChC,cAAc,EAAK,aAAa;QAChC,QAAQ,EAAW,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,oBAAoB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE;QAC9F,SAAS,EAAU,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI;QAClD,gBAAgB,EAAG,MAAM;QACzB,eAAe,EAAI,OAAO,CAAC,OAAO;QAClC,SAAS,EAAU,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,SAAS;QACpE,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,IAAI,IAAI;QACvE,aAAa,EAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAI;QAC7D,WAAW,EAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,YAAY,CAAuC;QAClG,YAAY,EAAE;YACZ,UAAU,EAAU,KAAK;YACzB,kBAAkB,EAAE,IAAI;YACxB,eAAe,EAAK,MAAM,UAAU,EAAE;YACtC,UAAU,EAAU,KAAK;SAC1B;QACD,WAAW,EAAE,UAAU;KACxB,CAAC;IAEF,IAAI,QAA2B,CAAC;IAEhC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,eAAK,CAAC,IAAI,CAC7B,GAAG,OAAO,+BAA+B,EACzC,OAAO,EACP,EAAE,OAAO,EAAE,KAAK,EAAE,CACnB,CAAC;QACF,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,eAAK,CAAC,YAAY,CAAC,GAAG,CAAC;YACrC,CAAC,CAAC,QAAQ,GAAG,CAAC,QAAQ,EAAE,MAAM,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE;YACpF,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,sCAAsC,OAAO,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAqB;QAC/B,SAAS,EAAa,QAAQ,CAAC,SAAS;QACxC,KAAK,EAAiB,QAAQ,CAAC,KAAK;QACpC,QAAQ,EAAc,OAAO;QAC7B,YAAY,EAAU,QAAQ,CAAC,mBAAmB,CAAC,IAAI;QACvD,QAAQ,EAAc,QAAQ,CAAC,mBAAmB,CAAC,QAAQ;QAC3D,qBAAqB,EAAE,QAAQ,CAAC,mBAAmB,CAAC,qBAAqB;QACzE,YAAY,EAAU,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KAC/C,CAAC;IAEF,IAAA,kBAAa,EAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjF,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,eAAe,EAAE,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,IAAI,CAAC;IAC1F,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,wDAAa,SAAS,GAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;QACvB,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;IACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/contracts/agentConnection.d.ts

@@ -0,0 +1,28 @@
+import type { WireEnvelope } from '../types/wireProtocol.js';
+import type { InstructionCollection, RuntimeInstruction } from '../types/instructions.js';
+export interface AgentConnectionInterface {
+    /**
+     * Verify HMAC-SHA256 envelope signature plus replay-attack guards.
+     * Uses crypto.timingSafeEqual. Throws SignatureError | ReplayError on failure.
+     */
+    verifyEnvelope(raw: unknown): Promise<WireEnvelope>;
+    /**
+     * Persist a verified RuntimeInstruction to the Redis instruction cache.
+     * TTL derived from instruction.expiresAt - Date.now()/1000.
+     */
+    cacheInstruction(instruction: RuntimeInstruction): Promise<void>;
+    /**
+     * Return all currently active (non-expired) RuntimeInstructions from cache.
+     * Must complete in <1ms on a local Redis socket. Never does I/O to SaaS.
+     */
+    getActiveInstructions(): Promise<InstructionCollection>;
+    /**
+     * POST acknowledgement to the SaaS for a delivered instruction.
+     */
+    acknowledgeInstruction(instructionId: string): Promise<void>;
+    /**
+     * Poll the SaaS pending-instructions endpoint (used when channel = 'polling').
+     */
+    pollPendingInstructions(): Promise<InstructionCollection>;
+}
+//# sourceMappingURL=agentConnection.d.ts.map

package/dist/contracts/agentConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentConnection.d.ts","sourceRoot":"","sources":["../../src/contracts/agentConnection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAE1F,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAEpD;;;OAGG;IACH,gBAAgB,CAAC,WAAW,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjE;;;OAGG;IACH,qBAAqB,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAExD;;OAEG;IACH,sBAAsB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7D;;OAEG;IACH,uBAAuB,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAC;CAC3D"}

package/dist/contracts/agentConnection.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=agentConnection.js.map

package/dist/contracts/agentConnection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentConnection.js","sourceRoot":"","sources":["../../src/contracts/agentConnection.ts"],"names":[],"mappings":""}

package/dist/contracts/lifecycleInterceptor.d.ts

@@ -0,0 +1,22 @@
+import type { Request, Response } from 'express';
+import type { MaskRule } from '../types/instructions.js';
+export interface LifecycleInterceptorInterface {
+    /**
+     * Hook into the inbound HTTP request.
+     * Returns true if the request should continue, false if it was blocked.
+     * Must never throw.
+     */
+    interceptRequest(req: Request, res: Response): Promise<boolean>;
+    /**
+     * Apply PII masking rules to a data structure.
+     * Operates on a deep clone — never mutates the original.
+     */
+    applyMaskingRules(data: unknown, maskRules: MaskRule[]): unknown;
+    /** Returns true when the circuit breaker is open (all interception bypassed). */
+    isCircuitBreakerOpen(): Promise<boolean>;
+    /** Trip the circuit breaker on Redis failure or unhandled exception. */
+    tripCircuitBreaker(reason: Error): Promise<void>;
+    /** Reset the circuit breaker manually. Also auto-resets via Redis TTL. */
+    resetCircuitBreaker(): Promise<void>;
+}
+//# sourceMappingURL=lifecycleInterceptor.d.ts.map

package/dist/contracts/lifecycleInterceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycleInterceptor.d.ts","sourceRoot":"","sources":["../../src/contracts/lifecycleInterceptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAEzD,MAAM,WAAW,6BAA6B;IAC5C;;;;OAIG;IACH,gBAAgB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhE;;;OAGG;IACH,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAEjE,iFAAiF;IACjF,oBAAoB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzC,wEAAwE;IACxE,kBAAkB,CAAC,MAAM,EAAE,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,0EAA0E;IAC1E,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACtC"}

package/dist/contracts/lifecycleInterceptor.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=lifecycleInterceptor.js.map

package/dist/contracts/lifecycleInterceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycleInterceptor.js","sourceRoot":"","sources":["../../src/contracts/lifecycleInterceptor.ts"],"names":[],"mappings":""}

package/dist/controllers/extractionController.d.ts

@@ -0,0 +1,12 @@
+import type { ConnectionConfig } from '../types/wireProtocol.js';
+/**
+ * Handles extraction_request envelopes dispatched from the SaaS.
+ *
+ * Runs AST extraction for each target synchronously within the webhook
+ * handler (Express async), then POSTs the results back to the SaaS callback URL.
+ *
+ * For large extraction jobs, this can be deferred to a worker thread or
+ * a background queue — the callback pattern means the SaaS is not blocked.
+ */
+export declare function handleExtractionRequest(payload: Record<string, unknown>, config: ConnectionConfig): Promise<void>;
+//# sourceMappingURL=extractionController.d.ts.map

package/dist/controllers/extractionController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extractionController.d.ts","sourceRoot":"","sources":["../../src/controllers/extractionController.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAGjE;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,IAAI,CAAC,CAgDf"}

package/dist/controllers/extractionController.js

@@ -0,0 +1,91 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleExtractionRequest = handleExtractionRequest;
+const axios_1 = __importDefault(require("axios"));
+const path = __importStar(require("path"));
+const AstExtractorService_js_1 = require("../services/AstExtractorService.js");
+const extraction_js_1 = require("../types/extraction.js");
+const logger_js_1 = require("../logger.js");
+/**
+ * Handles extraction_request envelopes dispatched from the SaaS.
+ *
+ * Runs AST extraction for each target synchronously within the webhook
+ * handler (Express async), then POSTs the results back to the SaaS callback URL.
+ *
+ * For large extraction jobs, this can be deferred to a worker thread or
+ * a background queue — the callback pattern means the SaaS is not blocked.
+ */
+async function handleExtractionRequest(payload, config) {
+    const request = (0, extraction_js_1.parseExtractionRequestPayload)(payload);
+    const extractor = new AstExtractorService_js_1.AstExtractorService();
+    const results = [];
+    for (const target of request.targets) {
+        // Resolve relative file paths from the process working directory.
+        const absolutePath = path.resolve(process.cwd(), target.filePath);
+        const result = extractor.extract(absolutePath, target);
+        if (result === null) {
+            logger_js_1.logger.warn('AstExtractor: symbol not found.', {
+                file: target.filePath,
+                symbol: target.symbolName,
+            });
+            continue;
+        }
+        results.push(result);
+    }
+    if (results.length === 0) {
+        logger_js_1.logger.error('ProcessExtraction: no results extracted.', {
+            extraction_id: request.extraction_id,
+        });
+        return;
+    }
+    const callbackUrl = config.saas_url.replace(/\/$/, '') + request.callback_url;
+    await axios_1.default.post(callbackUrl, { results }, {
+        headers: {
+            'X-Remediation-Client-Id': config.client_id,
+            'X-Remediation-Token': config.token,
+            'Content-Type': 'application/json',
+        },
+        timeout: 30_000,
+    });
+    logger_js_1.logger.info('Extraction results posted to SaaS.', {
+        extraction_id: request.extraction_id,
+        count: results.length,
+    });
+}
+//# sourceMappingURL=extractionController.js.map

package/dist/controllers/extractionController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extractionController.js","sourceRoot":"","sources":["../../src/controllers/extractionController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,0DAmDC;AAnED,kDAA0B;AAC1B,2CAA6B;AAC7B,+EAAyE;AACzE,0DAA8F;AAE9F,4CAAsC;AAEtC;;;;;;;;GAQG;AACI,KAAK,UAAU,uBAAuB,CAC3C,OAAgC,EAChC,MAAwB;IAExB,MAAM,OAAO,GAAG,IAAA,6CAA6B,EAAC,OAAO,CAAC,CAAC;IAEvD,MAAM,SAAS,GAAG,IAAI,4CAAmB,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAuB,EAAE,CAAC;IAEvC,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACrC,kEAAkE;QAClE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAEvD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,kBAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE;gBAC7C,IAAI,EAAI,MAAM,CAAC,QAAQ;gBACvB,MAAM,EAAE,MAAM,CAAC,UAAU;aAC1B,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,kBAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE;YACvD,aAAa,EAAE,OAAO,CAAC,aAAa;SACrC,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC;IAE9E,MAAM,eAAK,CAAC,IAAI,CACd,WAAW,EACX,EAAE,OAAO,EAAE,EACX;QACE,OAAO,EAAE;YACP,yBAAyB,EAAE,MAAM,CAAC,SAAS;YAC3C,qBAAqB,EAAM,MAAM,CAAC,KAAK;YACvC,cAAc,EAAa,kBAAkB;SAC9C;QACD,OAAO,EAAE,MAAM;KAChB,CACF,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;QAChD,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,KAAK,EAAU,OAAO,CAAC,MAAM;KAC9B,CAAC,CAAC;AACL,CAAC"}

package/dist/controllers/webhookController.d.ts

@@ -0,0 +1,16 @@
+import type { Router } from 'express';
+import type { AgentConnectionInterface } from '../contracts/agentConnection.js';
+import type { ConnectionConfig } from '../types/wireProtocol.js';
+/**
+ * Receives signed envelopes pushed by the SaaS.
+ *
+ * POST {webhook_path}
+ *
+ * Supported message_types:
+ *   runtime_instruction  → cache and ack immediately
+ *   extraction_request   → run AST extraction and POST results back to SaaS
+ *
+ * Any HMAC/replay verification failure returns generic 400 — no oracle detail.
+ */
+export declare function registerWebhookRoute(router: Router, connection: AgentConnectionInterface, config: ConnectionConfig, webhookPath: string, enabled: boolean): void;
+//# sourceMappingURL=webhookController.d.ts.map

package/dist/controllers/webhookController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhookController.d.ts","sourceRoot":"","sources":["../../src/controllers/webhookController.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AACzD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAiC,MAAM,0BAA0B,CAAC;AAOhG;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,wBAAwB,EACpC,MAAM,EAAE,gBAAgB,EACxB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,OAAO,GACf,IAAI,CAiEN"}

package/dist/controllers/webhookController.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerWebhookRoute = registerWebhookRoute;
+const instructions_js_1 = require("../types/instructions.js");
+const SignatureError_js_1 = require("../exceptions/SignatureError.js");
+const ReplayError_js_1 = require("../exceptions/ReplayError.js");
+const extractionController_js_1 = require("./extractionController.js");
+const logger_js_1 = require("../logger.js");
+/**
+ * Receives signed envelopes pushed by the SaaS.
+ *
+ * POST {webhook_path}
+ *
+ * Supported message_types:
+ *   runtime_instruction  → cache and ack immediately
+ *   extraction_request   → run AST extraction and POST results back to SaaS
+ *
+ * Any HMAC/replay verification failure returns generic 400 — no oracle detail.
+ */
+function registerWebhookRoute(router, connection, config, webhookPath, enabled) {
+    if (!enabled)
+        return;
+    router.post(webhookPath, async (req, res) => {
+        const raw = req.body;
+        let envelope;
+        try {
+            envelope = await connection.verifyEnvelope(raw);
+        }
+        catch (err) {
+            if (err instanceof SignatureError_js_1.SignatureError || err instanceof ReplayError_js_1.ReplayError) {
+                logger_js_1.logger.warn('RemediationEngine: webhook verification failed.', {
+                    error: err.message,
+                    name: err.name,
+                });
+                res.status(400).json({ error: 'Bad request.' });
+                return;
+            }
+            logger_js_1.logger.error('RemediationEngine: webhook error.', {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            res.status(500).json({ error: 'Internal error.' });
+            return;
+        }
+        const messageType = String(envelope['message_type'] ?? '');
+        try {
+            if (messageType === 'runtime_instruction') {
+                const instruction = instructions_js_1.RuntimeInstruction.fromWirePayload(envelope.payload);
+                await connection.cacheInstruction(instruction);
+                await connection.acknowledgeInstruction(instruction.instructionId);
+                res.status(200).json({ status: 'accepted' });
+                return;
+            }
+            if (messageType === 'extraction_request') {
+                // Respond immediately — extraction runs async so the SaaS webhook
+                // call does not time out waiting for the AST pass to complete.
+                res.status(202).json({ status: 'queued' });
+                void (0, extractionController_js_1.handleExtractionRequest)(envelope.payload, config).catch((err) => {
+                    logger_js_1.logger.error('RemediationEngine: extraction failed.', {
+                        error: err instanceof Error ? err.message : String(err),
+                    });
+                });
+                return;
+            }
+            res.status(400).json({ error: 'Unknown message_type.' });
+        }
+        catch (err) {
+            logger_js_1.logger.error('RemediationEngine: webhook processing error.', {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            res.status(500).json({ error: 'Internal error.' });
+        }
+    });
+}
+//# sourceMappingURL=webhookController.js.map

package/dist/controllers/webhookController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhookController.js","sourceRoot":"","sources":["../../src/controllers/webhookController.ts"],"names":[],"mappings":";;AAoBA,oDAuEC;AAxFD,8DAA8D;AAC9D,uEAAiE;AACjE,iEAA2D;AAC3D,uEAAoE;AACpE,4CAAsC;AAEtC;;;;;;;;;;GAUG;AACH,SAAgB,oBAAoB,CAClC,MAAc,EACd,UAAoC,EACpC,MAAwB,EACxB,WAAmB,EACnB,OAAgB;IAEhB,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;QAC5E,MAAM,GAAG,GAAY,GAAG,CAAC,IAAI,CAAC;QAE9B,IAAI,QAAyE,CAAC;QAE9E,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,kCAAc,IAAI,GAAG,YAAY,4BAAW,EAAE,CAAC;gBAChE,kBAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;oBAC7D,KAAK,EAAE,GAAG,CAAC,OAAO;oBAClB,IAAI,EAAG,GAAG,CAAC,IAAI;iBAChB,CAAC,CAAC;gBACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YAED,kBAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;gBAChD,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAE,QAA+C,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;QAEnG,IAAI,CAAC;YACH,IAAI,WAAW,KAAK,qBAAqB,EAAE,CAAC;gBAC1C,MAAM,WAAW,GAAG,oCAAkB,CAAC,eAAe,CACpD,QAAQ,CAAC,OAAwC,CAClD,CAAC;gBACF,MAAM,UAAU,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,sBAAsB,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;gBACnE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YAED,IAAI,WAAW,KAAK,oBAAoB,EAAE,CAAC;gBACzC,kEAAkE;gBAClE,+DAA+D;gBAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAE3C,KAAK,IAAA,iDAAuB,EAC1B,QAAQ,CAAC,OAAkC,EAC3C,MAAM,CACP,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;oBACvB,kBAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE;wBACpD,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;qBACxD,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;gBAEH,OAAO;YACT,CAAC;YAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,kBAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE;gBAC3D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/exceptions/ReplayError.d.ts

@@ -0,0 +1,4 @@
+export declare class ReplayError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=ReplayError.d.ts.map

package/dist/exceptions/ReplayError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReplayError.d.ts","sourceRoot":"","sources":["../../src/exceptions/ReplayError.ts"],"names":[],"mappings":"AAAA,qBAAa,WAAY,SAAQ,KAAK;gBACxB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/exceptions/ReplayError.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReplayError = void 0;
+class ReplayError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ReplayError';
+    }
+}
+exports.ReplayError = ReplayError;
+//# sourceMappingURL=ReplayError.js.map

package/dist/exceptions/ReplayError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReplayError.js","sourceRoot":"","sources":["../../src/exceptions/ReplayError.ts"],"names":[],"mappings":";;;AAAA,MAAa,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AALD,kCAKC"}

package/dist/exceptions/SignatureError.d.ts

@@ -0,0 +1,4 @@
+export declare class SignatureError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=SignatureError.d.ts.map

package/dist/exceptions/SignatureError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignatureError.d.ts","sourceRoot":"","sources":["../../src/exceptions/SignatureError.ts"],"names":[],"mappings":"AAAA,qBAAa,cAAe,SAAQ,KAAK;gBAC3B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/exceptions/SignatureError.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SignatureError = void 0;
+class SignatureError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SignatureError';
+    }
+}
+exports.SignatureError = SignatureError;
+//# sourceMappingURL=SignatureError.js.map

package/dist/exceptions/SignatureError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignatureError.js","sourceRoot":"","sources":["../../src/exceptions/SignatureError.ts"],"names":[],"mappings":";;;AAAA,MAAa,cAAe,SAAQ,KAAK;IACvC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AALD,wCAKC"}

package/dist/index.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Develler — Node.js/Express Agent
+ *
+ * Public API. Import and call createRemediationMiddleware() in your Express app:
+ *
+ *   import { createRemediationMiddleware } from 'develler-remediation-agent';
+ *
+ *   const remediation = await createRemediationMiddleware();
+ *   app.use(remediation.handler());
+ *
+ *   // Optional: mount the webhook receiver so the SaaS can push instructions.
+ *   app.use(remediation.webhookRouter());
+ */
+import { Router, type RequestHandler } from 'express';
+import type { ConnectionConfig } from './types/wireProtocol.js';
+export type { ConnectionConfig } from './types/wireProtocol.js';
+export type { AgentConnectionInterface } from './contracts/agentConnection.js';
+export type { LifecycleInterceptorInterface } from './contracts/lifecycleInterceptor.js';
+export { MaskRule, RuntimeInstruction, InstructionCollection } from './types/instructions.js';
+export { SignatureError } from './exceptions/SignatureError.js';
+export { ReplayError } from './exceptions/ReplayError.js';
+export { MaskingEngine } from './services/MaskingEngine.js';
+export { AstExtractorService } from './services/AstExtractorService.js';
+export type { ExtractionTarget, ExtractionResult, ExtractionRequestPayload } from './types/extraction.js';
+export interface RemediationConfig {
+    /** URL of the Redis instance. Defaults to REDIS_URL env var. */
+    readonly redisUrl?: string;
+    /** Connection config object. If omitted, reads .remediation-connection.json. */
+    readonly connection?: ConnectionConfig;
+    /** Disable the interceptor entirely (useful for local dev). Default: true. */
+    readonly enabled?: boolean;
+    /** Circuit breaker open duration in seconds. Default: 60. */
+    readonly cbTtlSeconds?: number;
+    /** Path the SaaS will POST instructions to. Default: /api/remediation/v1/webhook */
+    readonly webhookPath?: string;
+    /** Set false to skip registering the webhook route. Default: true. */
+    readonly webhookEnabled?: boolean;
+}
+export interface RemediationAgent {
+    /** Express RequestHandler — register with app.use(). */
+    handler(): RequestHandler;
+    /** Express Router with the webhook POST endpoint — register with app.use(). */
+    webhookRouter(): Router;
+    /** Reset the circuit breaker manually. */
+    resetCircuitBreaker(): Promise<void>;
+}
+export declare function createRemediationMiddleware(cfg?: RemediationConfig): Promise<RemediationAgent>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,MAAM,EAAE,KAAK,cAAc,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAS,yBAAyB,CAAC;AAGnE,YAAY,EAAE,gBAAgB,EAAE,MAAqC,yBAAyB,CAAC;AAC/F,YAAY,EAAE,wBAAwB,EAAE,MAA6B,gCAAgC,CAAC;AACtG,YAAY,EAAE,6BAA6B,EAAE,MAAwB,qCAAqC,CAAC;AAC3G,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAO,yBAAyB,CAAC;AAC/F,OAAO,EAAE,cAAc,EAAE,MAA6C,gCAAgC,CAAC;AACvG,OAAO,EAAE,WAAW,EAAE,MAA+C,6BAA6B,CAAC;AACnG,OAAO,EAAE,aAAa,EAAE,MAA6C,6BAA6B,CAAC;AACnG,OAAO,EAAE,mBAAmB,EAAE,MAAuC,mCAAmC,CAAC;AACzG,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAM1G,MAAM,WAAW,iBAAiB;IAChC,gEAAgE;IAChE,QAAQ,CAAC,QAAQ,CAAC,EAAQ,MAAM,CAAC;IACjC,gFAAgF;IAChF,QAAQ,CAAC,UAAU,CAAC,EAAM,gBAAgB,CAAC;IAC3C,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,CAAC,EAAS,OAAO,CAAC;IAClC,6DAA6D;IAC7D,QAAQ,CAAC,YAAY,CAAC,EAAI,MAAM,CAAC;IACjC,oFAAoF;IACpF,QAAQ,CAAC,WAAW,CAAC,EAAK,MAAM,CAAC;IACjC,sEAAsE;IACtE,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC;CACnC;AAMD,MAAM,WAAW,gBAAgB;IAC/B,wDAAwD;IACxD,OAAO,IAAI,cAAc,CAAC;IAC1B,+EAA+E;IAC/E,aAAa,IAAI,MAAM,CAAC;IACxB,0CAA0C;IAC1C,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACtC;AAMD,wBAAsB,2BAA2B,CAC/C,GAAG,GAAE,iBAAsB,GAC1B,OAAO,CAAC,gBAAgB,CAAC,CA+B3B"}