@dotsetlabs/tollgate 0.1.0
- package/LICENSE +21 -0
- package/README.md +885 -0
- package/dist/analyzers/filesystem.d.ts +26 -0
- package/dist/analyzers/filesystem.d.ts.map +1 -0
- package/dist/analyzers/filesystem.js +284 -0
- package/dist/analyzers/filesystem.js.map +1 -0
- package/dist/analyzers/http.d.ts +90 -0
- package/dist/analyzers/http.d.ts.map +1 -0
- package/dist/analyzers/http.js +433 -0
- package/dist/analyzers/http.js.map +1 -0
- package/dist/analyzers/index.d.ts +101 -0
- package/dist/analyzers/index.d.ts.map +1 -0
- package/dist/analyzers/index.js +342 -0
- package/dist/analyzers/index.js.map +1 -0
- package/dist/analyzers/loader.d.ts +114 -0
- package/dist/analyzers/loader.d.ts.map +1 -0
- package/dist/analyzers/loader.js +184 -0
- package/dist/analyzers/loader.js.map +1 -0
- package/dist/analyzers/prompt-injection.d.ts +95 -0
- package/dist/analyzers/prompt-injection.d.ts.map +1 -0
- package/dist/analyzers/prompt-injection.js +725 -0
- package/dist/analyzers/prompt-injection.js.map +1 -0
- package/dist/analyzers/sdk.d.ts +230 -0
- package/dist/analyzers/sdk.d.ts.map +1 -0
- package/dist/analyzers/sdk.js +283 -0
- package/dist/analyzers/sdk.js.map +1 -0
- package/dist/analyzers/shell.d.ts +20 -0
- package/dist/analyzers/shell.d.ts.map +1 -0
- package/dist/analyzers/shell.js +297 -0
- package/dist/analyzers/shell.js.map +1 -0
- package/dist/analyzers/sql.d.ts +37 -0
- package/dist/analyzers/sql.d.ts.map +1 -0
- package/dist/analyzers/sql.js +455 -0
- package/dist/analyzers/sql.js.map +1 -0
- package/dist/analyzers/types.d.ts +117 -0
- package/dist/analyzers/types.d.ts.map +1 -0
- package/dist/analyzers/types.js +46 -0
- package/dist/analyzers/types.js.map +1 -0
- package/dist/approval/interactive.d.ts +72 -0
- package/dist/approval/interactive.d.ts.map +1 -0
- package/dist/approval/interactive.js +550 -0
- package/dist/approval/interactive.js.map +1 -0
- package/dist/approval/terminal.d.ts +59 -0
- package/dist/approval/terminal.d.ts.map +1 -0
- package/dist/approval/terminal.js +238 -0
- package/dist/approval/terminal.js.map +1 -0
- package/dist/approval/types.d.ts +66 -0
- package/dist/approval/types.d.ts.map +1 -0
- package/dist/approval/types.js +2 -0
- package/dist/approval/types.js.map +1 -0
- package/dist/audit/exporter.d.ts +138 -0
- package/dist/audit/exporter.d.ts.map +1 -0
- package/dist/audit/exporter.js +366 -0
- package/dist/audit/exporter.js.map +1 -0
- package/dist/audit/logger.d.ts +156 -0
- package/dist/audit/logger.d.ts.map +1 -0
- package/dist/audit/logger.js +406 -0
- package/dist/audit/logger.js.map +1 -0
- package/dist/audit/redaction.d.ts +110 -0
- package/dist/audit/redaction.d.ts.map +1 -0
- package/dist/audit/redaction.js +307 -0
- package/dist/audit/redaction.js.map +1 -0
- package/dist/audit/schema.d.ts +76 -0
- package/dist/audit/schema.d.ts.map +1 -0
- package/dist/audit/schema.js +122 -0
- package/dist/audit/schema.js.map +1 -0
- package/dist/cli/commands/doctor.d.ts +34 -0
- package/dist/cli/commands/doctor.d.ts.map +1 -0
- package/dist/cli/commands/doctor.js +431 -0
- package/dist/cli/commands/doctor.js.map +1 -0
- package/dist/cli/commands/export.d.ts +18 -0
- package/dist/cli/commands/export.d.ts.map +1 -0
- package/dist/cli/commands/export.js +63 -0
- package/dist/cli/commands/export.js.map +1 -0
- package/dist/cli/commands/init.d.ts +12 -0
- package/dist/cli/commands/init.d.ts.map +1 -0
- package/dist/cli/commands/init.js +102 -0
- package/dist/cli/commands/init.js.map +1 -0
- package/dist/cli/commands/logs.d.ts +11 -0
- package/dist/cli/commands/logs.d.ts.map +1 -0
- package/dist/cli/commands/logs.js +60 -0
- package/dist/cli/commands/logs.js.map +1 -0
- package/dist/cli/commands/scan.d.ts +29 -0
- package/dist/cli/commands/scan.d.ts.map +1 -0
- package/dist/cli/commands/scan.js +251 -0
- package/dist/cli/commands/scan.js.map +1 -0
- package/dist/cli/commands/serve.d.ts +26 -0
- package/dist/cli/commands/serve.d.ts.map +1 -0
- package/dist/cli/commands/serve.js +424 -0
- package/dist/cli/commands/serve.js.map +1 -0
- package/dist/cli/commands/start.d.ts +20 -0
- package/dist/cli/commands/start.d.ts.map +1 -0
- package/dist/cli/commands/start.js +82 -0
- package/dist/cli/commands/start.js.map +1 -0
- package/dist/cli/commands/stats.d.ts +10 -0
- package/dist/cli/commands/stats.d.ts.map +1 -0
- package/dist/cli/commands/stats.js +42 -0
- package/dist/cli/commands/stats.js.map +1 -0
- package/dist/cli/commands/templates.d.ts +26 -0
- package/dist/cli/commands/templates.d.ts.map +1 -0
- package/dist/cli/commands/templates.js +221 -0
- package/dist/cli/commands/templates.js.map +1 -0
- package/dist/cli/commands/validate.d.ts +12 -0
- package/dist/cli/commands/validate.d.ts.map +1 -0
- package/dist/cli/commands/validate.js +107 -0
- package/dist/cli/commands/validate.js.map +1 -0
- package/dist/cli/commands/wrap.d.ts +19 -0
- package/dist/cli/commands/wrap.d.ts.map +1 -0
- package/dist/cli/commands/wrap.js +59 -0
- package/dist/cli/commands/wrap.js.map +1 -0
- package/dist/cli/index.d.ts +17 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +202 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/cli/ui.d.ts +139 -0
- package/dist/cli/ui.d.ts.map +1 -0
- package/dist/cli/ui.js +271 -0
- package/dist/cli/ui.js.map +1 -0
- package/dist/constants.d.ts +33 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/constants.js +54 -0
- package/dist/constants.js.map +1 -0
- package/dist/errors.d.ts +28 -0
- package/dist/errors.d.ts.map +1 -0
- package/dist/errors.js +37 -0
- package/dist/errors.js.map +1 -0
- package/dist/index.d.ts +49 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +82 -0
- package/dist/index.js.map +1 -0
- package/dist/orchestrator/index.d.ts +11 -0
- package/dist/orchestrator/index.d.ts.map +1 -0
- package/dist/orchestrator/index.js +10 -0
- package/dist/orchestrator/index.js.map +1 -0
- package/dist/orchestrator/manager.d.ts +127 -0
- package/dist/orchestrator/manager.d.ts.map +1 -0
- package/dist/orchestrator/manager.js +498 -0
- package/dist/orchestrator/manager.js.map +1 -0
- package/dist/orchestrator/types.d.ts +141 -0
- package/dist/orchestrator/types.d.ts.map +1 -0
- package/dist/orchestrator/types.js +9 -0
- package/dist/orchestrator/types.js.map +1 -0
- package/dist/policy/engine.d.ts +55 -0
- package/dist/policy/engine.d.ts.map +1 -0
- package/dist/policy/engine.js +288 -0
- package/dist/policy/engine.js.map +1 -0
- package/dist/policy/natural-language.d.ts +141 -0
- package/dist/policy/natural-language.d.ts.map +1 -0
- package/dist/policy/natural-language.js +552 -0
- package/dist/policy/natural-language.js.map +1 -0
- package/dist/policy/parser.d.ts +141 -0
- package/dist/policy/parser.d.ts.map +1 -0
- package/dist/policy/parser.js +314 -0
- package/dist/policy/parser.js.map +1 -0
- package/dist/policy/types.d.ts +428 -0
- package/dist/policy/types.d.ts.map +1 -0
- package/dist/policy/types.js +32 -0
- package/dist/policy/types.js.map +1 -0
- package/dist/policy/validator.d.ts +72 -0
- package/dist/policy/validator.d.ts.map +1 -0
- package/dist/policy/validator.js +453 -0
- package/dist/policy/validator.js.map +1 -0
- package/dist/proxy/bridge.d.ts +84 -0
- package/dist/proxy/bridge.d.ts.map +1 -0
- package/dist/proxy/bridge.js +217 -0
- package/dist/proxy/bridge.js.map +1 -0
- package/dist/proxy/client.d.ts +130 -0
- package/dist/proxy/client.d.ts.map +1 -0
- package/dist/proxy/client.js +290 -0
- package/dist/proxy/client.js.map +1 -0
- package/dist/proxy/server.d.ts +111 -0
- package/dist/proxy/server.d.ts.map +1 -0
- package/dist/proxy/server.js +444 -0
- package/dist/proxy/server.js.map +1 -0
- package/dist/scanner.d.ts +91 -0
- package/dist/scanner.d.ts.map +1 -0
- package/dist/scanner.js +373 -0
- package/dist/scanner.js.map +1 -0
- package/dist/session/index.d.ts +32 -0
- package/dist/session/index.d.ts.map +1 -0
- package/dist/session/index.js +31 -0
- package/dist/session/index.js.map +1 -0
- package/dist/session/manager.d.ts +166 -0
- package/dist/session/manager.d.ts.map +1 -0
- package/dist/session/manager.js +454 -0
- package/dist/session/manager.js.map +1 -0
- package/dist/session/sqlite-store.d.ts +54 -0
- package/dist/session/sqlite-store.d.ts.map +1 -0
- package/dist/session/sqlite-store.js +209 -0
- package/dist/session/sqlite-store.js.map +1 -0
- package/dist/session/types.d.ts +179 -0
- package/dist/session/types.d.ts.map +1 -0
- package/dist/session/types.js +38 -0
- package/dist/session/types.js.map +1 -0
- package/dist/templates.d.ts +64 -0
- package/dist/templates.d.ts.map +1 -0
- package/dist/templates.js +451 -0
- package/dist/templates.js.map +1 -0
- package/dist/utils/config.d.ts +57 -0
- package/dist/utils/config.d.ts.map +1 -0
- package/dist/utils/config.js +104 -0
- package/dist/utils/config.js.map +1 -0
- package/dist/utils/errors.d.ts +18 -0
- package/dist/utils/errors.d.ts.map +1 -0
- package/dist/utils/errors.js +35 -0
- package/dist/utils/errors.js.map +1 -0
- package/dist/utils/logger.d.ts +144 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +300 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/wizard.d.ts +68 -0
- package/dist/wizard.d.ts.map +1 -0
- package/dist/wizard.js +395 -0
- package/dist/wizard.js.map +1 -0
- package/package.json +99 -0
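--- a/package/dist/approval/terminal.d.ts
+++ b/package/dist/approval/terminal.d.ts
@@ -0,0 +1,59 @@
+/**
+* Terminal-based approval handler for Tollgate
+*
+* Prompts users in the terminal for approval of tool calls,
+* with support for session-based duration options.
+*/
+import type { ApprovalHandler, ApprovalRequest, ApprovalResponse } from './types.js';
+/**
+* Terminal approval handler that prompts users via stdin/stdout.
+*
+* Supports session-based approvals where users can approve for a duration:
+* - `y` or `yes` - Approve once (no session grant)
+* - `5` - Approve and grant for 5 minutes
+* - `15` - Approve and grant for 15 minutes
+* - `s` or `session` - Approve for the entire session
+* - `n` or `no` - Deny
+* - `d` - Show details (future feature)
+*
+* @example
+* ```typescript
+* const handler = new TerminalApprovalHandler(60000);
+* const response = await handler.prompt(request);
+*
+* if (response.result === 'approved') {
+* if (response.sessionGrant) {
+* // User approved with a session duration
+* console.log(`Granted for ${response.sessionGrant.duration}`);
+* }
+* }
+* ```
+*/
+export declare class TerminalApprovalHandler implements ApprovalHandler {
+private rl;
+private timeoutMs;
+constructor(timeoutMs?: number);
+prompt(request: ApprovalRequest): Promise<ApprovalResponse>;
+/**
+* Prints the approval prompt to stderr (stdout is used by MCP).
+*/
+private printPrompt;
+/**
+* Formats risk level with appropriate color.
+*/
+private formatRisk;
+/**
+* Waits for user input with timeout.
+*/
+private waitForInput;
+/**
+* Parses user input into an approval result with optional session grant.
+*/
+private parseInput;
+/**
+* Checks if a duration is in the allowed list.
+*/
+private isValidDuration;
+close(): void;
+}
+//# sourceMappingURL=terminal.d.ts.map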
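Review bot: The class comment on `TerminalApprovalHandler` lists fewer inputs than the compiled implementation accepts and names the wrong streams, which matters because this prompt is the human approval boundary. `parseInput` in `terminal.js` also accepts `30`/`30min` and a `scope:duration` form (`exact`, `tool` or `server` with `<n>min` or `session`) whose scope can differ from `defaultScope`, and it treats empty input, `d` and anything unrecognised as a denial; the handler resolves with `'timeout'` when no answer arrives. Input is read from `/dev/tty` and the prompt is written to stderr, so "via stdin/stdout" should read "via the controlling terminal (prompt on stderr)". I would add the missing inputs and the deny-by-default cases to the bullet list in the source `terminal.ts`, since this declaration file is generated from it.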
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"terminal.d.ts","sourceRoot":"","sources":["../../src/approval/terminal.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,gBAAgB,EAGjB,MAAM,YAAY,CAAC;AAapB;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,EAAE,CAAmC;IAC7C,OAAO,CAAC,SAAS,CAAS;gBAEd,SAAS,GAAE,MAAoC;IAIrD,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAiBjE;;OAEG;IACH,OAAO,CAAC,WAAW;IAgDnB;;OAEG;IACH,OAAO,CAAC,UAAU;IAiBlB;;OAEG;YACW,YAAY;IA2C1B;;OAEG;IACH,OAAO,CAAC,UAAU;IAsFlB;;OAEG;IACH,OAAO,CAAC,eAAe;IAOvB,KAAK,IAAI,IAAI;CAId"}
|
|
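--- a/package/dist/approval/terminal.js
+++ b/package/dist/approval/terminal.js
@@ -0,0 +1,238 @@
+/**
+* Terminal-based approval handler for Tollgate
+*
+* Prompts users in the terminal for approval of tool calls,
+* with support for session-based duration options.
+*/
+import * as readline from 'node:readline';
+import * as fs from 'node:fs';
+import chalk from 'chalk';
+import { DEFAULT_SESSION_CONFIG } from '../session/types.js';
+import { approvalLogger as logger } from '../utils/logger.js';
+import { DEFAULT_APPROVAL_TIMEOUT_MS } from '../constants.js';
+/**
+* Terminal approval handler that prompts users via stdin/stdout.
+*
+* Supports session-based approvals where users can approve for a duration:
+* - `y` or `yes` - Approve once (no session grant)
+* - `5` - Approve and grant for 5 minutes
+* - `15` - Approve and grant for 15 minutes
+* - `s` or `session` - Approve for the entire session
+* - `n` or `no` - Deny
+* - `d` - Show details (future feature)
+*
+* @example
+* ```typescript
+* const handler = new TerminalApprovalHandler(60000);
+* const response = await handler.prompt(request);
+*
+* if (response.result === 'approved') {
+* if (response.sessionGrant) {
+* // User approved with a session duration
+* console.log(`Granted for ${response.sessionGrant.duration}`);
+* }
+* }
+* ```
+*/
+export class TerminalApprovalHandler {
+rl = null;
+timeoutMs;
+constructor(timeoutMs = DEFAULT_APPROVAL_TIMEOUT_MS) {
+this.timeoutMs = timeoutMs;
+}
+async prompt(request) {
+const startTime = Date.now();
+const sessionConfig = request.sessionConfig ?? DEFAULT_SESSION_CONFIG;
+const allowRemember = sessionConfig.allowRemember ?? true;
+this.printPrompt(request, allowRemember);
+const inputResult = await this.waitForInput(allowRemember, sessionConfig);
+return {
+result: inputResult.result,
+respondedAt: new Date(),
+durationMs: Date.now() - startTime,
+sessionGrant: inputResult.sessionGrant,
+};
+}
+/**
+* Prints the approval prompt to stderr (stdout is used by MCP).
+*/
+printPrompt(request, allowRemember) {
+const { context, decision } = request;
+console.error('');
+console.error(chalk.yellow.bold('━'.repeat(60)));
+console.error(chalk.yellow.bold(' TOLLGATE: Agent requesting action'));
+console.error(chalk.yellow.bold('━'.repeat(60)));
+console.error('');
+console.error(` ${chalk.dim('Server:')} ${chalk.cyan(context.server)}`);
+console.error(` ${chalk.dim('Tool:')} ${chalk.cyan(context.tool)}`);
+console.error(` ${chalk.dim('Rule:')} ${chalk.dim(decision.matchedRule ?? 'default')}`);
+// Show analysis info if available
+if (decision.analysis) {
+console.error(` ${chalk.dim('Risk:')} ${this.formatRisk(decision.analysis.risk)}`);
+}
+console.error('');
+if (decision.message) {
+console.error(` ${chalk.white(decision.message)}`);
+console.error('');
+}
+const argsStr = JSON.stringify(context.args, null, 2);
+if (argsStr !== '{}') {
+console.error(` ${chalk.dim('Arguments:')}`);
+for (const line of argsStr.split('\n')) {
+console.error(` ${chalk.dim(line)}`);
+}
+console.error('');
+}
+console.error(chalk.yellow.bold('━'.repeat(60)));
+// Show options based on whether session grants are allowed
+if (allowRemember) {
+console.error(` Allow? ${chalk.dim('[y]es once')} / ${chalk.green('[5]min')} / ${chalk.green('[15]min')} / ${chalk.green('[s]ession')} / ${chalk.red('[N]o')}`);
+}
+else {
+console.error(` Allow this action? ${chalk.dim('[y]es / [N]o / [d]etails')}`);
+}
+console.error('');
+}
+/**
+* Formats risk level with appropriate color.
+*/
+formatRisk(risk) {
+switch (risk) {
+case 'safe':
+return chalk.green(risk);
+case 'read':
+return chalk.blue(risk);
+case 'write':
+return chalk.yellow(risk);
+case 'destructive':
+return chalk.red(risk);
+case 'dangerous':
+return chalk.bgRed.white(` ${risk} `);
+default:
+return risk;
+}
+}
+/**
+* Waits for user input with timeout.
+*/
+async waitForInput(allowRemember, sessionConfig) {
+return new Promise((resolve) => {
+// Create interface on /dev/tty to read from terminal even when stdin is piped
+let input;
+let output;
+try {
+// Try to open /dev/tty for direct terminal access
+input = fs.createReadStream('/dev/tty');
+output = fs.createWriteStream('/dev/tty');
+}
+catch {
+// Fallback to stderr for prompts (stdin might be used by MCP)
+input = process.stdin;
+output = process.stderr;
+}
+this.rl = readline.createInterface({
+input,
+output,
+terminal: true,
+});
+const timeout = setTimeout(() => {
+logger.warn('Approval request timed out', { timeoutMs: this.timeoutMs });
+process.stderr.write(chalk.red('\n Timeout - action denied\n'));
+this.rl?.close();
+resolve({ result: 'timeout' });
+}, this.timeoutMs);
+this.rl.question(' > ', (answer) => {
+clearTimeout(timeout);
+this.rl?.close();
+const normalized = answer.trim().toLowerCase();
+const result = this.parseInput(normalized, allowRemember, sessionConfig);
+resolve(result);
+});
+});
+}
+/**
+* Parses user input into an approval result with optional session grant.
+*/
+parseInput(input, allowRemember, sessionConfig) {
+// Deny responses
+if (input === 'n' || input === 'no' || input === '') {
+console.error(chalk.red(' Denied'));
+return { result: 'denied' };
+}
+// Details (not yet implemented)
+if (input === 'd' || input === 'details') {
+console.error(chalk.yellow(' Details requested - feature coming soon'));
+console.error(chalk.red(' Denied'));
+return { result: 'denied' };
+}
+// Simple approval (no session)
+if (input === 'y' || input === 'yes') {
+console.error(chalk.green(' Approved (once)'));
+return { result: 'approved' };
+}
+// Session-based approvals (only if allowed)
+if (allowRemember) {
+const defaultScope = sessionConfig.defaultScope ?? 'tool';
+const allowedDurations = sessionConfig.allowedDurations ?? ['once', '5min', '15min', 'session'];
+// 5-minute grant
+if ((input === '5' || input === '5min') && allowedDurations.includes('5min')) {
+console.error(chalk.green(' Approved for 5 minutes'));
+return {
+result: 'approved',
+sessionGrant: { scope: defaultScope, duration: '5min' },
+};
+}
+// 15-minute grant
+if ((input === '15' || input === '15min') && allowedDurations.includes('15min')) {
+console.error(chalk.green(' Approved for 15 minutes'));
+return {
+result: 'approved',
+sessionGrant: { scope: defaultScope, duration: '15min' },
+};
+}
+// 30-minute grant
+if ((input === '30' || input === '30min') && allowedDurations.includes('30min')) {
+console.error(chalk.green(' Approved for 30 minutes'));
+return {
+result: 'approved',
+sessionGrant: { scope: defaultScope, duration: '30min' },
+};
+}
+// Session lifetime grant
+if ((input === 's' || input === 'session') && allowedDurations.includes('session')) {
+console.error(chalk.green(' Approved for session'));
+return {
+result: 'approved',
+sessionGrant: { scope: defaultScope, duration: 'session' },
+};
+}
+// Advanced: scope:duration format (e.g., "server:15min", "tool:session")
+const advancedMatch = input.match(/^(exact|tool|server):(\d+min|session)$/);
+if (advancedMatch) {
+const scope = advancedMatch[1];
+const duration = advancedMatch[2];
+if (this.isValidDuration(duration, allowedDurations)) {
+console.error(chalk.green(` Approved for ${duration} (scope: ${scope})`));
+return {
+result: 'approved',
+sessionGrant: { scope, duration },
+};
+}
+}
+}
+// Unrecognized input - treat as deny
+console.error(chalk.red(` Unrecognized input "${input}" - denied`));
+return { result: 'denied' };
+}
+/**
+* Checks if a duration is in the allowed list.
+*/
+isValidDuration(duration, allowed) {
+return allowed.includes(duration);
+}
+close() {
+this.rl?.close();
+this.rl = null;
+}
+}
+//# sourceMappingURL=terminal.js.map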
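Review bot: `printPrompt` writes `context.server`, `context.tool`, `decision.matchedRule` and `decision.message` to the terminal unmodified, so any control characters or newlines in those fields reach the operator's screen as-is; only the arguments are covered, because `JSON.stringify` escapes C0 control characters. Where these fields come from is not visible in this file, but if any of them can carry agent- or server-supplied text, the prompt a human relies on to approve a tool call can be visually altered. I would pass each field through a display sanitiser before printing, e.g. `const printable = (s) => String(s).replace(/[\u0000-\u001f\u007f-\u009f]/g, '?');`. Separately, in `waitForInput` the `try`/`catch` around `fs.createReadStream('/dev/tty')` likely never reaches the stdin/stderr fallback, since stream open failures are reported through an `'error'` event rather than thrown, and the two `/dev/tty` streams appear not to be destroyed after `rl.close()`.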
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"terminal.js","sourceRoot":"","sources":["../../src/approval/terminal.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,MAAM,OAAO,CAAC;AAQ1B,OAAO,EAAE,sBAAsB,EAAkD,MAAM,qBAAqB,CAAC;AAC7G,OAAO,EAAE,cAAc,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAU9D;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,uBAAuB;IAC1B,EAAE,GAA8B,IAAI,CAAC;IACrC,SAAS,CAAS;IAE1B,YAAY,YAAoB,2BAA2B;QACzD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAwB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,sBAAsB,CAAC;QACtE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,IAAI,IAAI,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAEzC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAE1E,OAAO;YACL,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,WAAW,EAAE,IAAI,IAAI,EAAE;YACvB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAClC,YAAY,EAAE,WAAW,CAAC,YAAY;SACvC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,OAAwB,EAAE,aAAsB;QAClE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAEtC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC,CAAC;QACxE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxE,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,IAAI,SAAS,CAAC,EAAE,CAAC,CAAC;QAE5F,kCAAkC;QAClC,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,
CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzF,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAElB,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACtD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YAC9C,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;YACD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAEjD,2DAA2D;QAC3D,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CACX,YAAY,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAClJ,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CACX,wBAAwB,KAAK,CAAC,GAAG,CAAC,0BAA0B,CAAC,EAAE,CAChE,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,IAAY;QAC7B,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM;gBACT,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC3B,KAAK,MAAM;gBACT,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1B,KAAK,OAAO;gBACV,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC5B,KAAK,aAAa;gBAChB,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACzB,KAAK,WAAW;gBACd,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC;YACxC;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,aAAsB,EACtB,aAAkC;QAElC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,8EAA8E;YAC9E,IAAI,KAA4B,CAAC;YACjC,IAAI,MAA6B,CAAC;YAElC,IAAI,CAAC;gBACH,kDAAkD;gBAClD,KAAK,GAAG,EAAE,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;gBACxC,MAAM,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;gBAC9D,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;gBACtB,MAAM,GAAG,OAA
O,CAAC,MAAM,CAAC;YAC1B,CAAC;YAED,IAAI,CAAC,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC;gBACjC,KAAK;gBACL,MAAM;gBACN,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC9B,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACzE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC,CAAC;gBACjE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YACjC,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAEnB,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE;gBAClC,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC;gBAEjB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;gBACzE,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,UAAU,CAChB,KAAa,EACb,aAAsB,EACtB,aAAkC;QAElC,iBAAiB;QACjB,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YACpD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;YACrC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAC9B,CAAC;QAED,gCAAgC;QAChC,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACzC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,2CAA2C,CAAC,CAAC,CAAC;YACzE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;YACrC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAC9B,CAAC;QAED,+BAA+B;QAC/B,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YACrC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAChD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QAChC,CAAC;QAED,4CAA4C;QAC5C,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,YAAY,GAAG,aAAa,CAAC,YAAY,IAAI,MAAM,CAAC;YAC1D,MAAM,gBAAgB,GAAG,aAAa,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YAEhG,iBAAiB;YACjB,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,MAAM,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7E,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;gBACvD,OAAO;oBACL,MAAM,EAAE,UAAU;oBAClB,YAAY,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE;
iBACxD,CAAC;YACJ,CAAC;YAED,kBAAkB;YAClB,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,OAAO,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChF,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;gBACxD,OAAO;oBACL,MAAM,EAAE,UAAU;oBAClB,YAAY,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE;iBACzD,CAAC;YACJ,CAAC;YAED,kBAAkB;YAClB,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,OAAO,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChF,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;gBACxD,OAAO;oBACL,MAAM,EAAE,UAAU;oBAClB,YAAY,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE;iBACzD,CAAC;YACJ,CAAC;YAED,yBAAyB;YACzB,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,SAAS,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnF,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;gBACrD,OAAO;oBACL,MAAM,EAAE,UAAU;oBAClB,YAAY,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE;iBAC3D,CAAC;YACJ,CAAC;YAED,yEAAyE;YACzE,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5E,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,CAAgC,CAAC;gBAC9D,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAoB,CAAC;gBAErD,IAAI,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,CAAC;oBACrD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,QAAQ,YAAY,KAAK,GAAG,CAAC,CAAC,CAAC;oBAC3E,OAAO;wBACL,MAAM,EAAE,UAAU;wBAClB,YAAY,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;qBAClC,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,yBAAyB,KAAK,YAAY,CAAC,CAAC,CAAC;QACrE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACK,eAAe,CACrB,QAAyB,EACzB,OAA0B;QAE1B,OAAO,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC;QACjB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC;IACjB,CAAC;CACF"}
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
import type { ToolCallContext, PolicyDecision } from '../policy/types.js';
|
|
2
|
+
import type { SessionScope, SessionDuration, SessionPolicyConfig } from '../session/types.js';
|
|
3
|
+
export type ApprovalResult = 'approved' | 'denied' | 'timeout';
|
|
4
|
+
/**
|
|
5
|
+
* Request for user approval of a tool call.
|
|
6
|
+
*/
|
|
7
|
+
export interface ApprovalRequest {
|
|
8
|
+
/** Unique identifier for this approval request */
|
|
9
|
+
id: string;
|
|
10
|
+
/** Context of the tool call being approved */
|
|
11
|
+
context: ToolCallContext;
|
|
12
|
+
/** Policy decision that triggered this approval */
|
|
13
|
+
decision: PolicyDecision;
|
|
14
|
+
/** When the request was created */
|
|
15
|
+
timestamp: Date;
|
|
16
|
+
/**
|
|
17
|
+
* Session configuration from policy.
|
|
18
|
+
* Controls what duration options are shown to the user.
|
|
19
|
+
*/
|
|
20
|
+
sessionConfig?: SessionPolicyConfig;
|
|
21
|
+
}
|
|
22
|
+
/**
|
|
23
|
+
* Session grant information returned when user approves with a duration.
|
|
24
|
+
*/
|
|
25
|
+
export interface SessionGrantInfo {
|
|
26
|
+
/** Scope of the grant */
|
|
27
|
+
scope: SessionScope;
|
|
28
|
+
/** Duration of the grant */
|
|
29
|
+
duration: SessionDuration;
|
|
30
|
+
/** Pattern for 'pattern' scope */
|
|
31
|
+
pattern?: string;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Response from an approval handler.
|
|
35
|
+
*/
|
|
36
|
+
export interface ApprovalResponse {
|
|
37
|
+
/** The user's decision */
|
|
38
|
+
result: ApprovalResult;
|
|
39
|
+
/** When the user responded */
|
|
40
|
+
respondedAt: Date;
|
|
41
|
+
/** Time spent waiting for approval (ms) */
|
|
42
|
+
durationMs: number;
|
|
43
|
+
/**
|
|
44
|
+
* Session grant info if user approved with a duration.
|
|
45
|
+
* Undefined means single approval only (no session grant).
|
|
46
|
+
*/
|
|
47
|
+
sessionGrant?: SessionGrantInfo;
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Interface for approval handlers.
|
|
51
|
+
* Implementations can use terminal, webhook, or other approval methods.
|
|
52
|
+
*/
|
|
53
|
+
export interface ApprovalHandler {
|
|
54
|
+
/**
|
|
55
|
+
* Prompts the user for approval.
|
|
56
|
+
*
|
|
57
|
+
* @param request - The approval request
|
|
58
|
+
* @returns Promise resolving to the user's response
|
|
59
|
+
*/
|
|
60
|
+
prompt(request: ApprovalRequest): Promise<ApprovalResponse>;
|
|
61
|
+
/**
|
|
62
|
+
* Closes any open resources (readline interfaces, etc).
|
|
63
|
+
*/
|
|
64
|
+
close(): void;
|
|
65
|
+
}
|
|
66
|
+
//# sourceMappingURL=types.d.ts.map
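Review bot: `ApprovalResponse` allows `sessionGrant` next to any `result`, so a handler (terminal, webhook or other) can return `result: 'denied'` or `'timeout'` together with a grant and the type checker will accept it. Whether the consumer ignores the grant in that case is not visible in this declaration file, so the type should make that state unrepresentable: keep `sessionGrant?: SessionGrantInfo` only on a `{ result: 'approved' }` variant and use `sessionGrant?: never` on the `'denied' | 'timeout'` variant. The `prompt` doc comment should also state how a rejected promise is treated; for an approval gate I would document rejection as equivalent to `'denied'`. `SessionGrantInfo.pattern` is a bare `string` whose comment does not say which matching syntax it uses, and that belongs in the comment so a handler knows how broad a grant it is returning.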
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/approval/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE9F,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,EAAE,EAAE,MAAM,CAAC;IAEX,8CAA8C;IAC9C,OAAO,EAAE,eAAe,CAAC;IAEzB,mDAAmD;IACnD,QAAQ,EAAE,cAAc,CAAC;IAEzB,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAC;IAEhB;;;OAGG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yBAAyB;IACzB,KAAK,EAAE,YAAY,CAAC;IAEpB,4BAA4B;IAC5B,QAAQ,EAAE,eAAe,CAAC;IAE1B,kCAAkC;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0BAA0B;IAC1B,MAAM,EAAE,cAAc,CAAC;IAEvB,8BAA8B;IAC9B,WAAW,EAAE,IAAI,CAAC;IAElB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,YAAY,CAAC,EAAE,gBAAgB,CAAC;CACjC;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B;;;;;OAKG;IACH,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAE5D;;OAEG;IACH,KAAK,IAAI,IAAI,CAAC;CACf"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/approval/types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Audit Export Module for Tollgate
|
|
3
|
+
*
|
|
4
|
+
* Exports audit records in various formats for compliance reporting,
|
|
5
|
+
* log aggregation, and SIEM integration.
|
|
6
|
+
*
|
|
7
|
+
* Supported formats:
|
|
8
|
+
* - JSON Lines (JSONL) - for log aggregation (Splunk, ELK, etc.)
|
|
9
|
+
* - CSV - for spreadsheet analysis
|
|
10
|
+
* - CEF (Common Event Format) - for SIEM systems
|
|
11
|
+
*
|
|
12
|
+
* @example
|
|
13
|
+
* ```typescript
|
|
14
|
+
* import { AuditExporter } from './exporter.js';
|
|
15
|
+
*
|
|
16
|
+
* const exporter = new AuditExporter(logger);
|
|
17
|
+
*
|
|
18
|
+
* // Export as JSON Lines
|
|
19
|
+
* const jsonl = exporter.exportJsonLines({ since: new Date('2024-01-01') });
|
|
20
|
+
*
|
|
21
|
+
* // Export as CSV
|
|
22
|
+
* const csv = exporter.exportCsv({ useRedacted: true });
|
|
23
|
+
*
|
|
24
|
+
* // Export as CEF for SIEM
|
|
25
|
+
* const cef = exporter.exportCef({ server: 'postgres' });
|
|
26
|
+
* ```
|
|
27
|
+
*/
|
|
28
|
+
import type { AuditLogger } from './logger.js';
|
|
29
|
+
import type { RiskLevel } from './schema.js';
|
|
30
|
+
/**
|
|
31
|
+
* Options for exporting audit records.
|
|
32
|
+
*/
|
|
33
|
+
export interface ExportOptions {
|
|
34
|
+
/** Only include records since this date */
|
|
35
|
+
since?: Date;
|
|
36
|
+
/** Only include records until this date */
|
|
37
|
+
until?: Date;
|
|
38
|
+
/** Filter by server name */
|
|
39
|
+
server?: string;
|
|
40
|
+
/** Filter by risk level */
|
|
41
|
+
riskLevel?: RiskLevel;
|
|
42
|
+
/** Maximum number of records to export (default: all) */
|
|
43
|
+
limit?: number;
|
|
44
|
+
/** Use PII-redacted args in export (default: true for compliance) */
|
|
45
|
+
useRedacted?: boolean;
|
|
46
|
+
/** Include session grants in export */
|
|
47
|
+
includeSessionGrants?: boolean;
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Audit exporter for generating compliance reports.
|
|
51
|
+
*/
|
|
52
|
+
export declare class AuditExporter {
|
|
53
|
+
private logger;
|
|
54
|
+
constructor(logger: AuditLogger);
|
|
55
|
+
/**
|
|
56
|
+
* Exports audit records as JSON Lines (JSONL).
|
|
57
|
+
*
|
|
58
|
+
* Each line is a complete JSON object, suitable for log aggregation systems.
|
|
59
|
+
*
|
|
60
|
+
* @param options - Export options
|
|
61
|
+
* @returns JSONL string with one record per line
|
|
62
|
+
*/
|
|
63
|
+
exportJsonLines(options?: ExportOptions): string;
|
|
64
|
+
/**
|
|
65
|
+
* Exports audit records as CSV.
|
|
66
|
+
*
|
|
67
|
+
* @param options - Export options
|
|
68
|
+
* @returns CSV string with headers
|
|
69
|
+
*/
|
|
70
|
+
exportCsv(options?: ExportOptions): string;
|
|
71
|
+
/**
|
|
72
|
+
* Exports audit records in CEF (Common Event Format).
|
|
73
|
+
*
|
|
74
|
+
* CEF is widely supported by SIEM systems like Splunk, ArcSight, and QRadar.
|
|
75
|
+
*
|
|
76
|
+
* Format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
|
|
77
|
+
*
|
|
78
|
+
* @param options - Export options
|
|
79
|
+
* @returns CEF formatted string with one event per line
|
|
80
|
+
*/
|
|
81
|
+
exportCef(options?: ExportOptions): string;
|
|
82
|
+
/**
|
|
83
|
+
* Gets records based on export options.
|
|
84
|
+
*/
|
|
85
|
+
private getRecords;
|
|
86
|
+
/**
|
|
87
|
+
* Formats an audit record for JSON export.
|
|
88
|
+
*/
|
|
89
|
+
private formatRecordForExport;
|
|
90
|
+
/**
|
|
91
|
+
* Formats a session grant for JSON export.
|
|
92
|
+
*/
|
|
93
|
+
private formatGrantForExport;
|
|
94
|
+
/**
|
|
95
|
+
* Formats a CEF event from an audit record.
|
|
96
|
+
*
|
|
97
|
+
* CEF format: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
|
|
98
|
+
*/
|
|
99
|
+
private formatCefEvent;
|
|
100
|
+
/**
|
|
101
|
+
* Gets the CEF signature ID for a record.
|
|
102
|
+
*/
|
|
103
|
+
private getCefSignatureId;
|
|
104
|
+
/**
|
|
105
|
+
* Gets the CEF severity for a record.
|
|
106
|
+
*/
|
|
107
|
+
private getCefSeverity;
|
|
108
|
+
/**
|
|
109
|
+
* Gets CEF extension fields for a record.
|
|
110
|
+
*/
|
|
111
|
+
private getCefExtensions;
|
|
112
|
+
/**
|
|
113
|
+
* Escapes a value for CSV format.
|
|
114
|
+
*/
|
|
115
|
+
private escapeCsv;
|
|
116
|
+
/**
|
|
117
|
+
* Escapes a CEF header field (pipe and backslash).
|
|
118
|
+
*/
|
|
119
|
+
private escapeCef;
|
|
120
|
+
/**
|
|
121
|
+
* Escapes a CEF extension value (equals and newlines).
|
|
122
|
+
*/
|
|
123
|
+
private escapeCefValue;
|
|
124
|
+
}
|
|
125
|
+
/**
|
|
126
|
+
* Export format types.
|
|
127
|
+
*/
|
|
128
|
+
export type ExportFormat = 'json' | 'jsonl' | 'csv' | 'cef';
|
|
129
|
+
/**
|
|
130
|
+
* Creates an exporter and exports records in the specified format.
|
|
131
|
+
*
|
|
132
|
+
* @param logger - The audit logger to export from
|
|
133
|
+
* @param format - The export format
|
|
134
|
+
* @param options - Export options
|
|
135
|
+
* @returns Formatted export string
|
|
136
|
+
*/
|
|
137
|
+
export declare function exportAuditRecords(logger: AuditLogger, format: ExportFormat, options?: ExportOptions): string;
|
|
138
|
+
//# sourceMappingURL=exporter.d.ts.map
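Review bot: The doc comment on `escapeCefValue` lists only equals and newlines, while the one on `escapeCef` lists pipe and backslash. CEF extension values need the backslash escaped too, otherwise a value ending in `\` changes how the SIEM parses the next `key=` pair. The implementations are private and not in this declaration file, so confirm against `exporter.js`; if backslash is handled there, the comment should read `Escapes a CEF extension value (backslash, equals and newlines).` The same applies to `escapeCsv`: the CSV export is documented as meant for spreadsheet analysis and the records carry tool-call args, so its comment should say whether cells starting with `=`, `+`, `-` or `@` are neutralised. Separately, `ExportFormat` includes `'json'` but the header comment and the class list only JSONL, CSV and CEF, so document what `exportAuditRecords` returns for `'json'`.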
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"exporter.d.ts","sourceRoot":"","sources":["../../src/audit/exporter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAmC,SAAS,EAAE,MAAM,aAAa,CAAC;AAE9E;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,IAAI,CAAC;IACb,2CAA2C;IAC3C,KAAK,CAAC,EAAE,IAAI,CAAC;IACb,4BAA4B;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uCAAuC;IACvC,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAiBD;;GAEG;AACH,qBAAa,aAAa;IACZ,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,WAAW;IAEvC;;;;;;;OAOG;IACH,eAAe,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM;IAsBpD;;;;;OAKG;IACH,SAAS,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM;IA0D9C;;;;;;;;;OASG;IACH,SAAS,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM;IAa9C;;OAEG;IACH,OAAO,CAAC,UAAU;IAWlB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsC7B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAmB5B;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAuBtB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAYzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAQtB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAiDxB;;OAEG;IACH,OAAO,CAAC,SAAS;IAOjB;;OAEG;IACH,OAAO,CAAC,SAAS;IAIjB;;OAEG;IACH,OAAO,CAAC,cAAc;CAOvB;AAED;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK,GAAG,KAAK,CAAC;AAE5D;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,YAAY,EACpB,OAAO,GAAE,aAAkB,GAC1B,MAAM,CA4BR"}
|