npm - @dotsetlabs/tollgate - Versions diffs - 0.1.0 - Mend

@dotsetlabs/tollgate 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (215) hide show

package/LICENSE +21 -0
package/README.md +885 -0
package/dist/analyzers/filesystem.d.ts +26 -0
package/dist/analyzers/filesystem.d.ts.map +1 -0
package/dist/analyzers/filesystem.js +284 -0
package/dist/analyzers/filesystem.js.map +1 -0
package/dist/analyzers/http.d.ts +90 -0
package/dist/analyzers/http.d.ts.map +1 -0
package/dist/analyzers/http.js +433 -0
package/dist/analyzers/http.js.map +1 -0
package/dist/analyzers/index.d.ts +101 -0
package/dist/analyzers/index.d.ts.map +1 -0
package/dist/analyzers/index.js +342 -0
package/dist/analyzers/index.js.map +1 -0
package/dist/analyzers/loader.d.ts +114 -0
package/dist/analyzers/loader.d.ts.map +1 -0
package/dist/analyzers/loader.js +184 -0
package/dist/analyzers/loader.js.map +1 -0
package/dist/analyzers/prompt-injection.d.ts +95 -0
package/dist/analyzers/prompt-injection.d.ts.map +1 -0
package/dist/analyzers/prompt-injection.js +725 -0
package/dist/analyzers/prompt-injection.js.map +1 -0
package/dist/analyzers/sdk.d.ts +230 -0
package/dist/analyzers/sdk.d.ts.map +1 -0
package/dist/analyzers/sdk.js +283 -0
package/dist/analyzers/sdk.js.map +1 -0
package/dist/analyzers/shell.d.ts +20 -0
package/dist/analyzers/shell.d.ts.map +1 -0
package/dist/analyzers/shell.js +297 -0
package/dist/analyzers/shell.js.map +1 -0
package/dist/analyzers/sql.d.ts +37 -0
package/dist/analyzers/sql.d.ts.map +1 -0
package/dist/analyzers/sql.js +455 -0
package/dist/analyzers/sql.js.map +1 -0
package/dist/analyzers/types.d.ts +117 -0
package/dist/analyzers/types.d.ts.map +1 -0
package/dist/analyzers/types.js +46 -0
package/dist/analyzers/types.js.map +1 -0
package/dist/approval/interactive.d.ts +72 -0
package/dist/approval/interactive.d.ts.map +1 -0
package/dist/approval/interactive.js +550 -0
package/dist/approval/interactive.js.map +1 -0
package/dist/approval/terminal.d.ts +59 -0
package/dist/approval/terminal.d.ts.map +1 -0
package/dist/approval/terminal.js +238 -0
package/dist/approval/terminal.js.map +1 -0
package/dist/approval/types.d.ts +66 -0
package/dist/approval/types.d.ts.map +1 -0
package/dist/approval/types.js +2 -0
package/dist/approval/types.js.map +1 -0
package/dist/audit/exporter.d.ts +138 -0
package/dist/audit/exporter.d.ts.map +1 -0
package/dist/audit/exporter.js +366 -0
package/dist/audit/exporter.js.map +1 -0
package/dist/audit/logger.d.ts +156 -0
package/dist/audit/logger.d.ts.map +1 -0
package/dist/audit/logger.js +406 -0
package/dist/audit/logger.js.map +1 -0
package/dist/audit/redaction.d.ts +110 -0
package/dist/audit/redaction.d.ts.map +1 -0
package/dist/audit/redaction.js +307 -0
package/dist/audit/redaction.js.map +1 -0
package/dist/audit/schema.d.ts +76 -0
package/dist/audit/schema.d.ts.map +1 -0
package/dist/audit/schema.js +122 -0
package/dist/audit/schema.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +34 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +431 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/export.d.ts +18 -0
package/dist/cli/commands/export.d.ts.map +1 -0
package/dist/cli/commands/export.js +63 -0
package/dist/cli/commands/export.js.map +1 -0
package/dist/cli/commands/init.d.ts +12 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +102 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/logs.d.ts +11 -0
package/dist/cli/commands/logs.d.ts.map +1 -0
package/dist/cli/commands/logs.js +60 -0
package/dist/cli/commands/logs.js.map +1 -0
package/dist/cli/commands/scan.d.ts +29 -0
package/dist/cli/commands/scan.d.ts.map +1 -0
package/dist/cli/commands/scan.js +251 -0
package/dist/cli/commands/scan.js.map +1 -0
package/dist/cli/commands/serve.d.ts +26 -0
package/dist/cli/commands/serve.d.ts.map +1 -0
package/dist/cli/commands/serve.js +424 -0
package/dist/cli/commands/serve.js.map +1 -0
package/dist/cli/commands/start.d.ts +20 -0
package/dist/cli/commands/start.d.ts.map +1 -0
package/dist/cli/commands/start.js +82 -0
package/dist/cli/commands/start.js.map +1 -0
package/dist/cli/commands/stats.d.ts +10 -0
package/dist/cli/commands/stats.d.ts.map +1 -0
package/dist/cli/commands/stats.js +42 -0
package/dist/cli/commands/stats.js.map +1 -0
package/dist/cli/commands/templates.d.ts +26 -0
package/dist/cli/commands/templates.d.ts.map +1 -0
package/dist/cli/commands/templates.js +221 -0
package/dist/cli/commands/templates.js.map +1 -0
package/dist/cli/commands/validate.d.ts +12 -0
package/dist/cli/commands/validate.d.ts.map +1 -0
package/dist/cli/commands/validate.js +107 -0
package/dist/cli/commands/validate.js.map +1 -0
package/dist/cli/commands/wrap.d.ts +19 -0
package/dist/cli/commands/wrap.d.ts.map +1 -0
package/dist/cli/commands/wrap.js +59 -0
package/dist/cli/commands/wrap.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +202 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/ui.d.ts +139 -0
package/dist/cli/ui.d.ts.map +1 -0
package/dist/cli/ui.js +271 -0
package/dist/cli/ui.js.map +1 -0
package/dist/constants.d.ts +33 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +54 -0
package/dist/constants.js.map +1 -0
package/dist/errors.d.ts +28 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +37 -0
package/dist/errors.js.map +1 -0
package/dist/index.d.ts +49 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +82 -0
package/dist/index.js.map +1 -0
package/dist/orchestrator/index.d.ts +11 -0
package/dist/orchestrator/index.d.ts.map +1 -0
package/dist/orchestrator/index.js +10 -0
package/dist/orchestrator/index.js.map +1 -0
package/dist/orchestrator/manager.d.ts +127 -0
package/dist/orchestrator/manager.d.ts.map +1 -0
package/dist/orchestrator/manager.js +498 -0
package/dist/orchestrator/manager.js.map +1 -0
package/dist/orchestrator/types.d.ts +141 -0
package/dist/orchestrator/types.d.ts.map +1 -0
package/dist/orchestrator/types.js +9 -0
package/dist/orchestrator/types.js.map +1 -0
package/dist/policy/engine.d.ts +55 -0
package/dist/policy/engine.d.ts.map +1 -0
package/dist/policy/engine.js +288 -0
package/dist/policy/engine.js.map +1 -0
package/dist/policy/natural-language.d.ts +141 -0
package/dist/policy/natural-language.d.ts.map +1 -0
package/dist/policy/natural-language.js +552 -0
package/dist/policy/natural-language.js.map +1 -0
package/dist/policy/parser.d.ts +141 -0
package/dist/policy/parser.d.ts.map +1 -0
package/dist/policy/parser.js +314 -0
package/dist/policy/parser.js.map +1 -0
package/dist/policy/types.d.ts +428 -0
package/dist/policy/types.d.ts.map +1 -0
package/dist/policy/types.js +32 -0
package/dist/policy/types.js.map +1 -0
package/dist/policy/validator.d.ts +72 -0
package/dist/policy/validator.d.ts.map +1 -0
package/dist/policy/validator.js +453 -0
package/dist/policy/validator.js.map +1 -0
package/dist/proxy/bridge.d.ts +84 -0
package/dist/proxy/bridge.d.ts.map +1 -0
package/dist/proxy/bridge.js +217 -0
package/dist/proxy/bridge.js.map +1 -0
package/dist/proxy/client.d.ts +130 -0
package/dist/proxy/client.d.ts.map +1 -0
package/dist/proxy/client.js +290 -0
package/dist/proxy/client.js.map +1 -0
package/dist/proxy/server.d.ts +111 -0
package/dist/proxy/server.d.ts.map +1 -0
package/dist/proxy/server.js +444 -0
package/dist/proxy/server.js.map +1 -0
package/dist/scanner.d.ts +91 -0
package/dist/scanner.d.ts.map +1 -0
package/dist/scanner.js +373 -0
package/dist/scanner.js.map +1 -0
package/dist/session/index.d.ts +32 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +31 -0
package/dist/session/index.js.map +1 -0
package/dist/session/manager.d.ts +166 -0
package/dist/session/manager.d.ts.map +1 -0
package/dist/session/manager.js +454 -0
package/dist/session/manager.js.map +1 -0
package/dist/session/sqlite-store.d.ts +54 -0
package/dist/session/sqlite-store.d.ts.map +1 -0
package/dist/session/sqlite-store.js +209 -0
package/dist/session/sqlite-store.js.map +1 -0
package/dist/session/types.d.ts +179 -0
package/dist/session/types.d.ts.map +1 -0
package/dist/session/types.js +38 -0
package/dist/session/types.js.map +1 -0
package/dist/templates.d.ts +64 -0
package/dist/templates.d.ts.map +1 -0
package/dist/templates.js +451 -0
package/dist/templates.js.map +1 -0
package/dist/utils/config.d.ts +57 -0
package/dist/utils/config.d.ts.map +1 -0
package/dist/utils/config.js +104 -0
package/dist/utils/config.js.map +1 -0
package/dist/utils/errors.d.ts +18 -0
package/dist/utils/errors.d.ts.map +1 -0
package/dist/utils/errors.js +35 -0
package/dist/utils/errors.js.map +1 -0
package/dist/utils/logger.d.ts +144 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +300 -0
package/dist/utils/logger.js.map +1 -0
package/dist/wizard.d.ts +68 -0
package/dist/wizard.d.ts.map +1 -0
package/dist/wizard.js +395 -0
package/dist/wizard.js.map +1 -0
package/package.json +99 -0

package/dist/audit/logger.js ADDED Viewed

@@ -0,0 +1,406 @@
+/**
+ * Audit Logger for Tollgate
+ *
+ * Logs all tool invocations and session grants to SQLite database
+ * for compliance, debugging, and analytics.
+ *
+ * Features:
+ * - Schema versioning with automatic migrations
+ * - PII redaction for compliance (GDPR, SOC2)
+ * - Enhanced metadata for security analysis
+ */
+import Database from 'better-sqlite3';
+import { existsSync, mkdirSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { v4 as uuidv4 } from 'uuid';
+import { getDataDir } from '../utils/config.js';
+import { AUDIT_SCHEMA, SCHEMA_VERSION, } from './schema.js';
+import { PiiRedactor } from './redaction.js';
+/**
+ * AuditLogger records all tool calls and session grants to SQLite.
+ *
+ * Uses WAL mode for concurrent access and prepared statements for performance.
+ *
+ * @example
+ * ```typescript
+ * const logger = new AuditLogger();
+ *
+ * // Log a tool call attempt
+ * const id = logger.logAttempt(context, decision);
+ *
+ * // Later, log the result
+ * logger.logResult(id, 'approved', 'success', undefined, 150);
+ *
+ * // Log a session grant
+ * logger.logSessionGrant(grant);
+ * ```
+ */
+export class AuditLogger {
+    // ---------------------------------------------------------------------------
+    // Private State
+    // ---------------------------------------------------------------------------
+    db;
+    insertToolCallStmt;
+    updateToolCallStmt;
+    insertSessionGrantStmt;
+    updateSessionGrantUsageStmt;
+    redactor;
+    enableRedaction;
+    storeRawArgs;
+    // ---------------------------------------------------------------------------
+    // Constructor
+    // ---------------------------------------------------------------------------
+    constructor(optionsOrPath) {
+        // Handle both old (string path) and new (options object) signatures
+        const options = typeof optionsOrPath === 'string'
+            ? { dbPath: optionsOrPath }
+            : optionsOrPath ?? {};
+        const path = options.dbPath ?? join(getDataDir(), 'audit.db');
+        this.enableRedaction = options.enableRedaction ?? true;
+        // By default, don't store raw args for compliance (GDPR, SOC2, HIPAA)
+        this.storeRawArgs = options.storeRawArgs ?? false;
+        this.redactor = this.enableRedaction
+            ? new PiiRedactor(options.redactionOptions)
+            : null;
+        // Ensure directory exists
+        const dir = dirname(path);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        this.db = new Database(path);
+        this.db.pragma('journal_mode = WAL');
+        // Initialize schema with migrations
+        this.initializeSchema();
+        // Prepared statements for tool calls (updated for new schema)
+        this.insertToolCallStmt = this.db.prepare(`
+      INSERT INTO tool_calls (
+        id, server, tool, args, args_redacted, policy_decision, policy_rule,
+        policy_reason, analyzer, risk_level, session_grant_id, correlation_id, client_id
+      )
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.updateToolCallStmt = this.db.prepare(`
+      UPDATE tool_calls
+      SET user_decision = ?, result = ?, error_message = ?, duration_ms = ?
+      WHERE id = ?
+    `);
+        // Prepared statements for session grants
+        this.insertSessionGrantStmt = this.db.prepare(`
+      INSERT INTO session_grants (id, expires_at, server, scope, scope_value, tool, granted_by, original_request_id)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.updateSessionGrantUsageStmt = this.db.prepare(`
+      UPDATE session_grants SET usage_count = usage_count + 1 WHERE id = ?
+    `);
+    }
+    // ---------------------------------------------------------------------------
+    // Schema Management
+    // ---------------------------------------------------------------------------
+    /**
+     * Initializes the database schema with version tracking and migrations.
+     */
+    initializeSchema() {
+        // Check if this is a fresh database
+        const tableExists = this.db
+            .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='tool_calls'")
+            .get();
+        if (!tableExists) {
+            // Fresh database - use current schema
+            this.db.exec(AUDIT_SCHEMA);
+            this.db
+                .prepare('INSERT OR REPLACE INTO schema_version (version) VALUES (?)')
+                .run(SCHEMA_VERSION);
+            return;
+        }
+        // Check if schema_version table exists
+        const versionTableExists = this.db
+            .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='schema_version'")
+            .get();
+        let currentVersion = 1;
+        if (versionTableExists) {
+            const row = this.db
+                .prepare('SELECT MAX(version) as version FROM schema_version')
+                .get();
+            currentVersion = row?.version ?? 1;
+        }
+        else {
+            // Create version table for legacy databases
+            this.db.exec(`
+        CREATE TABLE IF NOT EXISTS schema_version (
+          version INTEGER PRIMARY KEY,
+          applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        );
+        INSERT INTO schema_version (version) VALUES (1);
+      `);
+        }
+        // Apply migrations
+        if (currentVersion < 2) {
+            this.applyMigrationV2();
+        }
+    }
+    /**
+     * Applies migration to version 2 (compliance fields).
+     */
+    applyMigrationV2() {
+        // Check if columns already exist (idempotent migration)
+        const columnInfo = this.db
+            .prepare("PRAGMA table_info(tool_calls)")
+            .all();
+        const existingColumns = new Set(columnInfo.map((c) => c.name));
+        const newColumns = [
+            { name: 'args_redacted', sql: 'ALTER TABLE tool_calls ADD COLUMN args_redacted TEXT' },
+            { name: 'policy_reason', sql: 'ALTER TABLE tool_calls ADD COLUMN policy_reason TEXT' },
+            { name: 'analyzer', sql: 'ALTER TABLE tool_calls ADD COLUMN analyzer TEXT' },
+            { name: 'risk_level', sql: 'ALTER TABLE tool_calls ADD COLUMN risk_level TEXT' },
+            { name: 'correlation_id', sql: 'ALTER TABLE tool_calls ADD COLUMN correlation_id TEXT' },
+            { name: 'client_id', sql: 'ALTER TABLE tool_calls ADD COLUMN client_id TEXT' },
+        ];
+        for (const col of newColumns) {
+            if (!existingColumns.has(col.name)) {
+                this.db.exec(col.sql);
+            }
+        }
+        // Add new indexes (CREATE INDEX IF NOT EXISTS is safe to run)
+        this.db.exec(`
+      CREATE INDEX IF NOT EXISTS idx_tool_calls_risk_level ON tool_calls(risk_level);
+      CREATE INDEX IF NOT EXISTS idx_tool_calls_correlation ON tool_calls(correlation_id);
+    `);
+        // Update version
+        this.db
+            .prepare('INSERT OR REPLACE INTO schema_version (version) VALUES (?)')
+            .run(2);
+    }
+    // ---------------------------------------------------------------------------
+    // Tool Call Logging
+    // ---------------------------------------------------------------------------
+    /**
+     * Logs a tool call attempt.
+     *
+     * @param context - The tool call context
+     * @param decision - The policy decision
+     * @param sessionGrantId - ID of session grant that authorized this call (if any)
+     * @param metadata - Additional metadata for the audit record
+     * @returns The generated audit record ID
+     */
+    logAttempt(context, decision, sessionGrantId, metadata) {
+        const id = uuidv4();
+        // By default, only store redacted args for compliance.
+        // Raw args are only stored if explicitly enabled (storeRawArgs: true).
+        let argsToStore = null;
+        let argsRedacted = null;
+        if (this.redactor) {
+            // Always generate redacted version when redaction is enabled
+            argsRedacted = this.redactor.redactObject(context.args);
+        }
+        if (this.storeRawArgs) {
+            // Only store raw args if explicitly enabled (non-compliant mode)
+            argsToStore = JSON.stringify(context.args);
+        }
+        else if (argsRedacted) {
+            // Store redacted version in the args column (compliant mode)
+            argsToStore = argsRedacted;
+        }
+        else {
+            // Redaction disabled, but also not storing raw - store as JSON
+            // This shouldn't normally happen, but handle it safely
+            argsToStore = JSON.stringify(context.args);
+        }
+        // Extract analysis metadata if available
+        const analyzer = decision.analysis?.analyzer ?? null;
+        const riskLevel = decision.analysis?.risk ?? null;
+        this.insertToolCallStmt.run(id, context.server, context.tool, argsToStore, argsRedacted, decision.action, decision.matchedRule ?? null, decision.reason ?? null, analyzer, riskLevel, sessionGrantId ?? null, metadata?.correlationId ?? null, metadata?.clientId ?? null);
+        return id;
+    }
+    /**
+     * Updates a tool call record with the final result.
+     *
+     * @param id - The audit record ID from logAttempt
+     * @param userDecision - The user's approval decision (if prompted)
+     * @param result - Whether the tool call succeeded or failed
+     * @param errorMessage - Error message (if result is 'error')
+     * @param durationMs - Total duration of the tool call
+     */
+    logResult(id, userDecision, result, errorMessage, durationMs) {
+        this.updateToolCallStmt.run(userDecision, result, errorMessage ?? null, durationMs ?? null, id);
+    }
+    // ---------------------------------------------------------------------------
+    // Session Grant Logging
+    // ---------------------------------------------------------------------------
+    /**
+     * Logs a new session grant.
+     *
+     * @param grant - The session grant to log
+     */
+    logSessionGrant(grant) {
+        this.insertSessionGrantStmt.run(grant.id, grant.expiresAt?.toISOString() ?? null, grant.server, grant.scope, grant.scopeValue ?? null, grant.tool ?? null, grant.grantedBy, grant.originalRequestId ?? null);
+    }
+    /**
+     * Increments the usage count for a session grant.
+     *
+     * @param grantId - The session grant ID
+     */
+    logSessionGrantUsage(grantId) {
+        this.updateSessionGrantUsageStmt.run(grantId);
+    }
+    /**
+     * Marks a session grant as revoked.
+     *
+     * @param grantId - The session grant ID
+     * @param revokedBy - Who revoked it (e.g., 'user', 'timeout', 'policy')
+     */
+    revokeSessionGrant(grantId, revokedBy) {
+        const stmt = this.db.prepare(`
+      UPDATE session_grants
+      SET revoked_at = datetime('now'), revoked_by = ?
+      WHERE id = ?
+    `);
+        stmt.run(revokedBy, grantId);
+    }
+    // ---------------------------------------------------------------------------
+    // Query Methods
+    // ---------------------------------------------------------------------------
+    /**
+     * Gets recent tool calls with optional filtering.
+     */
+    getRecentCalls(limitOrOptions = 50) {
+        // Handle both old (number) and new (options) signatures
+        const options = typeof limitOrOptions === 'number'
+            ? { limit: limitOrOptions }
+            : limitOrOptions;
+        const limit = options.limit ?? 50;
+        const conditions = [];
+        const params = [];
+        if (options.server) {
+            conditions.push('server = ?');
+            params.push(options.server);
+        }
+        if (options.since) {
+            conditions.push('timestamp >= ?');
+            params.push(options.since.toISOString());
+        }
+        if (options.until) {
+            conditions.push('timestamp <= ?');
+            params.push(options.until.toISOString());
+        }
+        if (options.riskLevel) {
+            conditions.push('risk_level = ?');
+            params.push(options.riskLevel);
+        }
+        const whereClause = conditions.length > 0
+            ? `WHERE ${conditions.join(' AND ')}`
+            : '';
+        const stmt = this.db.prepare(`
+      SELECT * FROM tool_calls
+      ${whereClause}
+      ORDER BY timestamp DESC
+      LIMIT ?
+    `);
+        params.push(limit);
+        const rows = stmt.all(...params);
+        return rows.map((row) => ({
+            id: row.id,
+            timestamp: new Date(row.timestamp),
+            server: row.server,
+            tool: row.tool,
+            // Use redacted args if requested and available
+            args: options.includeRedacted && row.args_redacted
+                ? JSON.parse(row.args_redacted)
+                : JSON.parse(row.args),
+            argsRedacted: row.args_redacted ?? undefined,
+            policyDecision: row.policy_decision,
+            policyRule: row.policy_rule ?? undefined,
+            policyReason: row.policy_reason ?? undefined,
+            analyzer: row.analyzer ?? undefined,
+            riskLevel: row.risk_level,
+            userDecision: row.user_decision,
+            result: row.result,
+            errorMessage: row.error_message ?? undefined,
+            durationMs: row.duration_ms ?? undefined,
+            sessionGrantId: row.session_grant_id ?? undefined,
+            correlationId: row.correlation_id ?? undefined,
+            clientId: row.client_id ?? undefined,
+        }));
+    }
+    /**
+     * Gets active session grants for a server.
+     *
+     * @param server - Server name to filter by (optional)
+     * @returns Array of active grants
+     */
+    getActiveSessionGrants(server) {
+        const sql = server
+            ? `SELECT * FROM session_grants WHERE server = ? AND revoked_at IS NULL AND (expires_at IS NULL OR expires_at > datetime('now')) ORDER BY created_at DESC`
+            : `SELECT * FROM session_grants WHERE revoked_at IS NULL AND (expires_at IS NULL OR expires_at > datetime('now')) ORDER BY created_at DESC`;
+        const stmt = this.db.prepare(sql);
+        const rows = (server ? stmt.all(server) : stmt.all());
+        return rows.map((row) => ({
+            id: row.id,
+            createdAt: new Date(row.created_at),
+            expiresAt: row.expires_at ? new Date(row.expires_at) : null,
+            server: row.server,
+            scope: row.scope,
+            scopeValue: row.scope_value ?? undefined,
+            tool: row.tool ?? undefined,
+            grantedBy: row.granted_by,
+            originalRequestId: row.original_request_id ?? undefined,
+            usageCount: row.usage_count,
+            revokedAt: row.revoked_at ? new Date(row.revoked_at) : undefined,
+            revokedBy: row.revoked_by ?? undefined,
+        }));
+    }
+    // ---------------------------------------------------------------------------
+    // Statistics
+    // ---------------------------------------------------------------------------
+    /**
+     * Gets aggregate statistics for tool calls.
+     */
+    getStats() {
+        const stmt = this.db.prepare(`
+      SELECT
+        COUNT(*) as total,
+        SUM(CASE WHEN policy_decision = 'allow' THEN 1 ELSE 0 END) as allowed,
+        SUM(CASE WHEN policy_decision = 'deny' OR user_decision = 'denied' OR user_decision = 'timeout' THEN 1 ELSE 0 END) as denied,
+        SUM(CASE WHEN policy_decision = 'prompt' THEN 1 ELSE 0 END) as prompted,
+        SUM(CASE WHEN session_grant_id IS NOT NULL THEN 1 ELSE 0 END) as session_authorized
+      FROM tool_calls
+    `);
+        const result = stmt.get();
+        return {
+            total: result.total,
+            allowed: result.allowed,
+            denied: result.denied,
+            prompted: result.prompted,
+            sessionAuthorized: result.session_authorized,
+        };
+    }
+    /**
+     * Gets session grant statistics.
+     */
+    getSessionStats() {
+        const stmt = this.db.prepare(`
+      SELECT
+        COUNT(*) as total,
+        SUM(CASE WHEN revoked_at IS NULL AND (expires_at IS NULL OR expires_at > datetime('now')) THEN 1 ELSE 0 END) as active,
+        SUM(CASE WHEN revoked_at IS NULL AND expires_at IS NOT NULL AND expires_at <= datetime('now') THEN 1 ELSE 0 END) as expired,
+        SUM(CASE WHEN revoked_at IS NOT NULL THEN 1 ELSE 0 END) as revoked,
+        COALESCE(SUM(usage_count), 0) as total_usage
+      FROM session_grants
+    `);
+        const result = stmt.get();
+        return {
+            totalGrants: result.total,
+            activeGrants: result.active,
+            expiredGrants: result.expired,
+            revokedGrants: result.revoked,
+            totalUsage: result.total_usage,
+        };
+    }
+    // ---------------------------------------------------------------------------
+    // Lifecycle
+    // ---------------------------------------------------------------------------
+    /** Closes the database connection. */
+    close() {
+        this.db.close();
+    }
+}
+//# sourceMappingURL=logger.js.map

package/dist/audit/logger.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/audit/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,cAAc,GAIf,MAAM,aAAa,CAAC;AAIrB,OAAO,EAAE,WAAW,EAAyB,MAAM,gBAAgB,CAAC;AA0BpE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,WAAW;IACtB,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAEtE,EAAE,CAAoB;IACtB,kBAAkB,CAAqB;IACvC,kBAAkB,CAAqB;IACvC,sBAAsB,CAAqB;IAC3C,2BAA2B,CAAqB;IAChD,QAAQ,CAAqB;IAC7B,eAAe,CAAU;IACzB,YAAY,CAAU;IAE9B,8EAA8E;IAC9E,cAAc;IACd,8EAA8E;IAE9E,YAAY,aAA2C;QACrD,oEAAoE;QACpE,MAAM,OAAO,GACX,OAAO,aAAa,KAAK,QAAQ;YAC/B,CAAC,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE;YAC3B,CAAC,CAAC,aAAa,IAAI,EAAE,CAAC;QAE1B,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,UAAU,EAAE,EAAE,UAAU,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,CAAC;QACvD,sEAAsE;QACtE,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,KAAK,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,eAAe;YAClC,CAAC,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAC;QAET,0BAA0B;QAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAErC,oCAAoC;QACpC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,8DAA8D;QAC9D,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;KAMzC,CAAC,CAAC;QAEH,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;KAIzC,CAAC,CAAC;QAEH,yCAAyC;QACzC,IAAI,CAAC,sBAAsB,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAG7C,CAAC,CAAC;QAEH,IAAI,CAAC,2BAA2B,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;KAElD,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,oBAAoB;IACpB,8EAA8E;IAE9E;;OAEG;IACK,gBAAgB;QACtB,oCAAoC;QACpC,MAAM,WAAW,GAAG,IAAI,CAAC,EAAE;aACxB,OAAO,CAAC,yEAAyE,CAAC;aAClF,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,sCAAsC;YACtC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC3B,IAAI,CAAC,EAAE;iBACJ,OAAO,CAAC,4DAA4D,CAAC;iBACrE,GAAG,CAAC,cAAc,CAAC,CAAC;YACvB,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,MAAM,kBAAkB,GAAG,IAAI,CAAC,EAAE;aAC/B,OAAO,CAAC,6EAA6E,CAAC;aACtF,GAAG,EAAE,CAAC;QAET,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,kBAAkB,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;iBAChB,OAAO,CAAC,oDAAoD,CAAC;iBAC7D,GAAG,EAAqC,CAAC;YAC5C,cAAc,GAAG,GAAG,EAAE,OAAO,IAAI,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,4CAA4C;YAC5C,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;;OAMZ,CAAC,CAAC;QACL,CAAC;QAED,mBAAmB;QACnB,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACK,gBAAgB;QACtB,wDAAwD;QACxD,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE;aACvB,OAAO,CAAC,+BAA+B,CAAC;aACxC,GAAG,EAA6B,CAAC;QACpC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG;YACjB,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,EAAE,sDAAsD,EAAE;YACtF,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,EAAE,sDAAsD,EAAE;YACtF,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,iDAAiD,EAAE;YAC5E,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,mDAAmD,EAAE;YAChF,EAAE,IAAI,EAAE,gBAAgB,EAAE,GAAG,EAAE,uDAAuD,EAAE;YACxF,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,kDAAkD,EAAE;SAC/E,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;KAGZ,CAAC,CAAC;QAEH,iBAAiB;QACjB,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,4DAA4D,CAAC;aACrE,GAAG,CAAC,CAAC,CAAC,CAAC;IACZ,CAAC;IAED,8EAA8E;IAC9E,oBAAoB;IACpB,8EAA8E;IAE9E;;;;;;;;OAQG;IACH,UAAU,CACR,OAAwB,EACxB,QAAwB,EACxB,cAAuB,EACvB,QAGC;QAED,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;QAEpB,uDAAuD;QACvD,uEAAuE;QACvE,IAAI,WAAW,GAAkB,IAAI,CAAC;QACtC,IAAI,YAAY,GAAkB,IAAI,CAAC;QAEvC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,6DAA6D;YAC7D,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,iEAAiE;YACjE,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;aAAM,IAAI,YAAY,EAAE,CAAC;YACxB,6DAA6D;YAC7D,WAAW,GAAG,YAAY,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,+DAA+D;YAC/D,uDAAuD;YACvD,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,yCAAyC;QACzC,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC;QACrD,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC;QAElD,IAAI,CAAC,kBAAkB,CAAC,GAAG,CACzB,EAAE,EACF,OAAO,CAAC,MAAM,EACd,OAAO,CAAC,IAAI,EACZ,WAAW,EACX,YAAY,EACZ,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,WAAW,IAAI,IAAI,EAC5B,QAAQ,CAAC,MAAM,IAAI,IAAI,EACvB,QAAQ,EACR,SAAS,EACT,cAAc,IAAI,IAAI,EACtB,QAAQ,EAAE,aAAa,IAAI,IAAI,EAC/B,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAC3B,CAAC;QAEF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;;;;;;;OAQG;IACH,SAAS,CACP,EAAU,EACV,YAAmC,EACnC,MAA2B,EAC3B,YAAqB,EACrB,UAAmB;QAEnB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CACzB,YAAY,EACZ,MAAM,EACN,YAAY,IAAI,IAAI,EACpB,UAAU,IAAI,IAAI,EAClB,EAAE,CACH,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,wBAAwB;IACxB,8EAA8E;IAE9E;;;;OAIG;IACH,eAAe,CAAC,KAAmB;QACjC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAC7B,KAAK,CAAC,EAAE,EACR,KAAK,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,IAAI,EACtC,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,IAAI,IAAI,EACxB,KAAK,CAAC,IAAI,IAAI,IAAI,EAClB,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,iBAAiB,IAAI,IAAI,CAChC,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,oBAAoB,CAAC,OAAe;QAClC,IAAI,CAAC,2BAA2B,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC;IAED;;;;;OAKG;IACH,kBAAkB,CAAC,OAAe,EAAE,SAAiB;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;KAI5B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E;;OAEG;IACH,cAAc,CACZ,iBAOI,EAAE;QAEN,wDAAwD;QACxD,MAAM,OAAO,GAAG,OAAO,cAAc,KAAK,QAAQ;YAChD,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;YAC3B,CAAC,CAAC,cAAc,CAAC;QAEnB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QAClC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAc,EAAE,CAAC;QAE7B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC;YACvC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACrC,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;QAEzB,WAAW;;;KAGd,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAmB7B,CAAC;QAEH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YAClC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,+CAA+C;YAC/C,IAAI,EAAE,OAAO,CAAC,eAAe,IAAI,GAAG,CAAC,aAAa;gBAChD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAA4B;gBAC1D,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAA4B;YACnD,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,cAAc,EAAE,GAAG,CAAC,eAA8C;YAClE,UAAU,EAAE,GAAG,CAAC,WAAW,IAAI,SAAS;YACxC,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;YACnC,SAAS,EAAE,GAAG,CAAC,UAAmC;YAClD,YAAY,EAAE,GAAG,CAAC,aAAsC;YACxD,MAAM,EAAE,GAAG,CAAC,MAAyC;YACrD,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,UAAU,EAAE,GAAG,CAAC,WAAW,IAAI,SAAS;YACxC,cAAc,EAAE,GAAG,CAAC,gBAAgB,IAAI,SAAS;YACjD,aAAa,EAAE,GAAG,CAAC,cAAc,IAAI,SAAS;YAC9C,QAAQ,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;SACrC,CAAC,CAAC,CAAC;IACN,CAAC;IAED;;;;;OAKG;IACH,sBAAsB,CAAC,MAAe;QACpC,MAAM,GAAG,GAAG,MAAM;YAChB,CAAC,CAAC,wJAAwJ;YAC1J,CAAC,CAAC,yIAAyI,CAAC;QAE9I,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAalD,CAAC;QAEH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YACnC,SAAS,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI;YAC3D,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,KAAK,EAAE,GAAG,CAAC,KAAgD;YAC3D,UAAU,EAAE,GAAG,CAAC,WAAW,IAAI,SAAS;YACxC,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,SAAS;YAC3B,SAAS,EAAE,GAAG,CAAC,UAA4C;YAC3D,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS;YACvD,UAAU,EAAE,GAAG,CAAC,WAAW;YAC3B,SAAS,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;YAChE,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;SACvC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,8EAA8E;IAC9E,aAAa;IACb,8EAA8E;IAE9E;;OAEG;IACH,QAAQ;QAON,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ5B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAMtB,CAAC;QAEF,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,iBAAiB,EAAE,MAAM,CAAC,kBAAkB;SAC7C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe;QAOb,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ5B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAMtB,CAAC;QAEF,OAAO;YACL,WAAW,EAAE,MAAM,CAAC,KAAK;YACzB,YAAY,EAAE,MAAM,CAAC,MAAM;YAC3B,aAAa,EAAE,MAAM,CAAC,OAAO;YAC7B,aAAa,EAAE,MAAM,CAAC,OAAO;YAC7B,UAAU,EAAE,MAAM,CAAC,WAAW;SAC/B,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,YAAY;IACZ,8EAA8E;IAE9E,sCAAsC;IACtC,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF"}

package/dist/audit/redaction.d.ts ADDED Viewed

@@ -0,0 +1,110 @@
+/**
+ * PII Redaction Module for Tollgate
+ *
+ * Detects and masks sensitive information in audit logs to comply with
+ * data protection regulations (GDPR, CCPA, SOC2).
+ *
+ * Supported patterns:
+ * - Passwords and secrets
+ * - API keys and tokens
+ * - Credit card numbers
+ * - Social Security Numbers (SSN)
+ * - Email addresses
+ * - Phone numbers
+ * - IP addresses (optional)
+ * - Private keys and certificates
+ *
+ * @example
+ * ```typescript
+ * import { redactPii, createRedactor } from './redaction.js';
+ *
+ * // Quick redaction with defaults
+ * const redacted = redactPii('password=secret123');
+ * // Returns: 'password=[REDACTED]'
+ *
+ * // Custom redactor with options
+ * const redactor = createRedactor({ redactEmails: true, redactIPs: true });
+ * const result = redactor.redact({ email: 'user@example.com' });
+ * ```
+ */
+/**
+ * Configuration options for the PII redactor.
+ */
+export interface RedactionOptions {
+    /** Redact email addresses (default: true) */
+    redactEmails?: boolean;
+    /** Redact IP addresses (default: false - often needed for security) */
+    redactIPs?: boolean;
+    /** Redact phone numbers (default: true) */
+    redactPhones?: boolean;
+    /** Custom patterns to redact */
+    customPatterns?: RegExp[];
+    /** Replacement string (default: '[REDACTED]') */
+    replacement?: string;
+}
+/**
+ * PII Redactor class for detecting and masking sensitive data.
+ */
+export declare class PiiRedactor {
+    private options;
+    private patterns;
+    constructor(options?: RedactionOptions);
+    /**
+     * Builds the list of patterns to apply based on options.
+     */
+    private buildPatternList;
+    /**
+     * Redacts sensitive data from a string.
+     *
+     * @param input - The string to redact
+     * @returns The redacted string
+     */
+    redactString(input: string): string;
+    /**
+     * Redacts sensitive data from an object by converting to JSON and back.
+     *
+     * @param input - The object to redact
+     * @returns The redacted object as a JSON string
+     */
+    redactObject(input: Record<string, unknown>): string;
+    /**
+     * Checks if a string contains potentially sensitive data.
+     *
+     * @param input - The string to check
+     * @returns True if sensitive data was detected
+     */
+    containsSensitiveData(input: string): boolean;
+    /**
+     * Returns the list of pattern names being applied.
+     */
+    getActivePatterns(): string[];
+}
+/**
+ * Creates a new PII redactor with the specified options.
+ *
+ * @param options - Redaction options
+ * @returns A configured PiiRedactor instance
+ */
+export declare function createRedactor(options?: RedactionOptions): PiiRedactor;
+/**
+ * Redacts PII from a string using default settings.
+ *
+ * @param input - The string to redact
+ * @returns The redacted string
+ */
+export declare function redactPii(input: string): string;
+/**
+ * Redacts PII from an object and returns a JSON string.
+ *
+ * @param input - The object to redact
+ * @returns The redacted JSON string
+ */
+export declare function redactPiiFromObject(input: Record<string, unknown>): string;
+/**
+ * Checks if a string contains potentially sensitive data.
+ *
+ * @param input - The string to check
+ * @returns True if sensitive data was detected
+ */
+export declare function containsPii(input: string): boolean;
+//# sourceMappingURL=redaction.d.ts.map

package/dist/audit/redaction.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/audit/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,6CAA6C;IAC7C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,uEAAuE;IACvE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gCAAgC;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAiKD;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,QAAQ,CAAqB;gBAEzB,OAAO,GAAE,gBAAqB;IAK1C;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA4BxB;;;;;OAKG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IA2BnC;;;;;OAKG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAKpD;;;;;OAKG;IACH,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAU7C;;OAEG;IACH,iBAAiB,IAAI,MAAM,EAAE;CAG9B;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,gBAAqB,GAAG,WAAW,CAE1E;AAOD;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAE1E;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD"}