npm - @dotsetlabs/tollgate - Versions diffs - 0.1.0 - Mend

@dotsetlabs/tollgate 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (215) hide show

package/LICENSE +21 -0
package/README.md +885 -0
package/dist/analyzers/filesystem.d.ts +26 -0
package/dist/analyzers/filesystem.d.ts.map +1 -0
package/dist/analyzers/filesystem.js +284 -0
package/dist/analyzers/filesystem.js.map +1 -0
package/dist/analyzers/http.d.ts +90 -0
package/dist/analyzers/http.d.ts.map +1 -0
package/dist/analyzers/http.js +433 -0
package/dist/analyzers/http.js.map +1 -0
package/dist/analyzers/index.d.ts +101 -0
package/dist/analyzers/index.d.ts.map +1 -0
package/dist/analyzers/index.js +342 -0
package/dist/analyzers/index.js.map +1 -0
package/dist/analyzers/loader.d.ts +114 -0
package/dist/analyzers/loader.d.ts.map +1 -0
package/dist/analyzers/loader.js +184 -0
package/dist/analyzers/loader.js.map +1 -0
package/dist/analyzers/prompt-injection.d.ts +95 -0
package/dist/analyzers/prompt-injection.d.ts.map +1 -0
package/dist/analyzers/prompt-injection.js +725 -0
package/dist/analyzers/prompt-injection.js.map +1 -0
package/dist/analyzers/sdk.d.ts +230 -0
package/dist/analyzers/sdk.d.ts.map +1 -0
package/dist/analyzers/sdk.js +283 -0
package/dist/analyzers/sdk.js.map +1 -0
package/dist/analyzers/shell.d.ts +20 -0
package/dist/analyzers/shell.d.ts.map +1 -0
package/dist/analyzers/shell.js +297 -0
package/dist/analyzers/shell.js.map +1 -0
package/dist/analyzers/sql.d.ts +37 -0
package/dist/analyzers/sql.d.ts.map +1 -0
package/dist/analyzers/sql.js +455 -0
package/dist/analyzers/sql.js.map +1 -0
package/dist/analyzers/types.d.ts +117 -0
package/dist/analyzers/types.d.ts.map +1 -0
package/dist/analyzers/types.js +46 -0
package/dist/analyzers/types.js.map +1 -0
package/dist/approval/interactive.d.ts +72 -0
package/dist/approval/interactive.d.ts.map +1 -0
package/dist/approval/interactive.js +550 -0
package/dist/approval/interactive.js.map +1 -0
package/dist/approval/terminal.d.ts +59 -0
package/dist/approval/terminal.d.ts.map +1 -0
package/dist/approval/terminal.js +238 -0
package/dist/approval/terminal.js.map +1 -0
package/dist/approval/types.d.ts +66 -0
package/dist/approval/types.d.ts.map +1 -0
package/dist/approval/types.js +2 -0
package/dist/approval/types.js.map +1 -0
package/dist/audit/exporter.d.ts +138 -0
package/dist/audit/exporter.d.ts.map +1 -0
package/dist/audit/exporter.js +366 -0
package/dist/audit/exporter.js.map +1 -0
package/dist/audit/logger.d.ts +156 -0
package/dist/audit/logger.d.ts.map +1 -0
package/dist/audit/logger.js +406 -0
package/dist/audit/logger.js.map +1 -0
package/dist/audit/redaction.d.ts +110 -0
package/dist/audit/redaction.d.ts.map +1 -0
package/dist/audit/redaction.js +307 -0
package/dist/audit/redaction.js.map +1 -0
package/dist/audit/schema.d.ts +76 -0
package/dist/audit/schema.d.ts.map +1 -0
package/dist/audit/schema.js +122 -0
package/dist/audit/schema.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +34 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +431 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/export.d.ts +18 -0
package/dist/cli/commands/export.d.ts.map +1 -0
package/dist/cli/commands/export.js +63 -0
package/dist/cli/commands/export.js.map +1 -0
package/dist/cli/commands/init.d.ts +12 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +102 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/logs.d.ts +11 -0
package/dist/cli/commands/logs.d.ts.map +1 -0
package/dist/cli/commands/logs.js +60 -0
package/dist/cli/commands/logs.js.map +1 -0
package/dist/cli/commands/scan.d.ts +29 -0
package/dist/cli/commands/scan.d.ts.map +1 -0
package/dist/cli/commands/scan.js +251 -0
package/dist/cli/commands/scan.js.map +1 -0
package/dist/cli/commands/serve.d.ts +26 -0
package/dist/cli/commands/serve.d.ts.map +1 -0
package/dist/cli/commands/serve.js +424 -0
package/dist/cli/commands/serve.js.map +1 -0
package/dist/cli/commands/start.d.ts +20 -0
package/dist/cli/commands/start.d.ts.map +1 -0
package/dist/cli/commands/start.js +82 -0
package/dist/cli/commands/start.js.map +1 -0
package/dist/cli/commands/stats.d.ts +10 -0
package/dist/cli/commands/stats.d.ts.map +1 -0
package/dist/cli/commands/stats.js +42 -0
package/dist/cli/commands/stats.js.map +1 -0
package/dist/cli/commands/templates.d.ts +26 -0
package/dist/cli/commands/templates.d.ts.map +1 -0
package/dist/cli/commands/templates.js +221 -0
package/dist/cli/commands/templates.js.map +1 -0
package/dist/cli/commands/validate.d.ts +12 -0
package/dist/cli/commands/validate.d.ts.map +1 -0
package/dist/cli/commands/validate.js +107 -0
package/dist/cli/commands/validate.js.map +1 -0
package/dist/cli/commands/wrap.d.ts +19 -0
package/dist/cli/commands/wrap.d.ts.map +1 -0
package/dist/cli/commands/wrap.js +59 -0
package/dist/cli/commands/wrap.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +202 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/ui.d.ts +139 -0
package/dist/cli/ui.d.ts.map +1 -0
package/dist/cli/ui.js +271 -0
package/dist/cli/ui.js.map +1 -0
package/dist/constants.d.ts +33 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +54 -0
package/dist/constants.js.map +1 -0
package/dist/errors.d.ts +28 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +37 -0
package/dist/errors.js.map +1 -0
package/dist/index.d.ts +49 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +82 -0
package/dist/index.js.map +1 -0
package/dist/orchestrator/index.d.ts +11 -0
package/dist/orchestrator/index.d.ts.map +1 -0
package/dist/orchestrator/index.js +10 -0
package/dist/orchestrator/index.js.map +1 -0
package/dist/orchestrator/manager.d.ts +127 -0
package/dist/orchestrator/manager.d.ts.map +1 -0
package/dist/orchestrator/manager.js +498 -0
package/dist/orchestrator/manager.js.map +1 -0
package/dist/orchestrator/types.d.ts +141 -0
package/dist/orchestrator/types.d.ts.map +1 -0
package/dist/orchestrator/types.js +9 -0
package/dist/orchestrator/types.js.map +1 -0
package/dist/policy/engine.d.ts +55 -0
package/dist/policy/engine.d.ts.map +1 -0
package/dist/policy/engine.js +288 -0
package/dist/policy/engine.js.map +1 -0
package/dist/policy/natural-language.d.ts +141 -0
package/dist/policy/natural-language.d.ts.map +1 -0
package/dist/policy/natural-language.js +552 -0
package/dist/policy/natural-language.js.map +1 -0
package/dist/policy/parser.d.ts +141 -0
package/dist/policy/parser.d.ts.map +1 -0
package/dist/policy/parser.js +314 -0
package/dist/policy/parser.js.map +1 -0
package/dist/policy/types.d.ts +428 -0
package/dist/policy/types.d.ts.map +1 -0
package/dist/policy/types.js +32 -0
package/dist/policy/types.js.map +1 -0
package/dist/policy/validator.d.ts +72 -0
package/dist/policy/validator.d.ts.map +1 -0
package/dist/policy/validator.js +453 -0
package/dist/policy/validator.js.map +1 -0
package/dist/proxy/bridge.d.ts +84 -0
package/dist/proxy/bridge.d.ts.map +1 -0
package/dist/proxy/bridge.js +217 -0
package/dist/proxy/bridge.js.map +1 -0
package/dist/proxy/client.d.ts +130 -0
package/dist/proxy/client.d.ts.map +1 -0
package/dist/proxy/client.js +290 -0
package/dist/proxy/client.js.map +1 -0
package/dist/proxy/server.d.ts +111 -0
package/dist/proxy/server.d.ts.map +1 -0
package/dist/proxy/server.js +444 -0
package/dist/proxy/server.js.map +1 -0
package/dist/scanner.d.ts +91 -0
package/dist/scanner.d.ts.map +1 -0
package/dist/scanner.js +373 -0
package/dist/scanner.js.map +1 -0
package/dist/session/index.d.ts +32 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +31 -0
package/dist/session/index.js.map +1 -0
package/dist/session/manager.d.ts +166 -0
package/dist/session/manager.d.ts.map +1 -0
package/dist/session/manager.js +454 -0
package/dist/session/manager.js.map +1 -0
package/dist/session/sqlite-store.d.ts +54 -0
package/dist/session/sqlite-store.d.ts.map +1 -0
package/dist/session/sqlite-store.js +209 -0
package/dist/session/sqlite-store.js.map +1 -0
package/dist/session/types.d.ts +179 -0
package/dist/session/types.d.ts.map +1 -0
package/dist/session/types.js +38 -0
package/dist/session/types.js.map +1 -0
package/dist/templates.d.ts +64 -0
package/dist/templates.d.ts.map +1 -0
package/dist/templates.js +451 -0
package/dist/templates.js.map +1 -0
package/dist/utils/config.d.ts +57 -0
package/dist/utils/config.d.ts.map +1 -0
package/dist/utils/config.js +104 -0
package/dist/utils/config.js.map +1 -0
package/dist/utils/errors.d.ts +18 -0
package/dist/utils/errors.d.ts.map +1 -0
package/dist/utils/errors.js +35 -0
package/dist/utils/errors.js.map +1 -0
package/dist/utils/logger.d.ts +144 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +300 -0
package/dist/utils/logger.js.map +1 -0
package/dist/wizard.d.ts +68 -0
package/dist/wizard.d.ts.map +1 -0
package/dist/wizard.js +395 -0
package/dist/wizard.js.map +1 -0
package/package.json +99 -0

package/dist/audit/redaction.js ADDED Viewed

@@ -0,0 +1,307 @@
+/**
+ * PII Redaction Module for Tollgate
+ *
+ * Detects and masks sensitive information in audit logs to comply with
+ * data protection regulations (GDPR, CCPA, SOC2).
+ *
+ * Supported patterns:
+ * - Passwords and secrets
+ * - API keys and tokens
+ * - Credit card numbers
+ * - Social Security Numbers (SSN)
+ * - Email addresses
+ * - Phone numbers
+ * - IP addresses (optional)
+ * - Private keys and certificates
+ *
+ * @example
+ * ```typescript
+ * import { redactPii, createRedactor } from './redaction.js';
+ *
+ * // Quick redaction with defaults
+ * const redacted = redactPii('password=secret123');
+ * // Returns: 'password=[REDACTED]'
+ *
+ * // Custom redactor with options
+ * const redactor = createRedactor({ redactEmails: true, redactIPs: true });
+ * const result = redactor.redact({ email: 'user@example.com' });
+ * ```
+ */
+/**
+ * Default redaction options.
+ */
+const DEFAULT_OPTIONS = {
+    redactEmails: true,
+    redactIPs: false,
+    redactPhones: true,
+    customPatterns: [],
+    replacement: '[REDACTED]',
+};
+/**
+ * Core patterns that are always applied.
+ * Each pattern uses a simple replacement approach for reliability.
+ */
+const CORE_PATTERNS = [
+    // Passwords in various formats (key=value or key: value)
+    {
+        name: 'password_field',
+        pattern: /(["']?password["']?\s*[:=]\s*["']?)([^"'\s,}]+)/gi,
+        description: 'Password field values',
+    },
+    {
+        name: 'passwd_field',
+        pattern: /(["']?passwd["']?\s*[:=]\s*["']?)([^"'\s,}]+)/gi,
+        description: 'Passwd field values',
+    },
+    {
+        name: 'secret_field',
+        pattern: /(["']?secret["']?\s*[:=]\s*["']?)([^"'\s,}]+)/gi,
+        description: 'Secret field values',
+    },
+    // API keys and tokens (key=value or key: value)
+    {
+        name: 'api_key',
+        pattern: /(["']?api[_-]?key["']?\s*[:=]\s*["']?)([A-Za-z0-9_-]{4,})/gi,
+        description: 'API keys',
+    },
+    {
+        name: 'access_token',
+        pattern: /(["']?access[_-]?token["']?\s*[:=]\s*["']?)([A-Za-z0-9_.-]{8,})/gi,
+        description: 'Access tokens',
+    },
+    {
+        name: 'auth_token',
+        pattern: /(["']?auth[_-]?token["']?\s*[:=]\s*["']?)([A-Za-z0-9_.-]{8,})/gi,
+        description: 'Auth tokens',
+    },
+    {
+        name: 'token_field',
+        pattern: /(["']?token["']?\s*[:=]\s*["']?)([A-Za-z0-9_.-]{4,})/gi,
+        description: 'Generic token fields',
+    },
+    {
+        name: 'bearer_token',
+        pattern: /(bearer\s+)([A-Za-z0-9_.-]+)/gi,
+        description: 'Bearer tokens',
+    },
+    {
+        name: 'jwt_token',
+        pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/g,
+        description: 'JWT tokens',
+    },
+    // AWS credentials
+    {
+        name: 'aws_access_key',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        description: 'AWS access key IDs',
+    },
+    {
+        name: 'aws_secret_key',
+        pattern: /(["']?aws[_-]?secret[_-]?(?:access[_-]?)?key["']?\s*[:=]\s*["']?)([A-Za-z0-9/+=]{40})/gi,
+        description: 'AWS secret keys',
+    },
+    // GitHub tokens (ghp_ for PAT, gho_ for OAuth)
+    {
+        name: 'github_token',
+        pattern: /ghp_[A-Za-z0-9]{20,}/g,
+        description: 'GitHub personal access tokens',
+    },
+    {
+        name: 'github_oauth',
+        pattern: /gho_[A-Za-z0-9]{20,}/g,
+        description: 'GitHub OAuth tokens',
+    },
+    // Private keys and certificates
+    {
+        name: 'private_key',
+        pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
+        description: 'Private keys',
+    },
+    {
+        name: 'certificate',
+        pattern: /-----BEGIN\s+CERTIFICATE-----[\s\S]*?-----END\s+CERTIFICATE-----/g,
+        description: 'Certificates',
+    },
+    // Credit card numbers (basic patterns)
+    {
+        name: 'credit_card',
+        pattern: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/g,
+        description: 'Credit card numbers',
+    },
+    // Social Security Numbers
+    {
+        name: 'ssn',
+        pattern: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g,
+        description: 'Social Security Numbers',
+    },
+    // Database connection strings with passwords (preserve structure)
+    {
+        name: 'connection_string',
+        pattern: /(:\/\/[^:]+:)([^@]+)(@)/g,
+        description: 'Database connection string credentials',
+    },
+];
+/**
+ * Optional patterns that can be enabled via configuration.
+ */
+const OPTIONAL_PATTERNS = {
+    email: {
+        name: 'email',
+        pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+        description: 'Email addresses',
+    },
+    ipv4: {
+        name: 'ipv4',
+        pattern: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g,
+        description: 'IPv4 addresses',
+    },
+    ipv6: {
+        name: 'ipv6',
+        pattern: /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b/g,
+        description: 'IPv6 addresses',
+    },
+    phone: {
+        name: 'phone',
+        pattern: /\b(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}\b/g,
+        description: 'Phone numbers',
+    },
+};
+/**
+ * PII Redactor class for detecting and masking sensitive data.
+ */
+export class PiiRedactor {
+    options;
+    patterns;
+    constructor(options = {}) {
+        this.options = { ...DEFAULT_OPTIONS, ...options };
+        this.patterns = this.buildPatternList();
+    }
+    /**
+     * Builds the list of patterns to apply based on options.
+     */
+    buildPatternList() {
+        const patterns = [...CORE_PATTERNS];
+        if (this.options.redactEmails) {
+            patterns.push(OPTIONAL_PATTERNS.email);
+        }
+        if (this.options.redactIPs) {
+            patterns.push(OPTIONAL_PATTERNS.ipv4);
+            patterns.push(OPTIONAL_PATTERNS.ipv6);
+        }
+        if (this.options.redactPhones) {
+            patterns.push(OPTIONAL_PATTERNS.phone);
+        }
+        // Add custom patterns
+        for (const pattern of this.options.customPatterns) {
+            patterns.push({
+                name: 'custom',
+                pattern,
+                description: 'Custom pattern',
+            });
+        }
+        return patterns;
+    }
+    /**
+     * Redacts sensitive data from a string.
+     *
+     * @param input - The string to redact
+     * @returns The redacted string
+     */
+    redactString(input) {
+        let result = input;
+        const replacement = this.options.replacement;
+        for (const { pattern, name } of this.patterns) {
+            // Reset regex state for global patterns
+            pattern.lastIndex = 0;
+            // Handle different pattern types based on their structure
+            if (name === 'connection_string') {
+                // Connection strings: preserve ://user: and @ parts
+                result = result.replace(pattern, `$1${replacement}$3`);
+            }
+            else if (name === 'jwt_token' || name === 'aws_access_key' ||
+                name === 'github_token' || name === 'github_oauth' ||
+                name === 'credit_card' || name === 'ssn' ||
+                name === 'private_key' || name === 'certificate') {
+                // Direct replacement patterns (no capture groups to preserve)
+                result = result.replace(pattern, replacement);
+            }
+            else {
+                // Field patterns: preserve the field name (first capture group)
+                result = result.replace(pattern, `$1${replacement}`);
+            }
+        }
+        return result;
+    }
+    /**
+     * Redacts sensitive data from an object by converting to JSON and back.
+     *
+     * @param input - The object to redact
+     * @returns The redacted object as a JSON string
+     */
+    redactObject(input) {
+        const jsonString = JSON.stringify(input, null, 2);
+        return this.redactString(jsonString);
+    }
+    /**
+     * Checks if a string contains potentially sensitive data.
+     *
+     * @param input - The string to check
+     * @returns True if sensitive data was detected
+     */
+    containsSensitiveData(input) {
+        for (const { pattern } of this.patterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(input)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Returns the list of pattern names being applied.
+     */
+    getActivePatterns() {
+        return this.patterns.map((p) => p.name);
+    }
+}
+/**
+ * Creates a new PII redactor with the specified options.
+ *
+ * @param options - Redaction options
+ * @returns A configured PiiRedactor instance
+ */
+export function createRedactor(options = {}) {
+    return new PiiRedactor(options);
+}
+/**
+ * Default redactor instance for quick usage.
+ */
+const defaultRedactor = new PiiRedactor();
+/**
+ * Redacts PII from a string using default settings.
+ *
+ * @param input - The string to redact
+ * @returns The redacted string
+ */
+export function redactPii(input) {
+    return defaultRedactor.redactString(input);
+}
+/**
+ * Redacts PII from an object and returns a JSON string.
+ *
+ * @param input - The object to redact
+ * @returns The redacted JSON string
+ */
+export function redactPiiFromObject(input) {
+    return defaultRedactor.redactObject(input);
+}
+/**
+ * Checks if a string contains potentially sensitive data.
+ *
+ * @param input - The string to check
+ * @returns True if sensitive data was detected
+ */
+export function containsPii(input) {
+    return defaultRedactor.containsSensitiveData(input);
+}
+//# sourceMappingURL=redaction.js.map

package/dist/audit/redaction.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redaction.js","sourceRoot":"","sources":["../../src/audit/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAkBH;;GAEG;AACH,MAAM,eAAe,GAA+B;IAClD,YAAY,EAAE,IAAI;IAClB,SAAS,EAAE,KAAK;IAChB,YAAY,EAAE,IAAI;IAClB,cAAc,EAAE,EAAE;IAClB,WAAW,EAAE,YAAY;CAC1B,CAAC;AAYF;;;GAGG;AACH,MAAM,aAAa,GAAuB;IACxC,yDAAyD;IACzD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mDAAmD;QAC5D,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,iDAAiD;QAC1D,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,iDAAiD;QAC1D,WAAW,EAAE,qBAAqB;KACnC;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,6DAA6D;QACtE,WAAW,EAAE,UAAU;KACxB;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,mEAAmE;QAC5E,WAAW,EAAE,eAAe;KAC7B;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,iEAAiE;QAC1E,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,wDAAwD;QACjE,WAAW,EAAE,sBAAsB;KACpC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,gCAAgC;QACzC,WAAW,EAAE,eAAe;KAC7B;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uDAAuD;QAChE,WAAW,EAAE,YAAY;KAC1B;IAED,kBAAkB;IAClB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;QAC5B,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yFAAyF;QAClG,WAAW,EAAE,iBAAiB;KAC/B;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,uBAAuB;QAChC,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,uBAAuB;QAChC,WAAW,EAAE,qBAAqB;KACnC;IAED,gCAAgC;IAChC;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,6FAA6F;QACtG,WAAW,EAAE,cAAc;KAC5B;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mEAAmE;QAC5E,WAAW,EAAE,cAAc;KAC5B;IAED,uCAAuC;IACvC;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,6FAA6F;QACtG,WAAW,EAAE,qBAAqB;KACnC;IAED,0BAA0B;IAC1B;QACE,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,kCAAkC;QAC3C,WAAW,EAAE,yBAAyB;KACvC;IAED,kEAAkE;IAClE;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,WAAW,EAAE,wCAAwC;KACtD;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,iBAAiB,GAAqC;IAC1D,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,sDAAsD;QAC/D,WAAW,EAAE,iBAAiB;KAC/B;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,gGAAgG;QACzG,WAAW,EAAE,gBAAgB;KAC9B;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,+CAA+C;QACxD,WAAW,EAAE,gBAAgB;KAC9B;IACD,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,mEAAmE;QAC5E,WAAW,EAAE,eAAe;KAC7B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,OAAO,CAA6B;IACpC,QAAQ,CAAqB;IAErC,YAAY,UAA4B,EAAE;QACxC,IAAI,CAAC,OAAO,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,gBAAgB;QACtB,MAAM,QAAQ,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC;QAEpC,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAM,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAC3B,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAK,CAAC,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAK,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAM,CAAC,CAAC;QAC1C,CAAC;QAED,sBAAsB;QACtB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAClD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,WAAW,EAAE,gBAAgB;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACH,YAAY,CAAC,KAAa;QACxB,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;QAE7C,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9C,wCAAwC;YACxC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAEtB,0DAA0D;YAC1D,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACjC,oDAAoD;gBACpD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,WAAW,IAAI,CAAC,CAAC;YACzD,CAAC;iBAAM,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,gBAAgB;gBACjD,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,cAAc;gBAClD,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,KAAK;gBACxC,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC5D,8DAA8D;gBAC9D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,gEAAgE;gBAChE,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,WAAW,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;OAKG;IACH,YAAY,CAAC,KAA8B;QACzC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAED;;;;;OAKG;IACH,qBAAqB,CAAC,KAAa;QACjC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,UAA4B,EAAE;IAC3D,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,eAAe,GAAG,IAAI,WAAW,EAAE,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAA8B;IAChE,OAAO,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,OAAO,eAAe,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;AACtD,CAAC"}

package/dist/audit/schema.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Audit database schema for Tollgate
+ *
+ * Two main tables:
+ * - tool_calls: Records every tool invocation with policy and approval decisions
+ * - session_grants: Records session-based approval grants
+ *
+ * Schema version 2 adds:
+ * - Enhanced compliance fields (risk_level, analyzer, policy_reason)
+ * - PII redaction support (args_redacted)
+ * - Correlation and context tracking (correlation_id, client_id)
+ */
+/** Current schema version for migrations */
+export declare const SCHEMA_VERSION = 2;
+export declare const AUDIT_SCHEMA = "\n-- Schema version tracking\nCREATE TABLE IF NOT EXISTS schema_version (\n  version INTEGER PRIMARY KEY,\n  applied_at DATETIME DEFAULT CURRENT_TIMESTAMP\n);\n\n-- Tool calls table: records every tool invocation\nCREATE TABLE IF NOT EXISTS tool_calls (\n  id TEXT PRIMARY KEY,\n  timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,\n  server TEXT NOT NULL,\n  tool TEXT NOT NULL,\n  args TEXT,\n  -- PII-redacted version of args for compliance\n  args_redacted TEXT,\n  policy_decision TEXT NOT NULL,\n  policy_rule TEXT,\n  -- Reason for the policy decision (for deny/prompt)\n  policy_reason TEXT,\n  -- Smart analysis metadata\n  analyzer TEXT,\n  risk_level TEXT,\n  user_decision TEXT,\n  result TEXT,\n  error_message TEXT,\n  duration_ms INTEGER,\n  -- Session grant that authorized this call (if any)\n  session_grant_id TEXT,\n  -- Correlation ID for linking related events\n  correlation_id TEXT,\n  -- Client identifier (for multi-client scenarios)\n  client_id TEXT,\n  FOREIGN KEY (session_grant_id) REFERENCES session_grants(id)\n);\n\nCREATE INDEX IF NOT EXISTS idx_tool_calls_timestamp ON tool_calls(timestamp);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_server_tool ON tool_calls(server, tool);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_policy_decision ON tool_calls(policy_decision);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_session_grant ON tool_calls(session_grant_id);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_risk_level ON tool_calls(risk_level);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_correlation ON tool_calls(correlation_id);\n\n-- Session grants table: records time-bounded approval grants\nCREATE TABLE IF NOT EXISTS session_grants (\n  id TEXT PRIMARY KEY,\n  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n  expires_at DATETIME,\n  server TEXT NOT NULL,\n  scope TEXT NOT NULL,\n  scope_value TEXT,\n  tool TEXT,\n  granted_by TEXT NOT NULL,\n  original_request_id TEXT,\n  usage_count INTEGER DEFAULT 0,\n  revoked_at DATETIME,\n  revoked_by TEXT\n);\n\nCREATE INDEX IF NOT EXISTS idx_session_grants_server ON session_grants(server);\nCREATE INDEX IF NOT EXISTS idx_session_grants_expires ON session_grants(expires_at);\nCREATE INDEX IF NOT EXISTS idx_session_grants_active ON session_grants(server, expires_at) WHERE revoked_at IS NULL;\n";
+/**
+ * Migration from version 1 to version 2.
+ * Adds compliance fields for enhanced audit logging.
+ */
+export declare const MIGRATION_V2 = "\n-- Add new columns for compliance (SQLite requires separate ALTER statements)\nALTER TABLE tool_calls ADD COLUMN args_redacted TEXT;\nALTER TABLE tool_calls ADD COLUMN policy_reason TEXT;\nALTER TABLE tool_calls ADD COLUMN analyzer TEXT;\nALTER TABLE tool_calls ADD COLUMN risk_level TEXT;\nALTER TABLE tool_calls ADD COLUMN correlation_id TEXT;\nALTER TABLE tool_calls ADD COLUMN client_id TEXT;\n\n-- Add new indexes\nCREATE INDEX IF NOT EXISTS idx_tool_calls_risk_level ON tool_calls(risk_level);\nCREATE INDEX IF NOT EXISTS idx_tool_calls_correlation ON tool_calls(correlation_id);\n";
+/**
+ * Migration to add session support to existing databases.
+ * Run this on upgrade from pre-session versions.
+ */
+export declare const SESSION_MIGRATION = "\n-- Add session_grant_id column if it doesn't exist\nALTER TABLE tool_calls ADD COLUMN session_grant_id TEXT REFERENCES session_grants(id);\n\n-- Create session_grants table if it doesn't exist\nCREATE TABLE IF NOT EXISTS session_grants (\n  id TEXT PRIMARY KEY,\n  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n  expires_at DATETIME,\n  server TEXT NOT NULL,\n  scope TEXT NOT NULL,\n  scope_value TEXT,\n  tool TEXT,\n  granted_by TEXT NOT NULL,\n  original_request_id TEXT,\n  usage_count INTEGER DEFAULT 0,\n  revoked_at DATETIME,\n  revoked_by TEXT\n);\n\nCREATE INDEX IF NOT EXISTS idx_session_grants_server ON session_grants(server);\nCREATE INDEX IF NOT EXISTS idx_session_grants_expires ON session_grants(expires_at);\n";
+/** Risk level classification for audit records */
+export type RiskLevel = 'safe' | 'read' | 'write' | 'destructive' | 'dangerous';
+/**
+ * Record of a tool call in the audit log.
+ */
+export interface AuditRecord {
+    id: string;
+    timestamp: Date;
+    server: string;
+    tool: string;
+    /** Original arguments (may contain sensitive data) */
+    args: Record<string, unknown>;
+    /** PII-redacted version of args for compliance reporting */
+    argsRedacted?: string;
+    policyDecision: 'allow' | 'deny' | 'prompt';
+    policyRule?: string;
+    /** Reason for the policy decision */
+    policyReason?: string;
+    /** Analyzer used for smart decisions */
+    analyzer?: string;
+    /** Risk level from smart analysis */
+    riskLevel?: RiskLevel;
+    userDecision?: 'approved' | 'denied' | 'timeout' | null;
+    result?: 'success' | 'error';
+    errorMessage?: string;
+    durationMs?: number;
+    /** ID of the session grant that authorized this call */
+    sessionGrantId?: string;
+    /** Correlation ID for linking related events */
+    correlationId?: string;
+    /** Client identifier */
+    clientId?: string;
+}
+/**
+ * Record of a session grant in the audit log.
+ */
+export interface SessionGrantRecord {
+    id: string;
+    createdAt: Date;
+    expiresAt: Date | null;
+    server: string;
+    scope: 'exact' | 'tool' | 'server' | 'pattern';
+    scopeValue?: string;
+    tool?: string;
+    grantedBy: 'terminal' | 'webhook' | 'api';
+    originalRequestId?: string;
+    usageCount: number;
+    revokedAt?: Date;
+    revokedBy?: string;
+}
+//# sourceMappingURL=schema.d.ts.map

package/dist/audit/schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/audit/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,4CAA4C;AAC5C,eAAO,MAAM,cAAc,IAAI,CAAC;AAEhC,eAAO,MAAM,YAAY,uuEA8DxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,YAAY,klBAYxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB,guBAsB7B,CAAC;AAEF,kDAAkD;AAClD,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,aAAa,GAAG,WAAW,CAAC;AAEhF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,YAAY,CAAC,EAAE,UAAU,GAAG,QAAQ,GAAG,SAAS,GAAG,IAAI,CAAC;IACxD,MAAM,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,UAAU,GAAG,SAAS,GAAG,KAAK,CAAC;IAC1C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/dist/audit/schema.js ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * Audit database schema for Tollgate
+ *
+ * Two main tables:
+ * - tool_calls: Records every tool invocation with policy and approval decisions
+ * - session_grants: Records session-based approval grants
+ *
+ * Schema version 2 adds:
+ * - Enhanced compliance fields (risk_level, analyzer, policy_reason)
+ * - PII redaction support (args_redacted)
+ * - Correlation and context tracking (correlation_id, client_id)
+ */
+/** Current schema version for migrations */
+export const SCHEMA_VERSION = 2;
+export const AUDIT_SCHEMA = `
+-- Schema version tracking
+CREATE TABLE IF NOT EXISTS schema_version (
+  version INTEGER PRIMARY KEY,
+  applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+-- Tool calls table: records every tool invocation
+CREATE TABLE IF NOT EXISTS tool_calls (
+  id TEXT PRIMARY KEY,
+  timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,
+  server TEXT NOT NULL,
+  tool TEXT NOT NULL,
+  args TEXT,
+  -- PII-redacted version of args for compliance
+  args_redacted TEXT,
+  policy_decision TEXT NOT NULL,
+  policy_rule TEXT,
+  -- Reason for the policy decision (for deny/prompt)
+  policy_reason TEXT,
+  -- Smart analysis metadata
+  analyzer TEXT,
+  risk_level TEXT,
+  user_decision TEXT,
+  result TEXT,
+  error_message TEXT,
+  duration_ms INTEGER,
+  -- Session grant that authorized this call (if any)
+  session_grant_id TEXT,
+  -- Correlation ID for linking related events
+  correlation_id TEXT,
+  -- Client identifier (for multi-client scenarios)
+  client_id TEXT,
+  FOREIGN KEY (session_grant_id) REFERENCES session_grants(id)
+);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_timestamp ON tool_calls(timestamp);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_server_tool ON tool_calls(server, tool);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_policy_decision ON tool_calls(policy_decision);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_session_grant ON tool_calls(session_grant_id);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_risk_level ON tool_calls(risk_level);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_correlation ON tool_calls(correlation_id);
+-- Session grants table: records time-bounded approval grants
+CREATE TABLE IF NOT EXISTS session_grants (
+  id TEXT PRIMARY KEY,
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  expires_at DATETIME,
+  server TEXT NOT NULL,
+  scope TEXT NOT NULL,
+  scope_value TEXT,
+  tool TEXT,
+  granted_by TEXT NOT NULL,
+  original_request_id TEXT,
+  usage_count INTEGER DEFAULT 0,
+  revoked_at DATETIME,
+  revoked_by TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_session_grants_server ON session_grants(server);
+CREATE INDEX IF NOT EXISTS idx_session_grants_expires ON session_grants(expires_at);
+CREATE INDEX IF NOT EXISTS idx_session_grants_active ON session_grants(server, expires_at) WHERE revoked_at IS NULL;
+`;
+/**
+ * Migration from version 1 to version 2.
+ * Adds compliance fields for enhanced audit logging.
+ */
+export const MIGRATION_V2 = `
+-- Add new columns for compliance (SQLite requires separate ALTER statements)
+ALTER TABLE tool_calls ADD COLUMN args_redacted TEXT;
+ALTER TABLE tool_calls ADD COLUMN policy_reason TEXT;
+ALTER TABLE tool_calls ADD COLUMN analyzer TEXT;
+ALTER TABLE tool_calls ADD COLUMN risk_level TEXT;
+ALTER TABLE tool_calls ADD COLUMN correlation_id TEXT;
+ALTER TABLE tool_calls ADD COLUMN client_id TEXT;
+-- Add new indexes
+CREATE INDEX IF NOT EXISTS idx_tool_calls_risk_level ON tool_calls(risk_level);
+CREATE INDEX IF NOT EXISTS idx_tool_calls_correlation ON tool_calls(correlation_id);
+`;
+/**
+ * Migration to add session support to existing databases.
+ * Run this on upgrade from pre-session versions.
+ */
+export const SESSION_MIGRATION = `
+-- Add session_grant_id column if it doesn't exist
+ALTER TABLE tool_calls ADD COLUMN session_grant_id TEXT REFERENCES session_grants(id);
+-- Create session_grants table if it doesn't exist
+CREATE TABLE IF NOT EXISTS session_grants (
+  id TEXT PRIMARY KEY,
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  expires_at DATETIME,
+  server TEXT NOT NULL,
+  scope TEXT NOT NULL,
+  scope_value TEXT,
+  tool TEXT,
+  granted_by TEXT NOT NULL,
+  original_request_id TEXT,
+  usage_count INTEGER DEFAULT 0,
+  revoked_at DATETIME,
+  revoked_by TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_session_grants_server ON session_grants(server);
+CREATE INDEX IF NOT EXISTS idx_session_grants_expires ON session_grants(expires_at);
+`;
+//# sourceMappingURL=schema.js.map

package/dist/audit/schema.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/audit/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,4CAA4C;AAC5C,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC;AAEhC,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8D3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;CAY3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;CAsBhC,CAAC"}

package/dist/cli/commands/doctor.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Tollgate Doctor Command
+ *
+ * Diagnostic command to verify configuration and environment before running.
+ * Checks configuration validity, environment variables, and system resources.
+ *
+ * Usage:
+ *   tollgate doctor                 - Run all diagnostics
+ *   tollgate doctor --config path   - Check specific config file
+ *   tollgate doctor --server name   - Check specific server only
+ */
+export interface DoctorOptions {
+    config?: string;
+    server?: string;
+    json?: boolean;
+    fix?: boolean;
+}
+export interface DiagnosticResult {
+    name: string;
+    status: 'pass' | 'warn' | 'fail';
+    message: string;
+    details?: string;
+    fixable?: boolean;
+}
+export interface DoctorReport {
+    timestamp: string;
+    configPath: string;
+    passed: number;
+    warnings: number;
+    failed: number;
+    results: DiagnosticResult[];
+}
+export declare function runDoctor(options: DoctorOptions): Promise<void>;
+//# sourceMappingURL=doctor.d.ts.map

package/dist/cli/commands/doctor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAiBH,MAAM,WAAW,aAAa;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,GAAG,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC/B;AAwVD,wBAAsB,SAAS,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAwDrE"}