@dotsetlabs/tollgate 0.1.0

package/dist/session/manager.js

@@ -0,0 +1,454 @@
+/**
+ * Session Manager for Tollgate
+ *
+ * Manages session-based approvals, allowing users to grant time-bounded
+ * permissions that reduce approval fatigue while maintaining security.
+ *
+ * @example
+ * ```typescript
+ * const manager = new SessionManager();
+ *
+ * // Create a grant when user approves with session option
+ * const grant = manager.createGrant({
+ *   context: { server: 'postgres', tool: 'query', args: {}, timestamp: new Date() },
+ *   scope: 'tool',
+ *   duration: '5min',
+ *   grantedBy: 'terminal',
+ * });
+ *
+ * // Check if a future call is covered
+ * const result = manager.checkGrant({
+ *   server: 'postgres',
+ *   tool: 'query',
+ *   args: { sql: 'SELECT * FROM users' },
+ *   timestamp: new Date(),
+ * });
+ *
+ * if (result.granted) {
+ *   // Skip prompting, forward directly
+ * }
+ * ```
+ */
+import { minimatch } from 'minimatch';
+import { v4 as uuidv4 } from 'uuid';
+import { sessionLogger as logger } from '../utils/logger.js';
+import { durationToTtlSeconds } from './types.js';
+/**
+ * Simple async mutex for thread-safety in async operations.
+ * Ensures only one operation can modify grants at a time.
+ */
+class AsyncMutex {
+    locked = false;
+    queue = [];
+    async acquire() {
+        if (!this.locked) {
+            this.locked = true;
+            return;
+        }
+        return new Promise((resolve) => {
+            this.queue.push(resolve);
+        });
+    }
+    release() {
+        const next = this.queue.shift();
+        if (next) {
+            next();
+        }
+        else {
+            this.locked = false;
+        }
+    }
+}
+/**
+ * In-memory session store implementation.
+ *
+ * Grants are stored in memory and lost on restart.
+ * For persistence, use SqliteSessionStore (see session/sqlite-store.ts).
+ */
+export class InMemorySessionStore {
+    grants = new Map();
+    set(grant) {
+        this.grants.set(grant.id, grant);
+    }
+    get(id) {
+        return this.grants.get(id);
+    }
+    findMatching(context) {
+        const now = new Date();
+        const matches = [];
+        for (const grant of this.grants.values()) {
+            // Skip expired grants
+            if (grant.expiresAt && grant.expiresAt < now) {
+                continue;
+            }
+            // Must match server
+            if (grant.server !== context.server) {
+                continue;
+            }
+            matches.push(grant);
+        }
+        return matches;
+    }
+    delete(id) {
+        return this.grants.delete(id);
+    }
+    pruneExpired() {
+        const now = new Date();
+        let pruned = 0;
+        for (const [id, grant] of this.grants) {
+            if (grant.expiresAt && grant.expiresAt < now) {
+                this.grants.delete(id);
+                pruned++;
+            }
+        }
+        return pruned;
+    }
+    getAll() {
+        return Array.from(this.grants.values());
+    }
+    clear() {
+        this.grants.clear();
+    }
+    getStats() {
+        const now = new Date();
+        const fiveMinutesFromNow = new Date(now.getTime() + 5 * 60 * 1000);
+        const stats = {
+            activeGrants: 0,
+            grantsByScope: { exact: 0, tool: 0, server: 0, pattern: 0 },
+            totalUsage: 0,
+            expiringSoon: 0,
+        };
+        for (const grant of this.grants.values()) {
+            // Skip expired
+            if (grant.expiresAt && grant.expiresAt < now) {
+                continue;
+            }
+            stats.activeGrants++;
+            stats.grantsByScope[grant.scope]++;
+            stats.totalUsage += grant.usageCount;
+            if (grant.expiresAt && grant.expiresAt < fiveMinutesFromNow) {
+                stats.expiringSoon++;
+            }
+        }
+        return stats;
+    }
+}
+/**
+ * SessionManager handles creation, checking, and lifecycle of session grants.
+ *
+ * Thread-safe and designed for concurrent access from the proxy server.
+ */
+export class SessionManager {
+    store;
+    pruneInterval = null;
+    mutex = new AsyncMutex();
+    /**
+     * Request deduplication cache to prevent double-counting for the same request.
+     * Maps requestId -> grantId for recently processed requests.
+     * Entries are cleared after 5 seconds to prevent memory leaks.
+     */
+    recentRequests = new Map();
+    REQUEST_CACHE_TTL_MS = 5000;
+    /**
+     * Creates a new SessionManager.
+     *
+     * @param store - Session store backend (defaults to in-memory)
+     * @param autoPrune - Whether to automatically prune expired grants (default: true)
+     * @param pruneIntervalMs - How often to prune (default: 60 seconds)
+     */
+    constructor(store, autoPrune = true, pruneIntervalMs = 60_000) {
+        this.store = store ?? new InMemorySessionStore();
+        if (autoPrune) {
+            this.pruneInterval = setInterval(() => {
+                try {
+                    this.store.pruneExpired();
+                    this.pruneRecentRequests();
+                }
+                catch (error) {
+                    // Log prune errors but don't crash
+                    logger.error('Prune error', {
+                        error: error instanceof Error ? error.message : String(error),
+                    });
+                }
+            }, pruneIntervalMs);
+            // Don't keep the process alive just for pruning
+            this.pruneInterval.unref();
+        }
+    }
+    /**
+     * Clean up old entries from the request deduplication cache.
+     */
+    pruneRecentRequests() {
+        const now = Date.now();
+        for (const [requestId, entry] of this.recentRequests) {
+            if (now - entry.timestamp > this.REQUEST_CACHE_TTL_MS) {
+                this.recentRequests.delete(requestId);
+            }
+        }
+    }
+    /**
+     * Creates a new session grant based on an approved tool call.
+     *
+     * @param input - Grant creation parameters
+     * @returns The created grant
+     *
+     * @example
+     * ```typescript
+     * const grant = manager.createGrant({
+     *   context: { server: 'postgres', tool: 'query', args: {}, timestamp: new Date() },
+     *   scope: 'tool',
+     *   duration: '5min',
+     *   grantedBy: 'terminal',
+     * });
+     * ```
+     */
+    createGrant(input) {
+        const { context, scope, duration, grantedBy, pattern, originalRequestId } = input;
+        const ttlSeconds = durationToTtlSeconds(duration);
+        const now = new Date();
+        // Calculate expiry
+        let expiresAt = null;
+        if (ttlSeconds > 0) {
+            expiresAt = new Date(now.getTime() + ttlSeconds * 1000);
+        }
+        else if (ttlSeconds === 0) {
+            // 'once' - grant expires immediately (used for audit only)
+            expiresAt = now;
+        }
+        // ttlSeconds === -1 means 'session' - no expiry
+        // Build scope value
+        let scopeValue;
+        let tool;
+        switch (scope) {
+            case 'exact':
+                scopeValue = JSON.stringify(context.args);
+                tool = context.tool;
+                break;
+            case 'tool':
+                tool = context.tool;
+                break;
+            case 'pattern':
+                scopeValue = pattern;
+                break;
+            case 'server':
+                // No additional value needed
+                break;
+        }
+        const grant = {
+            id: uuidv4(),
+            createdAt: now,
+            expiresAt,
+            server: context.server,
+            scope,
+            scopeValue,
+            tool,
+            grantedBy,
+            usageCount: 0,
+            originalRequestId,
+        };
+        this.store.set(grant);
+        return grant;
+    }
+    /**
+     * Checks if a tool call is covered by an existing session grant.
+     *
+     * Returns the most specific matching grant if multiple exist.
+     * Order of specificity: exact > tool > pattern > server
+     *
+     * @param context - The tool call to check
+     * @param requestId - Optional request ID for deduplication (prevents double-counting on retry)
+     * @returns Check result with grant details if matched
+     *
+     * @example
+     * ```typescript
+     * const result = manager.checkGrant({
+     *   server: 'postgres',
+     *   tool: 'query',
+     *   args: { sql: 'SELECT * FROM users' },
+     *   timestamp: new Date(),
+     * }, 'req-123');
+     *
+     * if (result.granted) {
+     *   console.log(`Authorized by session grant ${result.grant.id}`);
+     * }
+     * ```
+     */
+    checkGrant(context, requestId) {
+        // Check deduplication cache first - if this request was already processed,
+        // return the cached grant without incrementing usage count again
+        if (requestId) {
+            const cached = this.recentRequests.get(requestId);
+            if (cached) {
+                const grant = this.store.get(cached.grantId);
+                if (grant && (!grant.expiresAt || grant.expiresAt > new Date())) {
+                    logger.debug('Returning cached grant for duplicate request', { requestId, grantId: cached.grantId });
+                    return { granted: true, grant };
+                }
+                // Cached grant expired or deleted - remove from cache
+                this.recentRequests.delete(requestId);
+            }
+        }
+        const candidates = this.store.findMatching(context);
+        if (candidates.length === 0) {
+            return { granted: false, reason: 'no_grant' };
+        }
+        // Find the best matching grant (most specific first)
+        const scopePriority = {
+            exact: 4,
+            tool: 3,
+            pattern: 2,
+            server: 1,
+        };
+        // Sort by specificity (highest first)
+        const sorted = candidates.sort((a, b) => scopePriority[b.scope] - scopePriority[a.scope]);
+        for (const grant of sorted) {
+            if (this.grantMatchesContext(grant, context)) {
+                // Re-validate expiry right before granting to prevent race condition
+                // where grant expires between initial check and use
+                const now = new Date();
+                if (grant.expiresAt && grant.expiresAt <= now) {
+                    // Grant expired during processing - skip it
+                    continue;
+                }
+                // Increment usage count and persist the update
+                const updatedGrant = { ...grant, usageCount: grant.usageCount + 1 };
+                this.store.set(updatedGrant);
+                // Cache the request ID to prevent double-counting on retry
+                if (requestId) {
+                    this.recentRequests.set(requestId, { grantId: grant.id, timestamp: Date.now() });
+                }
+                return { granted: true, grant: updatedGrant };
+            }
+        }
+        return { granted: false, reason: 'scope_mismatch' };
+    }
+    /**
+     * Checks if a specific grant matches a tool call context.
+     */
+    grantMatchesContext(grant, context) {
+        // Server must always match (already filtered in findMatching)
+        if (grant.server !== context.server) {
+            return false;
+        }
+        switch (grant.scope) {
+            case 'exact':
+                // Must match tool AND args exactly
+                return (grant.tool === context.tool &&
+                    grant.scopeValue === JSON.stringify(context.args));
+            case 'tool':
+                // Must match tool name
+                return grant.tool === context.tool;
+            case 'pattern':
+                // Must match glob pattern
+                if (!grant.scopeValue)
+                    return false;
+                return minimatch(context.tool, grant.scopeValue);
+            case 'server':
+                // Server already matches, any tool is covered
+                return true;
+        }
+    }
+    /**
+     * Revokes a session grant by ID.
+     *
+     * @param id - Grant ID to revoke
+     * @returns true if grant was found and revoked
+     */
+    revokeGrant(id) {
+        return this.store.delete(id);
+    }
+    /**
+     * Revokes all grants for a specific server.
+     *
+     * @param server - Server name
+     * @returns Number of grants revoked
+     */
+    revokeByServer(server) {
+        const grants = this.store.getAll().filter((g) => g.server === server);
+        let revoked = 0;
+        for (const grant of grants) {
+            if (this.store.delete(grant.id)) {
+                revoked++;
+            }
+        }
+        return revoked;
+    }
+    /**
+     * Revokes all session grants.
+     */
+    revokeAll() {
+        this.store.clear();
+    }
+    /**
+     * Gets all active (non-expired) grants.
+     */
+    getActiveGrants() {
+        const now = new Date();
+        return this.store.getAll().filter((g) => !g.expiresAt || g.expiresAt > now);
+    }
+    /**
+     * Gets session statistics.
+     */
+    getStats() {
+        return this.store.getStats();
+    }
+    /**
+     * Manually trigger expired grant cleanup.
+     *
+     * @returns Number of grants pruned
+     */
+    pruneExpired() {
+        return this.store.pruneExpired();
+    }
+    /**
+     * Formats a grant for display in terminal or logs.
+     */
+    formatGrant(grant) {
+        const parts = [];
+        // Server and scope
+        parts.push(`${grant.server}`);
+        switch (grant.scope) {
+            case 'exact':
+                parts.push(`:${grant.tool}[exact]`);
+                break;
+            case 'tool':
+                parts.push(`:${grant.tool}`);
+                break;
+            case 'pattern':
+                parts.push(`:${grant.scopeValue}`);
+                break;
+            case 'server':
+                parts.push(':*');
+                break;
+        }
+        // Expiry
+        if (grant.expiresAt) {
+            const remaining = grant.expiresAt.getTime() - Date.now();
+            if (remaining > 0) {
+                const minutes = Math.ceil(remaining / 60000);
+                parts.push(` (${minutes}m remaining)`);
+            }
+            else {
+                parts.push(' (expired)');
+            }
+        }
+        else {
+            parts.push(' (session)');
+        }
+        // Usage
+        if (grant.usageCount > 0) {
+            parts.push(` [used ${grant.usageCount}x]`);
+        }
+        return parts.join('');
+    }
+    /**
+     * Cleans up resources. Call when shutting down.
+     */
+    close() {
+        if (this.pruneInterval) {
+            clearInterval(this.pruneInterval);
+            this.pruneInterval = null;
+        }
+    }
+}
+//# sourceMappingURL=manager.js.map

package/dist/session/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/session/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,aAAa,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAS7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAElD;;;GAGG;AACH,MAAM,UAAU;IACN,MAAM,GAAG,KAAK,CAAC;IACf,KAAK,GAAsB,EAAE,CAAC;IAEtC,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,OAAO;QACT,CAAC;QAED,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YACnC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAChC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,EAAE,CAAC;QACT,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,oBAAoB;IACvB,MAAM,GAA8B,IAAI,GAAG,EAAE,CAAC;IAEtD,GAAG,CAAC,KAAmB;QACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,GAAG,CAAC,EAAU;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC;IAED,YAAY,CAAC,OAAwB;QACnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;YACzC,sBAAsB;YACtB,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC7C,SAAS;YACX,CAAC;YAED,oBAAoB;YACpB,IAAI,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;gBACpC,SAAS;YACX,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,EAAU;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,YAAY;QACV,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACtC,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC7C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACvB,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,QAAQ;QACN,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,kBAAkB,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAiB;YAC1B,YAAY,EAAE,CAAC;YACf,aAAa,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;YAC3D,UAAU,EAAE,CAAC;YACb,YAAY,EAAE,CAAC;SAChB,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;YACzC,eAAe;YACf,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC7C,SAAS;YACX,CAAC;YAED,KAAK,CAAC,YAAY,EAAE,CAAC;YACrB,KAAK,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC;YAErC,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,kBAAkB,EAAE,CAAC;gBAC5D,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,cAAc;IACR,KAAK,CAAe;IAC7B,aAAa,GAA0C,IAAI,CAAC;IACnD,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;IAC1C;;;;OAIG;IACc,cAAc,GAAG,IAAI,GAAG,EAAkD,CAAC;IAC3E,oBAAoB,GAAG,IAAI,CAAC;IAE7C;;;;;;OAMG;IACH,YACE,KAAoB,EACpB,YAAqB,IAAI,EACzB,kBAA0B,MAAM;QAEhC,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,IAAI,oBAAoB,EAAE,CAAC;QAEjD,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE;gBACpC,IAAI,CAAC;oBACH,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;oBAC1B,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBAC7B,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,mCAAmC;oBACnC,MAAM,CAAC,KAAK,CAAC,aAAa,EAAE;wBAC1B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;qBAC9D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,EAAE,eAAe,CAAC,CAAC;YAEpB,gDAAgD;YAChD,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACrD,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBACtD,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,WAAW,CAAC,KAA8B;QACxC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,KAAK,CAAC;QAElF,MAAM,UAAU,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,mBAAmB;QACnB,IAAI,SAAS,GAAgB,IAAI,CAAC;QAClC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC;QAC1D,CAAC;aAAM,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,2DAA2D;YAC3D,SAAS,GAAG,GAAG,CAAC;QAClB,CAAC;QACD,gDAAgD;QAEhD,oBAAoB;QACpB,IAAI,UAA8B,CAAC;QACnC,IAAI,IAAwB,CAAC;QAE7B,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,OAAO;gBACV,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;gBACpB,MAAM;YACR,KAAK,MAAM;gBACT,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;gBACpB,MAAM;YACR,KAAK,SAAS;gBACZ,UAAU,GAAG,OAAO,CAAC;gBACrB,MAAM;YACR,KAAK,QAAQ;gBACX,6BAA6B;gBAC7B,MAAM;QACV,CAAC;QAED,MAAM,KAAK,GAAiB;YAC1B,EAAE,EAAE,MAAM,EAAE;YACZ,SAAS,EAAE,GAAG;YACd,SAAS;YACT,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK;YACL,UAAU;YACV,IAAI;YACJ,SAAS;YACT,UAAU,EAAE,CAAC;YACb,iBAAiB;SAClB,CAAC;QAEF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,UAAU,CAAC,OAAwB,EAAE,SAAkB;QACrD,2EAA2E;QAC3E,iEAAiE;QACjE,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC7C,IAAI,KAAK,IAAI,CAAC,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;oBAChE,MAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;oBACrG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;gBAClC,CAAC;gBACD,sDAAsD;gBACtD,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEpD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QAChD,CAAC;QAED,qDAAqD;QACrD,MAAM,aAAa,GAAiC;YAClD,KAAK,EAAE,CAAC;YACR,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,CAAC;YACV,MAAM,EAAE,CAAC;SACV,CAAC;QAEF,sCAAsC;QACtC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAC1D,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC7C,qEAAqE;gBACrE,oDAAoD;gBACpD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;oBAC9C,4CAA4C;oBAC5C,SAAS;gBACX,CAAC;gBAED,+CAA+C;gBAC/C,MAAM,YAAY,GAAG,EAAE,GAAG,KAAK,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;gBACpE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;gBAE7B,2DAA2D;gBAC3D,IAAI,SAAS,EAAE,CAAC;oBACd,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBACnF,CAAC;gBAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;YAChD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,mBAAmB,CACzB,KAAmB,EACnB,OAAwB;QAExB,8DAA8D;QAC9D,IAAI,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;YACpC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;YACpB,KAAK,OAAO;gBACV,mCAAmC;gBACnC,OAAO,CACL,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI;oBAC3B,KAAK,CAAC,UAAU,KAAK,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAClD,CAAC;YAEJ,KAAK,MAAM;gBACT,uBAAuB;gBACvB,OAAO,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC;YAErC,KAAK,SAAS;gBACZ,0BAA0B;gBAC1B,IAAI,CAAC,KAAK,CAAC,UAAU;oBAAE,OAAO,KAAK,CAAC;gBACpC,OAAO,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;YAEnD,KAAK,QAAQ;gBACX,8CAA8C;gBAC9C,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,EAAU;QACpB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,MAAc;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;QACtE,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,SAAS;QACP,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,MAAM,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CACzC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC/B,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,KAAmB;QAC7B,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,mBAAmB;QACnB,KAAK,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9B,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;YACpB,KAAK,OAAO;gBACV,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,SAAS,CAAC,CAAC;gBACpC,MAAM;YACR,KAAK,MAAM;gBACT,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7B,MAAM;YACR,KAAK,SAAS;gBACZ,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;gBACnC,MAAM;YACR,KAAK,QAAQ;gBACX,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjB,MAAM;QACV,CAAC;QAED,SAAS;QACT,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACzD,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC;gBAC7C,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,cAAc,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3B,CAAC;QAED,QAAQ;QACR,IAAI,KAAK,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,UAAU,KAAK,CAAC,UAAU,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;IACH,CAAC;CACF"}

package/dist/session/sqlite-store.d.ts

@@ -0,0 +1,54 @@
+/**
+ * SQLite-backed Session Store for Tollgate
+ *
+ * Provides persistent session storage that survives process restarts.
+ * Uses the same database as the audit logger for consistency.
+ *
+ * @example
+ * ```typescript
+ * import { SqliteSessionStore } from './sqlite-store.js';
+ * import { SessionManager } from './manager.js';
+ *
+ * const store = new SqliteSessionStore('./data/sessions.db');
+ * const manager = new SessionManager(store);
+ *
+ * // Sessions now persist across restarts
+ * ```
+ */
+import type { ToolCallContext } from '../policy/types.js';
+import type { SessionGrant, SessionStats, SessionStore } from './types.js';
+/**
+ * SQLite-backed session store for persistent session grants.
+ *
+ * Features:
+ * - Sessions survive process restarts
+ * - Automatic cleanup of expired grants
+ * - Thread-safe via SQLite's locking
+ */
+export declare class SqliteSessionStore implements SessionStore {
+    private db;
+    private insertStmt;
+    private getStmt;
+    private deleteStmt;
+    private updateUsageStmt;
+    constructor(dbPath: string);
+    set(grant: SessionGrant): void;
+    get(id: string): SessionGrant | undefined;
+    findMatching(context: ToolCallContext): SessionGrant[];
+    delete(id: string): boolean;
+    pruneExpired(): number;
+    getAll(): SessionGrant[];
+    clear(): void;
+    getStats(): SessionStats;
+    /**
+     * Increment usage count for a grant.
+     * Called when a grant is used to authorize a tool call.
+     */
+    incrementUsage(id: string): void;
+    /**
+     * Close the database connection.
+     */
+    close(): void;
+    private rowToGrant;
+}
+//# sourceMappingURL=sqlite-store.d.ts.map

package/dist/session/sqlite-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite-store.d.ts","sourceRoot":"","sources":["../../src/session/sqlite-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAgB,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA6BzF;;;;;;;GAOG;AACH,qBAAa,kBAAmB,YAAW,YAAY;IACrD,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,eAAe,CAAqB;gBAEhC,MAAM,EAAE,MAAM;IAqC1B,GAAG,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI;IAe9B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAczC,YAAY,CAAC,OAAO,EAAE,eAAe,GAAG,YAAY,EAAE;IAsBtD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAK3B,YAAY,IAAI,MAAM;IAUtB,MAAM,IAAI,YAAY,EAAE;IAMxB,KAAK,IAAI,IAAI;IAIb,QAAQ,IAAI,YAAY;IA4CxB;;;OAGG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAIhC;;OAEG;IACH,KAAK,IAAI,IAAI;IAQb,OAAO,CAAC,UAAU;CAcnB"}