@juspay/neurolink 9.32.0 → 9.33.0

package/dist/client/proxy/requestLogger.js

@@ -1,207 +0,0 @@
-/**
- * Proxy Request Logger
- * Logs proxy request/response metadata to a rotating log file.
- * Useful for debugging and auditing proxy traffic.
- */
-import { join } from "path";
-import { homedir } from "os";
-import { logger } from "../utils/logger.js";
-import { chmodSync, existsSync, mkdirSync, readdirSync, statSync, unlinkSync, } from "fs";
-import { appendFile } from "fs/promises";
-let logDir = null;
-let logEnabled = false;
-/** Maximum body size to log (bytes). Larger bodies are truncated. */
-const MAX_BODY_LOG_SIZE = 32_768; // 32 KB
-/** Headers whose values must always be redacted. */
-const SENSITIVE_HEADER_NAMES = new Set([
-    "authorization",
-    "proxy-authorization",
-    "x-api-key",
-    "cookie",
-    "set-cookie",
-]);
-/** Pattern that matches header names likely to contain secrets. */
-const SENSITIVE_HEADER_PATTERN = /token|secret|key|password|credential/i;
-/** JSON keys whose values should be redacted in request/response bodies. */
-const SENSITIVE_BODY_KEYS = /("(?:password|access_token|refresh_token|api_key|apiKey|secret|authorization|token|credential|x-api-key)"\s*:\s*)"(?:[^"\\]|\\.)*"/gi;
-export function initRequestLogger(enabled = true) {
-    logEnabled = enabled;
-    if (!enabled) {
-        return;
-    }
-    try {
-        logDir = join(homedir(), ".neurolink", "logs");
-        if (!existsSync(logDir)) {
-            mkdirSync(logDir, { recursive: true, mode: 0o700 });
-        }
-        chmodSync(logDir, 0o700);
-    }
-    catch (err) {
-        logEnabled = false;
-        logDir = null;
-        logger.warn(`[proxy] Request logging disabled — failed to create log directory: ${err instanceof Error ? err.message : String(err)}`);
-    }
-}
-export async function logRequest(entry) {
-    if (!logEnabled || !logDir) {
-        return;
-    }
-    const logFile = join(logDir, `proxy-${new Date().toISOString().split("T")[0]}.jsonl`);
-    const line = JSON.stringify(entry) + "\n";
-    try {
-        await appendFile(logFile, line, { mode: 0o600 });
-    }
-    catch {
-        // Non-fatal — don't crash proxy for logging failures
-    }
-}
-export function getLogDir() {
-    return logDir;
-}
-/**
- * Redact sensitive header values in-place.
- */
-function redactHeaders(headers) {
-    if (!headers) {
-        return headers;
-    }
-    const redacted = {};
-    for (const [key, value] of Object.entries(headers)) {
-        const lower = key.toLowerCase();
-        if (SENSITIVE_HEADER_NAMES.has(lower) ||
-            SENSITIVE_HEADER_PATTERN.test(lower)) {
-            redacted[key] = "[REDACTED]";
-        }
-        else {
-            redacted[key] = value;
-        }
-    }
-    return redacted;
-}
-/**
- * Redact sensitive keys from a JSON body string and truncate if too large.
- */
-function redactBody(body) {
-    if (body === undefined || body === null) {
-        return body;
-    }
-    let str = typeof body === "string" ? body : JSON.stringify(body);
-    // Redact known sensitive JSON keys BEFORE truncating so that a mid-string
-    // slice cannot leave a partially exposed secret (the regex needs closing
-    // quotes to match).
-    str = str.replace(SENSITIVE_BODY_KEYS, '$1"[REDACTED]"');
-    if (str.length > MAX_BODY_LOG_SIZE) {
-        str =
-            str.slice(0, MAX_BODY_LOG_SIZE) +
-                `... [TRUNCATED from ${str.length} bytes]`;
-    }
-    return str;
-}
-/**
- * Log the FULL raw request and response for debugging.
- * Writes to a separate file: proxy-debug-YYYY-MM-DD.jsonl
- * Each entry has the complete request body and response body.
- *
- * Sensitive headers and body fields are redacted before writing.
- */
-export async function logFullRequestResponse(entry) {
-    if (!logEnabled || !logDir) {
-        return;
-    }
-    const sanitizedEntry = {
-        ...entry,
-        requestHeaders: redactHeaders(entry.requestHeaders),
-        requestBody: redactBody(entry.requestBody),
-        responseHeaders: redactHeaders(entry.responseHeaders),
-        responseBody: redactBody(entry.responseBody),
-    };
-    const logFile = join(logDir, `proxy-debug-${new Date().toISOString().split("T")[0]}.jsonl`);
-    const line = JSON.stringify(sanitizedEntry) + "\n";
-    try {
-        await appendFile(logFile, line, { mode: 0o600 });
-    }
-    catch {
-        // Non-fatal
-    }
-}
-/**
- * Log a mid-stream error that occurs after the initial 200 was sent.
- * These are invisible in normal request logs since the 200 was already recorded.
- */
-export async function logStreamError(entry) {
-    if (!logEnabled || !logDir) {
-        return;
-    }
-    const logFile = join(logDir, `proxy-${new Date().toISOString().split("T")[0]}.jsonl`);
-    const logEntry = {
-        ...entry,
-        responseStatus: 200,
-        errorType: "stream_error",
-        note: "mid-stream failure after initial 200",
-    };
-    try {
-        await appendFile(logFile, JSON.stringify(logEntry) + "\n", {
-            mode: 0o600,
-        });
-    }
-    catch {
-        // Non-fatal — don't crash proxy for logging failures
-    }
-}
-/**
- * Clean up old log files by age and total size.
- * - Deletes files older than maxAgeDays
- * - If remaining files exceed maxSizeMb, deletes oldest until under limit
- * Non-fatal — proxy keeps working even if cleanup fails.
- */
-export function cleanupLogs(maxAgeDays = 7, maxSizeMb = 500) {
-    if (!logDir || !existsSync(logDir)) {
-        return;
-    }
-    try {
-        const files = readdirSync(logDir)
-            .filter((f) => f.startsWith("proxy-") && f.endsWith(".jsonl"))
-            .map((f) => {
-            const filePath = join(logDir, f);
-            const stat = statSync(filePath);
-            return {
-                name: f,
-                path: filePath,
-                mtime: stat.mtimeMs,
-                size: stat.size,
-            };
-        })
-            .sort((a, b) => a.mtime - b.mtime); // oldest first
-        const cutoff = Date.now() - maxAgeDays * 24 * 60 * 60 * 1000;
-        let deletedCount = 0;
-        let freedBytes = 0;
-        // Pass 1: delete files older than maxAgeDays
-        const remaining = [];
-        for (const file of files) {
-            if (file.mtime < cutoff) {
-                unlinkSync(file.path);
-                deletedCount++;
-                freedBytes += file.size;
-            }
-            else {
-                remaining.push(file);
-            }
-        }
-        // Pass 2: if total size exceeds maxSizeMb, delete oldest until under limit
-        const maxBytes = maxSizeMb * 1024 * 1024;
-        let totalSize = remaining.reduce((sum, f) => sum + f.size, 0);
-        while (totalSize > maxBytes && remaining.length > 0) {
-            const oldest = remaining.shift();
-            unlinkSync(oldest.path);
-            totalSize -= oldest.size;
-            deletedCount++;
-            freedBytes += oldest.size;
-        }
-        if (deletedCount > 0) {
-            logger.info(`[proxy] log cleanup: deleted ${deletedCount} file(s), freed ${(freedBytes / 1024 / 1024).toFixed(1)} MB`);
-        }
-    }
-    catch {
-        // Non-fatal
-    }
-}

package/dist/client/proxy/tokenRefresh.js

@@ -1,124 +0,0 @@
-import { logger } from "../utils/logger.js";
-import { tokenStore } from "../auth/tokenStore.js";
-const REFRESH_URL = "https://api.anthropic.com/v1/oauth/token";
-const REFRESH_URL_FALLBACK = "https://console.anthropic.com/v1/oauth/token";
-const CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
-const BUFFER_MS = 60 * 60 * 1000;
-const USER_AGENT = "claude-cli/2.1.80 (external, cli)";
-export function needsRefresh(account) {
-    return !!(account.expiresAt &&
-        account.expiresAt <= Date.now() + BUFFER_MS &&
-        account.refreshToken);
-}
-export async function refreshToken(account) {
-    if (!account.refreshToken) {
-        return { success: false, error: "No refresh token available" };
-    }
-    const formBody = new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: account.refreshToken,
-        client_id: CLIENT_ID,
-    }).toString();
-    const headers = {
-        "Content-Type": "application/x-www-form-urlencoded",
-        "User-Agent": USER_AGENT,
-    };
-    const urls = [REFRESH_URL, REFRESH_URL_FALLBACK];
-    for (const url of urls) {
-        try {
-            const resp = await fetch(url, {
-                method: "POST",
-                headers,
-                body: formBody,
-                signal: AbortSignal.timeout(10_000),
-            });
-            if (!resp.ok) {
-                const errorBody = await resp.text();
-                logger.warn(`[token-refresh] failed for ${account.label} at ${url}`, {
-                    status: resp.status,
-                    error: errorBody.slice(0, 500),
-                });
-                // If primary URL returned a non-ok status, try fallback
-                if (url === REFRESH_URL) {
-                    continue;
-                }
-                return { success: false, error: errorBody, status: resp.status };
-            }
-            const data = (await resp.json());
-            const previousExpiresAt = account.expiresAt;
-            account.token = data.access_token;
-            account.expiresAt =
-                data.expires_in !== undefined
-                    ? Date.now() + data.expires_in * 1000
-                    : previousExpiresAt && previousExpiresAt > Date.now()
-                        ? previousExpiresAt
-                        : Date.now() + 55 * 60 * 1000;
-            if (data.refresh_token) {
-                account.refreshToken = data.refresh_token;
-            }
-            logger.debug(`[token-refresh] refreshed for ${account.label}`);
-            return { success: true };
-        }
-        catch (e) {
-            logger.warn(`[token-refresh] exception for ${account.label} at ${url}`, {
-                error: String(e),
-            });
-            // If primary URL threw, try fallback
-            if (url === REFRESH_URL) {
-                continue;
-            }
-            return { success: false, error: String(e) };
-        }
-    }
-    // Should not reach here, but guard against empty urls array
-    return { success: false, error: "No refresh URLs available" };
-}
-export async function persistTokens(target, account) {
-    if (typeof target !== "string" && "providerKey" in target) {
-        await persistTokenStoreAccount(target.providerKey, account);
-        return;
-    }
-    const credPath = typeof target === "string" ? target : target.credPath;
-    await persistLegacyCredentials(credPath, account);
-}
-async function persistLegacyCredentials(credPath, account) {
-    try {
-        const fs = await import("fs/promises");
-        const existing = JSON.parse(await fs.readFile(credPath, "utf8"));
-        existing.oauth = {
-            ...existing.oauth,
-            accessToken: account.token,
-            expiresAt: account.expiresAt,
-            refreshToken: account.refreshToken,
-        };
-        existing.updatedAt = Date.now();
-        const tmpPath = credPath + ".tmp";
-        await fs.writeFile(tmpPath, JSON.stringify(existing, null, 2), {
-            mode: 0o600,
-        });
-        await fs.rename(tmpPath, credPath);
-    }
-    catch (err) {
-        logger.warn("[token-refresh] Failed to persist legacy credentials", {
-            error: err instanceof Error ? err.message : String(err),
-        });
-    }
-}
-async function persistTokenStoreAccount(providerKey, account) {
-    try {
-        const existing = await tokenStore.loadTokens(providerKey);
-        const merged = {
-            accessToken: account.token,
-            refreshToken: account.refreshToken ?? existing?.refreshToken,
-            expiresAt: account.expiresAt ?? existing?.expiresAt ?? Date.now() + 55 * 60 * 1000,
-            tokenType: existing?.tokenType ?? "Bearer",
-            ...(existing?.scope ? { scope: existing.scope } : {}),
-        };
-        await tokenStore.saveTokens(providerKey, merged);
-    }
-    catch (err) {
-        logger.warn("[token-refresh] Failed to persist TokenStore credentials", {
-            error: err instanceof Error ? err.message : String(err),
-        });
-    }
-}

package/dist/client/proxy/usageStats.js

@@ -1,74 +0,0 @@
-/**
- * Proxy Usage Statistics
- * Tracks per-account request counts, token usage, and error rates.
- * In-memory only — resets on proxy restart.
- */
-const stats = {
-    startedAt: Date.now(),
-    totalRequests: 0,
-    totalSuccess: 0,
-    totalErrors: 0,
-    totalRateLimits: 0,
-    accounts: {},
-};
-export function recordRequest(accountLabel, accountType) {
-    ensureAccount(accountLabel, accountType).requestCount++;
-    ensureAccount(accountLabel, accountType).lastRequestAt = Date.now();
-}
-export function recordSuccess(accountLabel, accountType) {
-    stats.totalRequests++;
-    stats.totalSuccess++;
-    const acct = ensureAccount(accountLabel, accountType);
-    acct.successCount++;
-    acct.currentBackoffLevel = 0;
-}
-export function recordError(accountLabel, accountType, status) {
-    stats.totalRequests++;
-    stats.totalErrors++;
-    const acct = ensureAccount(accountLabel, accountType);
-    acct.errorCount++;
-    acct.lastErrorAt = Date.now();
-    if (status === 429) {
-        stats.totalRateLimits++;
-        acct.rateLimitCount++;
-    }
-}
-export function recordCooldown(accountLabel, accountType, cooldownUntil, backoffLevel) {
-    const acct = ensureAccount(accountLabel, accountType);
-    acct.coolingUntil = cooldownUntil;
-    acct.currentBackoffLevel = backoffLevel;
-}
-export function getStats() {
-    const accounts = {};
-    for (const [label, account] of Object.entries(stats.accounts)) {
-        accounts[label] = { ...account };
-    }
-    return { ...stats, accounts };
-}
-export function getAccountStats(label) {
-    const account = stats.accounts[label];
-    return account ? { ...account } : undefined;
-}
-export function resetStats() {
-    stats.startedAt = Date.now();
-    stats.totalRequests = 0;
-    stats.totalSuccess = 0;
-    stats.totalErrors = 0;
-    stats.totalRateLimits = 0;
-    stats.accounts = {};
-}
-function ensureAccount(label, type) {
-    if (!stats.accounts[label]) {
-        stats.accounts[label] = {
-            label,
-            type,
-            requestCount: 0,
-            successCount: 0,
-            errorCount: 0,
-            rateLimitCount: 0,
-            lastRequestAt: 0,
-            currentBackoffLevel: 0,
-        };
-    }
-    return stats.accounts[label];
-}

package/dist/client/proxy/utils/noProxyUtils.js

@@ -1,149 +0,0 @@
-/**
- * Shared NO_PROXY utility functions
- * Extracted from awsProxyIntegration.ts and proxyFetch.ts to eliminate duplication
- * Supports comprehensive NO_PROXY pattern matching including wildcards, domains, ports, and CIDR
- */
-import { logger } from "../../utils/logger.js";
-/**
- * Check if an IP address is within a CIDR range
- */
-function isIpInCIDR(ip, cidr) {
-    try {
-        const [cidrIp, prefixLength] = cidr.split("/");
-        const prefix = parseInt(prefixLength, 10);
-        if (isNaN(prefix) || prefix < 0 || prefix > 32) {
-            return false;
-        }
-        const ipToNumber = (ipStr) => {
-            const parts = ipStr.split(".").map(Number);
-            return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
-        };
-        const ipNum = ipToNumber(ip);
-        const cidrIpNum = ipToNumber(cidrIp);
-        const mask = (-1 << (32 - prefix)) >>> 0;
-        return (ipNum & mask) === (cidrIpNum & mask);
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Comprehensive NO_PROXY bypass check supporting multiple pattern types
- *
- * Supported patterns:
- * - "*" - bypass all requests
- * - "example.com" - exact hostname match
- * - ".example.com" - domain suffix match (matches example.com and subdomains)
- * - "localhost:8080" - hostname with specific port
- * - "192.168.1.0/24" - CIDR notation for IP ranges
- *
- * @param targetUrl - The URL to check for proxy bypass
- * @param noProxyEnv - Optional NO_PROXY environment variable value (if not provided, reads from process.env)
- * @returns true if the URL should bypass proxy, false otherwise
- */
-export function shouldBypassProxy(targetUrl, noProxyEnv) {
-    const noProxy = noProxyEnv || process.env.NO_PROXY || process.env.no_proxy;
-    if (!noProxy) {
-        return false;
-    }
-    try {
-        const url = new URL(targetUrl);
-        const hostname = url.hostname.toLowerCase();
-        const port = url.port || (url.protocol === "https:" ? "443" : "80");
-        const patterns = noProxy
-            .split(",")
-            .map((p) => p.trim())
-            .filter(Boolean);
-        for (const pattern of patterns) {
-            const lowerPattern = pattern.toLowerCase();
-            // Wildcard match - bypass all
-            if (lowerPattern === "*") {
-                return true;
-            }
-            // Domain suffix match (.example.com)
-            if (lowerPattern.startsWith(".")) {
-                const suffix = lowerPattern.slice(1);
-                if (hostname.endsWith(suffix) || hostname === suffix) {
-                    return true;
-                }
-            }
-            // Port-specific match (hostname:port)
-            else if (lowerPattern.includes(":")) {
-                const [patternHost, patternPort] = lowerPattern.split(":");
-                if (hostname === patternHost && port === patternPort) {
-                    return true;
-                }
-            }
-            // CIDR notation (192.168.1.0/24) - only for IP addresses
-            else if (lowerPattern.includes("/")) {
-                // Only apply CIDR when target is an IP literal
-                if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) &&
-                    isIpInCIDR(hostname, lowerPattern)) {
-                    return true;
-                }
-            }
-            // Exact hostname match
-            else if (hostname === lowerPattern) {
-                return true;
-            }
-        }
-        return false;
-    }
-    catch (error) {
-        logger.warn("[Proxy] Error in NO_PROXY bypass logic", { targetUrl, error });
-        return false;
-    }
-}
-/**
- * Get the current NO_PROXY environment variable value
- * Checks both uppercase and lowercase variants
- */
-export function getNoProxyEnv() {
-    return process.env.NO_PROXY || process.env.no_proxy;
-}
-/**
- * Simple NO_PROXY bypass check with basic pattern support
- * Legacy function for backward compatibility with simpler use cases
- *
- * Supports:
- * - "*" - bypass all
- * - "example.com" - exact match
- * - ".example.com" - domain suffix match
- *
- * @param targetUrl - The URL to check
- * @param noProxyValue - The NO_PROXY value to check against
- * @returns true if should bypass proxy
- */
-export function shouldBypassProxySimple(targetUrl, noProxyValue) {
-    try {
-        const url = new URL(targetUrl);
-        const hostname = url.hostname.toLowerCase();
-        // Split NO_PROXY by comma and check each pattern
-        const patterns = noProxyValue.split(",").map((p) => p.trim().toLowerCase());
-        for (const pattern of patterns) {
-            if (!pattern) {
-                continue;
-            }
-            // Exact match
-            if (hostname === pattern) {
-                return true;
-            }
-            // Wildcard match (starts with .)
-            if (pattern.startsWith(".") && hostname.endsWith(pattern)) {
-                return true;
-            }
-            // Simple wildcard
-            if (pattern === "*") {
-                return true;
-            }
-        }
-        return false;
-    }
-    catch (error) {
-        logger.warn("[Proxy] Error in simple NO_PROXY bypass logic", {
-            targetUrl,
-            error,
-        });
-        return false;
-    }
-}