npm - @kaitranntt/ccs - Versions diffs - 7.77.1-dev.9 → 7.78.0-dev.1 - Mend

@kaitranntt/ccs 7.77.1-dev.9 → 7.78.0-dev.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/dist/cliproxy/auth/oauth-trace/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTED_PLACEHOLDER = exports.redactBearer = exports.redactJsonShallow = exports.redactUrl = exports.redactString = exports.createOAuthTraceRecorder = exports.OAuthTracePhase = void 0;
+var trace_events_1 = require("./trace-events");
+Object.defineProperty(exports, "OAuthTracePhase", { enumerable: true, get: function () { return trace_events_1.OAuthTracePhase; } });
+var trace_recorder_1 = require("./trace-recorder");
+Object.defineProperty(exports, "createOAuthTraceRecorder", { enumerable: true, get: function () { return trace_recorder_1.createOAuthTraceRecorder; } });
+var redactor_1 = require("./redactor");
+Object.defineProperty(exports, "redactString", { enumerable: true, get: function () { return redactor_1.redactString; } });
+Object.defineProperty(exports, "redactUrl", { enumerable: true, get: function () { return redactor_1.redactUrl; } });
+Object.defineProperty(exports, "redactJsonShallow", { enumerable: true, get: function () { return redactor_1.redactJsonShallow; } });
+Object.defineProperty(exports, "redactBearer", { enumerable: true, get: function () { return redactor_1.redactBearer; } });
+Object.defineProperty(exports, "REDACTED_PLACEHOLDER", { enumerable: true, get: function () { return redactor_1.REDACTED_PLACEHOLDER; } });
+//# sourceMappingURL=index.js.map

package/dist/cliproxy/auth/oauth-trace/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/index.ts"],"names":[],"mappings":";;;AAAA,+CAA4F;AAAnF,+GAAA,eAAe,OAAA;AACxB,mDAI0B;AAHxB,0HAAA,wBAAwB,OAAA;AAI1B,uCAMoB;AALlB,wGAAA,YAAY,OAAA;AACZ,qGAAA,SAAS,OAAA;AACT,6GAAA,iBAAiB,OAAA;AACjB,wGAAA,YAAY,OAAA;AACZ,gHAAA,oBAAoB,OAAA"}

package/dist/cliproxy/auth/oauth-trace/redactor.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * OAuth secret redactor — single choke point.
+ *
+ * Every value reaching any sink passes through these helpers first.
+ * Adding a new sensitive key here is the only place it has to change.
+ *
+ * DEFERRED: per-event syscall throttling; fsync / file-size cap on file sink.
+ */
+/** Redact sensitive query-param values inside any string. Idempotent. */
+export declare function redactString(s: string): string;
+/** Redact a parsed URL by name; returns redacted href or original on parse error. */
+export declare function redactUrl(u: string): string;
+/**
+ * Shallow-redact a plain object. Returns a new object; original is not mutated.
+ * Arrays are recursed so token arrays (e.g. `{tokens:[{access_token:'AT'}]}`)
+ * do not bypass redaction.
+ */
+export declare function redactJsonShallow(input: Record<string, unknown>): Record<string, unknown>;
+/** Redact an Authorization header value. */
+export declare function redactBearer(header: string): string;
+export declare const REDACTED_PLACEHOLDER = "***REDACTED***";
+//# sourceMappingURL=redactor.d.ts.map

package/dist/cliproxy/auth/oauth-trace/redactor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAmCH,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAK9C;AAED,qFAAqF;AACrF,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAiC3C;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAoBzF;AAED,4CAA4C;AAC5C,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,eAAO,MAAM,oBAAoB,mBAAW,CAAC"}

package/dist/cliproxy/auth/oauth-trace/redactor.js ADDED Viewed

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * OAuth secret redactor — single choke point.
+ *
+ * Every value reaching any sink passes through these helpers first.
+ * Adding a new sensitive key here is the only place it has to change.
+ *
+ * DEFERRED: per-event syscall throttling; fsync / file-size cap on file sink.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTED_PLACEHOLDER = exports.redactBearer = exports.redactJsonShallow = exports.redactUrl = exports.redactString = void 0;
+const SENSITIVE_QUERY_KEYS = [
+    'code',
+    'state',
+    'access_token',
+    'refresh_token',
+    'id_token',
+    'client_secret',
+    'authorization',
+    // PKCE / device-flow / assertion keys
+    'code_verifier',
+    'device_code',
+    'assertion',
+    'subject_token',
+];
+const SENSITIVE_OBJECT_KEYS = new Set(SENSITIVE_QUERY_KEYS.map((k) => k.toLowerCase()).concat(['authorization', 'bearer', 'token']));
+const REDACTED = '***REDACTED***';
+/**
+ * Matches sensitive keys in query strings, fragments, and standard params.
+ * Lookbehind covers: `?`, `&`, `#`, and `&#` (fragment-then-amp) delimiters.
+ * Keys are decoded before matching to catch URL-encoded bypass attempts.
+ */
+const QUERY_PARAM_REGEX = new RegExp(`(?<=[?&#])(${SENSITIVE_QUERY_KEYS.join('|')})=[^&#\\s]+`, 'gi');
+const BEARER_REGEX = /Bearer\s+[A-Za-z0-9._\-~+/=]+/gi;
+/** Redact sensitive query-param values inside any string. Idempotent. */
+function redactString(s) {
+    if (!s)
+        return s;
+    return s
+        .replace(QUERY_PARAM_REGEX, (_full, key) => `${key}=${REDACTED}`)
+        .replace(BEARER_REGEX, `Bearer ${REDACTED}`);
+}
+exports.redactString = redactString;
+/** Redact a parsed URL by name; returns redacted href or original on parse error. */
+function redactUrl(u) {
+    try {
+        const url = new URL(u);
+        // Redact query params — URL parser already decoded keys, compare decoded.
+        for (const key of SENSITIVE_QUERY_KEYS) {
+            if (url.searchParams.has(key))
+                url.searchParams.set(key, REDACTED);
+        }
+        // Also catch URL-encoded key names that URL.searchParams may not normalise
+        // (e.g. `?%63%6F%64%65=SECRET`). Decode all keys and re-check.
+        for (const [rawKey, rawVal] of [...url.searchParams.entries()]) {
+            const decoded = decodeURIComponent(rawKey).toLowerCase();
+            if ((SENSITIVE_OBJECT_KEYS.has(decoded) || SENSITIVE_QUERY_KEYS.includes(decoded)) &&
+                rawVal !== REDACTED) {
+                url.searchParams.set(rawKey, REDACTED);
+            }
+        }
+        // Redact fragment — strip leading `#`, prepend `?` so QUERY_PARAM_REGEX
+        // matches the first param (lookbehind requires `?`, `&`, or `#`).
+        if (url.hash) {
+            const bare = url.hash.slice(1); // remove leading '#'
+            const fakeQuery = `?${bare}`;
+            const redacted = redactString(fakeQuery);
+            url.hash = redacted.slice(1); // put back without the fake '?'
+        }
+        return url.toString();
+    }
+    catch {
+        return redactString(u);
+    }
+}
+exports.redactUrl = redactUrl;
+/**
+ * Shallow-redact a plain object. Returns a new object; original is not mutated.
+ * Arrays are recursed so token arrays (e.g. `{tokens:[{access_token:'AT'}]}`)
+ * do not bypass redaction.
+ */
+function redactJsonShallow(input) {
+    const out = {};
+    for (const [key, value] of Object.entries(input)) {
+        if (SENSITIVE_OBJECT_KEYS.has(key.toLowerCase())) {
+            out[key] = REDACTED;
+        }
+        else if (typeof value === 'string') {
+            out[key] = redactString(value);
+        }
+        else if (Array.isArray(value)) {
+            out[key] = value.map((item) => item && typeof item === 'object' && !Array.isArray(item)
+                ? redactJsonShallow(item)
+                : item);
+        }
+        else if (value && typeof value === 'object') {
+            out[key] = redactJsonShallow(value);
+        }
+        else {
+            out[key] = value;
+        }
+    }
+    return out;
+}
+exports.redactJsonShallow = redactJsonShallow;
+/** Redact an Authorization header value. */
+function redactBearer(header) {
+    return header.replace(BEARER_REGEX, `Bearer ${REDACTED}`);
+}
+exports.redactBearer = redactBearer;
+exports.REDACTED_PLACEHOLDER = REDACTED;
+//# sourceMappingURL=redactor.js.map

package/dist/cliproxy/auth/oauth-trace/redactor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/redactor.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,OAAO;IACP,cAAc;IACd,eAAe;IACf,UAAU;IACV,eAAe;IACf,eAAe;IACf,sCAAsC;IACtC,eAAe;IACf,aAAa;IACb,WAAW;IACX,eAAe;CACP,CAAC;AAEX,MAAM,qBAAqB,GAAG,IAAI,GAAG,CACnC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,eAAe,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAC9F,CAAC;AAEF,MAAM,QAAQ,GAAG,gBAAgB,CAAC;AAElC;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,IAAI,MAAM,CAClC,cAAc,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EACzD,IAAI,CACL,CAAC;AAEF,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAEvD,yEAAyE;AACzE,SAAgB,YAAY,CAAC,CAAS;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,OAAO,CAAC;SACL,OAAO,CAAC,iBAAiB,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;SAChE,OAAO,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;AACjD,CAAC;AALD,oCAKC;AAED,qFAAqF;AACrF,SAAgB,SAAS,CAAC,CAAS;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QAEvB,0EAA0E;QAC1E,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACvC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACrE,CAAC;QACD,2EAA2E;QAC3E,+DAA+D;QAC/D,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YAC/D,MAAM,OAAO,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;YACzD,IACE,CAAC,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,oBAAoB,CAAC,QAAQ,CAAC,OAAgB,CAAC,CAAC;gBACvF,MAAM,KAAK,QAAQ,EACnB,CAAC;gBACD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,kEAAkE;QAClE,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB;YACrD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;QAChE,CAAC;QAED,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;AACH,CAAC;AAjCD,8BAiCC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,KAA8B;IAC9D,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACjD,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC;QACtB,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5B,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACtD,CAAC,CAAC,iBAAiB,CAAC,IAA+B,CAAC;gBACpD,CAAC,CAAC,IAAI,CACT,CAAC;QACJ,CAAC;aAAM,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9C,GAAG,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAgC,CAAC,CAAC;QACjE,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AApBD,8CAoBC;AAED,4CAA4C;AAC5C,SAAgB,YAAY,CAAC,MAAc;IACzC,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;AAC5D,CAAC;AAFD,oCAEC;AAEY,QAAA,oBAAoB,GAAG,QAAQ,CAAC"}

package/dist/cliproxy/auth/oauth-trace/sink-file.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { OAuthTraceSink } from './trace-events';
+/**
+ * Append-mode JSONL file sink. Off by default; enabled when callers pass an instance.
+ *
+ * - File path: `${dir}/oauth-YYYYMMDD.log` (date from `now()` per write call).
+ * - Permissions: dir 0o700, file 0o600 (user-only). World-readable would leak machine info.
+ * - Failure-tolerant: if write fails (disk full, perm denied), logs once to stderr and
+ *   keeps dropping events silently — sink must never throw out of `write()`.
+ */
+export interface FileSinkOptions {
+    dir: string;
+    /** Test seam — defaults to `() => new Date()`. */
+    now?: () => Date;
+    /** Test seam — error notifier (defaults to one-shot stderr write). */
+    onError?: (msg: string) => void;
+}
+export declare function createFileSink(options: FileSinkOptions): OAuthTraceSink;
+//# sourceMappingURL=sink-file.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-file.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sink-file.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-file.ts"],"names":[],"mappings":"AAEA,OAAO,EAAmB,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEjE;;;;;;;GAOG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,kDAAkD;IAClD,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,sEAAsE;IACtE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACjC;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,cAAc,CA+DvE"}

package/dist/cliproxy/auth/oauth-trace/sink-file.js ADDED Viewed

@@ -0,0 +1,90 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createFileSink = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+function createFileSink(options) {
+    const now = options.now ?? (() => new Date());
+    let warned = false;
+    const onError = options.onError ??
+        ((msg) => {
+            if (!warned) {
+                warned = true;
+                process.stderr.write(`[oauth-trace] file sink disabled: ${msg}\n`);
+            }
+        });
+    let cachedDate = null;
+    function ensureDir() {
+        fs.mkdirSync(options.dir, { recursive: true, mode: 0o700 });
+    }
+    function dateStr(d) {
+        const yyyy = d.getFullYear().toString().padStart(4, '0');
+        const mm = (d.getMonth() + 1).toString().padStart(2, '0');
+        const dd = d.getDate().toString().padStart(2, '0');
+        return `${yyyy}${mm}${dd}`;
+    }
+    function pathForToday() {
+        const ds = dateStr(now());
+        cachedDate = ds;
+        return path.join(options.dir, `oauth-${ds}.log`);
+    }
+    function appendOne(event) {
+        const file = pathForToday();
+        const line = JSON.stringify(event) + '\n';
+        let fd = null;
+        try {
+            ensureDir();
+            fd = fs.openSync(file, 'a', 0o600);
+            fs.writeSync(fd, line);
+        }
+        finally {
+            if (fd !== null) {
+                try {
+                    fs.closeSync(fd);
+                }
+                catch {
+                    // ignore
+                }
+            }
+        }
+    }
+    return {
+        write(event) {
+            try {
+                appendOne(event);
+            }
+            catch (err) {
+                onError(err.message);
+            }
+        },
+        async flush() {
+            // appendSync paths are flushed per-write; no buffer to drain.
+            void cachedDate;
+        },
+    };
+}
+exports.createFileSink = createFileSink;
+//# sourceMappingURL=sink-file.js.map

package/dist/cliproxy/auth/oauth-trace/sink-file.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sink-file.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-file.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAmB7B,SAAgB,cAAc,CAAC,OAAwB;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9C,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;QACf,CAAC,CAAC,GAAW,EAAE,EAAE;YACf,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,IAAI,CAAC;gBACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,GAAG,IAAI,CAAC,CAAC;YACrE,CAAC;QACH,CAAC,CAAC,CAAC;IAEL,IAAI,UAAU,GAAkB,IAAI,CAAC;IAErC,SAAS,SAAS;QAChB,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,SAAS,OAAO,CAAC,CAAO;QACtB,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;IAC7B,CAAC;IAED,SAAS,YAAY;QACnB,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1B,UAAU,GAAG,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,SAAS,SAAS,CAAC,KAAsB;QACvC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,IAAI,EAAE,GAAkB,IAAI,CAAC;QAC7B,IAAI,CAAC;YACH,SAAS,EAAE,CAAC;YACZ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YACnC,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACzB,CAAC;gBAAS,CAAC;YACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACnB,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,CAAC;gBACH,SAAS,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAE,GAAa,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK;YACT,8DAA8D;YAC9D,KAAK,UAAU,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC;AA/DD,wCA+DC"}

package/dist/cliproxy/auth/oauth-trace/sink-memory.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { OAuthTraceEvent, OAuthTraceSink } from './trace-events';
+/** Default ring-buffer capacity. Keeps latest N events; oldest are dropped. */
+export declare const MEMORY_SINK_MAX_EVENTS = 1000;
+/**
+ * In-memory ring buffer sink. Used for diagnose-failure analysis after a flow ends.
+ * Caps at MAX_EVENTS to bound memory; oldest are dropped when full.
+ * `droppedCount` tracks how many events were discarded so callers know data loss occurred.
+ */
+export declare function createMemorySink(maxEvents?: number): OAuthTraceSink & {
+    snapshot(): OAuthTraceEvent[];
+    droppedCount(): number;
+};
+//# sourceMappingURL=sink-memory.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-memory.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sink-memory.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEjE,+EAA+E;AAC/E,eAAO,MAAM,sBAAsB,OAAO,CAAC;AAE3C;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,SAAyB,GACjC,cAAc,GAAG;IAAE,QAAQ,IAAI,eAAe,EAAE,CAAC;IAAC,YAAY,IAAI,MAAM,CAAA;CAAE,CAkB5E"}

package/dist/cliproxy/auth/oauth-trace/sink-memory.js ADDED Viewed

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMemorySink = exports.MEMORY_SINK_MAX_EVENTS = void 0;
+/** Default ring-buffer capacity. Keeps latest N events; oldest are dropped. */
+exports.MEMORY_SINK_MAX_EVENTS = 1000;
+/**
+ * In-memory ring buffer sink. Used for diagnose-failure analysis after a flow ends.
+ * Caps at MAX_EVENTS to bound memory; oldest are dropped when full.
+ * `droppedCount` tracks how many events were discarded so callers know data loss occurred.
+ */
+function createMemorySink(maxEvents = exports.MEMORY_SINK_MAX_EVENTS) {
+    const events = [];
+    let dropped = 0;
+    return {
+        write(event) {
+            if (events.length >= maxEvents) {
+                events.shift();
+                dropped++;
+            }
+            events.push(event);
+        },
+        snapshot() {
+            return events.slice();
+        },
+        droppedCount() {
+            return dropped;
+        },
+    };
+}
+exports.createMemorySink = createMemorySink;
+//# sourceMappingURL=sink-memory.js.map

package/dist/cliproxy/auth/oauth-trace/sink-memory.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sink-memory.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-memory.ts"],"names":[],"mappings":";;;AAEA,+EAA+E;AAClE,QAAA,sBAAsB,GAAG,IAAI,CAAC;AAE3C;;;;GAIG;AACH,SAAgB,gBAAgB,CAC9B,SAAS,GAAG,8BAAsB;IAElC,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;gBAC/B,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,QAAQ;YACN,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QACD,YAAY;YACV,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC;AApBD,4CAoBC"}

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { OAuthTraceSink } from './trace-events';
+/**
+ * Verbose stdout sink. Writes one ASCII line per event when verbose=true.
+ * Format: `[oauth-trace] +{elapsedMs}ms {phase} {key=val ...}`
+ * No emojis (CCS terminal rule). Goes to stderr to avoid mingling with normal stdout.
+ */
+export declare function createVerboseStdoutSink(opts: {
+    enabled: boolean;
+    out?: (line: string) => void;
+}): OAuthTraceSink;
+//# sourceMappingURL=sink-verbose-stdout.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sink-verbose-stdout.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-verbose-stdout.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CAC9B,GAAG,cAAc,CAoBjB"}

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.js ADDED Viewed

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createVerboseStdoutSink = void 0;
+/**
+ * Verbose stdout sink. Writes one ASCII line per event when verbose=true.
+ * Format: `[oauth-trace] +{elapsedMs}ms {phase} {key=val ...}`
+ * No emojis (CCS terminal rule). Goes to stderr to avoid mingling with normal stdout.
+ */
+function createVerboseStdoutSink(opts) {
+    const out = opts.out ?? ((line) => process.stderr.write(line + '\n'));
+    return {
+        write(event) {
+            if (!opts.enabled)
+                return;
+            const parts = [];
+            parts.push(`[oauth-trace] +${event.elapsedMs}ms ${event.phase}`);
+            if (event.data) {
+                for (const [k, v] of Object.entries(event.data)) {
+                    if (v === undefined)
+                        continue;
+                    parts.push(`${k}=${formatValue(v)}`);
+                }
+            }
+            if (event.error) {
+                parts.push(`error_code=${event.error.code ?? 'unknown'}`);
+                parts.push(`error_msg="${event.error.message.replace(/"/g, "'")}"`);
+            }
+            out(parts.join(' '));
+        },
+    };
+}
+exports.createVerboseStdoutSink = createVerboseStdoutSink;
+function formatValue(v) {
+    if (v === null)
+        return 'null';
+    if (typeof v === 'string')
+        return v.includes(' ') ? `"${v.replace(/"/g, "'")}"` : v;
+    if (typeof v === 'number' || typeof v === 'boolean')
+        return String(v);
+    try {
+        return JSON.stringify(v);
+    }
+    catch {
+        return '[unserializable]';
+    }
+}
+//# sourceMappingURL=sink-verbose-stdout.js.map

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sink-verbose-stdout.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-verbose-stdout.ts"],"names":[],"mappings":";;;AAEA;;;;GAIG;AACH,SAAgB,uBAAuB,CAAC,IAGvC;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,CAAC,IAAI,CAAC,OAAO;gBAAE,OAAO;YAC1B,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,SAAS,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACjE,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,IAAI,CAAC,KAAK,SAAS;wBAAE,SAAS;oBAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,KAAK,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC;gBAC1D,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;YACtE,CAAC;YACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC;AAvBD,0DAuBC;AAED,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,kBAAkB,CAAC;IAC5B,CAAC;AACH,CAAC"}

package/dist/cliproxy/auth/oauth-trace/trace-events.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * OAuth trace event taxonomy.
+ *
+ * Single source of truth for phase IDs that flow through the OAuth pipeline.
+ * Additive only — never remove or renumber.
+ */
+export declare enum OAuthTracePhase {
+    PreflightStart = "preflight.start",
+    PreflightOk = "preflight.ok",
+    PreflightPortBlocked = "preflight.port_blocked",
+    BinarySpawn = "binary.spawn",
+    BinaryStdout = "binary.stdout",
+    BinaryStderr = "binary.stderr",
+    BinaryExit = "binary.exit",
+    AuthUrlDisplayed = "auth.url_displayed",
+    BrowserOpened = "browser.opened",
+    CallbackObservedHeuristic = "callback.observed_heuristic",
+    PasteCallbackPrompted = "paste.prompted",
+    PasteCallbackReceived = "paste.received",
+    PasteCallbackInvalid = "paste.invalid",
+    PasteCallbackSubmitted = "paste.submitted",
+    TokenExchangePending = "token.exchange_pending",
+    TokenFileAppeared = "token.file_appeared",
+    TokenFileMissing = "token.file_missing",
+    ProjectSelectionPrompted = "project.selection_prompted",
+    ProjectSelectionResolved = "project.selection_resolved",
+    AgyResponsibilityPrompted = "agy.responsibility_prompted",
+    AgyResponsibilityResolved = "agy.responsibility_resolved",
+    Timeout = "timeout",
+    Cancelled = "cancelled",
+    Error = "error"
+}
+/** A single OAuth trace event. `data` MUST be redacted before construction. */
+export interface OAuthTraceEvent {
+    sessionId: string;
+    provider: string;
+    phase: OAuthTracePhase;
+    ts: number;
+    elapsedMs: number;
+    data?: Record<string, unknown>;
+    error?: {
+        code?: string;
+        message: string;
+    };
+}
+/** Sink interface — accept events that have already been redacted. */
+export interface OAuthTraceSink {
+    write(event: OAuthTraceEvent): void;
+    flush?(): Promise<void>;
+}
+//# sourceMappingURL=trace-events.d.ts.map

package/dist/cliproxy/auth/oauth-trace/trace-events.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"trace-events.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/trace-events.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,oBAAY,eAAe;IAEzB,cAAc,oBAAoB;IAClC,WAAW,iBAAiB;IAC5B,oBAAoB,2BAA2B;IAG/C,WAAW,iBAAiB;IAC5B,YAAY,kBAAkB;IAC9B,YAAY,kBAAkB;IAC9B,UAAU,gBAAgB;IAG1B,gBAAgB,uBAAuB;IACvC,aAAa,mBAAmB;IAChC,yBAAyB,gCAAgC;IAGzD,qBAAqB,mBAAmB;IACxC,qBAAqB,mBAAmB;IACxC,oBAAoB,kBAAkB;IACtC,sBAAsB,oBAAoB;IAG1C,oBAAoB,2BAA2B;IAC/C,iBAAiB,wBAAwB;IACzC,gBAAgB,uBAAuB;IAGvC,wBAAwB,+BAA+B;IACvD,wBAAwB,+BAA+B;IACvD,yBAAyB,gCAAgC;IACzD,yBAAyB,gCAAgC;IAGzD,OAAO,YAAY;IACnB,SAAS,cAAc;IACvB,KAAK,UAAU;CAChB;AAED,+EAA+E;AAC/E,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,eAAe,CAAC;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,KAAK,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5C;AAED,sEAAsE;AACtE,MAAM,WAAW,cAAc;IAC7B,KAAK,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAAC;IACpC,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB"}

package/dist/cliproxy/auth/oauth-trace/trace-events.js ADDED Viewed

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * OAuth trace event taxonomy.
+ *
+ * Single source of truth for phase IDs that flow through the OAuth pipeline.
+ * Additive only — never remove or renumber.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTracePhase = void 0;
+var OAuthTracePhase;
+(function (OAuthTracePhase) {
+    // Pre-flight
+    OAuthTracePhase["PreflightStart"] = "preflight.start";
+    OAuthTracePhase["PreflightOk"] = "preflight.ok";
+    OAuthTracePhase["PreflightPortBlocked"] = "preflight.port_blocked";
+    // Binary process lifecycle (CLIProxyAPI Go binary)
+    OAuthTracePhase["BinarySpawn"] = "binary.spawn";
+    OAuthTracePhase["BinaryStdout"] = "binary.stdout";
+    OAuthTracePhase["BinaryStderr"] = "binary.stderr";
+    OAuthTracePhase["BinaryExit"] = "binary.exit";
+    // Browser / URL flow (Authorization Code)
+    OAuthTracePhase["AuthUrlDisplayed"] = "auth.url_displayed";
+    OAuthTracePhase["BrowserOpened"] = "browser.opened";
+    OAuthTracePhase["CallbackObservedHeuristic"] = "callback.observed_heuristic";
+    // Paste-callback (CCS-owned end-to-end)
+    OAuthTracePhase["PasteCallbackPrompted"] = "paste.prompted";
+    OAuthTracePhase["PasteCallbackReceived"] = "paste.received";
+    OAuthTracePhase["PasteCallbackInvalid"] = "paste.invalid";
+    OAuthTracePhase["PasteCallbackSubmitted"] = "paste.submitted";
+    // Token exchange + persistence
+    OAuthTracePhase["TokenExchangePending"] = "token.exchange_pending";
+    OAuthTracePhase["TokenFileAppeared"] = "token.file_appeared";
+    OAuthTracePhase["TokenFileMissing"] = "token.file_missing";
+    // Provider-specific gates (Phase 4/5 extend)
+    OAuthTracePhase["ProjectSelectionPrompted"] = "project.selection_prompted";
+    OAuthTracePhase["ProjectSelectionResolved"] = "project.selection_resolved";
+    OAuthTracePhase["AgyResponsibilityPrompted"] = "agy.responsibility_prompted";
+    OAuthTracePhase["AgyResponsibilityResolved"] = "agy.responsibility_resolved";
+    // Terminal states
+    OAuthTracePhase["Timeout"] = "timeout";
+    OAuthTracePhase["Cancelled"] = "cancelled";
+    OAuthTracePhase["Error"] = "error";
+})(OAuthTracePhase || (exports.OAuthTracePhase = OAuthTracePhase = {}));
+//# sourceMappingURL=trace-events.js.map

package/dist/cliproxy/auth/oauth-trace/trace-events.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"trace-events.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/trace-events.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,IAAY,eAsCX;AAtCD,WAAY,eAAe;IACzB,aAAa;IACb,qDAAkC,CAAA;IAClC,+CAA4B,CAAA;IAC5B,kEAA+C,CAAA;IAE/C,mDAAmD;IACnD,+CAA4B,CAAA;IAC5B,iDAA8B,CAAA;IAC9B,iDAA8B,CAAA;IAC9B,6CAA0B,CAAA;IAE1B,0CAA0C;IAC1C,0DAAuC,CAAA;IACvC,mDAAgC,CAAA;IAChC,4EAAyD,CAAA;IAEzD,wCAAwC;IACxC,2DAAwC,CAAA;IACxC,2DAAwC,CAAA;IACxC,yDAAsC,CAAA;IACtC,6DAA0C,CAAA;IAE1C,+BAA+B;IAC/B,kEAA+C,CAAA;IAC/C,4DAAyC,CAAA;IACzC,0DAAuC,CAAA;IAEvC,6CAA6C;IAC7C,0EAAuD,CAAA;IACvD,0EAAuD,CAAA;IACvD,4EAAyD,CAAA;IACzD,4EAAyD,CAAA;IAEzD,kBAAkB;IAClB,sCAAmB,CAAA;IACnB,0CAAuB,CAAA;IACvB,kCAAe,CAAA;AACjB,CAAC,EAtCW,eAAe,+BAAf,eAAe,QAsC1B"}

package/dist/cliproxy/auth/oauth-trace/trace-recorder.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { OAuthTraceEvent, OAuthTracePhase, OAuthTraceSink } from './trace-events';
+export interface OAuthTraceRecorder {
+    record(phase: OAuthTracePhase, data?: Record<string, unknown>, error?: {
+        code?: string;
+        message: string;
+    } | Error): void;
+    snapshot(): OAuthTraceEvent[];
+    summary(): {
+        totalMs: number;
+        phaseCounts: Record<string, number>;
+        lastPhase?: OAuthTracePhase;
+    };
+    flush(): Promise<void>;
+}
+export interface OAuthTraceRecorderOptions {
+    sessionId: string;
+    provider: string;
+    verbose: boolean;
+    fileSink?: OAuthTraceSink;
+    /** Test seam — defaults to `Date.now`. */
+    now?: () => number;
+    /** Test seam — override verbose sink output channel. */
+    verboseOut?: (line: string) => void;
+}
+/**
+ * Create a per-attempt recorder. Always wires:
+ *  - memory sink (read via `snapshot()`)
+ *  - verbose stdout sink (no-op when verbose=false)
+ *  - optional file sink (Phase 8)
+ *
+ * All event data passes through the redactor before reaching any sink.
+ */
+export declare function createOAuthTraceRecorder(options: OAuthTraceRecorderOptions): OAuthTraceRecorder;
+//# sourceMappingURL=trace-recorder.d.ts.map

package/dist/cliproxy/auth/oauth-trace/trace-recorder.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"trace-recorder.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/trace-recorder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAKlF,MAAM,WAAW,kBAAkB;IACjC,MAAM,CACJ,KAAK,EAAE,eAAe,EACtB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,KAAK,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,KAAK,GACjD,IAAI,CAAC;IACR,QAAQ,IAAI,eAAe,EAAE,CAAC;IAC9B,OAAO,IAAI;QACT,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,SAAS,CAAC,EAAE,eAAe,CAAC;KAC7B,CAAC;IACF,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,yBAAyB;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,0CAA0C;IAC1C,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,wDAAwD;IACxD,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,yBAAyB,GAAG,kBAAkB,CAmE/F"}

package/dist/cliproxy/auth/oauth-trace/trace-recorder.js ADDED Viewed

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOAuthTraceRecorder = void 0;
+const sink_memory_1 = require("./sink-memory");
+const sink_verbose_stdout_1 = require("./sink-verbose-stdout");
+const redactor_1 = require("./redactor");
+/**
+ * Create a per-attempt recorder. Always wires:
+ *  - memory sink (read via `snapshot()`)
+ *  - verbose stdout sink (no-op when verbose=false)
+ *  - optional file sink (Phase 8)
+ *
+ * All event data passes through the redactor before reaching any sink.
+ */
+function createOAuthTraceRecorder(options) {
+    const now = options.now ?? Date.now;
+    const start = now();
+    const memory = (0, sink_memory_1.createMemorySink)();
+    const verbose = (0, sink_verbose_stdout_1.createVerboseStdoutSink)({ enabled: options.verbose, out: options.verboseOut });
+    const sinks = [memory, verbose];
+    if (options.fileSink)
+        sinks.push(options.fileSink);
+    const phaseCounts = {};
+    let lastPhase;
+    function toErrorObj(err) {
+        if (!err)
+            return undefined;
+        if (err instanceof Error) {
+            return { message: err.message };
+        }
+        return { code: err.code, message: err.message };
+    }
+    return {
+        record(phase, data, error) {
+            const ts = now();
+            const elapsedMs = ts - start;
+            const redacted = data ? (0, redactor_1.redactJsonShallow)(data) : undefined;
+            const event = {
+                sessionId: options.sessionId,
+                provider: options.provider,
+                phase,
+                ts,
+                elapsedMs,
+                data: redacted,
+                error: toErrorObj(error),
+            };
+            phaseCounts[phase] = (phaseCounts[phase] ?? 0) + 1;
+            lastPhase = phase;
+            for (const sink of sinks) {
+                try {
+                    sink.write(event);
+                }
+                catch {
+                    // Sinks must never throw out — drop on failure.
+                }
+            }
+        },
+        snapshot() {
+            return memory.snapshot();
+        },
+        summary() {
+            return {
+                totalMs: now() - start,
+                phaseCounts: { ...phaseCounts },
+                lastPhase,
+            };
+        },
+        async flush() {
+            for (const sink of sinks) {
+                if (sink.flush) {
+                    try {
+                        await sink.flush();
+                    }
+                    catch {
+                        // ignore
+                    }
+                }
+            }
+        },
+    };
+}
+exports.createOAuthTraceRecorder = createOAuthTraceRecorder;
+//# sourceMappingURL=trace-recorder.js.map

package/dist/cliproxy/auth/oauth-trace/trace-recorder.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"trace-recorder.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/trace-recorder.ts"],"names":[],"mappings":";;;AACA,+CAAiD;AACjD,+DAAgE;AAChE,yCAA+C;AA4B/C;;;;;;;GAOG;AACH,SAAgB,wBAAwB,CAAC,OAAkC;IACzE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IACpC,MAAM,KAAK,GAAG,GAAG,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,IAAA,8BAAgB,GAAE,CAAC;IAClC,MAAM,OAAO,GAAG,IAAA,6CAAuB,EAAC,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/F,MAAM,KAAK,GAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClD,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEnD,MAAM,WAAW,GAA2B,EAAE,CAAC;IAC/C,IAAI,SAAsC,CAAC;IAE3C,SAAS,UAAU,CACjB,GAA2D;QAE3D,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,IAAI,GAAG,YAAY,KAAK,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;IAClD,CAAC;IAED,OAAO;QACL,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK;YACvB,MAAM,EAAE,GAAG,GAAG,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,EAAE,GAAG,KAAK,CAAC;YAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,IAAA,4BAAiB,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,MAAM,KAAK,GAAoB;gBAC7B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK;gBACL,EAAE;gBACF,SAAS;gBACT,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;aACzB,CAAC;YACF,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,SAAS,GAAG,KAAK,CAAC;YAClB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACpB,CAAC;gBAAC,MAAM,CAAC;oBACP,gDAAgD;gBAClD,CAAC;YACH,CAAC;QACH,CAAC;QACD,QAAQ;YACN,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,OAAO;gBACL,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK;gBACtB,WAAW,EAAE,EAAE,GAAG,WAAW,EAAE;gBAC/B,SAAS;aACV,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,KAAK;YACT,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;oBACrB,CAAC;oBAAC,MAAM,CAAC;wBACP,SAAS;oBACX,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAnED,4DAmEC"}