@lobu/core 6.1.0 → 7.0.0
- package/dist/__tests__/agent-policy-harden.test.d.ts +11 -0
- package/dist/__tests__/agent-policy-harden.test.d.ts.map +1 -0
- package/dist/__tests__/agent-policy-harden.test.js +216 -0
- package/dist/__tests__/agent-policy-harden.test.js.map +1 -0
- package/dist/__tests__/agent-store.test.d.ts +8 -0
- package/dist/__tests__/agent-store.test.d.ts.map +1 -0
- package/dist/__tests__/agent-store.test.js +38 -0
- package/dist/__tests__/agent-store.test.js.map +1 -0
- package/dist/__tests__/command-registry.test.d.ts +8 -0
- package/dist/__tests__/command-registry.test.d.ts.map +1 -0
- package/dist/__tests__/command-registry.test.js +188 -0
- package/dist/__tests__/command-registry.test.js.map +1 -0
- package/dist/__tests__/encryption-key-validation.test.d.ts +2 -0
- package/dist/__tests__/encryption-key-validation.test.d.ts.map +1 -0
- package/dist/__tests__/encryption-key-validation.test.js +53 -0
- package/dist/__tests__/encryption-key-validation.test.js.map +1 -0
- package/dist/__tests__/encryption.test.js +2 -0
- package/dist/__tests__/encryption.test.js.map +1 -1
- package/dist/__tests__/errors.test.js +0 -36
- package/dist/__tests__/errors.test.js.map +1 -1
- package/dist/__tests__/guardrails-harden.test.d.ts +16 -0
- package/dist/__tests__/guardrails-harden.test.d.ts.map +1 -0
- package/dist/__tests__/guardrails-harden.test.js +328 -0
- package/dist/__tests__/guardrails-harden.test.js.map +1 -0
- package/dist/__tests__/instruction-provider.test.d.ts +8 -0
- package/dist/__tests__/instruction-provider.test.d.ts.map +1 -0
- package/dist/__tests__/instruction-provider.test.js +129 -0
- package/dist/__tests__/instruction-provider.test.js.map +1 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.d.ts +10 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.d.ts.map +1 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.js +722 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.js.map +1 -0
- package/dist/__tests__/lobu-toml-schema.test.js +40 -5
- package/dist/__tests__/lobu-toml-schema.test.js.map +1 -1
- package/dist/__tests__/network-domains.test.d.ts +9 -0
- package/dist/__tests__/network-domains.test.d.ts.map +1 -0
- package/dist/__tests__/network-domains.test.js +97 -0
- package/dist/__tests__/network-domains.test.js.map +1 -0
- package/dist/__tests__/sanitize.test.js +11 -0
- package/dist/__tests__/sanitize.test.js.map +1 -1
- package/dist/__tests__/utils-env.test.d.ts +8 -0
- package/dist/__tests__/utils-env.test.d.ts.map +1 -0
- package/dist/__tests__/utils-env.test.js +125 -0
- package/dist/__tests__/utils-env.test.js.map +1 -0
- package/dist/__tests__/utils-json.test.d.ts +8 -0
- package/dist/__tests__/utils-json.test.d.ts.map +1 -0
- package/dist/__tests__/utils-json.test.js +114 -0
- package/dist/__tests__/utils-json.test.js.map +1 -0
- package/dist/__tests__/utils-urls.test.d.ts +7 -0
- package/dist/__tests__/utils-urls.test.d.ts.map +1 -0
- package/dist/__tests__/utils-urls.test.js +37 -0
- package/dist/__tests__/utils-urls.test.js.map +1 -0
- package/dist/__tests__/worker-auth.test.js +8 -0
- package/dist/__tests__/worker-auth.test.js.map +1 -1
- package/dist/command-registry.d.ts +4 -0
- package/dist/command-registry.d.ts.map +1 -1
- package/dist/command-registry.js.map +1 -1
- package/dist/errors.d.ts +0 -19
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +1 -38
- package/dist/errors.js.map +1 -1
- package/dist/lobu-toml-schema.d.ts +23 -8
- package/dist/lobu-toml-schema.d.ts.map +1 -1
- package/dist/lobu-toml-schema.js +31 -5
- package/dist/lobu-toml-schema.js.map +1 -1
- package/dist/logger.js +4 -4
- package/dist/logger.js.map +1 -1
- package/dist/utils/encryption.d.ts +2 -0
- package/dist/utils/encryption.d.ts.map +1 -1
- package/dist/utils/encryption.js +29 -11
- package/dist/utils/encryption.js.map +1 -1
- package/dist/utils/json.d.ts +0 -5
- package/dist/utils/json.d.ts.map +1 -1
- package/dist/utils/json.js +0 -16
- package/dist/utils/json.js.map +1 -1
- package/dist/utils/retry.d.ts.map +1 -1
- package/dist/utils/retry.js +29 -5
- package/dist/utils/retry.js.map +1 -1
- package/dist/utils/sanitize.d.ts +0 -24
- package/dist/utils/sanitize.d.ts.map +1 -1
- package/dist/utils/sanitize.js +40 -29
- package/dist/utils/sanitize.js.map +1 -1
- package/dist/worker/auth.d.ts +1 -0
- package/dist/worker/auth.d.ts.map +1 -1
- package/dist/worker/auth.js +12 -1
- package/dist/worker/auth.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/utils/encryption.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/utils/encryption.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DA,0BAUC;AAKD,0BAcC;AAGD,8EAEC;AA5FD,oDAAsC;AAEtC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,2BAA2B;AAEjD;;;;;GAKG;AACH,6EAA6E;AAC7E,uEAAuE;AACvE,8EAA8E;AAC9E,IAAI,SAA6B,CAAC;AAElC,SAAS,gBAAgB;IACvB,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;IAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,wEAAwE;IACxE,4EAA4E;IAC5E,wDAAwD;IACxD,IAAI,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAChD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1E,SAAS,GAAG,YAAY,CAAC;YACzB,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IACE,SAAS,CAAC,MAAM,KAAK,EAAE;YACvB,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,WAAW,EAAE,EAC/C,CAAC;YACD,SAAS,GAAG,SAAS,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CACb,wEAAwE;QACtE,8EAA8E,CACjF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,OAAO,CAAC,IAAY;IAClC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IACzC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3B,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrF,CAAC;AAED;;GAEG;AACH,SAAgB,OAAO,CAAC,IAAY;IAClC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE
,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IACpE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC;QAC9B,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,yFAAyF;AACzF,SAAgB,iCAAiC;IAC/C,SAAS,GAAG,SAAS,CAAC;AACxB,CAAC"}
|
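--- a/package/dist/utils/json.d.ts
+++ b/package/dist/utils/json.d.ts
@@ -3,11 +3,6 @@
 * Returns null on parse failure instead of throwing
 */
 export declare function safeJsonParse<T = unknown>(data: string, fallback?: T | null): T | null;
-/**
-* Safely stringify value to JSON
-* Returns null on stringify failure instead of throwing
-*/
-export declare function safeJsonStringify(value: unknown): string | null;
 /**
 * Round-trip a value through JSON serialization to convert bigint values
 * to plain numbers or strings. Useful for REST API responses where the value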
package/dist/utils/json.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,GAAG,OAAO,EACvC,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,CAAC,GAAG,IAAW,GACxB,CAAC,GAAG,IAAI,CAUV;
|
|
1
|
+
{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,GAAG,OAAO,EACvC,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,CAAC,GAAG,IAAW,GACxB,CAAC,GAAG,IAAI,CAUV;AAgBD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,CAEzC;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAevE"}
|
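--- a/package/dist/utils/json.js
+++ b/package/dist/utils/json.js
@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.safeJsonParse = safeJsonParse;
-exports.safeJsonStringify = safeJsonStringify;
 exports.toJsonSafe = toJsonSafe;
 exports.parseJsonObject = parseJsonObject;
 const logger_1 = require("../logger");
@@ -22,21 +21,6 @@ function safeJsonParse(data, fallback = null) {
 return fallback;
 }
 }
-/**
-* Safely stringify value to JSON
-* Returns null on stringify failure instead of throwing
-*/
-function safeJsonStringify(value) {
-try {
-return JSON.stringify(value);
-}
-catch (error) {
-logger.error("JSON stringify failed", {
-error: error instanceof Error ? error.message : String(error),
-});
-return null;
-}
-}
 /**
 * Stringify a value to JSON, converting bigint values to numbers (when safe)
 * or strings. Use this when serializing query results that may contain bigint columns.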
package/dist/utils/json.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":";;AAQA,sCAaC;
|
|
1
|
+
{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":";;AAQA,sCAaC;AAqBD,gCAEC;AAOD,0CAeC;AAlED,sCAAyC;AAEzC,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,YAAY,CAAC,CAAC;AAE1C;;;GAGG;AACH,SAAgB,aAAa,CAC3B,IAAY,EACZ,WAAqB,IAAI;IAEzB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;IAC/B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;YAChC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC7D,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE;QAC/C,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;YAClC,OAAO,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxE,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CAAI,KAAQ;IACpC,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAM,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;gBACnE,CAAC,CAAE,MAAkC;gBACrC,CAAC,CAAC,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACvD,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"retry.d.ts","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,aAAa,GAAG,QAAQ,CAAC;IACpC;;;;;;OAMG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC;IACzD,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CACnD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"retry.d.ts","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,aAAa,GAAG,QAAQ,CAAC;IACpC;;;;;;OAMG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC;IACzD,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CACnD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,CAAC,CAAC,CAuFZ"}
|
package/dist/utils/retry.js
CHANGED
|
@@ -38,9 +38,24 @@ async function retryWithBackoff(fn, options = {}) {
|
|
|
38
38
|
}
|
|
39
39
|
catch (error) {
|
|
40
40
|
lastError = error;
|
|
41
|
-
// Allow caller to abort on non-retryable errors.
|
|
42
|
-
|
|
43
|
-
|
|
41
|
+
// Allow caller to abort on non-retryable errors. A buggy predicate that
|
|
42
|
+
// throws must not mask the real error or skip remaining retries — log and
|
|
43
|
+
// fall back to the default (retry).
|
|
44
|
+
if (shouldRetry) {
|
|
45
|
+
let allowRetry = true;
|
|
46
|
+
try {
|
|
47
|
+
allowRetry = shouldRetry(lastError, attempt + 1);
|
|
48
|
+
}
|
|
49
|
+
catch (predicateError) {
|
|
50
|
+
logger.warn("shouldRetry predicate threw; defaulting to retry", {
|
|
51
|
+
error: predicateError instanceof Error
|
|
52
|
+
? predicateError.message
|
|
53
|
+
: String(predicateError),
|
|
54
|
+
});
|
|
55
|
+
}
|
|
56
|
+
if (!allowRetry) {
|
|
57
|
+
throw lastError;
|
|
58
|
+
}
|
|
44
59
|
}
|
|
45
60
|
if (attempt < maxRetries) {
|
|
46
61
|
// Calculate base delay based on strategy
|
|
@@ -63,9 +78,18 @@ async function retryWithBackoff(fn, options = {}) {
|
|
|
63
78
|
else {
|
|
64
79
|
finalDelay = delay;
|
|
65
80
|
}
|
|
66
|
-
// Notify caller of retry
|
|
81
|
+
// Notify caller of retry — isolate a throwing callback.
|
|
67
82
|
if (onRetry) {
|
|
68
|
-
|
|
83
|
+
try {
|
|
84
|
+
onRetry(attempt + 1, lastError);
|
|
85
|
+
}
|
|
86
|
+
catch (callbackError) {
|
|
87
|
+
logger.warn("onRetry callback threw", {
|
|
88
|
+
error: callbackError instanceof Error
|
|
89
|
+
? callbackError.message
|
|
90
|
+
: String(callbackError),
|
|
91
|
+
});
|
|
92
|
+
}
|
|
69
93
|
}
|
|
70
94
|
else {
|
|
71
95
|
logger.warn(`Retry attempt ${attempt + 1}/${maxRetries} after ${Math.round(finalDelay)}ms`, { error: lastError.message });
|
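Review bot: The context line that closes the second hunk still reads `lastError.message` unguarded, while both new catch blocks normalise with `instanceof Error ? ….message : String(…)`. If `fn` rejects with `undefined` or `null` and no `onRetry` is supplied, that property access throws a TypeError inside the catch block and ends the retry loop with the wrong error, which is the same masking this change removes for the two callbacks. Logging `{ error: lastError instanceof Error ? lastError.message : String(lastError) }` there would make the three sites consistent. Separately, a throwing `shouldRetry` now fails open to retrying; that is bounded by `maxRetries`, but a predicate meant to stop retries on authentication or non-idempotent failures is bypassed when it throws, which deserves a sentence in the option's documentation. The body of `retryWithBackoff` starts and ends outside both hunks.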
package/dist/utils/retry.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"retry.js","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":";;AAqDA,
|
|
1
|
+
{"version":3,"file":"retry.js","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":";;AAqDA,4CA0FC;AA/ID,sCAAyC;AAEzC,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,OAAO,CAAC,CAAC;AAyBrC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACI,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,UAAwB,EAAE;IAE1B,MAAM,EACJ,UAAU,GAAG,CAAC,EACd,SAAS,GAAG,IAAI,EAChB,QAAQ,EACR,QAAQ,GAAG,aAAa,EACxB,MAAM,GAAG,KAAK,EACd,WAAW,EACX,OAAO,GACR,GAAG,OAAO,CAAC;IAEZ,IAAI,SAA4B,CAAC;IAEjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,SAAS,GAAG,KAAc,CAAC;YAE3B,wEAAwE;YACxE,0EAA0E;YAC1E,oCAAoC;YACpC,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,UAAU,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC;oBACH,UAAU,GAAG,WAAW,CAAC,SAAS,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBACnD,CAAC;gBAAC,OAAO,cAAc,EAAE,CAAC;oBACxB,MAAM,CAAC,IAAI,CAAC,kDAAkD,EAAE;wBAC9D,KAAK,EACH,cAAc,YAAY,KAAK;4BAC7B,CAAC,CAAC,cAAc,CAAC,OAAO;4BACxB,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC;qBAC7B,CAAC,CAAC;gBACL,CAAC;gBACD,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,SAAS,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,yCAAyC;gBACzC,IAAI,KAAK,GACP,QAAQ,KAAK,aAAa;oBACxB,CAAC,CAAC,SAAS,GAAG,CAAC,IAAI,OAAO;oBAC1B,CAAC,CAAC,SAAS,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;gBAEhC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;oBAC3B,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACpC,CAAC;gBAED,eAAe;gBACf,IAAI,UAAkB,CAAC;gBACvB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;oBACtB,uEAAuE;oBACvE,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC3C,CAAC;qBAAM,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBAC3B,6BAA6B;oBAC7B,UAAU,GAAG,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC;gBAC5C,CAAC;qBAAM,CAAC;oBACN,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;gBAED,wDAAwD;gBACxD,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACH,OAAO,CAAC,OAAO,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;oBAClC,CAAC;oBAAC,OAAO,aAAa,EAAE,CAAC;wBACvB,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE;4BACpC,KAAK,EACH,aAAa,YAAY,KAAK;gCAC5B,CAAC,CAAC,aAAa,CAAC,OAAO;gCACvB,CAAC,CAAC,MAAM,CAAC,aAAa,CAA
C;yBAC5B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,iBAAiB,OAAO,GAAG,CAAC,IAAI,UAAU,UAAU,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAC9E,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,CAC7B,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,SAAS,CAAC;AAClB,CAAC"}
|
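--- a/package/dist/utils/sanitize.d.ts
+++ b/package/dist/utils/sanitize.d.ts
@@ -27,30 +27,6 @@ export declare function sanitizeFilename(filename: string, maxLength?: number):
 * ```
 */
 export declare function sanitizeConversationId(conversationId: string): string;
-/**
-* Sanitize sensitive data from objects before logging
-* Redacts API keys, tokens, and other credentials
-*
-* @param obj - Object to sanitize
-* @param sensitiveKeys - Additional sensitive key names to redact
-* @returns Sanitized object safe for logging
-*
-* @example
-* ```typescript
-* const config = {
-* apiKey: "secret-key-123",
-* timeout: 5000,
-* env: { TOKEN: "bearer-xyz" }
-* };
-*
-* sanitizeForLogging(config)
-* // {
-* // apiKey: "[REDACTED:14]",
-* // timeout: 5000,
-* // env: { TOKEN: "[REDACTED:10]" }
-* // }
-* ```
-*/
 export declare function sanitizeForLogging(obj: any, additionalSensitiveKeys?: string[]): any;
 /**
 * Strip entries with sensitive keys (exact-match) and drop undefined values.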
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,SAAS,GAAE,MAAY,GACtB,MAAM,CAiBR;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE;
|
|
1
|
+
{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,SAAS,GAAE,MAAY,GACtB,MAAM,CAiBR;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE;AA6ED,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,GAAG,EACR,uBAAuB,GAAE,MAAM,EAAO,GACrC,GAAG,CAML;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EACvC,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAWxB"}
|
package/dist/utils/sanitize.js
CHANGED
|
@@ -72,43 +72,54 @@ function sanitizeConversationId(conversationId) {
|
|
|
72
72
|
* // }
|
|
73
73
|
* ```
|
|
74
74
|
*/
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
75
|
+
// Compiled once: substring-matches the default sensitive key names (case-insensitive).
|
|
76
|
+
// Equivalent to `.some(k => lowerKey.includes(k))` over the old array, but a single
|
|
77
|
+
// regex test per key instead of an N-way array scan.
|
|
78
|
+
const DEFAULT_SENSITIVE_KEY_RE = /(anthropic_api_key|api_?key|token|password|secret|authorization|bearer|credentials|private_?key)/i;
|
|
79
|
+
const MAX_SANITIZE_DEPTH = 8;
|
|
80
|
+
function isSensitiveKey(lowerKey, additionalLowered) {
|
|
81
|
+
if (DEFAULT_SENSITIVE_KEY_RE.test(lowerKey))
|
|
82
|
+
return true;
|
|
83
|
+
for (const k of additionalLowered) {
|
|
84
|
+
if (lowerKey.includes(k))
|
|
85
|
+
return true;
|
|
78
86
|
}
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
87
|
+
return false;
|
|
88
|
+
}
|
|
89
|
+
function sanitizeInner(obj, additionalLowered, depth, seen) {
|
|
90
|
+
if (!obj || typeof obj !== "object")
|
|
91
|
+
return obj;
|
|
92
|
+
if (depth >= MAX_SANITIZE_DEPTH)
|
|
93
|
+
return obj;
|
|
94
|
+
// Cycle guard: object graphs with back-references (Express req/res, error
|
|
95
|
+
// .cause chains, ORM rows) would otherwise recurse forever. Depth cap above
|
|
96
|
+
// already bounds stack depth, but returning "[Circular]" gives a more useful
|
|
97
|
+
// log line and avoids cloning the same subtree N times for a graph with
|
|
98
|
+
// multiple paths to the same node.
|
|
99
|
+
if (seen.has(obj))
|
|
100
|
+
return "[Circular]";
|
|
101
|
+
seen.add(obj);
|
|
93
102
|
const sanitized = Array.isArray(obj) ? [...obj] : { ...obj };
|
|
94
103
|
for (const key in sanitized) {
|
|
95
|
-
const
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
104
|
+
const value = sanitized[key];
|
|
105
|
+
if (typeof value === "string") {
|
|
106
|
+
if (isSensitiveKey(key.toLowerCase(), additionalLowered)) {
|
|
107
|
+
sanitized[key] = `[REDACTED:${value.length}]`;
|
|
108
|
+
}
|
|
100
109
|
}
|
|
101
|
-
else if (
|
|
102
|
-
|
|
103
|
-
sanitized[key] = sanitizeForLogging(sanitized[key], additionalSensitiveKeys);
|
|
104
|
-
}
|
|
105
|
-
else if (typeof sanitized[key] === "object") {
|
|
106
|
-
// Recursively sanitize nested objects
|
|
107
|
-
sanitized[key] = sanitizeForLogging(sanitized[key], additionalSensitiveKeys);
|
|
110
|
+
else if (value && typeof value === "object") {
|
|
111
|
+
sanitized[key] = sanitizeInner(value, additionalLowered, depth + 1, seen);
|
|
108
112
|
}
|
|
109
113
|
}
|
|
110
114
|
return sanitized;
|
|
111
115
|
}
|
|
116
|
+
function sanitizeForLogging(obj, additionalSensitiveKeys = []) {
|
|
117
|
+
if (!obj || typeof obj !== "object") {
|
|
118
|
+
return obj;
|
|
119
|
+
}
|
|
120
|
+
const additionalLowered = additionalSensitiveKeys.map((k) => k.toLowerCase());
|
|
121
|
+
return sanitizeInner(obj, additionalLowered, 0, new WeakSet());
|
|
122
|
+
}
|
|
112
123
|
/**
|
|
113
124
|
* Strip entries with sensitive keys (exact-match) and drop undefined values.
|
|
114
125
|
*
|
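Review bot: In `sanitizeInner`, `if (depth >= MAX_SANITIZE_DEPTH) return obj;` hands back the original subtree unredacted, so a credential nested below the depth cap reaches the log in clear; a redactor should fail closed there, for example `return "[Truncated]";` (placeholder text). The `typeof value === "string"` test also means a sensitive key holding an array or object (such as `tokens: [...]`) is only recursed into, where the index keys no longer match, and a non-string secret is left as it is; redacting any value under a matching key before recursing would close that gap. The `seen` set is never unwound, so a node reached by two non-cyclic paths is reported as `"[Circular]"`; the added comment suggests this is intended, but the label is then misleading. The JSDoc block ending at new line 74 now sits above `DEFAULT_SENSITIVE_KEY_RE` rather than `sanitizeForLogging`, which appears to be why the declaration file lost its documentation.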
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":";;AAcA,4CAoBC;AAeD,wDAEC;
|
|
1
|
+
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":";;AAcA,4CAoBC;AAeD,wDAEC;AA6ED,gDASC;AAmBD,4BAcC;AA1KD;;;;;;;;;;;;;GAaG;AACH,SAAgB,gBAAgB,CAC9B,QAAgB,EAChB,YAAoB,GAAG;IAEvB,uCAAuC;IACvC,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IAEtD,uDAAuD;IACvD,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAEnE,kDAAkD;IAClD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,wBAAwB;IACxB,OAAO,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvE,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,cAAc,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,uFAAuF;AACvF,oFAAoF;AACpF,qDAAqD;AACrD,MAAM,wBAAwB,GAC5B,mGAAmG,CAAC;AAEtG,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,SAAS,cAAc,CACrB,QAAgB,EAChB,iBAAoC;IAEpC,IAAI,wBAAwB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAClC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CACpB,GAAQ,EACR,iBAAoC,EACpC,KAAa,EACb,IAAqB;IAErB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAChD,IAAI,KAAK,IAAI,kBAAkB;QAAE,OAAO,GAAG,CAAC;IAC5C,0EAA0E;IAC1E,4EAA4E;IAC5E,6EAA6E;IAC7E,wEAAwE;IACxE,mCAAmC;IACnC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC;QAAE,OAAO,YAAY,CAAC;IACjD,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC,CAAC;IAExB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,CAAC;IAE7D,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,iBAAiB,CAAC,EAAE,CAAC;gBACzD,SAAS,CAAC,GAAG,CAAC,GAAG,aAAa,KAAK,CAAC,MAAM,GAAG,CAAC;YAChD,CAAC;QACH,
CAAC;aAAM,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9C,SAAS,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,KAAK,EAAE,iBAAiB,EAAE,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAgB,kBAAkB,CAChC,GAAQ,EACR,0BAAoC,EAAE;IAEtC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9E,OAAO,aAAa,CAAC,GAAG,EAAE,iBAAiB,EAAE,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,QAAQ,CACtB,GAAuC,EACvC,aAAgC;IAEhC,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAEvC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAClC,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC/B,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACxB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/worker/auth.d.ts
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":"AAMA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,EACtB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GACA,MAAM,CAyBR;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CA6DvE"}
|
package/dist/worker/auth.js
CHANGED
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.generateWorkerToken = generateWorkerToken;
|
|
4
4
|
exports.verifyWorkerToken = verifyWorkerToken;
|
|
5
|
+
const node_crypto_1 = require("node:crypto");
|
|
5
6
|
const logger_1 = require("../logger");
|
|
6
7
|
const encryption_1 = require("../utils/encryption");
|
|
7
8
|
const logger = (0, logger_1.createLogger)("worker-auth");
|
|
@@ -26,6 +27,7 @@ function generateWorkerToken(userId, conversationId, deploymentName, options) {
|
|
|
26
27
|
platform: options.platform,
|
|
27
28
|
sessionKey: options.sessionKey,
|
|
28
29
|
traceId: options.traceId, // Trace ID for observability
|
|
30
|
+
jti: (0, node_crypto_1.randomUUID)(), // Unique token ID for targeted revocation
|
|
29
31
|
};
|
|
30
32
|
// Encrypt the payload
|
|
31
33
|
const encrypted = (0, encryption_1.encrypt)(JSON.stringify(payload));
|
|
@@ -55,11 +57,20 @@ function verifyWorkerToken(token) {
|
|
|
55
57
|
const ttl = !Number.isNaN(parsedTtl) && parsedTtl > 0
|
|
56
58
|
? parsedTtl
|
|
57
59
|
: 2 * 60 * 60 * 1000;
|
|
58
|
-
|
|
60
|
+
// Clock-skew tolerance between gateway and worker; override with WORKER_TOKEN_CLOCK_SKEW_MS.
|
|
61
|
+
const parsedSkew = parseInt(process.env.WORKER_TOKEN_CLOCK_SKEW_MS ?? "", 10);
|
|
62
|
+
const skewMs = !Number.isNaN(parsedSkew) && parsedSkew >= 0 ? parsedSkew : 30 * 1000;
|
|
59
63
|
if (Date.now() - data.timestamp > ttl + skewMs) {
|
|
60
64
|
logger.error("Worker token rejected: expired");
|
|
61
65
|
return null;
|
|
62
66
|
}
|
|
67
|
+
// Also reject tokens whose timestamp is implausibly in the future — a
|
|
68
|
+
// forward skew larger than the tolerance would otherwise grant an
|
|
69
|
+
// effectively unbounded validity window.
|
|
70
|
+
if (data.timestamp - Date.now() > skewMs) {
|
|
71
|
+
logger.error("Worker token rejected: timestamp in the future");
|
|
72
|
+
return null;
|
|
73
|
+
}
|
|
63
74
|
return data;
|
|
64
75
|
}
|
|
65
76
|
catch (error) {
|
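Review bot: `WORKER_TOKEN_CLOCK_SKEW_MS` is accepted with no upper bound in `verifyWorkerToken`: `skewMs` is added to `ttl` in the expiry check and is the only limit on future timestamps, so one oversized value stretches both windows without any log line. Clamping it, for example `Math.min(parsedSkew, MAX_CLOCK_SKEW_MS)` with `MAX_CLOCK_SKEW_MS` a new constant (placeholder name), and warning when the configured value is clamped would keep the tolerance small. Both comparisons are also false when `data.timestamp` is not a finite number, so a `Number.isFinite(data.timestamp)` check before them would make expiry fail closed; whether a check outside the hunk already guarantees the type is not visible here. The new `jti` is commented as being for targeted revocation, but nothing in the shown lines of `verifyWorkerToken` consults it and a token without one would still pass them, so if the revocation lookup lives in a caller a comment should say where.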
package/dist/worker/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":";;AA6BA,kDAsCC;AAKD,8CA6DC;AArID,6CAAyC;AACzC,sCAAyC;AACzC,oDAAuD;AAEvD,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,aAAa,CAAC,CAAC;AAsB3C;;GAEG;AACH,SAAgB,mBAAmB,CACjC,MAAc,EACd,cAAsB,EACtB,cAAsB,EACtB,OAQC;IAED,2BAA2B;IAC3B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAoB;QAC/B,MAAM;QACN,cAAc;QACd,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,+BAA+B;QACvD,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,8CAA8C;QACxE,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,cAAc;QACd,SAAS;QACT,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,6BAA6B;QACvD,GAAG,EAAE,IAAA,wBAAU,GAAE,EAAE,0CAA0C;KAC9D,CAAC;IAEF,sBAAsB;IACtB,MAAM,SAAS,GAAG,IAAA,oBAAO,EAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,oBAAoB;QACpB,MAAM,SAAS,GAAG,IAAA,oBAAO,EAAC,KAAK,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAoB,CAAC;QAEtD,IACE,CAAC,IAAI,CAAC,cAAc;YACpB,CAAC,IAAI,CAAC,MAAM;YACZ,CAAC,IAAI,CAAC,cAAc;YACpB,CAAC,IAAI,CAAC,SAAS,EACf,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,2EAA2E;QAC3E,yEAAyE;QACzE,yCAAyC;QACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACtE,MAAM,GAAG,GACP,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,CAAC;YACvC,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACzB,6FAA6F;QAC7F,MAAM,UAAU,GAAG,QAAQ,CACzB,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,EAAE,EAC5C,EAAE,CACH,CAAC;QACF,MAAM,MAAM,GACV,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC;QACxE,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;YAC/C,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC;QACd,C
AAC;QACD,sEAAsE;QACtE,kEAAkE;QAClE,yCAAyC;QACzC,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,kEAAkE;QAClE,wEAAwE;QACxE,sEAAsE;QACtE,MAAM,CAAC,KAAK,CACV;YACE,GAAG,EACD,KAAK,YAAY,KAAK;gBACpB,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE;gBAC9C,CAAC,CAAC,KAAK;SACZ,EACD,uBAAuB,CACxB,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|