@lobu/core 6.1.1 → 7.1.0
- package/dist/__tests__/agent-policy-harden.test.d.ts +11 -0
- package/dist/__tests__/agent-policy-harden.test.d.ts.map +1 -0
- package/dist/__tests__/agent-policy-harden.test.js +216 -0
- package/dist/__tests__/agent-policy-harden.test.js.map +1 -0
- package/dist/__tests__/agent-store.test.d.ts +8 -0
- package/dist/__tests__/agent-store.test.d.ts.map +1 -0
- package/dist/__tests__/agent-store.test.js +38 -0
- package/dist/__tests__/agent-store.test.js.map +1 -0
- package/dist/__tests__/command-registry.test.d.ts +8 -0
- package/dist/__tests__/command-registry.test.d.ts.map +1 -0
- package/dist/__tests__/command-registry.test.js +188 -0
- package/dist/__tests__/command-registry.test.js.map +1 -0
- package/dist/__tests__/encryption-key-validation.test.d.ts +2 -0
- package/dist/__tests__/encryption-key-validation.test.d.ts.map +1 -0
- package/dist/__tests__/encryption-key-validation.test.js +61 -0
- package/dist/__tests__/encryption-key-validation.test.js.map +1 -0
- package/dist/__tests__/encryption.test.js +2 -0
- package/dist/__tests__/encryption.test.js.map +1 -1
- package/dist/__tests__/errors.test.js +0 -36
- package/dist/__tests__/errors.test.js.map +1 -1
- package/dist/__tests__/guardrails-harden.test.d.ts +16 -0
- package/dist/__tests__/guardrails-harden.test.d.ts.map +1 -0
- package/dist/__tests__/guardrails-harden.test.js +328 -0
- package/dist/__tests__/guardrails-harden.test.js.map +1 -0
- package/dist/__tests__/instruction-provider.test.d.ts +8 -0
- package/dist/__tests__/instruction-provider.test.d.ts.map +1 -0
- package/dist/__tests__/instruction-provider.test.js +129 -0
- package/dist/__tests__/instruction-provider.test.js.map +1 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.d.ts +10 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.d.ts.map +1 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.js +722 -0
- package/dist/__tests__/lobu-toml-schema-harden.test.js.map +1 -0
- package/dist/__tests__/lobu-toml-schema.test.js +40 -5
- package/dist/__tests__/lobu-toml-schema.test.js.map +1 -1
- package/dist/__tests__/network-domains.test.d.ts +9 -0
- package/dist/__tests__/network-domains.test.d.ts.map +1 -0
- package/dist/__tests__/network-domains.test.js +97 -0
- package/dist/__tests__/network-domains.test.js.map +1 -0
- package/dist/__tests__/sanitize.test.js +36 -5
- package/dist/__tests__/sanitize.test.js.map +1 -1
- package/dist/__tests__/utils-env.test.d.ts +8 -0
- package/dist/__tests__/utils-env.test.d.ts.map +1 -0
- package/dist/__tests__/utils-env.test.js +125 -0
- package/dist/__tests__/utils-env.test.js.map +1 -0
- package/dist/__tests__/utils-json.test.d.ts +8 -0
- package/dist/__tests__/utils-json.test.d.ts.map +1 -0
- package/dist/__tests__/utils-json.test.js +114 -0
- package/dist/__tests__/utils-json.test.js.map +1 -0
- package/dist/__tests__/utils-urls.test.d.ts +7 -0
- package/dist/__tests__/utils-urls.test.d.ts.map +1 -0
- package/dist/__tests__/utils-urls.test.js +37 -0
- package/dist/__tests__/utils-urls.test.js.map +1 -0
- package/dist/__tests__/worker-auth.test.js +32 -0
- package/dist/__tests__/worker-auth.test.js.map +1 -1
- package/dist/agent-policy.d.ts.map +1 -1
- package/dist/agent-policy.js +2 -5
- package/dist/agent-policy.js.map +1 -1
- package/dist/agent-store.d.ts +14 -0
- package/dist/agent-store.d.ts.map +1 -1
- package/dist/agent-store.js.map +1 -1
- package/dist/capabilities.d.ts +12 -0
- package/dist/capabilities.d.ts.map +1 -0
- package/dist/capabilities.js +85 -0
- package/dist/capabilities.js.map +1 -0
- package/dist/command-registry.d.ts +4 -0
- package/dist/command-registry.d.ts.map +1 -1
- package/dist/command-registry.js +11 -1
- package/dist/command-registry.js.map +1 -1
- package/dist/errors.d.ts +2 -40
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +17 -72
- package/dist/errors.js.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/lobu-toml-schema.d.ts +23 -8
- package/dist/lobu-toml-schema.d.ts.map +1 -1
- package/dist/lobu-toml-schema.js +31 -5
- package/dist/lobu-toml-schema.js.map +1 -1
- package/dist/logger.d.ts +0 -1
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +4 -7
- package/dist/logger.js.map +1 -1
- package/dist/modules.d.ts.map +1 -1
- package/dist/modules.js +8 -12
- package/dist/modules.js.map +1 -1
- package/dist/utils/encryption.d.ts +2 -0
- package/dist/utils/encryption.d.ts.map +1 -1
- package/dist/utils/encryption.js +41 -11
- package/dist/utils/encryption.js.map +1 -1
- package/dist/utils/json.d.ts +1 -6
- package/dist/utils/json.d.ts.map +1 -1
- package/dist/utils/json.js +5 -23
- package/dist/utils/json.js.map +1 -1
- package/dist/utils/retry.d.ts.map +1 -1
- package/dist/utils/retry.js +29 -5
- package/dist/utils/retry.js.map +1 -1
- package/dist/utils/sanitize.d.ts +0 -24
- package/dist/utils/sanitize.d.ts.map +1 -1
- package/dist/utils/sanitize.js +61 -29
- package/dist/utils/sanitize.js.map +1 -1
- package/dist/worker/auth.d.ts +13 -5
- package/dist/worker/auth.d.ts.map +1 -1
- package/dist/worker/auth.js +45 -28
- package/dist/worker/auth.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/utils/encryption.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/utils/encryption.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyEA,0BAUC;AAKD,0BAcC;AAGD,8EAEC;AA3GD,oDAAsC;AAEtC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,2BAA2B;AAEjD;;;;;GAKG;AACH,6EAA6E;AAC7E,uEAAuE;AACvE,8EAA8E;AAC9E,IAAI,SAA6B,CAAC;AAElC,SAAS,gBAAgB;IACvB,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;IAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,wEAAwE;IACxE,4EAA4E;IAC5E,wDAAwD;IACxD,IAAI,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAChD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1E,SAAS,GAAG,YAAY,CAAC;YACzB,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,8EAA8E;IAC9E,yEAAyE;IACzE,gDAAgD;IAChD,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACpD,IACE,aAAa,CAAC,MAAM,KAAK,EAAE;YAC3B,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,GAAG,EAC3C,CAAC;YACD,SAAS,GAAG,aAAa,CAAC;YAC1B,OAAO,aAAa,CAAC;QACvB,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IACE,SAAS,CAAC,MAAM,KAAK,EAAE;YACvB,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,WAAW,EAAE,EAC/C,CAAC;YACD,SAAS,GAAG,SAAS,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CACb,wEAAwE;QACtE,8EAA8E,CACjF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,OAAO,CAAC,IAAY;IAClC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IACzC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3B,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAA
M,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrF,CAAC;AAED;;GAEG;AACH,SAAgB,OAAO,CAAC,IAAY;IAClC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IACpE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC;QAC9B,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,yFAAyF;AACzF,SAAgB,iCAAiC;IAC/C,SAAS,GAAG,SAAS,CAAC;AACxB,CAAC"}
|
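--- a/package/dist/utils/json.d.ts
+++ b/package/dist/utils/json.d.ts
@@ -3,11 +3,6 @@
 * Returns null on parse failure instead of throwing
 */
 export declare function safeJsonParse<T = unknown>(data: string, fallback?: T | null): T | null;
-/**
-* Safely stringify value to JSON
-* Returns null on stringify failure instead of throwing
-*/
-export declare function safeJsonStringify(value: unknown): string | null;
 /**
 * Round-trip a value through JSON serialization to convert bigint values
 * to plain numbers or strings. Useful for REST API responses where the value
@@ -16,7 +11,7 @@ export declare function safeJsonStringify(value: unknown): string | null;
 export declare function toJsonSafe<T>(value: T): T;
 /**
 * Parse a value that may be a JSON-encoded object (e.g. a jsonb column returned
-* as a string) into a plain object.
+* as a string) into a plain object. Returns `{}` when the input is falsy,
 * not valid JSON, or not a plain object.
 */
 export declare function parseJsonObject(value: unknown): Record<string, unknown>;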
package/dist/utils/json.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,GAAG,OAAO,EACvC,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,CAAC,GAAG,IAAW,GACxB,CAAC,GAAG,IAAI,CAUV;
|
|
1
|
+
{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,GAAG,OAAO,EACvC,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,CAAC,GAAG,IAAW,GACxB,CAAC,GAAG,IAAI,CAUV;AAgBD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,CAEzC;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAavE"}
|
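--- a/package/dist/utils/json.js
+++ b/package/dist/utils/json.js
@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.safeJsonParse = safeJsonParse;
-exports.safeJsonStringify = safeJsonStringify;
 exports.toJsonSafe = toJsonSafe;
 exports.parseJsonObject = parseJsonObject;
 const logger_1 = require("../logger");
@@ -22,21 +21,6 @@ function safeJsonParse(data, fallback = null) {
 return fallback;
 }
 }
-/**
-* Safely stringify value to JSON
-* Returns null on stringify failure instead of throwing
-*/
-function safeJsonStringify(value) {
-try {
-return JSON.stringify(value);
-}
-catch (error) {
-logger.error("JSON stringify failed", {
-error: error instanceof Error ? error.message : String(error),
-});
-return null;
-}
-}
 /**
 * Stringify a value to JSON, converting bigint values to numbers (when safe)
 * or strings. Use this when serializing query results that may contain bigint columns.
@@ -60,25 +44,23 @@ function toJsonSafe(value) {
 }
 /**
 * Parse a value that may be a JSON-encoded object (e.g. a jsonb column returned
-* as a string) into a plain object.
+* as a string) into a plain object. Returns `{}` when the input is falsy,
 * not valid JSON, or not a plain object.
 */
 function parseJsonObject(value) {
 if (!value)
 return {};
+let parsed = value;
 if (typeof value === "string") {
 try {
-
-return parsed && typeof parsed === "object" && !Array.isArray(parsed)
-? parsed
-: {};
+parsed = JSON.parse(value);
 }
 catch {
 return {};
 }
 }
-return typeof
-?
+return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+? parsed
 : {};
 }
 //# sourceMappingURL=json.js.map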
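Review bot: The final check in `parseJsonObject` (`parsed && typeof parsed === "object" && !Array.isArray(parsed)`) admits any non-array object, so when the caller passes a value that is already an object, a Date, Map, Buffer or class instance is returned as if it were the "plain object" the comment promises. If only plain objects are intended, the condition could additionally require `Object.getPrototypeOf(parsed) === Object.prototype`; otherwise the comment should say "non-array object". An object parsed from a JSON string can also carry an own `__proto__` key, which is worth a sentence in the comment for callers that later merge the result into another object.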
package/dist/utils/json.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":";;AAQA,sCAaC;
|
|
1
|
+
{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/utils/json.ts"],"names":[],"mappings":";;AAQA,sCAaC;AAqBD,gCAEC;AAOD,0CAaC;AAhED,sCAAyC;AAEzC,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,YAAY,CAAC,CAAC;AAE1C;;;GAGG;AACH,SAAgB,aAAa,CAC3B,IAAY,EACZ,WAAqB,IAAI;IAEzB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;IAC/B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;YAChC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC7D,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE;QAC/C,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;YAClC,OAAO,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxE,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CAAI,KAAQ;IACpC,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAM,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,MAAM,GAAY,KAAK,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IACD,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QACnE,CAAC,CAAE,MAAkC;QACrC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"retry.d.ts","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,aAAa,GAAG,QAAQ,CAAC;IACpC;;;;;;OAMG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC;IACzD,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CACnD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"retry.d.ts","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,aAAa,GAAG,QAAQ,CAAC;IACpC;;;;;;OAMG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC;IACzD,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CACnD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,CAAC,CAAC,CAuFZ"}
|
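--- a/package/dist/utils/retry.js
+++ b/package/dist/utils/retry.js
@@ -38,9 +38,24 @@ async function retryWithBackoff(fn, options = {}) {
 }
 catch (error) {
 lastError = error;
-// Allow caller to abort on non-retryable errors.
-
-
+// Allow caller to abort on non-retryable errors. A buggy predicate that
+// throws must not mask the real error or skip remaining retries — log and
+// fall back to the default (retry).
+if (shouldRetry) {
+let allowRetry = true;
+try {
+allowRetry = shouldRetry(lastError, attempt + 1);
+}
+catch (predicateError) {
+logger.warn("shouldRetry predicate threw; defaulting to retry", {
+error: predicateError instanceof Error
+? predicateError.message
+: String(predicateError),
+});
+}
+if (!allowRetry) {
+throw lastError;
+}
 }
 if (attempt < maxRetries) {
 // Calculate base delay based on strategy
@@ -63,9 +78,18 @@ async function retryWithBackoff(fn, options = {}) {
 else {
 finalDelay = delay;
 }
-// Notify caller of retry
+// Notify caller of retry — isolate a throwing callback.
 if (onRetry) {
-
+try {
+onRetry(attempt + 1, lastError);
+}
+catch (callbackError) {
+logger.warn("onRetry callback threw", {
+error: callbackError instanceof Error
+? callbackError.message
+: String(callbackError),
+});
+}
 }
 else {
 logger.warn(`Retry attempt ${attempt + 1}/${maxRetries} after ${Math.round(finalDelay)}ms`, { error: lastError.message });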
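Review bot: The default log branch at the end of the second hunk still reads `lastError.message` without a type guard, so if `fn` rejects with `null` or `undefined` that line throws a TypeError inside the catch block and the loop exits with the wrong error, which is the masking this change sets out to prevent for predicates and callbacks. The same guard used for `predicateError` and `callbackError` fits here: `{ error: lastError instanceof Error ? lastError.message : String(lastError) }`. In the first hunk, a throwing `shouldRetry` now fails open to "retry"; the warning would be more useful to an operator if it also carried the attempt number and the original error message, since a predicate meant to stop retries on authentication or non-idempotent failures is silently bypassed in that case. The body of `retryWithBackoff` starts and ends outside both hunks.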
package/dist/utils/retry.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"retry.js","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":";;AAqDA,
|
|
1
|
+
{"version":3,"file":"retry.js","sourceRoot":"","sources":["../../src/utils/retry.ts"],"names":[],"mappings":";;AAqDA,4CA0FC;AA/ID,sCAAyC;AAEzC,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,OAAO,CAAC,CAAC;AAyBrC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACI,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,UAAwB,EAAE;IAE1B,MAAM,EACJ,UAAU,GAAG,CAAC,EACd,SAAS,GAAG,IAAI,EAChB,QAAQ,EACR,QAAQ,GAAG,aAAa,EACxB,MAAM,GAAG,KAAK,EACd,WAAW,EACX,OAAO,GACR,GAAG,OAAO,CAAC;IAEZ,IAAI,SAA4B,CAAC;IAEjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,SAAS,GAAG,KAAc,CAAC;YAE3B,wEAAwE;YACxE,0EAA0E;YAC1E,oCAAoC;YACpC,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,UAAU,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC;oBACH,UAAU,GAAG,WAAW,CAAC,SAAS,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBACnD,CAAC;gBAAC,OAAO,cAAc,EAAE,CAAC;oBACxB,MAAM,CAAC,IAAI,CAAC,kDAAkD,EAAE;wBAC9D,KAAK,EACH,cAAc,YAAY,KAAK;4BAC7B,CAAC,CAAC,cAAc,CAAC,OAAO;4BACxB,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC;qBAC7B,CAAC,CAAC;gBACL,CAAC;gBACD,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,SAAS,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,yCAAyC;gBACzC,IAAI,KAAK,GACP,QAAQ,KAAK,aAAa;oBACxB,CAAC,CAAC,SAAS,GAAG,CAAC,IAAI,OAAO;oBAC1B,CAAC,CAAC,SAAS,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;gBAEhC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;oBAC3B,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACpC,CAAC;gBAED,eAAe;gBACf,IAAI,UAAkB,CAAC;gBACvB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;oBACtB,uEAAuE;oBACvE,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC3C,CAAC;qBAAM,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBAC3B,6BAA6B;oBAC7B,UAAU,GAAG,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC;gBAC5C,CAAC;qBAAM,CAAC;oBACN,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;gBAED,wDAAwD;gBACxD,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACH,OAAO,CAAC,OAAO,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;oBAClC,CAAC;oBAAC,OAAO,aAAa,EAAE,CAAC;wBACvB,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE;4BACpC,KAAK,EACH,aAAa,YAAY,KAAK;gCAC5B,CAAC,CAAC,aAAa,CAAC,OAAO;gCACvB,CAAC,CAAC,MAAM,CAAC,aAAa,CAA
C;yBAC5B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,iBAAiB,OAAO,GAAG,CAAC,IAAI,UAAU,UAAU,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAC9E,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,CAC7B,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,SAAS,CAAC;AAClB,CAAC"}
|
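--- a/package/dist/utils/sanitize.d.ts
+++ b/package/dist/utils/sanitize.d.ts
@@ -27,30 +27,6 @@ export declare function sanitizeFilename(filename: string, maxLength?: number):
 * ```
 */
 export declare function sanitizeConversationId(conversationId: string): string;
-/**
-* Sanitize sensitive data from objects before logging
-* Redacts API keys, tokens, and other credentials
-*
-* @param obj - Object to sanitize
-* @param sensitiveKeys - Additional sensitive key names to redact
-* @returns Sanitized object safe for logging
-*
-* @example
-* ```typescript
-* const config = {
-* apiKey: "secret-key-123",
-* timeout: 5000,
-* env: { TOKEN: "bearer-xyz" }
-* };
-*
-* sanitizeForLogging(config)
-* // {
-* // apiKey: "[REDACTED:14]",
-* // timeout: 5000,
-* // env: { TOKEN: "[REDACTED:10]" }
-* // }
-* ```
-*/
 export declare function sanitizeForLogging(obj: any, additionalSensitiveKeys?: string[]): any;
 /**
 * Strip entries with sensitive keys (exact-match) and drop undefined values.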
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,SAAS,GAAE,MAAY,GACtB,MAAM,CAiBR;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE;
|
|
1
|
+
{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,SAAS,GAAE,MAAY,GACtB,MAAM,CAiBR;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE;AAiGD,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,GAAG,EACR,uBAAuB,GAAE,MAAM,EAAO,GACrC,GAAG,CAML;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EACvC,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAWxB"}
|
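--- a/package/dist/utils/sanitize.js
+++ b/package/dist/utils/sanitize.js
@@ -72,43 +72,75 @@ function sanitizeConversationId(conversationId) {
 * // }
 * ```
 */
-
-
-
+// Compiled once: substring-matches the default sensitive key names (case-insensitive).
+// Equivalent to `.some(k => lowerKey.includes(k))` over the old array, but a single
+// regex test per key instead of an N-way array scan.
+const DEFAULT_SENSITIVE_KEY_RE = /(anthropic_api_key|api_?key|token|password|secret|authorization|bearer|credentials|private_?key)/i;
+const MAX_SANITIZE_DEPTH = 8;
+function isSensitiveKey(lowerKey, additionalLowered) {
+if (DEFAULT_SENSITIVE_KEY_RE.test(lowerKey))
+return true;
+for (const k of additionalLowered) {
+if (lowerKey.includes(k))
+return true;
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+return false;
+}
+function sanitizeInner(obj, additionalLowered, depth, seen) {
+if (!obj || typeof obj !== "object")
+return obj;
+if (depth >= MAX_SANITIZE_DEPTH)
+return obj;
+// Cycle guard: object graphs with back-references (Express req/res, error
+// .cause chains, ORM rows) would otherwise recurse forever. Depth cap above
+// already bounds stack depth, but returning "[Circular]" gives a more useful
+// log line and avoids cloning the same subtree N times for a graph with
+// multiple paths to the same node.
+if (seen.has(obj))
+return "[Circular]";
+seen.add(obj);
 const sanitized = Array.isArray(obj) ? [...obj] : { ...obj };
-for (const key
-
-
-
-
-
+for (const key of Object.keys(sanitized)) {
+// Drop `__proto__` / `constructor` / `prototype` keys entirely instead of
+// reassigning — assignment via `sanitized[key] = ...` on a freshly-spread
+// object normally creates an own data property and does not pollute
+// Object.prototype, but consumers that later `Object.assign(target,
+// sanitized)` would re-trigger the setter. Easier to never propagate
+// these keys through a logging helper.
+if (key === "__proto__" || key === "constructor" || key === "prototype") {
+delete sanitized[key];
+continue;
 }
-
-
-
+const value = sanitized[key];
+const sensitive = isSensitiveKey(key.toLowerCase(), additionalLowered);
+if (sensitive) {
+// Redact regardless of value type. The previous version only redacted
+// strings, so `{ token: 12345 }`, `{ credentials: { raw: "…" } }`, or
+// a Buffer/Uint8Array under a sensitive key sailed through.
+if (typeof value === "string") {
+sanitized[key] = `[REDACTED:${value.length}]`;
+}
+else if (value === null || value === undefined) {
+sanitized[key] = value;
+}
+else {
+sanitized[key] = "[REDACTED]";
+}
+continue;
 }
-
-
-sanitized[key] = sanitizeForLogging(sanitized[key], additionalSensitiveKeys);
+if (value && typeof value === "object") {
+sanitized[key] = sanitizeInner(value, additionalLowered, depth + 1, seen);
 }
 }
 return sanitized;
 }
+function sanitizeForLogging(obj, additionalSensitiveKeys = []) {
+if (!obj || typeof obj !== "object") {
+return obj;
+}
+const additionalLowered = additionalSensitiveKeys.map((k) => k.toLowerCase());
+return sanitizeInner(obj, additionalLowered, 0, new WeakSet());
+}
 /**
 * Strip entries with sensitive keys (exact-match) and drop undefined values.
 *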
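Review bot: At the depth cap, `sanitizeInner` returns the original object untouched (`if (depth >= MAX_SANITIZE_DEPTH) return obj;`), so a sensitive key nested eight or more levels down reaches the log unredacted, and the result also holds a live reference to the un-cloned subtree. Returning a placeholder keeps the bound without that leak, for example `if (depth >= MAX_SANITIZE_DEPTH) return "[MaxDepth]";`. The shared `seen` set also reports any object reachable by two paths as `"[Circular]"` even when no cycle exists; the comment shows this is intended, but a neutral label would avoid misleading whoever reads the log. Finally, the JSDoc block that ends just above the new constant no longer sits directly on `sanitizeForLogging`, which is presumably why the declaration file lost its documentation; moving the comment next to the exported function would restore it.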
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":";;AAcA,4CAoBC;AAeD,wDAEC;
|
|
1
|
+
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/utils/sanitize.ts"],"names":[],"mappings":";;AAcA,4CAoBC;AAeD,wDAEC;AAiGD,gDASC;AAmBD,4BAcC;AA9LD;;;;;;;;;;;;;GAaG;AACH,SAAgB,gBAAgB,CAC9B,QAAgB,EAChB,YAAoB,GAAG;IAEvB,uCAAuC;IACvC,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IAEtD,uDAAuD;IACvD,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAEnE,kDAAkD;IAClD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,wBAAwB;IACxB,OAAO,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvE,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,cAAc,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,uFAAuF;AACvF,oFAAoF;AACpF,qDAAqD;AACrD,MAAM,wBAAwB,GAC5B,mGAAmG,CAAC;AAEtG,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,SAAS,cAAc,CACrB,QAAgB,EAChB,iBAAoC;IAEpC,IAAI,wBAAwB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAClC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CACpB,GAAQ,EACR,iBAAoC,EACpC,KAAa,EACb,IAAqB;IAErB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAChD,IAAI,KAAK,IAAI,kBAAkB;QAAE,OAAO,GAAG,CAAC;IAC5C,0EAA0E;IAC1E,4EAA4E;IAC5E,6EAA6E;IAC7E,wEAAwE;IACxE,mCAAmC;IACnC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC;QAAE,OAAO,YAAY,CAAC;IACjD,IAAI,CAAC,GAAG,CAAC,GAAa,CAAC,CAAC;IAExB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,CAAC;IAE7D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACzC,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,oEAAoE;QACpE,qEAAqE;QACrE,uCAAuC;QACvC,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;YACxE,OAAQ,SAAqC,CAAC,GAAG,CAAC,CAAC;YACnD,SAAS;QACX,C
AAC;QACD,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,iBAAiB,CAAC,CAAC;QACvE,IAAI,SAAS,EAAE,CAAC;YACd,sEAAsE;YACtE,sEAAsE;YACtE,4DAA4D;YAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,SAAS,CAAC,GAAG,CAAC,GAAG,aAAa,KAAK,CAAC,MAAM,GAAG,CAAC;YAChD,CAAC;iBAAM,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACjD,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAChC,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvC,SAAS,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,KAAK,EAAE,iBAAiB,EAAE,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAgB,kBAAkB,CAChC,GAAQ,EACR,0BAAoC,EAAE;IAEtC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9E,OAAO,aAAa,CAAC,GAAG,EAAE,iBAAiB,EAAE,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,QAAQ,CACtB,GAAuC,EACvC,aAAgC;IAEhC,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAEvC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAClC,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC/B,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACxB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
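--- a/package/dist/worker/auth.d.ts
+++ b/package/dist/worker/auth.d.ts
@@ -1,6 +1,6 @@
 /**
-* Worker authentication using encrypted conversation ID
-* Token format: encrypted(
+* Worker authentication using encrypted conversation ID.
+* Token format: encrypted(JSON payload of thread metadata).
 */
 export interface WorkerTokenData {
 userId: string;
@@ -8,20 +8,28 @@ export interface WorkerTokenData {
 channelId: string;
 teamId?: string;
 agentId?: string;
+/**
+* Owning organization of the agent the token was minted for. Used by the
+* HTTP proxy to scope per-tenant caches (e.g. egress-judge verdict cache)
+* so org A's decisions can never satisfy org B's requests. Optional only
+* because some internal/preflight call sites mint tokens before the owning
+* org has been resolved; production agent runs always set it.
+*/
+organizationId?: string;
 connectionId?: string;
 deploymentName: string;
 timestamp: number;
 platform?: string;
 sessionKey?: string;
 traceId?: string;
+/** Unique token ID — enables targeted revocation. */
+jti?: string;
 }
-/**
-* Generate a worker authentication token by encrypting thread metadata
-*/
 export declare function generateWorkerToken(userId: string, conversationId: string, deploymentName: string, options: {
 channelId: string;
 teamId?: string;
 agentId?: string;
+organizationId?: string;
 connectionId?: string;
 platform?: string;
 sessionKey?: string;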
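Review bot: The new doc comment on `organizationId` promises that one org's cached decisions can never satisfy another's, but the field stays optional and the comment does not say what a consumer must do when it is absent. If the proxy keys a cache on an undefined value, tokens minted by the preflight call sites mentioned here could end up sharing one bucket; whether that happens is not visible in this file. I would add a sentence to the comment such as `When undefined, consumers must skip per-tenant caches rather than fall back to a shared key.` The `jti` comment could likewise state that a token without it cannot be revoked individually.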
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":"AAMA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,EACtB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GACA,MAAM,CAsBR;AAaD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAmEvE"}
|
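--- a/package/dist/worker/auth.js
+++ b/package/dist/worker/auth.js
@@ -2,64 +2,81 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateWorkerToken = generateWorkerToken;
 exports.verifyWorkerToken = verifyWorkerToken;
+const node_crypto_1 = require("node:crypto");
 const logger_1 = require("../logger");
 const encryption_1 = require("../utils/encryption");
 const logger = (0, logger_1.createLogger)("worker-auth");
-/**
-* Generate a worker authentication token by encrypting thread metadata
-*/
 function generateWorkerToken(userId, conversationId, deploymentName, options) {
-// Validate required fields
 if (!options.channelId) {
 throw new Error("channelId is required for worker token generation");
 }
-const timestamp = Date.now();
 const payload = {
 userId,
 conversationId,
 channelId: options.channelId,
-teamId: options.teamId,
-agentId: options.agentId,
+teamId: options.teamId,
+agentId: options.agentId,
+organizationId: options.organizationId,
 connectionId: options.connectionId,
 deploymentName,
-timestamp,
+timestamp: Date.now(),
 platform: options.platform,
 sessionKey: options.sessionKey,
-traceId: options.traceId,
+traceId: options.traceId,
+jti: (0, node_crypto_1.randomUUID)(),
 };
-
-
-
+return (0, encryption_1.encrypt)(JSON.stringify(payload));
+}
+function parsePositiveIntEnv(name, fallback, allowZero = false) {
+const raw = parseInt(process.env[name] ?? "", 10);
+if (Number.isNaN(raw))
+return fallback;
+if (allowZero ? raw < 0 : raw <= 0)
+return fallback;
+return raw;
 }
 /**
 * Verify and decrypt a worker authentication token
 */
 function verifyWorkerToken(token) {
 try {
-
-
-
-
+const parsed = JSON.parse((0, encryption_1.decrypt)(token));
+// Decrypted plaintext is attacker-influenced — `as` would coerce `null`,
+// an array, a string, or a number into `WorkerTokenData` and let
+// downstream consumers TypeError off undefined fields. Validate shape
+// before treating it as a payload.
+if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+logger.error("Worker token rejected: payload is not a plain object");
+return null;
+}
+const data = parsed;
+if (typeof data.conversationId !== "string" ||
+!data.conversationId ||
+typeof data.userId !== "string" ||
 !data.userId ||
+typeof data.deploymentName !== "string" ||
 !data.deploymentName ||
+typeof data.timestamp !== "number" ||
 !data.timestamp) {
-logger.error("Worker token rejected: missing required fields");
+logger.error("Worker token rejected: missing or wrongly-typed required fields");
 return null;
 }
-//
-//
-//
-//
-//
-const
-const
-
-
-const skewMs = 30 * 1000;
-if (Date.now() - data.timestamp > ttl + skewMs) {
+// Default TTL 2h (was 24h — a leaked token had no revocation path for a
+// full day). Override via WORKER_TOKEN_TTL_MS. Clock-skew tolerance via
+// WORKER_TOKEN_CLOCK_SKEW_MS. Tokens timestamped further in the future
+// than the skew are rejected too — otherwise forward drift would grant
+// an unbounded validity window.
+const ttl = parsePositiveIntEnv("WORKER_TOKEN_TTL_MS", 2 * 60 * 60 * 1000);
+const skewMs = parsePositiveIntEnv("WORKER_TOKEN_CLOCK_SKEW_MS", 30 * 1000, true);
+const age = Date.now() - data.timestamp;
+if (age > ttl + skewMs) {
 logger.error("Worker token rejected: expired");
 return null;
 }
+if (-age > skewMs) {
+logger.error("Worker token rejected: timestamp in the future");
+return null;
+}
 return data;
 }
 catch (error) {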
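Review bot: `verifyWorkerToken` type-checks only `conversationId`, `userId`, `deploymentName` and `timestamp` before `return data`, so `channelId` (which `generateWorkerToken` refuses to omit) and the two fields this change adds, `organizationId` and `jti`, reach callers unvalidated. Since the new comment treats the decrypted payload as attacker-influenced, I would extend the condition with `typeof data.channelId !== "string" || !data.channelId ||` and reject non-string optionals, e.g. `(data.organizationId !== undefined && typeof data.organizationId !== "string") ||`, with the same form for `jti`. Nothing in the visible part of the function consults `jti`, so the revocation it is meant to enable presumably lives in a caller; a one-line comment above `return data` saying where that check happens would help. The function's `catch` body continues outside the hunk.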
package/dist/worker/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/worker/auth.ts"],"names":[],"mappings":";;AAmCA,kDAoCC;AAgBD,8CAmEC;AA1JD,6CAAyC;AACzC,sCAAyC;AACzC,oDAAuD;AAEvD,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,aAAa,CAAC,CAAC;AA+B3C,SAAgB,mBAAmB,CACjC,MAAc,EACd,cAAsB,EACtB,cAAsB,EACtB,OASC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GAAoB;QAC/B,MAAM;QACN,cAAc;QACd,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,cAAc;QACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,GAAG,EAAE,IAAA,wBAAU,GAAE;KAClB,CAAC;IAEF,OAAO,IAAA,oBAAO,EAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAAY,EACZ,QAAgB,EAChB,SAAS,GAAG,KAAK;IAEjB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAClD,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvC,IAAI,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IACpD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,IAAA,oBAAO,EAAC,KAAK,CAAC,CAAC,CAAC;QAEnD,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,mCAAmC;QACnC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YACrE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,GAAG,MAAyB,CAAC;QAEvC,IACE,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ;YACvC,CAAC,IAAI,CAAC,cAAc;YACpB,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;YAC/B,CAAC,IAAI,CAAC,MAAM;YACZ,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ;YACvC,CAAC,IAAI,CAAC,cAAc;YACpB,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ;YAClC,CAAC,IAAI,CAAC,SAAS,EACf,CAAC;YACD,MAAM,CAAC,KAAK,CACV,iEAAiE,CAClE,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,uEAAuE;QACvE,uEAAuE;QACvE,gCAAgC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,qBAAqB,EA
AE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,mBAAmB,CAChC,4BAA4B,EAC5B,EAAE,GAAG,IAAI,EACT,IAAI,CACL,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QACxC,IAAI,GAAG,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,GAAG,GAAG,MAAM,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,kEAAkE;QAClE,wEAAwE;QACxE,sEAAsE;QACtE,MAAM,CAAC,KAAK,CACV;YACE,GAAG,EACD,KAAK,YAAY,KAAK;gBACpB,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE;gBAC9C,CAAC,CAAC,KAAK;SACZ,EACD,uBAAuB,CACxB,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|