@mondaydotcomorg/atp-providers 0.17.14

package/__tests__/token-expiration.test.ts

@@ -0,0 +1,308 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import type { AuthProvider, UserCredentialData } from '@mondaydotcomorg/atp-protocol';
+
+// Test implementation that mimics production behavior
+class TestAuthProvider implements AuthProvider {
+	name = 'test';
+	private userCredentials = new Map<string, Map<string, UserCredentialData>>();
+
+	async getCredential(key: string): Promise<string | null> {
+		return null;
+	}
+
+	async setCredential(key: string, value: string): Promise<void> {}
+
+	async deleteCredential(key: string): Promise<void> {}
+
+	async getUserCredential(userId: string, provider: string): Promise<UserCredentialData | null> {
+		const userMap = this.userCredentials.get(userId);
+		const creds = userMap?.get(provider);
+
+		if (!creds) {
+			return null;
+		}
+
+		// Check if token has expired
+		if (creds.expiresAt && creds.expiresAt < Date.now()) {
+			// In production, would attempt to refresh here
+			return null;
+		}
+
+		return creds;
+	}
+
+	async setUserCredential(
+		userId: string,
+		provider: string,
+		data: UserCredentialData
+	): Promise<void> {
+		if (!this.userCredentials.has(userId)) {
+			this.userCredentials.set(userId, new Map());
+		}
+		this.userCredentials.get(userId)!.set(provider, data);
+	}
+
+	async deleteUserCredential(userId: string, provider: string): Promise<void> {
+		this.userCredentials.get(userId)?.delete(provider);
+	}
+
+	async listUserProviders(userId: string): Promise<string[]> {
+		const userMap = this.userCredentials.get(userId);
+		return userMap ? Array.from(userMap.keys()) : [];
+	}
+}
+
+describe('Token Expiration Handling', () => {
+	let authProvider: TestAuthProvider;
+
+	beforeEach(() => {
+		authProvider = new TestAuthProvider();
+	});
+
+	describe('getUserCredential with expired token', () => {
+		it('should return null for expired token', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			// Store credential with expired token
+			const expiredTime = Date.now() - 3600000; // 1 hour ago
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'gho_expired_token',
+				scopes: ['repo'],
+				expiresAt: expiredTime,
+			});
+
+			// Should return null due to expiration
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result).toBeNull();
+		});
+
+		it('should return credential for non-expired token', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			// Store credential with valid token
+			const futureTime = Date.now() + 3600000; // 1 hour from now
+			const credentials: UserCredentialData = {
+				token: 'gho_valid_token',
+				scopes: ['repo'],
+				expiresAt: futureTime,
+			};
+
+			await authProvider.setUserCredential(userId, provider, credentials);
+
+			// Should return the credential
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result).toEqual(credentials);
+		});
+
+		it('should return credential when no expiration time set', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			// Store credential without expiration
+			const credentials: UserCredentialData = {
+				token: 'gho_no_expiry_token',
+				scopes: ['repo'],
+			};
+
+			await authProvider.setUserCredential(userId, provider, credentials);
+
+			// Should return the credential
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result).toEqual(credentials);
+		});
+
+		it('should handle token that expires right at current time', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			// Store credential that expires exactly now
+			const nowTime = Date.now();
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'gho_expires_now_token',
+				scopes: ['repo'],
+				expiresAt: nowTime - 1, // Expires 1ms in the past to ensure it's expired
+			});
+
+			// Should return null (expired)
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result).toBeNull();
+		});
+	});
+
+	describe('Token refresh scenarios', () => {
+		it('should store refresh token when provided', async () => {
+			const userId = 'user123';
+			const provider = 'google';
+
+			const credentials: UserCredentialData = {
+				token: 'ya29.access_token',
+				refreshToken: 'refresh_token_here',
+				scopes: ['calendar'],
+				expiresAt: Date.now() + 3600000,
+			};
+
+			await authProvider.setUserCredential(userId, provider, credentials);
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.refreshToken).toBe('refresh_token_here');
+		});
+
+		it('should handle credentials without refresh token', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			const credentials: UserCredentialData = {
+				token: 'gho_token',
+				scopes: ['repo'],
+				expiresAt: Date.now() + 3600000,
+			};
+
+			await authProvider.setUserCredential(userId, provider, credentials);
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.refreshToken).toBeUndefined();
+		});
+	});
+
+	describe('Multiple users with different expiration times', () => {
+		it('should handle different expiration times for different users', async () => {
+			const provider = 'github';
+
+			// User 1: expired token
+			await authProvider.setUserCredential('user1', provider, {
+				token: 'token1',
+				scopes: ['repo'],
+				expiresAt: Date.now() - 1000, // Expired
+			});
+
+			// User 2: valid token
+			await authProvider.setUserCredential('user2', provider, {
+				token: 'token2',
+				scopes: ['repo'],
+				expiresAt: Date.now() + 3600000, // Valid
+			});
+
+			const user1Creds = await authProvider.getUserCredential('user1', provider);
+			const user2Creds = await authProvider.getUserCredential('user2', provider);
+
+			expect(user1Creds).toBeNull(); // Expired
+			expect(user2Creds).not.toBeNull(); // Valid
+			expect(user2Creds?.token).toBe('token2');
+		});
+
+		it('should handle same user with multiple providers at different expiration states', async () => {
+			const userId = 'user123';
+
+			// GitHub: expired
+			await authProvider.setUserCredential(userId, 'github', {
+				token: 'github_token',
+				scopes: ['repo'],
+				expiresAt: Date.now() - 1000,
+			});
+
+			// Google: valid
+			await authProvider.setUserCredential(userId, 'google', {
+				token: 'google_token',
+				scopes: ['calendar'],
+				expiresAt: Date.now() + 3600000,
+			});
+
+			const githubCreds = await authProvider.getUserCredential(userId, 'github');
+			const googleCreds = await authProvider.getUserCredential(userId, 'google');
+
+			expect(githubCreds).toBeNull();
+			expect(googleCreds).not.toBeNull();
+			expect(googleCreds?.token).toBe('google_token');
+		});
+	});
+
+	describe('Token metadata handling', () => {
+		it('should preserve metadata with expired tokens', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'token',
+				scopes: ['repo'],
+				expiresAt: Date.now() + 3600000,
+				metadata: {
+					username: 'octocat',
+					userId: 'github_123',
+				},
+			});
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.metadata).toEqual({
+				username: 'octocat',
+				userId: 'github_123',
+			});
+		});
+
+		it('should handle credentials with complex metadata', async () => {
+			const userId = 'user123';
+			const provider = 'microsoft';
+
+			const complexMetadata = {
+				tenantId: 'tenant-id',
+				objectId: 'object-id',
+				permissions: ['User.Read', 'Mail.Send'],
+				nested: {
+					data: {
+						value: 123,
+					},
+				},
+			};
+
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'token',
+				scopes: ['User.Read'],
+				expiresAt: Date.now() + 3600000,
+				metadata: complexMetadata,
+			});
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.metadata).toEqual(complexMetadata);
+		});
+	});
+
+	describe('Scope management', () => {
+		it('should handle empty scopes array', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'token',
+				scopes: [],
+				expiresAt: Date.now() + 3600000,
+			});
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.scopes).toEqual([]);
+		});
+
+		it('should handle undefined scopes', async () => {
+			const userId = 'user123';
+			const provider = 'github';
+
+			await authProvider.setUserCredential(userId, provider, {
+				token: 'token',
+				expiresAt: Date.now() + 3600000,
+			});
+
+			const result = await authProvider.getUserCredential(userId, provider);
+
+			expect(result?.scopes).toBeUndefined();
+		});
+	});
+});

package/dist/audit/jsonl.d.ts

@@ -0,0 +1,29 @@
+import type { AuditEvent, AuditFilter, AuditSink } from '@mondaydotcomorg/atp-protocol';
+/**
+ * JSONL (JSON Lines) audit sink
+ * Writes audit events to a file, one JSON object per line
+ * Simple, append-only, easy to parse with standard tools
+ */
+export declare class JSONLAuditSink implements AuditSink {
+    name: string;
+    private filePath;
+    private sanitizeSecrets;
+    private buffer;
+    private flushInterval;
+    private batchSize;
+    constructor(options: {
+        filePath: string;
+        sanitizeSecrets?: boolean;
+        batchSize?: number;
+        flushIntervalMs?: number;
+    });
+    write(event: AuditEvent): Promise<void>;
+    writeBatch(events: AuditEvent[]): Promise<void>;
+    query(filter: AuditFilter): Promise<AuditEvent[]>;
+    disconnect(): Promise<void>;
+    private flush;
+    private sanitizeEvent;
+    private sanitizeString;
+    private sanitizeObject;
+}
+//# sourceMappingURL=jsonl.d.ts.map

package/dist/audit/jsonl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonl.d.ts","sourceRoot":"","sources":["../../src/audit/jsonl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAKxF;;;;GAIG;AACH,qBAAa,cAAe,YAAW,SAAS;IAC/C,IAAI,SAAW;IACf,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,aAAa,CAA+B;IACpD,OAAO,CAAC,SAAS,CAAS;gBAEd,OAAO,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,MAAM,CAAC;KACzB;IAuBK,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAYvC,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAa/C,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAqCjD,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;YAUnB,KAAK;IAOnB,OAAO,CAAC,aAAa;IAiBrB,OAAO,CAAC,cAAc;IAoBtB,OAAO,CAAC,cAAc;CA0BtB"}

package/dist/audit/jsonl.js

@@ -0,0 +1,163 @@
+import { appendFile, readFile, mkdir } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname } from 'node:path';
+/**
+ * JSONL (JSON Lines) audit sink
+ * Writes audit events to a file, one JSON object per line
+ * Simple, append-only, easy to parse with standard tools
+ */
+export class JSONLAuditSink {
+    name = 'jsonl';
+    filePath;
+    sanitizeSecrets;
+    buffer = [];
+    flushInterval = null;
+    batchSize;
+    constructor(options) {
+        this.filePath = options.filePath;
+        this.sanitizeSecrets = options.sanitizeSecrets ?? true;
+        this.batchSize = options.batchSize || 10;
+        const dir = dirname(this.filePath);
+        if (!existsSync(dir)) {
+            mkdir(dir, { recursive: true }).catch((err) => {
+                console.error(`Failed to create audit directory: ${err.message}`);
+            });
+        }
+        if (options.flushIntervalMs) {
+            this.flushInterval = setInterval(() => {
+                if (this.buffer.length > 0) {
+                    this.flush().catch((err) => {
+                        console.error(`Failed to flush audit buffer: ${err.message}`);
+                    });
+                }
+            }, options.flushIntervalMs);
+        }
+    }
+    async write(event) {
+        const sanitized = this.sanitizeSecrets ? this.sanitizeEvent(event) : event;
+        const line = JSON.stringify(sanitized) + '\n';
+        try {
+            await appendFile(this.filePath, line, 'utf8');
+        }
+        catch (error) {
+            console.error(`Failed to write audit event: ${error.message}`);
+            throw error;
+        }
+    }
+    async writeBatch(events) {
+        const sanitized = this.sanitizeSecrets ? events.map((e) => this.sanitizeEvent(e)) : events;
+        const lines = sanitized.map((e) => JSON.stringify(e)).join('\n') + '\n';
+        try {
+            await appendFile(this.filePath, lines, 'utf8');
+        }
+        catch (error) {
+            console.error(`Failed to write audit batch: ${error.message}`);
+            throw error;
+        }
+    }
+    async query(filter) {
+        try {
+            const content = await readFile(this.filePath, 'utf8');
+            const lines = content.split('\n').filter((line) => line.trim());
+            const events = lines.map((line) => JSON.parse(line));
+            return events
+                .filter((event) => {
+                if (filter.clientId && event.clientId !== filter.clientId)
+                    return false;
+                if (filter.userId && event.userId !== filter.userId)
+                    return false;
+                if (filter.from && event.timestamp < filter.from)
+                    return false;
+                if (filter.to && event.timestamp > filter.to)
+                    return false;
+                if (filter.resource && event.resource !== filter.resource)
+                    return false;
+                if (filter.eventType) {
+                    const types = Array.isArray(filter.eventType) ? filter.eventType : [filter.eventType];
+                    if (!types.includes(event.eventType))
+                        return false;
+                }
+                if (filter.status) {
+                    const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
+                    if (!statuses.includes(event.status))
+                        return false;
+                }
+                if (filter.minRiskScore && (event.riskScore || 0) < filter.minRiskScore)
+                    return false;
+                return true;
+            })
+                .slice(filter.offset || 0, (filter.offset || 0) + (filter.limit || 100));
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                return [];
+            }
+            throw error;
+        }
+    }
+    async disconnect() {
+        if (this.flushInterval) {
+            clearInterval(this.flushInterval);
+        }
+        if (this.buffer.length > 0) {
+            await this.flush();
+        }
+    }
+    async flush() {
+        if (this.buffer.length === 0)
+            return;
+        await this.writeBatch([...this.buffer]);
+        this.buffer = [];
+    }
+    sanitizeEvent(event) {
+        const sanitized = { ...event };
+        if (sanitized.code) {
+            sanitized.code = this.sanitizeString(sanitized.code);
+        }
+        if (sanitized.input) {
+            sanitized.input = this.sanitizeObject(sanitized.input);
+        }
+        if (sanitized.output) {
+            sanitized.output = this.sanitizeObject(sanitized.output);
+        }
+        return sanitized;
+    }
+    sanitizeString(str) {
+        const patterns = [
+            /api[_-]?key/gi,
+            /secret/gi,
+            /token/gi,
+            /password/gi,
+            /bearer/gi,
+            /authorization/gi,
+        ];
+        for (const pattern of patterns) {
+            str = str.replace(new RegExp(`(${pattern.source})\\s*[:=]\\s*['\"]?([^'\"\\s]+)`, 'gi'), '$1: [REDACTED]');
+        }
+        return str;
+    }
+    sanitizeObject(obj) {
+        if (typeof obj !== 'object' || obj === null) {
+            return obj;
+        }
+        if (Array.isArray(obj)) {
+            return obj.map((item) => this.sanitizeObject(item));
+        }
+        const sanitized = {};
+        const secretPatterns = ['key', 'secret', 'token', 'password', 'bearer', 'auth'];
+        for (const [key, value] of Object.entries(obj)) {
+            const lowerKey = key.toLowerCase();
+            if (secretPatterns.some((pattern) => lowerKey.includes(pattern))) {
+                sanitized[key] = '[REDACTED]';
+            }
+            else if (typeof value === 'object') {
+                sanitized[key] = this.sanitizeObject(value);
+            }
+            else {
+                sanitized[key] = value;
+            }
+        }
+        return sanitized;
+    }
+}
+//# sourceMappingURL=jsonl.js.map

package/dist/audit/jsonl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonl.js","sourceRoot":"","sources":["../../src/audit/jsonl.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC;;;;GAIG;AACH,MAAM,OAAO,cAAc;IAC1B,IAAI,GAAG,OAAO,CAAC;IACP,QAAQ,CAAS;IACjB,eAAe,CAAU;IACzB,MAAM,GAAiB,EAAE,CAAC;IAC1B,aAAa,GAA0B,IAAI,CAAC;IAC5C,SAAS,CAAS;IAE1B,YAAY,OAKX;QACA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,CAAC;QACvD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAEzC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7C,OAAO,CAAC,KAAK,CAAC,qCAAqC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACnE,CAAC,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC7B,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE;gBACrC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC5B,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBAC1B,OAAO,CAAC,KAAK,CAAC,iCAAiC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC/D,CAAC,CAAC,CAAC;gBACJ,CAAC;YACF,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAC7B,CAAC;IACF,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAiB;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;QAE9C,IAAI,CAAC;YACJ,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,gCAAiC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1E,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAoB;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QAE3F,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QAExE,IAAI,CAAC;YACJ,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,gCAAiC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1E,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAmB;QAC9B,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACtD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAChE,MAAM,MAAM,GAAiB,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAEnE,OAAO,MAAM;iBACX,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACjB,IAAI,MAAM,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBACxE,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;oBAAE,OAAO,KAAK,CAAC;gBAClE,IAAI,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,GAAG,MAAM,CAAC,IAAI;oBAAE,OAAO,KAAK,CAAC;gBAC/D,IAAI,MAAM,CAAC,EAAE,IAAI,KAAK,CAAC,SAAS,GAAG,MAAM,CAAC,EAAE;oBAAE,OAAO,KAAK,CAAC;gBAC3D,IAAI,MAAM,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBAExE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;oBACtF,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC;wBAAE,OAAO,KAAK,CAAC;gBACpD,CAAC;gBAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;oBAChF,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;wBAAE,OAAO,KAAK,CAAC;gBACpD,CAAC;gBAED,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,YAAY;oBAAE,OAAO,KAAK,CAAC;gBAEtF,OAAO,IAAI,CAAC;YACb,CAAC,CAAC;iBACD,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxD,OAAO,EAAE,CAAC;YACX,CAAC;YACD,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IAED,KAAK,CAAC,UAAU;QACf,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,KAAK;QAClB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAErC,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;IAClB,CAAC;IAEO,aAAa,CAAC,KAAiB;QACtC,MAAM,SAAS,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;QAE/B,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACpB,SAAS,CAAC,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACrB,SAAS,CAAC,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;YACtB,SAAS,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAEO,cAAc,CAAC,GAAW;QACjC,MAAM,QAAQ,GAAG;YAChB,eAAe;YACf,UAAU;YACV,SAAS;YACT,YAAY;YACZ,UAAU;YACV,iBAAiB;SACjB,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAChC,GAAG,GAAG,GAAG,CAAC,OAAO,CAChB,IAAI,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,iCAAiC,EAAE,IAAI,CAAC,EACrE,gBAAgB,CAChB,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACZ,CAAC;IAEO,cAAc,CAAC,GAAY;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAC7C,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,SAAS,GAA4B,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEhF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAChD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAEnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAClE,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC/B,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACtC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACP,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACxB,CAAC;QACF,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;CACD"}

package/dist/audit/opentelemetry.d.ts

@@ -0,0 +1,23 @@
+import type { AuditSink, AuditEvent } from '@mondaydotcomorg/atp-protocol';
+/**
+ * OpenTelemetry-based audit sink
+ * Provides industry-standard observability with distributed tracing and metrics
+ */
+export declare class OpenTelemetryAuditSink implements AuditSink {
+    name: string;
+    private tracer;
+    private meter;
+    private executionCounter;
+    private toolCallCounter;
+    private llmCallCounter;
+    private approvalCounter;
+    private executionDuration;
+    private toolDuration;
+    write(event: AuditEvent): Promise<void>;
+    writeBatch(events: AuditEvent[]): Promise<void>;
+    private buildAttributes;
+    private handleEvent;
+    private recordMetrics;
+    private flattenObject;
+}
+//# sourceMappingURL=opentelemetry.d.ts.map

package/dist/audit/opentelemetry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"opentelemetry.d.ts","sourceRoot":"","sources":["../../src/audit/opentelemetry.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAY3E;;;GAGG;AACH,qBAAa,sBAAuB,YAAW,SAAS;IACvD,IAAI,SAAmB;IACvB,OAAO,CAAC,MAAM,CAAqC;IACnD,OAAO,CAAC,KAAK,CAAqC;IAElD,OAAO,CAAC,gBAAgB,CAGtB;IAEF,OAAO,CAAC,eAAe,CAGrB;IAEF,OAAO,CAAC,cAAc,CAGpB;IAEF,OAAO,CAAC,eAAe,CAGrB;IAEF,OAAO,CAAC,iBAAiB,CAGvB;IAEF,OAAO,CAAC,YAAY,CAGlB;IAEI,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBvC,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,OAAO,CAAC,eAAe;IAiDvB,OAAO,CAAC,WAAW;IA8EnB,OAAO,CAAC,aAAa;IA6DrB,OAAO,CAAC,aAAa;CAmBrB"}