@mondaydotcomorg/atp-providers 0.17.14

package/dist/oauth/scope-checkers.d.ts

@@ -0,0 +1,61 @@
+import type { ScopeChecker, TokenInfo } from '@mondaydotcomorg/atp-protocol';
+/**
+ * Scope checker registry
+ * Manages scope checkers for different OAuth providers
+ */
+export declare class ScopeCheckerRegistry {
+    private checkers;
+    private scopeCache;
+    private cleanupInterval?;
+    private maxCacheSize;
+    private pendingChecks;
+    constructor();
+    /**
+     * Start periodic cache cleanup
+     */
+    private startCleanup;
+    /**
+     * Stop periodic cache cleanup (for testing or shutdown)
+     */
+    stopCleanup(): void;
+    /**
+     * Remove expired entries from cache
+     */
+    private cleanupExpiredCache;
+    /**
+     * Register a custom scope checker
+     */
+    register(checker: ScopeChecker): void;
+    /**
+     * Check if a scope checker is available for a provider
+     */
+    hasChecker(provider: string): boolean;
+    /**
+     * Get scope checker for a provider
+     */
+    getChecker(provider: string): ScopeChecker | undefined;
+    /**
+     * Check what scopes a token has (with caching and deduplication)
+     * @param provider - Provider name
+     * @param token - Access token
+     * @param cacheTTL - Cache TTL in seconds (default: 3600 = 1 hour)
+     */
+    checkScopes(provider: string, token: string, cacheTTL?: number): Promise<string[]>;
+    /**
+     * Validate if a token is still valid
+     */
+    validateToken(provider: string, token: string): Promise<boolean>;
+    /**
+     * Get complete token information
+     */
+    getTokenInfo(provider: string, token: string): Promise<TokenInfo>;
+    /**
+     * Clear cached scopes
+     */
+    clearCache(provider?: string): void;
+    /**
+     * Hash token for cache key (SHA-256, first 16 chars)
+     */
+    private hashToken;
+}
+//# sourceMappingURL=scope-checkers.d.ts.map

package/dist/oauth/scope-checkers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-checkers.d.ts","sourceRoot":"","sources":["../../src/oauth/scope-checkers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAG7E;;;GAGG;AACH,qBAAa,oBAAoB;IAChC,OAAO,CAAC,QAAQ,CAAmC;IACnD,OAAO,CAAC,UAAU,CAA8D;IAChF,OAAO,CAAC,eAAe,CAAC,CAAiB;IACzC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,aAAa,CAAwC;;IAM7D;;OAEG;IACH,OAAO,CAAC,YAAY;IAapB;;OAEG;IACH,WAAW,IAAI,IAAI;IAOnB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA+B3B;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI;IAIrC;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIrC;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAItD;;;;;OAKG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,SAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAqCtF;;OAEG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAStE;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAiBvE;;OAEG;IACH,UAAU,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI;IAYnC;;OAEG;IACH,OAAO,CAAC,SAAS;CAGjB"}

package/dist/oauth/scope-checkers.js

@@ -0,0 +1,166 @@
+import { createHash } from 'node:crypto';
+/**
+ * Scope checker registry
+ * Manages scope checkers for different OAuth providers
+ */
+export class ScopeCheckerRegistry {
+    checkers = new Map();
+    scopeCache = new Map();
+    cleanupInterval;
+    maxCacheSize = 10000;
+    pendingChecks = new Map();
+    constructor() {
+        this.startCleanup();
+    }
+    /**
+     * Start periodic cache cleanup
+     */
+    startCleanup() {
+        this.cleanupInterval = setInterval(() => {
+            this.cleanupExpiredCache();
+        }, 5 * 60 * 1000);
+        if (this.cleanupInterval.unref) {
+            this.cleanupInterval.unref();
+        }
+    }
+    /**
+     * Stop periodic cache cleanup (for testing or shutdown)
+     */
+    stopCleanup() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = undefined;
+        }
+    }
+    /**
+     * Remove expired entries from cache
+     */
+    cleanupExpiredCache() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [key, value] of this.scopeCache.entries()) {
+            if (value.expiresAt <= now) {
+                this.scopeCache.delete(key);
+                cleaned++;
+            }
+        }
+        if (this.scopeCache.size > this.maxCacheSize) {
+            const entriesToRemove = this.scopeCache.size - this.maxCacheSize;
+            const entries = Array.from(this.scopeCache.entries());
+            entries.sort((a, b) => a[1].expiresAt - b[1].expiresAt);
+            for (let i = 0; i < entriesToRemove; i++) {
+                const entry = entries[i];
+                if (entry) {
+                    this.scopeCache.delete(entry[0]);
+                    cleaned++;
+                }
+            }
+        }
+        if (cleaned > 0) {
+            console.debug(`Cleaned ${cleaned} expired/old scope cache entries`);
+        }
+    }
+    /**
+     * Register a custom scope checker
+     */
+    register(checker) {
+        this.checkers.set(checker.provider, checker);
+    }
+    /**
+     * Check if a scope checker is available for a provider
+     */
+    hasChecker(provider) {
+        return this.checkers.has(provider);
+    }
+    /**
+     * Get scope checker for a provider
+     */
+    getChecker(provider) {
+        return this.checkers.get(provider);
+    }
+    /**
+     * Check what scopes a token has (with caching and deduplication)
+     * @param provider - Provider name
+     * @param token - Access token
+     * @param cacheTTL - Cache TTL in seconds (default: 3600 = 1 hour)
+     */
+    async checkScopes(provider, token, cacheTTL = 3600) {
+        const cacheKey = `${provider}:${this.hashToken(token)}`;
+        const cached = this.scopeCache.get(cacheKey);
+        if (cached && cached.expiresAt > Date.now()) {
+            return cached.scopes;
+        }
+        const pending = this.pendingChecks.get(cacheKey);
+        if (pending) {
+            return pending;
+        }
+        const checker = this.checkers.get(provider);
+        if (!checker) {
+            throw new Error(`No scope checker registered for provider: ${provider}`);
+        }
+        const checkPromise = (async () => {
+            try {
+                const scopes = await checker.check(token);
+                this.scopeCache.set(cacheKey, {
+                    scopes,
+                    expiresAt: Date.now() + cacheTTL * 1000,
+                });
+                return scopes;
+            }
+            finally {
+                this.pendingChecks.delete(cacheKey);
+            }
+        })();
+        this.pendingChecks.set(cacheKey, checkPromise);
+        return checkPromise;
+    }
+    /**
+     * Validate if a token is still valid
+     */
+    async validateToken(provider, token) {
+        const checker = this.checkers.get(provider);
+        if (!checker || !checker.validate) {
+            return true;
+        }
+        return await checker.validate(token);
+    }
+    /**
+     * Get complete token information
+     */
+    async getTokenInfo(provider, token) {
+        const checker = this.checkers.get(provider);
+        if (!checker) {
+            throw new Error(`No scope checker registered for provider: ${provider}`);
+        }
+        const [scopes, valid] = await Promise.all([
+            checker.check(token),
+            checker.validate ? checker.validate(token) : Promise.resolve(true),
+        ]);
+        return {
+            valid,
+            scopes,
+        };
+    }
+    /**
+     * Clear cached scopes
+     */
+    clearCache(provider) {
+        if (provider) {
+            for (const key of this.scopeCache.keys()) {
+                if (key.startsWith(`${provider}:`)) {
+                    this.scopeCache.delete(key);
+                }
+            }
+        }
+        else {
+            this.scopeCache.clear();
+        }
+    }
+    /**
+     * Hash token for cache key (SHA-256, first 16 chars)
+     */
+    hashToken(token) {
+        return createHash('sha256').update(token).digest('hex').substring(0, 16);
+    }
+}
+//# sourceMappingURL=scope-checkers.js.map

package/dist/oauth/scope-checkers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-checkers.js","sourceRoot":"","sources":["../../src/oauth/scope-checkers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IACxB,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC3C,UAAU,GAAG,IAAI,GAAG,EAAmD,CAAC;IACxE,eAAe,CAAkB;IACjC,YAAY,GAAG,KAAK,CAAC;IACrB,aAAa,GAAG,IAAI,GAAG,EAA6B,CAAC;IAE7D;QACC,IAAI,CAAC,YAAY,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACK,YAAY;QACnB,IAAI,CAAC,eAAe,GAAG,WAAW,CACjC,GAAG,EAAE;YACJ,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC5B,CAAC,EACD,CAAC,GAAG,EAAE,GAAG,IAAI,CACb,CAAC;QAEF,IAAI,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC9B,CAAC;IACF,CAAC;IAED;;OAEG;IACH,WAAW;QACV,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC;QAClC,CAAC;IACF,CAAC;IAED;;OAEG;IACK,mBAAmB;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBAC5B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,OAAO,EAAE,CAAC;YACX,CAAC;QACF,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YAC9C,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC;YACjE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;YAEtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAExD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,KAAK,EAAE,CAAC;oBACX,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;oBACjC,OAAO,EAAE,CAAC;gBACX,CAAC;YACF,CAAC;QACF,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YACjB,OAAO,CAAC,KAAK,CAAC,WAAW,OAAO,kCAAkC,CAAC,CAAC;QACrE,CAAC;IACF,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAqB;QAC7B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,QAAgB;QAC1B,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,QAAgB;QAC1B,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB,EAAE,KAAa,EAAE,QAAQ,GAAG,IAAI;QACjE,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAExD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC7C,OAAO,MAAM,CAAC,MAAM,CAAC;QACtB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,OAAO,EAAE,CAAC;YACb,OAAO,OAAO,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,6CAA6C,QAAQ,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,IAAI,CAAC;gBACJ,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAE1C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;oBAC7B,MAAM;oBACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,GAAG,IAAI;iBACvC,CAAC,CAAC;gBAEH,OAAO,MAAM,CAAC;YACf,CAAC;oBAAS,CAAC;gBACV,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrC,CAAC;QACF,CAAC,CAAC,EAAE,CAAC;QAEL,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAC/C,OAAO,YAAY,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,KAAa;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,OAAO,MAAM,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,KAAa;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,6CAA6C,QAAQ,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACzC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC;YACpB,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;SAClE,CAAC,CAAC;QAEH,OAAO;YACN,KAAK;YACL,MAAM;SACN,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,QAAiB;QAC3B,IAAI,QAAQ,EAAE,CAAC;YACd,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC1C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;oBACpC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7B,CAAC;YACF,CAAC;QACF,CAAC;aAAM,CAAC;YACP,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACzB,CAAC;IACF,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,KAAa;QAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;CACD"}

package/package.json

@@ -0,0 +1,26 @@
+{
+	"name": "@mondaydotcomorg/atp-providers",
+	"version": "0.17.14",
+	"description": "Built-in providers for Agent Tool Protocol (cache, auth, audit)",
+	"type": "module",
+	"main": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js"
+		}
+	},
+	"scripts": {
+		"build": "tsc",
+		"clean": "rm -rf dist",
+		"lint": "tsc --noEmit",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@mondaydotcomorg/atp-protocol": "0.17.14"
+	},
+	"devDependencies": {
+		"typescript": "^5.7.2"
+	}
+}

package/project.json

@@ -0,0 +1,31 @@
+{
+	"name": "@mondaydotcomorg/atp-providers",
+	"$schema": "../../node_modules/nx/schemas/project-schema.json",
+	"sourceRoot": "packages/providers/src",
+	"projectType": "library",
+	"targets": {
+		"build": {
+			"executor": "nx:run-commands",
+			"outputs": ["{workspaceRoot}/packages/providers/dist"],
+			"options": {
+				"command": "tsc --build packages/providers/tsconfig.json",
+				"cwd": "{workspaceRoot}"
+			}
+		},
+		"clean": {
+			"executor": "nx:run-commands",
+			"options": {
+				"command": "rm -rf packages/providers/dist"
+			}
+		},
+		"lint": {
+			"executor": "nx:run-commands",
+			"options": {
+				"command": "cd packages/providers && npm run lint"
+			}
+		}
+	},
+	"tags": [
+		"atp-core"
+	]
+}

package/src/audit/jsonl.ts

@@ -0,0 +1,189 @@
+import type { AuditEvent, AuditFilter, AuditSink } from '@mondaydotcomorg/atp-protocol';
+import { appendFile, readFile, mkdir } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname } from 'node:path';
+
+/**
+ * JSONL (JSON Lines) audit sink
+ * Writes audit events to a file, one JSON object per line
+ * Simple, append-only, easy to parse with standard tools
+ */
+export class JSONLAuditSink implements AuditSink {
+	name = 'jsonl';
+	private filePath: string;
+	private sanitizeSecrets: boolean;
+	private buffer: AuditEvent[] = [];
+	private flushInterval: NodeJS.Timeout | null = null;
+	private batchSize: number;
+
+	constructor(options: {
+		filePath: string;
+		sanitizeSecrets?: boolean;
+		batchSize?: number;
+		flushIntervalMs?: number;
+	}) {
+		this.filePath = options.filePath;
+		this.sanitizeSecrets = options.sanitizeSecrets ?? true;
+		this.batchSize = options.batchSize || 10;
+
+		const dir = dirname(this.filePath);
+		if (!existsSync(dir)) {
+			mkdir(dir, { recursive: true }).catch((err) => {
+				console.error(`Failed to create audit directory: ${err.message}`);
+			});
+		}
+
+		if (options.flushIntervalMs) {
+			this.flushInterval = setInterval(() => {
+				if (this.buffer.length > 0) {
+					this.flush().catch((err) => {
+						console.error(`Failed to flush audit buffer: ${err.message}`);
+					});
+				}
+			}, options.flushIntervalMs);
+		}
+	}
+
+	async write(event: AuditEvent): Promise<void> {
+		const sanitized = this.sanitizeSecrets ? this.sanitizeEvent(event) : event;
+		const line = JSON.stringify(sanitized) + '\n';
+
+		try {
+			await appendFile(this.filePath, line, 'utf8');
+		} catch (error) {
+			console.error(`Failed to write audit event: ${(error as Error).message}`);
+			throw error;
+		}
+	}
+
+	async writeBatch(events: AuditEvent[]): Promise<void> {
+		const sanitized = this.sanitizeSecrets ? events.map((e) => this.sanitizeEvent(e)) : events;
+
+		const lines = sanitized.map((e) => JSON.stringify(e)).join('\n') + '\n';
+
+		try {
+			await appendFile(this.filePath, lines, 'utf8');
+		} catch (error) {
+			console.error(`Failed to write audit batch: ${(error as Error).message}`);
+			throw error;
+		}
+	}
+
+	async query(filter: AuditFilter): Promise<AuditEvent[]> {
+		try {
+			const content = await readFile(this.filePath, 'utf8');
+			const lines = content.split('\n').filter((line) => line.trim());
+			const events: AuditEvent[] = lines.map((line) => JSON.parse(line));
+
+			return events
+				.filter((event) => {
+					if (filter.clientId && event.clientId !== filter.clientId) return false;
+					if (filter.userId && event.userId !== filter.userId) return false;
+					if (filter.from && event.timestamp < filter.from) return false;
+					if (filter.to && event.timestamp > filter.to) return false;
+					if (filter.resource && event.resource !== filter.resource) return false;
+
+					if (filter.eventType) {
+						const types = Array.isArray(filter.eventType) ? filter.eventType : [filter.eventType];
+						if (!types.includes(event.eventType)) return false;
+					}
+
+					if (filter.status) {
+						const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
+						if (!statuses.includes(event.status)) return false;
+					}
+
+					if (filter.minRiskScore && (event.riskScore || 0) < filter.minRiskScore) return false;
+
+					return true;
+				})
+				.slice(filter.offset || 0, (filter.offset || 0) + (filter.limit || 100));
+		} catch (error) {
+			if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+				return [];
+			}
+			throw error;
+		}
+	}
+
+	async disconnect(): Promise<void> {
+		if (this.flushInterval) {
+			clearInterval(this.flushInterval);
+		}
+
+		if (this.buffer.length > 0) {
+			await this.flush();
+		}
+	}
+
+	private async flush(): Promise<void> {
+		if (this.buffer.length === 0) return;
+
+		await this.writeBatch([...this.buffer]);
+		this.buffer = [];
+	}
+
+	private sanitizeEvent(event: AuditEvent): AuditEvent {
+		const sanitized = { ...event };
+
+		if (sanitized.code) {
+			sanitized.code = this.sanitizeString(sanitized.code);
+		}
+
+		if (sanitized.input) {
+			sanitized.input = this.sanitizeObject(sanitized.input);
+		}
+		if (sanitized.output) {
+			sanitized.output = this.sanitizeObject(sanitized.output);
+		}
+
+		return sanitized;
+	}
+
+	private sanitizeString(str: string): string {
+		const patterns = [
+			/api[_-]?key/gi,
+			/secret/gi,
+			/token/gi,
+			/password/gi,
+			/bearer/gi,
+			/authorization/gi,
+		];
+
+		for (const pattern of patterns) {
+			str = str.replace(
+				new RegExp(`(${pattern.source})\\s*[:=]\\s*['\"]?([^'\"\\s]+)`, 'gi'),
+				'$1: [REDACTED]'
+			);
+		}
+
+		return str;
+	}
+
+	private sanitizeObject(obj: unknown): unknown {
+		if (typeof obj !== 'object' || obj === null) {
+			return obj;
+		}
+
+		if (Array.isArray(obj)) {
+			return obj.map((item) => this.sanitizeObject(item));
+		}
+
+		const sanitized: Record<string, unknown> = {};
+		const secretPatterns = ['key', 'secret', 'token', 'password', 'bearer', 'auth'];
+
+		for (const [key, value] of Object.entries(obj)) {
+			const lowerKey = key.toLowerCase();
+
+			if (secretPatterns.some((pattern) => lowerKey.includes(pattern))) {
+				sanitized[key] = '[REDACTED]';
+			} else if (typeof value === 'object') {
+				sanitized[key] = this.sanitizeObject(value);
+			} else {
+				sanitized[key] = value;
+			}
+		}
+
+		return sanitized;
+	}
+}