@mondaydotcomorg/atp-providers 0.19.7 → 0.19.8

package/dist/index.cjs

@@ -0,0 +1,1171 @@
+'use strict';
+
+var atpRuntime = require('@mondaydotcomorg/atp-runtime');
+var fs = require('fs');
+var path = require('path');
+var os = require('os');
+var crypto = require('crypto');
+var promises = require('fs/promises');
+var api = require('@opentelemetry/api');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var path__default = /*#__PURE__*/_interopDefault(path);
+var os__default = /*#__PURE__*/_interopDefault(os);
+
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/cache/memory.ts
+var MemoryCache = class {
+  static {
+    __name(this, "MemoryCache");
+  }
+  name = "memory";
+  cache;
+  maxKeys;
+  defaultTTL;
+  constructor(options = {}) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.maxKeys = options.maxKeys || 1e3;
+    this.defaultTTL = options.defaultTTL || 3600;
+  }
+  async get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (entry.expiresAt !== -1 && Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return null;
+    }
+    this.cache.delete(key);
+    this.cache.set(key, entry);
+    return entry.value;
+  }
+  async set(key, value, ttl) {
+    if (this.cache.size >= this.maxKeys && !this.cache.has(key)) {
+      const firstKey = this.cache.keys().next().value;
+      if (firstKey) {
+        this.cache.delete(firstKey);
+      }
+    }
+    const expiresAt = ttl ? Date.now() + ttl * 1e3 : this.defaultTTL > 0 ? Date.now() + this.defaultTTL * 1e3 : -1;
+    this.cache.set(key, {
+      value,
+      expiresAt
+    });
+  }
+  async delete(key) {
+    this.cache.delete(key);
+  }
+  async has(key) {
+    const value = await this.get(key);
+    return value !== null;
+  }
+  async clear(pattern) {
+    if (!pattern) {
+      this.cache.clear();
+      return;
+    }
+    const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+    for (const key of this.cache.keys()) {
+      if (regex.test(key)) {
+        this.cache.delete(key);
+      }
+    }
+  }
+  async mget(keys) {
+    return Promise.all(keys.map((key) => this.get(key)));
+  }
+  async mset(entries) {
+    for (const [key, value, ttl] of entries) {
+      await this.set(key, value, ttl);
+    }
+  }
+  async disconnect() {
+    this.cache.clear();
+  }
+  /** Get cache statistics */
+  getStats() {
+    return {
+      keys: this.cache.size,
+      maxKeys: this.maxKeys,
+      utilization: this.cache.size / this.maxKeys * 100
+    };
+  }
+};
+var RedisCache = class {
+  static {
+    __name(this, "RedisCache");
+  }
+  name = "redis";
+  redis;
+  keyPrefix;
+  defaultTTL;
+  constructor(options) {
+    this.redis = options.redis;
+    this.keyPrefix = options.keyPrefix || "atp:cache:";
+    this.defaultTTL = options.defaultTTL;
+  }
+  getFullKey(key) {
+    return `${this.keyPrefix}${key}`;
+  }
+  async get(key) {
+    try {
+      const value = await this.redis.get(this.getFullKey(key));
+      if (!value) return null;
+      return JSON.parse(value);
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to get key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return null;
+    }
+  }
+  async set(key, value, ttl) {
+    try {
+      const serialized = JSON.stringify(value);
+      const fullKey = this.getFullKey(key);
+      const effectiveTTL = ttl ?? this.defaultTTL;
+      if (effectiveTTL) {
+        await this.redis.setex(fullKey, effectiveTTL, serialized);
+      } else {
+        await this.redis.set(fullKey, serialized);
+      }
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to set key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async delete(key) {
+    try {
+      await this.redis.del(this.getFullKey(key));
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to delete key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async has(key) {
+    try {
+      const exists = await this.redis.exists(this.getFullKey(key));
+      return exists === 1;
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to check key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return false;
+    }
+  }
+  async clear(pattern) {
+    try {
+      if (pattern) {
+        const fullPattern = this.getFullKey(pattern);
+        const keys = await this.redis.keys(fullPattern);
+        if (keys.length > 0) {
+          await this.redis.del(...keys);
+        }
+      } else {
+        const keys = await this.redis.keys(this.getFullKey("*"));
+        if (keys.length > 0) {
+          await this.redis.del(...keys);
+        }
+      }
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to clear cache", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async mget(keys) {
+    try {
+      const fullKeys = keys.map((key) => this.getFullKey(key));
+      const values = await this.redis.mget(...fullKeys);
+      return values.map((value) => value ? JSON.parse(value) : null);
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to mget keys", {
+        error: error instanceof Error ? error.message : error
+      });
+      return keys.map(() => null);
+    }
+  }
+  async mset(entries) {
+    try {
+      const pipeline = this.redis.pipeline();
+      for (const [key, value, ttl] of entries) {
+        const serialized = JSON.stringify(value);
+        const fullKey = this.getFullKey(key);
+        const effectiveTTL = ttl ?? this.defaultTTL;
+        if (effectiveTTL) {
+          pipeline.setex(fullKey, effectiveTTL, serialized);
+        } else {
+          pipeline.set(fullKey, serialized);
+        }
+      }
+      await pipeline.exec();
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to mset entries", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async disconnect() {
+    try {
+      await this.redis.quit();
+    } catch (error) {
+      atpRuntime.log.error("RedisCache failed to disconnect", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+};
+var FileCache = class {
+  static {
+    __name(this, "FileCache");
+  }
+  name = "file";
+  cacheDir;
+  maxKeys;
+  defaultTTL;
+  cleanupInterval;
+  cleanupTimer;
+  initPromise;
+  constructor(options = {}) {
+    this.cacheDir = options.cacheDir || path__default.default.join(os__default.default.tmpdir(), "atp-cache");
+    this.maxKeys = options.maxKeys || 1e3;
+    this.defaultTTL = options.defaultTTL || 3600;
+    this.cleanupInterval = options.cleanupInterval || 300;
+    this.initPromise = this.initialize();
+  }
+  async initialize() {
+    try {
+      await fs.promises.mkdir(this.cacheDir, {
+        recursive: true
+      });
+      this.startCleanup();
+    } catch (error) {
+      atpRuntime.log.error("FileCache failed to initialize cache directory", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async ensureInitialized() {
+    if (this.initPromise) {
+      await this.initPromise;
+    }
+  }
+  getFilePath(key) {
+    const sanitizedKey = key.replace(/[^a-zA-Z0-9_-]/g, "_");
+    return path__default.default.join(this.cacheDir, `${sanitizedKey}.json`);
+  }
+  startCleanup() {
+    if (this.cleanupInterval > 0) {
+      this.cleanupTimer = setInterval(() => {
+        this.cleanExpired().catch((error) => {
+          atpRuntime.log.error("FileCache cleanup error", {
+            error
+          });
+        });
+      }, this.cleanupInterval * 1e3);
+      if (this.cleanupTimer.unref) {
+        this.cleanupTimer.unref();
+      }
+    }
+  }
+  async cleanExpired() {
+    try {
+      await this.ensureInitialized();
+      const files = await fs.promises.readdir(this.cacheDir);
+      const now = Date.now();
+      for (const file of files) {
+        if (!file.endsWith(".json")) continue;
+        const filePath = path__default.default.join(this.cacheDir, file);
+        try {
+          const content = await fs.promises.readFile(filePath, "utf-8");
+          const entry = JSON.parse(content);
+          if (entry.expiresAt !== -1 && now > entry.expiresAt) {
+            await fs.promises.unlink(filePath);
+          }
+        } catch {
+          try {
+            await fs.promises.unlink(filePath);
+          } catch {
+          }
+        }
+      }
+      await this.enforceMaxKeys();
+    } catch (error) {
+      atpRuntime.log.error("FileCache failed to clean expired entries", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async enforceMaxKeys() {
+    try {
+      const files = await fs.promises.readdir(this.cacheDir);
+      const jsonFiles = files.filter((f) => f.endsWith(".json"));
+      if (jsonFiles.length > this.maxKeys) {
+        const fileStats = await Promise.all(jsonFiles.map(async (file) => {
+          const filePath = path__default.default.join(this.cacheDir, file);
+          const stats = await fs.promises.stat(filePath);
+          return {
+            file,
+            mtime: stats.mtime.getTime()
+          };
+        }));
+        fileStats.sort((a, b) => a.mtime - b.mtime);
+        const toDelete = fileStats.slice(0, jsonFiles.length - this.maxKeys);
+        await Promise.all(toDelete.map((item) => {
+          const filePath = path__default.default.join(this.cacheDir, item.file);
+          return fs.promises.unlink(filePath).catch(() => {
+          });
+        }));
+      }
+    } catch (error) {
+      atpRuntime.log.error("FileCache failed to enforce max keys", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async get(key) {
+    try {
+      await this.ensureInitialized();
+      const filePath = this.getFilePath(key);
+      const content = await fs.promises.readFile(filePath, "utf-8");
+      const entry = JSON.parse(content);
+      if (entry.expiresAt !== -1 && Date.now() > entry.expiresAt) {
+        await this.delete(key);
+        return null;
+      }
+      return entry.value;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      atpRuntime.log.error("FileCache failed to get key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return null;
+    }
+  }
+  async set(key, value, ttl) {
+    try {
+      await this.ensureInitialized();
+      await this.enforceMaxKeys();
+      const expiresAt = ttl ? Date.now() + ttl * 1e3 : this.defaultTTL > 0 ? Date.now() + this.defaultTTL * 1e3 : -1;
+      const entry = {
+        value,
+        expiresAt
+      };
+      const filePath = this.getFilePath(key);
+      await fs.promises.writeFile(filePath, JSON.stringify(entry), "utf-8");
+    } catch (error) {
+      atpRuntime.log.error("FileCache failed to set key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async delete(key) {
+    try {
+      await this.ensureInitialized();
+      const filePath = this.getFilePath(key);
+      await fs.promises.unlink(filePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        atpRuntime.log.error("FileCache failed to delete key", {
+          key,
+          error: error instanceof Error ? error.message : error
+        });
+      }
+    }
+  }
+  async has(key) {
+    const value = await this.get(key);
+    return value !== null;
+  }
+  async clear(pattern) {
+    try {
+      await this.ensureInitialized();
+      const files = await fs.promises.readdir(this.cacheDir);
+      if (!pattern) {
+        await Promise.all(files.filter((f) => f.endsWith(".json")).map((file) => {
+          const filePath = path__default.default.join(this.cacheDir, file);
+          return fs.promises.unlink(filePath).catch(() => {
+          });
+        }));
+        return;
+      }
+      const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+      for (const file of files) {
+        if (!file.endsWith(".json")) continue;
+        const keyBase = file.replace(".json", "");
+        if (regex.test(keyBase)) {
+          const filePath = path__default.default.join(this.cacheDir, file);
+          await fs.promises.unlink(filePath).catch(() => {
+          });
+        }
+      }
+    } catch (error) {
+      atpRuntime.log.error("FileCache failed to clear cache", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async mget(keys) {
+    return Promise.all(keys.map((key) => this.get(key)));
+  }
+  async mset(entries) {
+    await Promise.all(entries.map(([key, value, ttl]) => this.set(key, value, ttl)));
+  }
+  async disconnect() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = void 0;
+    }
+  }
+  /** Get cache statistics */
+  async getStats() {
+    try {
+      await this.ensureInitialized();
+      const files = await fs.promises.readdir(this.cacheDir);
+      const jsonFiles = files.filter((f) => f.endsWith(".json"));
+      let totalSize = 0;
+      for (const file of jsonFiles) {
+        const filePath = path__default.default.join(this.cacheDir, file);
+        try {
+          const stats = await fs.promises.stat(filePath);
+          totalSize += stats.size;
+        } catch {
+        }
+      }
+      return {
+        keys: jsonFiles.length,
+        maxKeys: this.maxKeys,
+        utilization: jsonFiles.length / this.maxKeys * 100,
+        sizeBytes: totalSize,
+        cacheDir: this.cacheDir
+      };
+    } catch (error) {
+      atpRuntime.log.error("[FileCache] Failed to get stats:", error);
+      return {
+        keys: 0,
+        maxKeys: this.maxKeys,
+        utilization: 0,
+        sizeBytes: 0,
+        cacheDir: this.cacheDir
+      };
+    }
+  }
+  /** Manually trigger cleanup of expired entries */
+  async cleanup() {
+    await this.cleanExpired();
+  }
+};
+
+// src/auth/env.ts
+var EnvAuthProvider = class {
+  static {
+    __name(this, "EnvAuthProvider");
+  }
+  name = "env";
+  prefix;
+  credentials;
+  constructor(options = {}) {
+    this.prefix = options.prefix || "ATP_";
+    this.credentials = /* @__PURE__ */ new Map();
+    if (options.credentials) {
+      for (const [key, value] of Object.entries(options.credentials)) {
+        this.credentials.set(key, value);
+      }
+    }
+  }
+  async getCredential(key) {
+    if (this.credentials.has(key)) {
+      return this.credentials.get(key) || null;
+    }
+    const envValue = process.env[key] || process.env[`${this.prefix}${key}`];
+    return envValue || null;
+  }
+  async setCredential(key, value, _ttl) {
+    this.credentials.set(key, value);
+  }
+  async deleteCredential(key) {
+    this.credentials.delete(key);
+  }
+  async listCredentials() {
+    const keys = /* @__PURE__ */ new Set();
+    for (const key of this.credentials.keys()) {
+      keys.add(key);
+    }
+    for (const key of Object.keys(process.env)) {
+      if (key.startsWith(this.prefix)) {
+        keys.add(key.substring(this.prefix.length));
+      }
+    }
+    return Array.from(keys);
+  }
+  async disconnect() {
+    this.credentials.clear();
+  }
+};
+var ScopeCheckerRegistry = class {
+  static {
+    __name(this, "ScopeCheckerRegistry");
+  }
+  checkers = /* @__PURE__ */ new Map();
+  scopeCache = /* @__PURE__ */ new Map();
+  cleanupInterval;
+  maxCacheSize = 1e4;
+  pendingChecks = /* @__PURE__ */ new Map();
+  constructor() {
+    this.startCleanup();
+  }
+  /**
+  * Start periodic cache cleanup
+  */
+  startCleanup() {
+    this.cleanupInterval = setInterval(() => {
+      this.cleanupExpiredCache();
+    }, 5 * 60 * 1e3);
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
+  }
+  /**
+  * Stop periodic cache cleanup (for testing or shutdown)
+  */
+  stopCleanup() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = void 0;
+    }
+  }
+  /**
+  * Remove expired entries from cache
+  */
+  cleanupExpiredCache() {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [key, value] of this.scopeCache.entries()) {
+      if (value.expiresAt <= now) {
+        this.scopeCache.delete(key);
+        cleaned++;
+      }
+    }
+    if (this.scopeCache.size > this.maxCacheSize) {
+      const entriesToRemove = this.scopeCache.size - this.maxCacheSize;
+      const entries = Array.from(this.scopeCache.entries());
+      entries.sort((a, b) => a[1].expiresAt - b[1].expiresAt);
+      for (let i = 0; i < entriesToRemove; i++) {
+        const entry = entries[i];
+        if (entry) {
+          this.scopeCache.delete(entry[0]);
+          cleaned++;
+        }
+      }
+    }
+    if (cleaned > 0) {
+      atpRuntime.log.debug(`Cleaned ${cleaned} expired/old scope cache entries`);
+    }
+  }
+  /**
+  * Register a custom scope checker
+  */
+  register(checker) {
+    this.checkers.set(checker.provider, checker);
+  }
+  /**
+  * Check if a scope checker is available for a provider
+  */
+  hasChecker(provider) {
+    return this.checkers.has(provider);
+  }
+  /**
+  * Get scope checker for a provider
+  */
+  getChecker(provider) {
+    return this.checkers.get(provider);
+  }
+  /**
+  * Check what scopes a token has (with caching and deduplication)
+  * @param provider - Provider name
+  * @param token - Access token
+  * @param cacheTTL - Cache TTL in seconds (default: 3600 = 1 hour)
+  */
+  async checkScopes(provider, token, cacheTTL = 3600) {
+    const cacheKey = `${provider}:${this.hashToken(token)}`;
+    const cached = this.scopeCache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.scopes;
+    }
+    const pending = this.pendingChecks.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
+    const checker = this.checkers.get(provider);
+    if (!checker) {
+      throw new Error(`No scope checker registered for provider: ${provider}`);
+    }
+    const checkPromise = (async () => {
+      try {
+        const scopes = await checker.check(token);
+        this.scopeCache.set(cacheKey, {
+          scopes,
+          expiresAt: Date.now() + cacheTTL * 1e3
+        });
+        return scopes;
+      } finally {
+        this.pendingChecks.delete(cacheKey);
+      }
+    })();
+    this.pendingChecks.set(cacheKey, checkPromise);
+    return checkPromise;
+  }
+  /**
+  * Validate if a token is still valid
+  */
+  async validateToken(provider, token) {
+    const checker = this.checkers.get(provider);
+    if (!checker || !checker.validate) {
+      return true;
+    }
+    return await checker.validate(token);
+  }
+  /**
+  * Get complete token information
+  */
+  async getTokenInfo(provider, token) {
+    const checker = this.checkers.get(provider);
+    if (!checker) {
+      throw new Error(`No scope checker registered for provider: ${provider}`);
+    }
+    const [scopes, valid] = await Promise.all([
+      checker.check(token),
+      checker.validate ? checker.validate(token) : Promise.resolve(true)
+    ]);
+    return {
+      valid,
+      scopes
+    };
+  }
+  /**
+  * Clear cached scopes
+  */
+  clearCache(provider) {
+    if (provider) {
+      for (const key of this.scopeCache.keys()) {
+        if (key.startsWith(`${provider}:`)) {
+          this.scopeCache.delete(key);
+        }
+      }
+    } else {
+      this.scopeCache.clear();
+    }
+  }
+  /**
+  * Hash token for cache key (SHA-256, first 16 chars)
+  */
+  hashToken(token) {
+    return crypto.createHash("sha256").update(token).digest("hex").substring(0, 16);
+  }
+};
+var JSONLAuditSink = class {
+  static {
+    __name(this, "JSONLAuditSink");
+  }
+  name = "jsonl";
+  filePath;
+  sanitizeSecrets;
+  buffer = [];
+  flushInterval = null;
+  batchSize;
+  constructor(options) {
+    this.filePath = options.filePath;
+    this.sanitizeSecrets = options.sanitizeSecrets ?? true;
+    this.batchSize = options.batchSize || 10;
+    const dir = path.dirname(this.filePath);
+    if (!fs.existsSync(dir)) {
+      promises.mkdir(dir, {
+        recursive: true
+      }).catch((err) => {
+        atpRuntime.log.error("Failed to create audit directory", {
+          error: err.message
+        });
+      });
+    }
+    if (options.flushIntervalMs) {
+      this.flushInterval = setInterval(() => {
+        if (this.buffer.length > 0) {
+          this.flush().catch((err) => {
+            atpRuntime.log.error("Failed to flush audit buffer", {
+              error: err.message
+            });
+          });
+        }
+      }, options.flushIntervalMs);
+    }
+  }
+  async write(event) {
+    const sanitized = this.sanitizeSecrets ? this.sanitizeEvent(event) : event;
+    const line = JSON.stringify(sanitized) + "\n";
+    try {
+      await promises.appendFile(this.filePath, line, "utf8");
+    } catch (error) {
+      atpRuntime.log.error("Failed to write audit event", {
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  async writeBatch(events) {
+    const sanitized = this.sanitizeSecrets ? events.map((e) => this.sanitizeEvent(e)) : events;
+    const lines = sanitized.map((e) => JSON.stringify(e)).join("\n") + "\n";
+    try {
+      await promises.appendFile(this.filePath, lines, "utf8");
+    } catch (error) {
+      atpRuntime.log.error("Failed to write audit batch", {
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  async query(filter) {
+    try {
+      const content = await promises.readFile(this.filePath, "utf8");
+      const lines = content.split("\n").filter((line) => line.trim());
+      const events = lines.map((line) => JSON.parse(line));
+      return events.filter((event) => {
+        if (filter.clientId && event.clientId !== filter.clientId) return false;
+        if (filter.userId && event.userId !== filter.userId) return false;
+        if (filter.from && event.timestamp < filter.from) return false;
+        if (filter.to && event.timestamp > filter.to) return false;
+        if (filter.resource && event.resource !== filter.resource) return false;
+        if (filter.eventType) {
+          const types = Array.isArray(filter.eventType) ? filter.eventType : [
+            filter.eventType
+          ];
+          if (!types.includes(event.eventType)) return false;
+        }
+        if (filter.status) {
+          const statuses = Array.isArray(filter.status) ? filter.status : [
+            filter.status
+          ];
+          if (!statuses.includes(event.status)) return false;
+        }
+        if (filter.minRiskScore && (event.riskScore || 0) < filter.minRiskScore) return false;
+        return true;
+      }).slice(filter.offset || 0, (filter.offset || 0) + (filter.limit || 100));
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return [];
+      }
+      throw error;
+    }
+  }
+  async disconnect() {
+    if (this.flushInterval) {
+      clearInterval(this.flushInterval);
+    }
+    if (this.buffer.length > 0) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    await this.writeBatch([
+      ...this.buffer
+    ]);
+    this.buffer = [];
+  }
+  sanitizeEvent(event) {
+    const sanitized = {
+      ...event
+    };
+    if (sanitized.code) {
+      sanitized.code = this.sanitizeString(sanitized.code);
+    }
+    if (sanitized.input) {
+      sanitized.input = this.sanitizeObject(sanitized.input);
+    }
+    if (sanitized.output) {
+      sanitized.output = this.sanitizeObject(sanitized.output);
+    }
+    return sanitized;
+  }
+  sanitizeString(str) {
+    const patterns = [
+      /api[_-]?key/gi,
+      /secret/gi,
+      /token/gi,
+      /password/gi,
+      /bearer/gi,
+      /authorization/gi
+    ];
+    for (const pattern of patterns) {
+      str = str.replace(new RegExp(`(${pattern.source})\\s*[:=]\\s*['"]?([^'"\\s]+)`, "gi"), "$1: [REDACTED]");
+    }
+    return str;
+  }
+  sanitizeObject(obj) {
+    if (typeof obj !== "object" || obj === null) {
+      return obj;
+    }
+    if (Array.isArray(obj)) {
+      return obj.map((item) => this.sanitizeObject(item));
+    }
+    const sanitized = {};
+    const secretPatterns = [
+      "key",
+      "secret",
+      "token",
+      "password",
+      "bearer",
+      "auth"
+    ];
+    for (const [key, value] of Object.entries(obj)) {
+      const lowerKey = key.toLowerCase();
+      if (secretPatterns.some((pattern) => lowerKey.includes(pattern))) {
+        sanitized[key] = "[REDACTED]";
+      } else if (typeof value === "object") {
+        sanitized[key] = this.sanitizeObject(value);
+      } else {
+        sanitized[key] = value;
+      }
+    }
+    return sanitized;
+  }
+};
+
+// src/audit/otel-metrics.ts
+exports.OTelCounter = void 0;
+(function(OTelCounter2) {
+  OTelCounter2["EXECUTIONS_TOTAL"] = "atp.executions.total";
+  OTelCounter2["TOOLS_CALLS"] = "atp.tools.calls";
+  OTelCounter2["LLM_CALLS"] = "atp.llm.calls";
+  OTelCounter2["APPROVALS_TOTAL"] = "atp.approvals.total";
+  OTelCounter2["SECURITY_EVENTS"] = "atp.security.events";
+})(exports.OTelCounter || (exports.OTelCounter = {}));
+exports.OTelHistogram = void 0;
+(function(OTelHistogram2) {
+  OTelHistogram2["EXECUTION_DURATION"] = "atp.execution.duration";
+  OTelHistogram2["TOOL_DURATION"] = "atp.tool.duration";
+})(exports.OTelHistogram || (exports.OTelHistogram = {}));
+exports.OTelSpan = void 0;
+(function(OTelSpan2) {
+  OTelSpan2["EXECUTION_START"] = "atp.execution.start";
+  OTelSpan2["EXECUTION_COMPLETE"] = "atp.execution.complete";
+  OTelSpan2["EXECUTION_PAUSE"] = "atp.execution.pause";
+  OTelSpan2["EXECUTION_RESUME"] = "atp.execution.resume";
+  OTelSpan2["EXECUTION_ERROR"] = "atp.execution.error";
+  OTelSpan2["TOOL_CALL"] = "atp.tool_call";
+  OTelSpan2["LLM_CALL"] = "atp.llm_call";
+  OTelSpan2["APPROVAL_REQUEST"] = "atp.approval.request";
+  OTelSpan2["APPROVAL_RESPONSE"] = "atp.approval.response";
+  OTelSpan2["CLIENT_INIT"] = "atp.client_init";
+  OTelSpan2["ERROR"] = "atp.error";
+})(exports.OTelSpan || (exports.OTelSpan = {}));
+exports.OTelAttribute = void 0;
+(function(OTelAttribute2) {
+  OTelAttribute2["EVENT_ID"] = "atp.event.id";
+  OTelAttribute2["EVENT_TYPE"] = "atp.event.type";
+  OTelAttribute2["EVENT_ACTION"] = "atp.event.action";
+  OTelAttribute2["TIMESTAMP"] = "atp.timestamp";
+  OTelAttribute2["CLIENT_ID"] = "atp.client.id";
+  OTelAttribute2["USER_ID"] = "atp.user.id";
+  OTelAttribute2["IP_ADDRESS"] = "atp.ip_address";
+  OTelAttribute2["USER_AGENT"] = "atp.user_agent";
+  OTelAttribute2["STATUS"] = "atp.status";
+  OTelAttribute2["RESOURCE"] = "atp.resource";
+  OTelAttribute2["RESOURCE_ID"] = "atp.resource.id";
+  OTelAttribute2["TOOL_NAME"] = "atp.tool.name";
+  OTelAttribute2["TOOL_INPUT_SIZE"] = "tool.input_size";
+  OTelAttribute2["TOOL_OUTPUT_SIZE"] = "tool.output_size";
+  OTelAttribute2["API_GROUP"] = "atp.api.group";
+  OTelAttribute2["DURATION_MS"] = "atp.duration_ms";
+  OTelAttribute2["MEMORY_BYTES"] = "atp.memory_bytes";
+  OTelAttribute2["LLM_CALLS"] = "atp.llm_calls";
+  OTelAttribute2["HTTP_CALLS"] = "atp.http_calls";
+  OTelAttribute2["RISK_SCORE"] = "atp.security.risk_score";
+  OTelAttribute2["SECURITY_EVENTS"] = "atp.security.events";
+  OTelAttribute2["SECURITY_EVENTS_COUNT"] = "atp.security.events_count";
+  OTelAttribute2["ERROR_MESSAGE"] = "atp.error.message";
+  OTelAttribute2["ERROR_CODE"] = "atp.error.code";
+  OTelAttribute2["ERROR_STACK"] = "atp.error.stack";
+})(exports.OTelAttribute || (exports.OTelAttribute = {}));
+var METRIC_CONFIGS = {
+  ["atp.executions.total"]: {
+    description: "Total number of executions",
+    unit: "1"
+  },
+  ["atp.tools.calls"]: {
+    description: "Tool call count",
+    unit: "1"
+  },
+  ["atp.llm.calls"]: {
+    description: "LLM call count",
+    unit: "1"
+  },
+  ["atp.approvals.total"]: {
+    description: "Approval request count",
+    unit: "1"
+  },
+  ["atp.security.events"]: {
+    description: "Security events count",
+    unit: "1"
+  },
+  ["atp.execution.duration"]: {
+    description: "Execution duration in milliseconds",
+    unit: "ms"
+  },
+  ["atp.tool.duration"]: {
+    description: "Tool execution duration",
+    unit: "ms"
+  }
+};
+var OTEL_SERVICE_NAME = "agent-tool-protocol";
+var OTEL_TRACER_NAME = "agent-tool-protocol";
+var OTEL_METER_NAME = "agent-tool-protocol";
+var ATTRIBUTE_PREFIX_TOOL = "atp.tool";
+var ATTRIBUTE_PREFIX_METADATA = "atp.metadata";
+
+// src/audit/opentelemetry.ts
+var OpenTelemetryAuditSink = class {
+  static {
+    __name(this, "OpenTelemetryAuditSink");
+  }
+  name = "opentelemetry";
+  tracer = api.trace.getTracer(OTEL_TRACER_NAME);
+  meter = api.metrics.getMeter(OTEL_METER_NAME);
+  executionCounter = this.meter.createCounter(exports.OTelCounter.EXECUTIONS_TOTAL, METRIC_CONFIGS[exports.OTelCounter.EXECUTIONS_TOTAL]);
+  toolCallCounter = this.meter.createCounter(exports.OTelCounter.TOOLS_CALLS, METRIC_CONFIGS[exports.OTelCounter.TOOLS_CALLS]);
+  llmCallCounter = this.meter.createCounter(exports.OTelCounter.LLM_CALLS, METRIC_CONFIGS[exports.OTelCounter.LLM_CALLS]);
+  approvalCounter = this.meter.createCounter(exports.OTelCounter.APPROVALS_TOTAL, METRIC_CONFIGS[exports.OTelCounter.APPROVALS_TOTAL]);
+  executionDuration = this.meter.createHistogram(exports.OTelHistogram.EXECUTION_DURATION, METRIC_CONFIGS[exports.OTelHistogram.EXECUTION_DURATION]);
+  toolDuration = this.meter.createHistogram(exports.OTelHistogram.TOOL_DURATION, METRIC_CONFIGS[exports.OTelHistogram.TOOL_DURATION]);
+  async write(event) {
+    const span = this.tracer.startSpan(`atp.${event.eventType}.${event.action}`, {
+      attributes: this.buildAttributes(event)
+    });
+    await api.context.with(api.trace.setSpan(api.context.active(), span), async () => {
+      try {
+        this.handleEvent(span, event);
+        this.recordMetrics(event);
+        span.setStatus({
+          code: api.SpanStatusCode.OK
+        });
+      } catch (error) {
+        span.setStatus({
+          code: api.SpanStatusCode.ERROR,
+          message: error.message
+        });
+        span.recordException(error);
+      } finally {
+        span.end();
+      }
+    });
+  }
+  async writeBatch(events) {
+    await Promise.all(events.map((event) => this.write(event)));
+  }
+  buildAttributes(event) {
+    const attrs = {
+      [exports.OTelAttribute.EVENT_ID]: event.eventId,
+      [exports.OTelAttribute.EVENT_TYPE]: event.eventType,
+      [exports.OTelAttribute.EVENT_ACTION]: event.action,
+      [exports.OTelAttribute.TIMESTAMP]: event.timestamp,
+      [exports.OTelAttribute.CLIENT_ID]: event.clientId,
+      [exports.OTelAttribute.STATUS]: event.status
+    };
+    if (event.userId) attrs[exports.OTelAttribute.USER_ID] = event.userId;
+    if (event.ipAddress) attrs[exports.OTelAttribute.IP_ADDRESS] = event.ipAddress;
+    if (event.userAgent) attrs[exports.OTelAttribute.USER_AGENT] = event.userAgent;
+    if (event.resource) attrs[exports.OTelAttribute.RESOURCE] = event.resource;
+    if (event.resourceId) attrs[exports.OTelAttribute.RESOURCE_ID] = event.resourceId;
+    if (event.toolName) attrs[exports.OTelAttribute.TOOL_NAME] = event.toolName;
+    if (event.apiGroup) attrs[exports.OTelAttribute.API_GROUP] = event.apiGroup;
+    if (event.duration !== void 0) attrs[exports.OTelAttribute.DURATION_MS] = event.duration;
+    if (event.memoryUsed !== void 0) attrs[exports.OTelAttribute.MEMORY_BYTES] = event.memoryUsed;
+    if (event.llmCallsCount !== void 0) attrs[exports.OTelAttribute.LLM_CALLS] = event.llmCallsCount;
+    if (event.httpCallsCount !== void 0) attrs[exports.OTelAttribute.HTTP_CALLS] = event.httpCallsCount;
+    if (event.riskScore !== void 0) attrs[exports.OTelAttribute.RISK_SCORE] = event.riskScore;
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      attrs[exports.OTelAttribute.SECURITY_EVENTS] = JSON.stringify(event.securityEvents);
+      attrs[exports.OTelAttribute.SECURITY_EVENTS_COUNT] = event.securityEvents.length;
+    }
+    if (event.error) {
+      attrs[exports.OTelAttribute.ERROR_MESSAGE] = event.error.message;
+      if (event.error.code) attrs[exports.OTelAttribute.ERROR_CODE] = event.error.code;
+      if (event.error.stack) attrs[exports.OTelAttribute.ERROR_STACK] = event.error.stack;
+    }
+    if (event.annotations) {
+      Object.assign(attrs, this.flattenObject(event.annotations, ATTRIBUTE_PREFIX_TOOL));
+    }
+    if (event.metadata) {
+      Object.assign(attrs, this.flattenObject(event.metadata, ATTRIBUTE_PREFIX_METADATA));
+    }
+    return attrs;
+  }
+  handleEvent(span, event) {
+    switch (event.eventType) {
+      case "execution":
+        if (event.action === "start") {
+          span.addEvent("Execution started", {
+            "client.id": event.clientId,
+            "resource.id": event.resourceId
+          });
+        } else if (event.action === "complete") {
+          span.addEvent("Execution completed", {
+            duration_ms: event.duration,
+            status: event.status,
+            llm_calls: event.llmCallsCount
+          });
+        } else if (event.action === "pause") {
+          span.addEvent("Execution paused", {
+            status: event.status
+          });
+        } else if (event.action === "resume") {
+          span.addEvent("Execution resumed", {
+            "resource.id": event.resourceId
+          });
+        }
+        break;
+      case "tool_call":
+        span.addEvent(`Tool ${event.action}`, {
+          "tool.name": event.toolName,
+          "api.group": event.apiGroup,
+          duration_ms: event.duration
+        });
+        if (event.input) {
+          span.setAttribute(exports.OTelAttribute.TOOL_INPUT_SIZE, JSON.stringify(event.input).length);
+        }
+        if (event.output) {
+          span.setAttribute(exports.OTelAttribute.TOOL_OUTPUT_SIZE, JSON.stringify(event.output).length);
+        }
+        break;
+      case "llm_call":
+        span.addEvent("LLM call", {
+          duration_ms: event.duration
+        });
+        break;
+      case "approval":
+        span.addEvent(`Approval ${event.action}`, {
+          "tool.name": event.toolName
+        });
+        break;
+      case "error":
+        if (event.error) {
+          span.addEvent("Error occurred", {
+            "error.message": event.error.message,
+            "error.code": event.error.code
+          });
+          span.recordException(new Error(event.error.message));
+        }
+        break;
+      case "client_init":
+        span.addEvent("Client initialized", {
+          "client.id": event.clientId
+        });
+        break;
+    }
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      for (const secEvent of event.securityEvents) {
+        span.addEvent("Security event", {
+          "security.event": secEvent,
+          "security.risk_score": event.riskScore
+        });
+      }
+    }
+  }
+  recordMetrics(event) {
+    const commonAttrs = {
+      client_id: event.clientId,
+      event_type: event.eventType,
+      status: event.status
+    };
+    switch (event.eventType) {
+      case "execution":
+        this.executionCounter.add(1, {
+          ...commonAttrs,
+          action: event.action
+        });
+        if (event.duration !== void 0) {
+          this.executionDuration.record(event.duration, {
+            ...commonAttrs,
+            action: event.action
+          });
+        }
+        break;
+      case "tool_call":
+        this.toolCallCounter.add(1, {
+          ...commonAttrs,
+          tool_name: event.toolName,
+          api_group: event.apiGroup
+        });
+        if (event.duration !== void 0) {
+          this.toolDuration.record(event.duration, {
+            ...commonAttrs,
+            tool_name: event.toolName
+          });
+        }
+        break;
+      case "llm_call":
+        this.llmCallCounter.add(1, commonAttrs);
+        break;
+      case "approval":
+        this.approvalCounter.add(1, {
+          ...commonAttrs,
+          action: event.action
+        });
+        break;
+    }
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      const securityEventCounter = this.meter.createCounter(exports.OTelCounter.SECURITY_EVENTS, METRIC_CONFIGS[exports.OTelCounter.SECURITY_EVENTS]);
+      securityEventCounter.add(event.securityEvents.length, {
+        ...commonAttrs,
+        risk_score: event.riskScore
+      });
+    }
+  }
+  flattenObject(obj, prefix) {
+    const result = {};
+    if (!obj || typeof obj !== "object") return result;
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = `${prefix}.${key}`;
+      if (value === null || value === void 0) {
+        continue;
+      }
+      if (typeof value === "object" && !Array.isArray(value)) {
+        Object.assign(result, this.flattenObject(value, fullKey));
+      } else if (Array.isArray(value)) {
+        result[fullKey] = JSON.stringify(value);
+      } else {
+        result[fullKey] = value;
+      }
+    }
+    return result;
+  }
+};
+
+exports.ATTRIBUTE_PREFIX_METADATA = ATTRIBUTE_PREFIX_METADATA;
+exports.ATTRIBUTE_PREFIX_TOOL = ATTRIBUTE_PREFIX_TOOL;
+exports.EnvAuthProvider = EnvAuthProvider;
+exports.FileCache = FileCache;
+exports.JSONLAuditSink = JSONLAuditSink;
+exports.METRIC_CONFIGS = METRIC_CONFIGS;
+exports.MemoryCache = MemoryCache;
+exports.OTEL_METER_NAME = OTEL_METER_NAME;
+exports.OTEL_SERVICE_NAME = OTEL_SERVICE_NAME;
+exports.OTEL_TRACER_NAME = OTEL_TRACER_NAME;
+exports.OpenTelemetryAuditSink = OpenTelemetryAuditSink;
+exports.RedisCache = RedisCache;
+exports.ScopeCheckerRegistry = ScopeCheckerRegistry;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map