npm - @mondaydotcomorg/atp-providers - Versions diffs - 0.19.7 → 0.19.9 - Mend

@mondaydotcomorg/atp-providers 0.19.7 → 0.19.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,1152 @@
-export { MemoryCache } from './cache/memory.js';
-export { RedisCache } from './cache/redis.js';
-export { FileCache } from './cache/file.js';
-export { EnvAuthProvider } from './auth/env.js';
-export * from './oauth/index.js';
-export { JSONLAuditSink } from './audit/jsonl.js';
-export { OpenTelemetryAuditSink } from './audit/opentelemetry.js';
-export { OTelCounter, OTelHistogram, OTelSpan, OTelAttribute, METRIC_CONFIGS, OTEL_SERVICE_NAME, OTEL_TRACER_NAME, OTEL_METER_NAME, ATTRIBUTE_PREFIX_TOOL, ATTRIBUTE_PREFIX_METADATA, } from './audit/otel-metrics.js';
+import { log } from '@mondaydotcomorg/atp-runtime';
+import { promises, existsSync } from 'fs';
+import path, { dirname } from 'path';
+import os from 'os';
+import { createHash } from 'crypto';
+import { mkdir, appendFile, readFile } from 'fs/promises';
+import { trace, metrics, context, SpanStatusCode } from '@opentelemetry/api';
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+// src/cache/memory.ts
+var MemoryCache = class {
+  static {
+    __name(this, "MemoryCache");
+  }
+  name = "memory";
+  cache;
+  maxKeys;
+  defaultTTL;
+  constructor(options = {}) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.maxKeys = options.maxKeys || 1e3;
+    this.defaultTTL = options.defaultTTL || 3600;
+  }
+  async get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (entry.expiresAt !== -1 && Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return null;
+    }
+    this.cache.delete(key);
+    this.cache.set(key, entry);
+    return entry.value;
+  }
+  async set(key, value, ttl) {
+    if (this.cache.size >= this.maxKeys && !this.cache.has(key)) {
+      const firstKey = this.cache.keys().next().value;
+      if (firstKey) {
+        this.cache.delete(firstKey);
+      }
+    }
+    const expiresAt = ttl ? Date.now() + ttl * 1e3 : this.defaultTTL > 0 ? Date.now() + this.defaultTTL * 1e3 : -1;
+    this.cache.set(key, {
+      value,
+      expiresAt
+    });
+  }
+  async delete(key) {
+    this.cache.delete(key);
+  }
+  async has(key) {
+    const value = await this.get(key);
+    return value !== null;
+  }
+  async clear(pattern) {
+    if (!pattern) {
+      this.cache.clear();
+      return;
+    }
+    const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+    for (const key of this.cache.keys()) {
+      if (regex.test(key)) {
+        this.cache.delete(key);
+      }
+    }
+  }
+  async mget(keys) {
+    return Promise.all(keys.map((key) => this.get(key)));
+  }
+  async mset(entries) {
+    for (const [key, value, ttl] of entries) {
+      await this.set(key, value, ttl);
+    }
+  }
+  async disconnect() {
+    this.cache.clear();
+  }
+  /** Get cache statistics */
+  getStats() {
+    return {
+      keys: this.cache.size,
+      maxKeys: this.maxKeys,
+      utilization: this.cache.size / this.maxKeys * 100
+    };
+  }
+};
+var RedisCache = class {
+  static {
+    __name(this, "RedisCache");
+  }
+  name = "redis";
+  redis;
+  keyPrefix;
+  defaultTTL;
+  constructor(options) {
+    this.redis = options.redis;
+    this.keyPrefix = options.keyPrefix || "atp:cache:";
+    this.defaultTTL = options.defaultTTL;
+  }
+  getFullKey(key) {
+    return `${this.keyPrefix}${key}`;
+  }
+  async get(key) {
+    try {
+      const value = await this.redis.get(this.getFullKey(key));
+      if (!value) return null;
+      return JSON.parse(value);
+    } catch (error) {
+      log.error("RedisCache failed to get key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return null;
+    }
+  }
+  async set(key, value, ttl) {
+    try {
+      const serialized = JSON.stringify(value);
+      const fullKey = this.getFullKey(key);
+      const effectiveTTL = ttl ?? this.defaultTTL;
+      if (effectiveTTL) {
+        await this.redis.setex(fullKey, effectiveTTL, serialized);
+      } else {
+        await this.redis.set(fullKey, serialized);
+      }
+    } catch (error) {
+      log.error("RedisCache failed to set key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async delete(key) {
+    try {
+      await this.redis.del(this.getFullKey(key));
+    } catch (error) {
+      log.error("RedisCache failed to delete key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async has(key) {
+    try {
+      const exists = await this.redis.exists(this.getFullKey(key));
+      return exists === 1;
+    } catch (error) {
+      log.error("RedisCache failed to check key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return false;
+    }
+  }
+  async clear(pattern) {
+    try {
+      if (pattern) {
+        const fullPattern = this.getFullKey(pattern);
+        const keys = await this.redis.keys(fullPattern);
+        if (keys.length > 0) {
+          await this.redis.del(...keys);
+        }
+      } else {
+        const keys = await this.redis.keys(this.getFullKey("*"));
+        if (keys.length > 0) {
+          await this.redis.del(...keys);
+        }
+      }
+    } catch (error) {
+      log.error("RedisCache failed to clear cache", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async mget(keys) {
+    try {
+      const fullKeys = keys.map((key) => this.getFullKey(key));
+      const values = await this.redis.mget(...fullKeys);
+      return values.map((value) => value ? JSON.parse(value) : null);
+    } catch (error) {
+      log.error("RedisCache failed to mget keys", {
+        error: error instanceof Error ? error.message : error
+      });
+      return keys.map(() => null);
+    }
+  }
+  async mset(entries) {
+    try {
+      const pipeline = this.redis.pipeline();
+      for (const [key, value, ttl] of entries) {
+        const serialized = JSON.stringify(value);
+        const fullKey = this.getFullKey(key);
+        const effectiveTTL = ttl ?? this.defaultTTL;
+        if (effectiveTTL) {
+          pipeline.setex(fullKey, effectiveTTL, serialized);
+        } else {
+          pipeline.set(fullKey, serialized);
+        }
+      }
+      await pipeline.exec();
+    } catch (error) {
+      log.error("RedisCache failed to mset entries", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async disconnect() {
+    try {
+      await this.redis.quit();
+    } catch (error) {
+      log.error("RedisCache failed to disconnect", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+};
+var FileCache = class {
+  static {
+    __name(this, "FileCache");
+  }
+  name = "file";
+  cacheDir;
+  maxKeys;
+  defaultTTL;
+  cleanupInterval;
+  cleanupTimer;
+  initPromise;
+  constructor(options = {}) {
+    this.cacheDir = options.cacheDir || path.join(os.tmpdir(), "atp-cache");
+    this.maxKeys = options.maxKeys || 1e3;
+    this.defaultTTL = options.defaultTTL || 3600;
+    this.cleanupInterval = options.cleanupInterval || 300;
+    this.initPromise = this.initialize();
+  }
+  async initialize() {
+    try {
+      await promises.mkdir(this.cacheDir, {
+        recursive: true
+      });
+      this.startCleanup();
+    } catch (error) {
+      log.error("FileCache failed to initialize cache directory", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async ensureInitialized() {
+    if (this.initPromise) {
+      await this.initPromise;
+    }
+  }
+  getFilePath(key) {
+    const sanitizedKey = key.replace(/[^a-zA-Z0-9_-]/g, "_");
+    return path.join(this.cacheDir, `${sanitizedKey}.json`);
+  }
+  startCleanup() {
+    if (this.cleanupInterval > 0) {
+      this.cleanupTimer = setInterval(() => {
+        this.cleanExpired().catch((error) => {
+          log.error("FileCache cleanup error", {
+            error
+          });
+        });
+      }, this.cleanupInterval * 1e3);
+      if (this.cleanupTimer.unref) {
+        this.cleanupTimer.unref();
+      }
+    }
+  }
+  async cleanExpired() {
+    try {
+      await this.ensureInitialized();
+      const files = await promises.readdir(this.cacheDir);
+      const now = Date.now();
+      for (const file of files) {
+        if (!file.endsWith(".json")) continue;
+        const filePath = path.join(this.cacheDir, file);
+        try {
+          const content = await promises.readFile(filePath, "utf-8");
+          const entry = JSON.parse(content);
+          if (entry.expiresAt !== -1 && now > entry.expiresAt) {
+            await promises.unlink(filePath);
+          }
+        } catch {
+          try {
+            await promises.unlink(filePath);
+          } catch {
+          }
+        }
+      }
+      await this.enforceMaxKeys();
+    } catch (error) {
+      log.error("FileCache failed to clean expired entries", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async enforceMaxKeys() {
+    try {
+      const files = await promises.readdir(this.cacheDir);
+      const jsonFiles = files.filter((f) => f.endsWith(".json"));
+      if (jsonFiles.length > this.maxKeys) {
+        const fileStats = await Promise.all(jsonFiles.map(async (file) => {
+          const filePath = path.join(this.cacheDir, file);
+          const stats = await promises.stat(filePath);
+          return {
+            file,
+            mtime: stats.mtime.getTime()
+          };
+        }));
+        fileStats.sort((a, b) => a.mtime - b.mtime);
+        const toDelete = fileStats.slice(0, jsonFiles.length - this.maxKeys);
+        await Promise.all(toDelete.map((item) => {
+          const filePath = path.join(this.cacheDir, item.file);
+          return promises.unlink(filePath).catch(() => {
+          });
+        }));
+      }
+    } catch (error) {
+      log.error("FileCache failed to enforce max keys", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async get(key) {
+    try {
+      await this.ensureInitialized();
+      const filePath = this.getFilePath(key);
+      const content = await promises.readFile(filePath, "utf-8");
+      const entry = JSON.parse(content);
+      if (entry.expiresAt !== -1 && Date.now() > entry.expiresAt) {
+        await this.delete(key);
+        return null;
+      }
+      return entry.value;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      log.error("FileCache failed to get key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+      return null;
+    }
+  }
+  async set(key, value, ttl) {
+    try {
+      await this.ensureInitialized();
+      await this.enforceMaxKeys();
+      const expiresAt = ttl ? Date.now() + ttl * 1e3 : this.defaultTTL > 0 ? Date.now() + this.defaultTTL * 1e3 : -1;
+      const entry = {
+        value,
+        expiresAt
+      };
+      const filePath = this.getFilePath(key);
+      await promises.writeFile(filePath, JSON.stringify(entry), "utf-8");
+    } catch (error) {
+      log.error("FileCache failed to set key", {
+        key,
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async delete(key) {
+    try {
+      await this.ensureInitialized();
+      const filePath = this.getFilePath(key);
+      await promises.unlink(filePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        log.error("FileCache failed to delete key", {
+          key,
+          error: error instanceof Error ? error.message : error
+        });
+      }
+    }
+  }
+  async has(key) {
+    const value = await this.get(key);
+    return value !== null;
+  }
+  async clear(pattern) {
+    try {
+      await this.ensureInitialized();
+      const files = await promises.readdir(this.cacheDir);
+      if (!pattern) {
+        await Promise.all(files.filter((f) => f.endsWith(".json")).map((file) => {
+          const filePath = path.join(this.cacheDir, file);
+          return promises.unlink(filePath).catch(() => {
+          });
+        }));
+        return;
+      }
+      const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+      for (const file of files) {
+        if (!file.endsWith(".json")) continue;
+        const keyBase = file.replace(".json", "");
+        if (regex.test(keyBase)) {
+          const filePath = path.join(this.cacheDir, file);
+          await promises.unlink(filePath).catch(() => {
+          });
+        }
+      }
+    } catch (error) {
+      log.error("FileCache failed to clear cache", {
+        error: error instanceof Error ? error.message : error
+      });
+    }
+  }
+  async mget(keys) {
+    return Promise.all(keys.map((key) => this.get(key)));
+  }
+  async mset(entries) {
+    await Promise.all(entries.map(([key, value, ttl]) => this.set(key, value, ttl)));
+  }
+  async disconnect() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = void 0;
+    }
+  }
+  /** Get cache statistics */
+  async getStats() {
+    try {
+      await this.ensureInitialized();
+      const files = await promises.readdir(this.cacheDir);
+      const jsonFiles = files.filter((f) => f.endsWith(".json"));
+      let totalSize = 0;
+      for (const file of jsonFiles) {
+        const filePath = path.join(this.cacheDir, file);
+        try {
+          const stats = await promises.stat(filePath);
+          totalSize += stats.size;
+        } catch {
+        }
+      }
+      return {
+        keys: jsonFiles.length,
+        maxKeys: this.maxKeys,
+        utilization: jsonFiles.length / this.maxKeys * 100,
+        sizeBytes: totalSize,
+        cacheDir: this.cacheDir
+      };
+    } catch (error) {
+      log.error("[FileCache] Failed to get stats:", error);
+      return {
+        keys: 0,
+        maxKeys: this.maxKeys,
+        utilization: 0,
+        sizeBytes: 0,
+        cacheDir: this.cacheDir
+      };
+    }
+  }
+  /** Manually trigger cleanup of expired entries */
+  async cleanup() {
+    await this.cleanExpired();
+  }
+};
+// src/auth/env.ts
+var EnvAuthProvider = class {
+  static {
+    __name(this, "EnvAuthProvider");
+  }
+  name = "env";
+  prefix;
+  credentials;
+  constructor(options = {}) {
+    this.prefix = options.prefix || "ATP_";
+    this.credentials = /* @__PURE__ */ new Map();
+    if (options.credentials) {
+      for (const [key, value] of Object.entries(options.credentials)) {
+        this.credentials.set(key, value);
+      }
+    }
+  }
+  async getCredential(key) {
+    if (this.credentials.has(key)) {
+      return this.credentials.get(key) || null;
+    }
+    const envValue = process.env[key] || process.env[`${this.prefix}${key}`];
+    return envValue || null;
+  }
+  async setCredential(key, value, _ttl) {
+    this.credentials.set(key, value);
+  }
+  async deleteCredential(key) {
+    this.credentials.delete(key);
+  }
+  async listCredentials() {
+    const keys = /* @__PURE__ */ new Set();
+    for (const key of this.credentials.keys()) {
+      keys.add(key);
+    }
+    for (const key of Object.keys(process.env)) {
+      if (key.startsWith(this.prefix)) {
+        keys.add(key.substring(this.prefix.length));
+      }
+    }
+    return Array.from(keys);
+  }
+  async disconnect() {
+    this.credentials.clear();
+  }
+};
+var ScopeCheckerRegistry = class {
+  static {
+    __name(this, "ScopeCheckerRegistry");
+  }
+  checkers = /* @__PURE__ */ new Map();
+  scopeCache = /* @__PURE__ */ new Map();
+  cleanupInterval;
+  maxCacheSize = 1e4;
+  pendingChecks = /* @__PURE__ */ new Map();
+  constructor() {
+    this.startCleanup();
+  }
+  /**
+  * Start periodic cache cleanup
+  */
+  startCleanup() {
+    this.cleanupInterval = setInterval(() => {
+      this.cleanupExpiredCache();
+    }, 5 * 60 * 1e3);
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
+  }
+  /**
+  * Stop periodic cache cleanup (for testing or shutdown)
+  */
+  stopCleanup() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = void 0;
+    }
+  }
+  /**
+  * Remove expired entries from cache
+  */
+  cleanupExpiredCache() {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [key, value] of this.scopeCache.entries()) {
+      if (value.expiresAt <= now) {
+        this.scopeCache.delete(key);
+        cleaned++;
+      }
+    }
+    if (this.scopeCache.size > this.maxCacheSize) {
+      const entriesToRemove = this.scopeCache.size - this.maxCacheSize;
+      const entries = Array.from(this.scopeCache.entries());
+      entries.sort((a, b) => a[1].expiresAt - b[1].expiresAt);
+      for (let i = 0; i < entriesToRemove; i++) {
+        const entry = entries[i];
+        if (entry) {
+          this.scopeCache.delete(entry[0]);
+          cleaned++;
+        }
+      }
+    }
+    if (cleaned > 0) {
+      log.debug(`Cleaned ${cleaned} expired/old scope cache entries`);
+    }
+  }
+  /**
+  * Register a custom scope checker
+  */
+  register(checker) {
+    this.checkers.set(checker.provider, checker);
+  }
+  /**
+  * Check if a scope checker is available for a provider
+  */
+  hasChecker(provider) {
+    return this.checkers.has(provider);
+  }
+  /**
+  * Get scope checker for a provider
+  */
+  getChecker(provider) {
+    return this.checkers.get(provider);
+  }
+  /**
+  * Check what scopes a token has (with caching and deduplication)
+  * @param provider - Provider name
+  * @param token - Access token
+  * @param cacheTTL - Cache TTL in seconds (default: 3600 = 1 hour)
+  */
+  async checkScopes(provider, token, cacheTTL = 3600) {
+    const cacheKey = `${provider}:${this.hashToken(token)}`;
+    const cached = this.scopeCache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.scopes;
+    }
+    const pending = this.pendingChecks.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
+    const checker = this.checkers.get(provider);
+    if (!checker) {
+      throw new Error(`No scope checker registered for provider: ${provider}`);
+    }
+    const checkPromise = (async () => {
+      try {
+        const scopes = await checker.check(token);
+        this.scopeCache.set(cacheKey, {
+          scopes,
+          expiresAt: Date.now() + cacheTTL * 1e3
+        });
+        return scopes;
+      } finally {
+        this.pendingChecks.delete(cacheKey);
+      }
+    })();
+    this.pendingChecks.set(cacheKey, checkPromise);
+    return checkPromise;
+  }
+  /**
+  * Validate if a token is still valid
+  */
+  async validateToken(provider, token) {
+    const checker = this.checkers.get(provider);
+    if (!checker || !checker.validate) {
+      return true;
+    }
+    return await checker.validate(token);
+  }
+  /**
+  * Get complete token information
+  */
+  async getTokenInfo(provider, token) {
+    const checker = this.checkers.get(provider);
+    if (!checker) {
+      throw new Error(`No scope checker registered for provider: ${provider}`);
+    }
+    const [scopes, valid] = await Promise.all([
+      checker.check(token),
+      checker.validate ? checker.validate(token) : Promise.resolve(true)
+    ]);
+    return {
+      valid,
+      scopes
+    };
+  }
+  /**
+  * Clear cached scopes
+  */
+  clearCache(provider) {
+    if (provider) {
+      for (const key of this.scopeCache.keys()) {
+        if (key.startsWith(`${provider}:`)) {
+          this.scopeCache.delete(key);
+        }
+      }
+    } else {
+      this.scopeCache.clear();
+    }
+  }
+  /**
+  * Hash token for cache key (SHA-256, first 16 chars)
+  */
+  hashToken(token) {
+    return createHash("sha256").update(token).digest("hex").substring(0, 16);
+  }
+};
+var JSONLAuditSink = class {
+  static {
+    __name(this, "JSONLAuditSink");
+  }
+  name = "jsonl";
+  filePath;
+  sanitizeSecrets;
+  buffer = [];
+  flushInterval = null;
+  batchSize;
+  constructor(options) {
+    this.filePath = options.filePath;
+    this.sanitizeSecrets = options.sanitizeSecrets ?? true;
+    this.batchSize = options.batchSize || 10;
+    const dir = dirname(this.filePath);
+    if (!existsSync(dir)) {
+      mkdir(dir, {
+        recursive: true
+      }).catch((err) => {
+        log.error("Failed to create audit directory", {
+          error: err.message
+        });
+      });
+    }
+    if (options.flushIntervalMs) {
+      this.flushInterval = setInterval(() => {
+        if (this.buffer.length > 0) {
+          this.flush().catch((err) => {
+            log.error("Failed to flush audit buffer", {
+              error: err.message
+            });
+          });
+        }
+      }, options.flushIntervalMs);
+    }
+  }
+  async write(event) {
+    const sanitized = this.sanitizeSecrets ? this.sanitizeEvent(event) : event;
+    const line = JSON.stringify(sanitized) + "\n";
+    try {
+      await appendFile(this.filePath, line, "utf8");
+    } catch (error) {
+      log.error("Failed to write audit event", {
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  async writeBatch(events) {
+    const sanitized = this.sanitizeSecrets ? events.map((e) => this.sanitizeEvent(e)) : events;
+    const lines = sanitized.map((e) => JSON.stringify(e)).join("\n") + "\n";
+    try {
+      await appendFile(this.filePath, lines, "utf8");
+    } catch (error) {
+      log.error("Failed to write audit batch", {
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  async query(filter) {
+    try {
+      const content = await readFile(this.filePath, "utf8");
+      const lines = content.split("\n").filter((line) => line.trim());
+      const events = lines.map((line) => JSON.parse(line));
+      return events.filter((event) => {
+        if (filter.clientId && event.clientId !== filter.clientId) return false;
+        if (filter.userId && event.userId !== filter.userId) return false;
+        if (filter.from && event.timestamp < filter.from) return false;
+        if (filter.to && event.timestamp > filter.to) return false;
+        if (filter.resource && event.resource !== filter.resource) return false;
+        if (filter.eventType) {
+          const types = Array.isArray(filter.eventType) ? filter.eventType : [
+            filter.eventType
+          ];
+          if (!types.includes(event.eventType)) return false;
+        }
+        if (filter.status) {
+          const statuses = Array.isArray(filter.status) ? filter.status : [
+            filter.status
+          ];
+          if (!statuses.includes(event.status)) return false;
+        }
+        if (filter.minRiskScore && (event.riskScore || 0) < filter.minRiskScore) return false;
+        return true;
+      }).slice(filter.offset || 0, (filter.offset || 0) + (filter.limit || 100));
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return [];
+      }
+      throw error;
+    }
+  }
+  async disconnect() {
+    if (this.flushInterval) {
+      clearInterval(this.flushInterval);
+    }
+    if (this.buffer.length > 0) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    await this.writeBatch([
+      ...this.buffer
+    ]);
+    this.buffer = [];
+  }
+  sanitizeEvent(event) {
+    const sanitized = {
+      ...event
+    };
+    if (sanitized.code) {
+      sanitized.code = this.sanitizeString(sanitized.code);
+    }
+    if (sanitized.input) {
+      sanitized.input = this.sanitizeObject(sanitized.input);
+    }
+    if (sanitized.output) {
+      sanitized.output = this.sanitizeObject(sanitized.output);
+    }
+    return sanitized;
+  }
+  sanitizeString(str) {
+    const patterns = [
+      /api[_-]?key/gi,
+      /secret/gi,
+      /token/gi,
+      /password/gi,
+      /bearer/gi,
+      /authorization/gi
+    ];
+    for (const pattern of patterns) {
+      str = str.replace(new RegExp(`(${pattern.source})\\s*[:=]\\s*['"]?([^'"\\s]+)`, "gi"), "$1: [REDACTED]");
+    }
+    return str;
+  }
+  sanitizeObject(obj) {
+    if (typeof obj !== "object" || obj === null) {
+      return obj;
+    }
+    if (Array.isArray(obj)) {
+      return obj.map((item) => this.sanitizeObject(item));
+    }
+    const sanitized = {};
+    const secretPatterns = [
+      "key",
+      "secret",
+      "token",
+      "password",
+      "bearer",
+      "auth"
+    ];
+    for (const [key, value] of Object.entries(obj)) {
+      const lowerKey = key.toLowerCase();
+      if (secretPatterns.some((pattern) => lowerKey.includes(pattern))) {
+        sanitized[key] = "[REDACTED]";
+      } else if (typeof value === "object") {
+        sanitized[key] = this.sanitizeObject(value);
+      } else {
+        sanitized[key] = value;
+      }
+    }
+    return sanitized;
+  }
+};
+// src/audit/otel-metrics.ts
+var OTelCounter;
+(function(OTelCounter2) {
+  OTelCounter2["EXECUTIONS_TOTAL"] = "atp.executions.total";
+  OTelCounter2["TOOLS_CALLS"] = "atp.tools.calls";
+  OTelCounter2["LLM_CALLS"] = "atp.llm.calls";
+  OTelCounter2["APPROVALS_TOTAL"] = "atp.approvals.total";
+  OTelCounter2["SECURITY_EVENTS"] = "atp.security.events";
+})(OTelCounter || (OTelCounter = {}));
+var OTelHistogram;
+(function(OTelHistogram2) {
+  OTelHistogram2["EXECUTION_DURATION"] = "atp.execution.duration";
+  OTelHistogram2["TOOL_DURATION"] = "atp.tool.duration";
+})(OTelHistogram || (OTelHistogram = {}));
+var OTelSpan;
+(function(OTelSpan2) {
+  OTelSpan2["EXECUTION_START"] = "atp.execution.start";
+  OTelSpan2["EXECUTION_COMPLETE"] = "atp.execution.complete";
+  OTelSpan2["EXECUTION_PAUSE"] = "atp.execution.pause";
+  OTelSpan2["EXECUTION_RESUME"] = "atp.execution.resume";
+  OTelSpan2["EXECUTION_ERROR"] = "atp.execution.error";
+  OTelSpan2["TOOL_CALL"] = "atp.tool_call";
+  OTelSpan2["LLM_CALL"] = "atp.llm_call";
+  OTelSpan2["APPROVAL_REQUEST"] = "atp.approval.request";
+  OTelSpan2["APPROVAL_RESPONSE"] = "atp.approval.response";
+  OTelSpan2["CLIENT_INIT"] = "atp.client_init";
+  OTelSpan2["ERROR"] = "atp.error";
+})(OTelSpan || (OTelSpan = {}));
+var OTelAttribute;
+(function(OTelAttribute2) {
+  OTelAttribute2["EVENT_ID"] = "atp.event.id";
+  OTelAttribute2["EVENT_TYPE"] = "atp.event.type";
+  OTelAttribute2["EVENT_ACTION"] = "atp.event.action";
+  OTelAttribute2["TIMESTAMP"] = "atp.timestamp";
+  OTelAttribute2["CLIENT_ID"] = "atp.client.id";
+  OTelAttribute2["USER_ID"] = "atp.user.id";
+  OTelAttribute2["IP_ADDRESS"] = "atp.ip_address";
+  OTelAttribute2["USER_AGENT"] = "atp.user_agent";
+  OTelAttribute2["STATUS"] = "atp.status";
+  OTelAttribute2["RESOURCE"] = "atp.resource";
+  OTelAttribute2["RESOURCE_ID"] = "atp.resource.id";
+  OTelAttribute2["TOOL_NAME"] = "atp.tool.name";
+  OTelAttribute2["TOOL_INPUT_SIZE"] = "tool.input_size";
+  OTelAttribute2["TOOL_OUTPUT_SIZE"] = "tool.output_size";
+  OTelAttribute2["API_GROUP"] = "atp.api.group";
+  OTelAttribute2["DURATION_MS"] = "atp.duration_ms";
+  OTelAttribute2["MEMORY_BYTES"] = "atp.memory_bytes";
+  OTelAttribute2["LLM_CALLS"] = "atp.llm_calls";
+  OTelAttribute2["HTTP_CALLS"] = "atp.http_calls";
+  OTelAttribute2["RISK_SCORE"] = "atp.security.risk_score";
+  OTelAttribute2["SECURITY_EVENTS"] = "atp.security.events";
+  OTelAttribute2["SECURITY_EVENTS_COUNT"] = "atp.security.events_count";
+  OTelAttribute2["ERROR_MESSAGE"] = "atp.error.message";
+  OTelAttribute2["ERROR_CODE"] = "atp.error.code";
+  OTelAttribute2["ERROR_STACK"] = "atp.error.stack";
+})(OTelAttribute || (OTelAttribute = {}));
+var METRIC_CONFIGS = {
+  ["atp.executions.total"]: {
+    description: "Total number of executions",
+    unit: "1"
+  },
+  ["atp.tools.calls"]: {
+    description: "Tool call count",
+    unit: "1"
+  },
+  ["atp.llm.calls"]: {
+    description: "LLM call count",
+    unit: "1"
+  },
+  ["atp.approvals.total"]: {
+    description: "Approval request count",
+    unit: "1"
+  },
+  ["atp.security.events"]: {
+    description: "Security events count",
+    unit: "1"
+  },
+  ["atp.execution.duration"]: {
+    description: "Execution duration in milliseconds",
+    unit: "ms"
+  },
+  ["atp.tool.duration"]: {
+    description: "Tool execution duration",
+    unit: "ms"
+  }
+};
+var OTEL_SERVICE_NAME = "agent-tool-protocol";
+var OTEL_TRACER_NAME = "agent-tool-protocol";
+var OTEL_METER_NAME = "agent-tool-protocol";
+var ATTRIBUTE_PREFIX_TOOL = "atp.tool";
+var ATTRIBUTE_PREFIX_METADATA = "atp.metadata";
+// src/audit/opentelemetry.ts
+var OpenTelemetryAuditSink = class {
+  static {
+    __name(this, "OpenTelemetryAuditSink");
+  }
+  name = "opentelemetry";
+  tracer = trace.getTracer(OTEL_TRACER_NAME);
+  meter = metrics.getMeter(OTEL_METER_NAME);
+  executionCounter = this.meter.createCounter(OTelCounter.EXECUTIONS_TOTAL, METRIC_CONFIGS[OTelCounter.EXECUTIONS_TOTAL]);
+  toolCallCounter = this.meter.createCounter(OTelCounter.TOOLS_CALLS, METRIC_CONFIGS[OTelCounter.TOOLS_CALLS]);
+  llmCallCounter = this.meter.createCounter(OTelCounter.LLM_CALLS, METRIC_CONFIGS[OTelCounter.LLM_CALLS]);
+  approvalCounter = this.meter.createCounter(OTelCounter.APPROVALS_TOTAL, METRIC_CONFIGS[OTelCounter.APPROVALS_TOTAL]);
+  executionDuration = this.meter.createHistogram(OTelHistogram.EXECUTION_DURATION, METRIC_CONFIGS[OTelHistogram.EXECUTION_DURATION]);
+  toolDuration = this.meter.createHistogram(OTelHistogram.TOOL_DURATION, METRIC_CONFIGS[OTelHistogram.TOOL_DURATION]);
+  async write(event) {
+    const span = this.tracer.startSpan(`atp.${event.eventType}.${event.action}`, {
+      attributes: this.buildAttributes(event)
+    });
+    await context.with(trace.setSpan(context.active(), span), async () => {
+      try {
+        this.handleEvent(span, event);
+        this.recordMetrics(event);
+        span.setStatus({
+          code: SpanStatusCode.OK
+        });
+      } catch (error) {
+        span.setStatus({
+          code: SpanStatusCode.ERROR,
+          message: error.message
+        });
+        span.recordException(error);
+      } finally {
+        span.end();
+      }
+    });
+  }
+  async writeBatch(events) {
+    await Promise.all(events.map((event) => this.write(event)));
+  }
+  buildAttributes(event) {
+    const attrs = {
+      [OTelAttribute.EVENT_ID]: event.eventId,
+      [OTelAttribute.EVENT_TYPE]: event.eventType,
+      [OTelAttribute.EVENT_ACTION]: event.action,
+      [OTelAttribute.TIMESTAMP]: event.timestamp,
+      [OTelAttribute.CLIENT_ID]: event.clientId,
+      [OTelAttribute.STATUS]: event.status
+    };
+    if (event.userId) attrs[OTelAttribute.USER_ID] = event.userId;
+    if (event.ipAddress) attrs[OTelAttribute.IP_ADDRESS] = event.ipAddress;
+    if (event.userAgent) attrs[OTelAttribute.USER_AGENT] = event.userAgent;
+    if (event.resource) attrs[OTelAttribute.RESOURCE] = event.resource;
+    if (event.resourceId) attrs[OTelAttribute.RESOURCE_ID] = event.resourceId;
+    if (event.toolName) attrs[OTelAttribute.TOOL_NAME] = event.toolName;
+    if (event.apiGroup) attrs[OTelAttribute.API_GROUP] = event.apiGroup;
+    if (event.duration !== void 0) attrs[OTelAttribute.DURATION_MS] = event.duration;
+    if (event.memoryUsed !== void 0) attrs[OTelAttribute.MEMORY_BYTES] = event.memoryUsed;
+    if (event.llmCallsCount !== void 0) attrs[OTelAttribute.LLM_CALLS] = event.llmCallsCount;
+    if (event.httpCallsCount !== void 0) attrs[OTelAttribute.HTTP_CALLS] = event.httpCallsCount;
+    if (event.riskScore !== void 0) attrs[OTelAttribute.RISK_SCORE] = event.riskScore;
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      attrs[OTelAttribute.SECURITY_EVENTS] = JSON.stringify(event.securityEvents);
+      attrs[OTelAttribute.SECURITY_EVENTS_COUNT] = event.securityEvents.length;
+    }
+    if (event.error) {
+      attrs[OTelAttribute.ERROR_MESSAGE] = event.error.message;
+      if (event.error.code) attrs[OTelAttribute.ERROR_CODE] = event.error.code;
+      if (event.error.stack) attrs[OTelAttribute.ERROR_STACK] = event.error.stack;
+    }
+    if (event.annotations) {
+      Object.assign(attrs, this.flattenObject(event.annotations, ATTRIBUTE_PREFIX_TOOL));
+    }
+    if (event.metadata) {
+      Object.assign(attrs, this.flattenObject(event.metadata, ATTRIBUTE_PREFIX_METADATA));
+    }
+    return attrs;
+  }
+  handleEvent(span, event) {
+    switch (event.eventType) {
+      case "execution":
+        if (event.action === "start") {
+          span.addEvent("Execution started", {
+            "client.id": event.clientId,
+            "resource.id": event.resourceId
+          });
+        } else if (event.action === "complete") {
+          span.addEvent("Execution completed", {
+            duration_ms: event.duration,
+            status: event.status,
+            llm_calls: event.llmCallsCount
+          });
+        } else if (event.action === "pause") {
+          span.addEvent("Execution paused", {
+            status: event.status
+          });
+        } else if (event.action === "resume") {
+          span.addEvent("Execution resumed", {
+            "resource.id": event.resourceId
+          });
+        }
+        break;
+      case "tool_call":
+        span.addEvent(`Tool ${event.action}`, {
+          "tool.name": event.toolName,
+          "api.group": event.apiGroup,
+          duration_ms: event.duration
+        });
+        if (event.input) {
+          span.setAttribute(OTelAttribute.TOOL_INPUT_SIZE, JSON.stringify(event.input).length);
+        }
+        if (event.output) {
+          span.setAttribute(OTelAttribute.TOOL_OUTPUT_SIZE, JSON.stringify(event.output).length);
+        }
+        break;
+      case "llm_call":
+        span.addEvent("LLM call", {
+          duration_ms: event.duration
+        });
+        break;
+      case "approval":
+        span.addEvent(`Approval ${event.action}`, {
+          "tool.name": event.toolName
+        });
+        break;
+      case "error":
+        if (event.error) {
+          span.addEvent("Error occurred", {
+            "error.message": event.error.message,
+            "error.code": event.error.code
+          });
+          span.recordException(new Error(event.error.message));
+        }
+        break;
+      case "client_init":
+        span.addEvent("Client initialized", {
+          "client.id": event.clientId
+        });
+        break;
+    }
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      for (const secEvent of event.securityEvents) {
+        span.addEvent("Security event", {
+          "security.event": secEvent,
+          "security.risk_score": event.riskScore
+        });
+      }
+    }
+  }
+  recordMetrics(event) {
+    const commonAttrs = {
+      client_id: event.clientId,
+      event_type: event.eventType,
+      status: event.status
+    };
+    switch (event.eventType) {
+      case "execution":
+        this.executionCounter.add(1, {
+          ...commonAttrs,
+          action: event.action
+        });
+        if (event.duration !== void 0) {
+          this.executionDuration.record(event.duration, {
+            ...commonAttrs,
+            action: event.action
+          });
+        }
+        break;
+      case "tool_call":
+        this.toolCallCounter.add(1, {
+          ...commonAttrs,
+          tool_name: event.toolName,
+          api_group: event.apiGroup
+        });
+        if (event.duration !== void 0) {
+          this.toolDuration.record(event.duration, {
+            ...commonAttrs,
+            tool_name: event.toolName
+          });
+        }
+        break;
+      case "llm_call":
+        this.llmCallCounter.add(1, commonAttrs);
+        break;
+      case "approval":
+        this.approvalCounter.add(1, {
+          ...commonAttrs,
+          action: event.action
+        });
+        break;
+    }
+    if (event.securityEvents && event.securityEvents.length > 0) {
+      const securityEventCounter = this.meter.createCounter(OTelCounter.SECURITY_EVENTS, METRIC_CONFIGS[OTelCounter.SECURITY_EVENTS]);
+      securityEventCounter.add(event.securityEvents.length, {
+        ...commonAttrs,
+        risk_score: event.riskScore
+      });
+    }
+  }
+  flattenObject(obj, prefix) {
+    const result = {};
+    if (!obj || typeof obj !== "object") return result;
+    for (const [key, value] of Object.entries(obj)) {
+      const fullKey = `${prefix}.${key}`;
+      if (value === null || value === void 0) {
+        continue;
+      }
+      if (typeof value === "object" && !Array.isArray(value)) {
+        Object.assign(result, this.flattenObject(value, fullKey));
+      } else if (Array.isArray(value)) {
+        result[fullKey] = JSON.stringify(value);
+      } else {
+        result[fullKey] = value;
+      }
+    }
+    return result;
+  }
+};
+export { ATTRIBUTE_PREFIX_METADATA, ATTRIBUTE_PREFIX_TOOL, EnvAuthProvider, FileCache, JSONLAuditSink, METRIC_CONFIGS, MemoryCache, OTEL_METER_NAME, OTEL_SERVICE_NAME, OTEL_TRACER_NAME, OTelAttribute, OTelCounter, OTelHistogram, OTelSpan, OpenTelemetryAuditSink, RedisCache, ScopeCheckerRegistry };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map