@neurosec/sentry 1.0.19 → 1.1.0
- package/README.md +4 -0
- package/dist/api-auth.d.ts +31 -0
- package/dist/api-auth.d.ts.map +1 -0
- package/dist/api-auth.js +105 -0
- package/dist/api-auth.js.map +1 -0
- package/dist/api-auth.test.d.ts +2 -0
- package/dist/api-auth.test.d.ts.map +1 -0
- package/dist/api-auth.test.js +89 -0
- package/dist/api-auth.test.js.map +1 -0
- package/dist/api.d.ts +8 -7
- package/dist/api.d.ts.map +1 -1
- package/dist/api.js +141 -134
- package/dist/api.js.map +1 -1
- package/dist/cli.d.ts +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +107 -14
- package/dist/cli.js.map +1 -1
- package/dist/cli.test.d.ts +2 -0
- package/dist/cli.test.d.ts.map +1 -0
- package/dist/cli.test.js +68 -0
- package/dist/cli.test.js.map +1 -0
- package/dist/config.d.ts +30 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +50 -1
- package/dist/config.js.map +1 -1
- package/dist/discovery-win.d.ts +4 -0
- package/dist/discovery-win.d.ts.map +1 -0
- package/dist/discovery-win.js +153 -0
- package/dist/discovery-win.js.map +1 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +23 -97
- package/dist/discovery.js.map +1 -1
- package/dist/discovery.test.js +18 -109
- package/dist/discovery.test.js.map +1 -1
- package/dist/enforcement/file-monitor.d.ts +9 -0
- package/dist/enforcement/file-monitor.d.ts.map +1 -1
- package/dist/enforcement/file-monitor.js +9 -2
- package/dist/enforcement/file-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.d.ts.map +1 -1
- package/dist/enforcement/network-monitor.js +350 -9
- package/dist/enforcement/network-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.test.d.ts +2 -0
- package/dist/enforcement/network-monitor.test.d.ts.map +1 -0
- package/dist/enforcement/network-monitor.test.js +52 -0
- package/dist/enforcement/network-monitor.test.js.map +1 -0
- package/dist/enforcement/policy-executor.d.ts +24 -1
- package/dist/enforcement/policy-executor.d.ts.map +1 -1
- package/dist/enforcement/policy-executor.js +213 -69
- package/dist/enforcement/policy-executor.js.map +1 -1
- package/dist/enforcement/policy-executor.test.d.ts +2 -0
- package/dist/enforcement/policy-executor.test.d.ts.map +1 -0
- package/dist/enforcement/policy-executor.test.js +46 -0
- package/dist/enforcement/policy-executor.test.js.map +1 -0
- package/dist/enforcement/target-validator.d.ts +37 -0
- package/dist/enforcement/target-validator.d.ts.map +1 -0
- package/dist/enforcement/target-validator.js +0 -0
- package/dist/enforcement/target-validator.js.map +1 -0
- package/dist/enforcement/target-validator.test.d.ts +2 -0
- package/dist/enforcement/target-validator.test.d.ts.map +1 -0
- package/dist/enforcement/target-validator.test.js +103 -0
- package/dist/enforcement/target-validator.test.js.map +1 -0
- package/dist/http-client.d.ts +35 -0
- package/dist/http-client.d.ts.map +1 -0
- package/dist/http-client.js +168 -0
- package/dist/http-client.js.map +1 -0
- package/dist/http-client.test.d.ts +2 -0
- package/dist/http-client.test.d.ts.map +1 -0
- package/dist/http-client.test.js +172 -0
- package/dist/http-client.test.js.map +1 -0
- package/dist/index.js +189 -113
- package/dist/index.js.map +1 -1
- package/dist/launcher.d.ts +33 -0
- package/dist/launcher.d.ts.map +1 -0
- package/dist/launcher.js +425 -0
- package/dist/launcher.js.map +1 -0
- package/dist/launcher.test.d.ts +2 -0
- package/dist/launcher.test.d.ts.map +1 -0
- package/dist/launcher.test.js +109 -0
- package/dist/launcher.test.js.map +1 -0
- package/dist/proxy/cert-manager.d.ts +24 -0
- package/dist/proxy/cert-manager.d.ts.map +1 -0
- package/dist/proxy/cert-manager.js +117 -0
- package/dist/proxy/cert-manager.js.map +1 -0
- package/dist/proxy/cert-manager.test.d.ts +2 -0
- package/dist/proxy/cert-manager.test.d.ts.map +1 -0
- package/dist/proxy/cert-manager.test.js +70 -0
- package/dist/proxy/cert-manager.test.js.map +1 -0
- package/dist/proxy/index.d.ts +61 -0
- package/dist/proxy/index.d.ts.map +1 -0
- package/dist/proxy/index.js +74 -0
- package/dist/proxy/index.js.map +1 -0
- package/dist/proxy/policy-enforcer.d.ts +30 -0
- package/dist/proxy/policy-enforcer.d.ts.map +1 -0
- package/dist/proxy/policy-enforcer.js +143 -0
- package/dist/proxy/policy-enforcer.js.map +1 -0
- package/dist/proxy/proxy-server.d.ts +42 -0
- package/dist/proxy/proxy-server.d.ts.map +1 -0
- package/dist/proxy/proxy-server.js +652 -0
- package/dist/proxy/proxy-server.js.map +1 -0
- package/dist/proxy/redaction-engine.d.ts +4 -0
- package/dist/proxy/redaction-engine.d.ts.map +1 -0
- package/dist/proxy/redaction-engine.js +50 -0
- package/dist/proxy/redaction-engine.js.map +1 -0
- package/dist/proxy/response-redaction.test.d.ts +2 -0
- package/dist/proxy/response-redaction.test.d.ts.map +1 -0
- package/dist/proxy/response-redaction.test.js +125 -0
- package/dist/proxy/response-redaction.test.js.map +1 -0
- package/dist/proxy/threat-engine.d.ts +22 -0
- package/dist/proxy/threat-engine.d.ts.map +1 -0
- package/dist/proxy/threat-engine.js +291 -0
- package/dist/proxy/threat-engine.js.map +1 -0
- package/dist/proxy/threat-engine.test.d.ts +2 -0
- package/dist/proxy/threat-engine.test.d.ts.map +1 -0
- package/dist/proxy/threat-engine.test.js +27 -0
- package/dist/proxy/threat-engine.test.js.map +1 -0
- package/dist/redirect/env-injector.d.ts +72 -0
- package/dist/redirect/env-injector.d.ts.map +1 -0
- package/dist/redirect/env-injector.js +177 -0
- package/dist/redirect/env-injector.js.map +1 -0
- package/dist/redirect/env-injector.test.d.ts +2 -0
- package/dist/redirect/env-injector.test.d.ts.map +1 -0
- package/dist/redirect/env-injector.test.js +91 -0
- package/dist/redirect/env-injector.test.js.map +1 -0
- package/dist/redirect/index.d.ts +3 -0
- package/dist/redirect/index.d.ts.map +1 -0
- package/dist/redirect/index.js +8 -0
- package/dist/redirect/index.js.map +1 -0
- package/dist/redirect/platform-redirect.d.ts +42 -0
- package/dist/redirect/platform-redirect.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.js +229 -0
- package/dist/redirect/platform-redirect.js.map +1 -0
- package/dist/redirect/platform-redirect.test.d.ts +2 -0
- package/dist/redirect/platform-redirect.test.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.test.js +76 -0
- package/dist/redirect/platform-redirect.test.js.map +1 -0
- package/dist/sandbox/index.d.ts +23 -2
- package/dist/sandbox/index.d.ts.map +1 -1
- package/dist/sandbox/index.js +24 -7
- package/dist/sandbox/index.js.map +1 -1
- package/dist/sandbox/linux-sandbox.d.ts +13 -2
- package/dist/sandbox/linux-sandbox.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox.js +61 -27
- package/dist/sandbox/linux-sandbox.js.map +1 -1
- package/dist/sandbox/macos-sandbox.d.ts +15 -4
- package/dist/sandbox/macos-sandbox.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox.js +36 -18
- package/dist/sandbox/macos-sandbox.js.map +1 -1
- package/dist/sandbox/sandbox-result.test.d.ts +2 -0
- package/dist/sandbox/sandbox-result.test.d.ts.map +1 -0
- package/dist/sandbox/sandbox-result.test.js +87 -0
- package/dist/sandbox/sandbox-result.test.js.map +1 -0
- package/dist/sandbox/windows-sandbox.d.ts +34 -0
- package/dist/sandbox/windows-sandbox.d.ts.map +1 -0
- package/dist/sandbox/windows-sandbox.js +161 -0
- package/dist/sandbox/windows-sandbox.js.map +1 -0
- package/dist/setup.d.ts.map +1 -1
- package/dist/setup.js +33 -43
- package/dist/setup.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.d.ts +30 -0
- package/dist/skill-authz/skill-evaluator.d.ts.map +1 -1
- package/dist/skill-authz/skill-evaluator.js +161 -30
- package/dist/skill-authz/skill-evaluator.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.test.d.ts +2 -0
- package/dist/skill-authz/skill-evaluator.test.d.ts.map +1 -0
- package/dist/skill-authz/skill-evaluator.test.js +127 -0
- package/dist/skill-authz/skill-evaluator.test.js.map +1 -0
- package/dist/telemetry.d.ts.map +1 -1
- package/dist/telemetry.js +16 -44
- package/dist/telemetry.js.map +1 -1
- package/dist/types.d.ts +48 -105
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -1
- package/dist/types.js.map +1 -1
- package/package.json +7 -3
- package/scripts/install-sentry-windows.ps1 +217 -0
|
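--- a/package/dist/skill-authz/skill-evaluator.d.ts
+++ b/package/dist/skill-authz/skill-evaluator.d.ts
@@ -1,20 +1,50 @@
 import { SkillAuthzRequest, SkillAuthzDecision } from '../types';
 import { SentryConfig } from '../config';
 import { AuditLogger } from '../audit';
+/**
+* Skill authorization gate. Evaluates a tool/function/skill invocation against
+* the host's skill policy and returns an allow/deny/require_approval decision.
+*
+* Fixes vs prior implementation:
+* - TTL math (S-C10): cache expiry uses an absolute deadline. Previous
+* code's `Date.now() - duration < Date.now()` was always true and the
+* cache never expired.
+* - Approval flow (S-C9): `evaluate()` now actually inserts into the
+* pendingApprovals map when action=require_approval, so `approve()` /
+* `deny()` / `getPendingApprovals()` work end-to-end.
+* - LRU-ish bounding: cache and pending maps are size-capped so a flood
+* of unique skill names cannot OOM the daemon.
+*/
 export declare class SkillEvaluator {
 private config;
 private pendingApprovals;
 private cache;
 private auditLogger;
+/** Approval timeout — caller-supplied callbacks resolve with `deny` after this. */
+private approvalTimeoutMs;
 constructor(config: SentryConfig, auditLogger?: AuditLogger);
+/** Override the approval timeout — exposed for tests and config integration. */
+setApprovalTimeoutMs(ms: number): void;
 evaluate(request: SkillAuthzRequest): SkillAuthzDecision;
+/**
+* Wait for an operator decision on a pending approval. Resolves with the
+* final action ('allow' or 'deny'). After `approvalTimeoutMs` the wait
+* resolves with 'deny' (fail closed) and the pending entry is removed.
+*/
+waitForApproval(invocationId: string): Promise<SkillAuthzDecision['action']>;
 approve(invocationId: string): boolean;
 deny(invocationId: string): boolean;
 getPendingApprovals(): Array<{
 invocationId: string;
 skillName: string;
 frameworkId: string;
+requestedAt: number;
 }>;
+/** Test helper / housekeeping: drop expired entries from both maps. */
+pruneExpired(now?: number): void;
+private cacheDecision;
+private registerPendingApproval;
+private audit;
 private computeRiskScore;
 }
 //# sourceMappingURL=skill-evaluator.d.ts.map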
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"skill-evaluator.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAc,MAAM,UAAU,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"skill-evaluator.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAc,MAAM,UAAU,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAwBvC;;;;;;;;;;;;;GAaG;AACH,qBAAa,cAAc;IASvB,OAAO,CAAC,MAAM;IARhB,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,KAAK,CAAsC;IACnD,OAAO,CAAC,WAAW,CAAc;IAEjC,mFAAmF;IACnF,OAAO,CAAC,iBAAiB,CAAiB;gBAGhC,MAAM,EAAE,YAAY,EAC5B,WAAW,CAAC,EAAE,WAAW;IAK3B,gFAAgF;IAChF,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAItC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,GAAG,kBAAkB;IA+DxD;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAsBlF,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IActC,IAAI,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAYnC,mBAAmB,IAAI,KAAK,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IAenH,uEAAuE;IACvE,YAAY,CAAC,GAAG,SAAa,GAAG,IAAI;IAkBpC,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,uBAAuB;IAsB/B,OAAO,CAAC,KAAK;IAqBb,OAAO,CAAC,gBAAgB;CA6CzB"}
|
|
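--- a/package/dist/skill-authz/skill-evaluator.js
+++ b/package/dist/skill-authz/skill-evaluator.js
@@ -8,23 +8,53 @@ const os_1 = __importDefault(require("os"));
 const uuid_1 = require("uuid");
 const logger_1 = require("../logger");
 const audit_1 = require("../audit");
+/**
+* Maximum number of pending approvals or cached allow decisions retained.
+* Prevents unbounded memory growth under hostile or buggy callers.
+*/
+const MAX_PENDING = 1024;
+const MAX_CACHE = 4096;
+/**
+* Skill authorization gate. Evaluates a tool/function/skill invocation against
+* the host's skill policy and returns an allow/deny/require_approval decision.
+*
+* Fixes vs prior implementation:
+* - TTL math (S-C10): cache expiry uses an absolute deadline. Previous
+* code's `Date.now() - duration < Date.now()` was always true and the
+* cache never expired.
+* - Approval flow (S-C9): `evaluate()` now actually inserts into the
+* pendingApprovals map when action=require_approval, so `approve()` /
+* `deny()` / `getPendingApprovals()` work end-to-end.
+* - LRU-ish bounding: cache and pending maps are size-capped so a flood
+* of unique skill names cannot OOM the daemon.
+*/
 class SkillEvaluator {
 constructor(config, auditLogger) {
 this.config = config;
 this.pendingApprovals = new Map();
 this.cache = new Map();
+/** Approval timeout — caller-supplied callbacks resolve with `deny` after this. */
+this.approvalTimeoutMs = 5 * 60 * 1000; // 5 minutes
 this.auditLogger = auditLogger ?? new audit_1.AuditLogger(config);
 }
+/** Override the approval timeout — exposed for tests and config integration. */
+setApprovalTimeoutMs(ms) {
+if (Number.isFinite(ms) && ms > 0)
+this.approvalTimeoutMs = ms;
+}
 evaluate(request) {
 const cacheKey = `${request.frameworkId}:${request.skillName}`;
 const cached = this.cache.get(cacheKey);
-if (cached &&
-
+if (cached && cached.expiresAt > Date.now()) {
+// Return a copy so callers can't mutate the cached object.
+return { ...cached.decision, invocationId: request.invocationId };
 }
+if (cached)
+this.cache.delete(cacheKey); // expired
 const riskScore = this.computeRiskScore(request);
 let action;
 let reason;
-const needsApproval = this.config.skillAuthz.requireApproval.some(pattern => request.skillName.toLowerCase().includes(pattern.toLowerCase()));
+const needsApproval = this.config.skillAuthz.requireApproval.some((pattern) => request.skillName.toLowerCase().includes(pattern.toLowerCase()));
 if (needsApproval && this.config.enforcement.mode !== 'monitor') {
 action = 'require_approval';
 reason = `Skill '${request.skillName}' requires interactive approval`;
@@ -37,7 +67,8 @@ class SkillEvaluator {
 action = 'require_approval';
 reason = `Risk score ${riskScore}/100 requires approval for '${request.skillName}'`;
 }
-else if (!this.config.skillAuthz.allowUnknown &&
+else if (!this.config.skillAuthz.allowUnknown &&
+!this.config.skillAuthz.requireApproval.some((p) => request.skillName.includes(p))) {
 action = 'deny';
 reason = `Skill '${request.skillName}' is not in the allowlist`;
 }
@@ -57,28 +88,44 @@ class SkillEvaluator {
 redactArgs: riskScore >= 50 ? Object.keys(request.skillArgs) : undefined,
 };
 if (action === 'allow') {
-this.
+this.cacheDecision(cacheKey, decision);
 }
-
-
-
-
-
-
-frameworkName: request.frameworkId,
-pid: request.agentPid,
-reason: decision.reason,
-detail: {
-skillName: request.skillName,
-riskScore,
-invocationId: request.invocationId,
-},
-hostname: os_1.default.hostname(),
-}).catch(err => {
-logger_1.logger.error('Skill audit log failed', { err: err.message });
-});
+else if (action === 'require_approval') {
+// S-C9 fix: actually register the pending approval so approve()/deny()
+// and getPendingApprovals() can find it.
+this.registerPendingApproval(request, decision);
+}
+this.audit(request, decision, riskScore);
 return decision;
 }
+/**
+* Wait for an operator decision on a pending approval. Resolves with the
+* final action ('allow' or 'deny'). After `approvalTimeoutMs` the wait
+* resolves with 'deny' (fail closed) and the pending entry is removed.
+*/
+async waitForApproval(invocationId) {
+const pending = this.pendingApprovals.get(invocationId);
+if (!pending || pending.resolved)
+return 'deny';
+return new Promise((resolve) => {
+pending.awaiters.push(resolve);
+const timeoutHandle = setTimeout(() => {
+if (!pending.resolved) {
+pending.resolved = true;
+pending.decision.action = 'deny';
+pending.decision.reason = 'Approval request timed out (fail closed)';
+for (const awaiter of pending.awaiters)
+awaiter('deny');
+pending.awaiters.length = 0;
+this.pendingApprovals.delete(invocationId);
+}
+}, this.approvalTimeoutMs);
+// Don't keep the event loop alive solely for this timer.
+if (typeof timeoutHandle.unref === 'function') {
+timeoutHandle.unref?.();
+}
+});
+}
 approve(invocationId) {
 const pending = this.pendingApprovals.get(invocationId);
 if (!pending || pending.resolved || Date.now() > pending.expiresAt) {
@@ -87,6 +134,9 @@ class SkillEvaluator {
 pending.resolved = true;
 pending.decision.action = 'allow';
 pending.decision.reason = 'Approved by operator';
+for (const awaiter of pending.awaiters)
+awaiter('allow');
+pending.awaiters.length = 0;
 this.pendingApprovals.delete(invocationId);
 return true;
 }
@@ -97,22 +147,103 @@ class SkillEvaluator {
 pending.resolved = true;
 pending.decision.action = 'deny';
 pending.decision.reason = 'Denied by operator';
+for (const awaiter of pending.awaiters)
+awaiter('deny');
+pending.awaiters.length = 0;
 this.pendingApprovals.delete(invocationId);
 return true;
 }
 getPendingApprovals() {
+const now = Date.now();
 const result = [];
 for (const [id, pending] of this.pendingApprovals) {
-if (
-
-
-
-
-
-
+if (pending.resolved || now >= pending.expiresAt)
+continue;
+result.push({
+invocationId: id,
+skillName: pending.request.skillName,
+frameworkId: pending.request.frameworkId,
+requestedAt: pending.request.timestamp,
+});
 }
 return result;
 }
+/** Test helper / housekeeping: drop expired entries from both maps. */
+pruneExpired(now = Date.now()) {
+for (const [k, v] of this.cache) {
+if (v.expiresAt <= now)
+this.cache.delete(k);
+}
+for (const [k, v] of this.pendingApprovals) {
+if (v.resolved || v.expiresAt <= now) {
+// Resolve any leftover awaiters as deny so they don't leak.
+if (!v.resolved) {
+for (const awaiter of v.awaiters)
+awaiter('deny');
+v.awaiters.length = 0;
+}
+this.pendingApprovals.delete(k);
+}
+}
+}
+// ── private ────────────────────────────────────────────────────────────
+cacheDecision(key, decision) {
+// Evict oldest entries when over cap (Map preserves insertion order).
+while (this.cache.size >= MAX_CACHE) {
+const first = this.cache.keys().next().value;
+if (first === undefined)
+break;
+this.cache.delete(first);
+}
+this.cache.set(key, {
+decision,
+// duration is in seconds (matches SkillAuthzDecision contract).
+expiresAt: Date.now() + decision.duration * 1000,
+});
+}
+registerPendingApproval(request, decision) {
+// Bound the pending set.
+while (this.pendingApprovals.size >= MAX_PENDING) {
+const first = this.pendingApprovals.keys().next().value;
+if (first === undefined)
+break;
+const stale = this.pendingApprovals.get(first);
+if (stale && !stale.resolved) {
+for (const awaiter of stale.awaiters)
+awaiter('deny');
+stale.awaiters.length = 0;
+}
+this.pendingApprovals.delete(first);
+}
+this.pendingApprovals.set(request.invocationId, {
+invocationId: request.invocationId,
+request,
+decision,
+expiresAt: Date.now() + this.approvalTimeoutMs,
+resolved: false,
+awaiters: [],
+});
+}
+audit(request, decision, riskScore) {
+this.auditLogger.log({
+id: (0, uuid_1.v4)(),
+timestamp: Date.now(),
+type: 'skill',
+action: decision.action,
+frameworkId: request.frameworkId,
+frameworkName: request.frameworkId,
+pid: request.agentPid,
+reason: decision.reason,
+detail: {
+skillName: request.skillName,
+riskScore,
+invocationId: request.invocationId,
+},
+hostname: os_1.default.hostname(),
+}).catch((err) => {
+logger_1.logger.error('Skill audit log failed', { err: err.message });
+});
+}
 computeRiskScore(request) {
 let score = 0;
 const highRiskSkillNames = [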
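Review bot: `waitForApproval` (new-side lines 106–128) checks only `pending.resolved` before arming a fresh `approvalTimeoutMs` timer, so a caller that starts waiting on an entry whose `expiresAt` has already passed — which `approve()` at new-side line 131 already refuses — is kept waiting for another full timeout instead of failing closed immediately. Tie the wait to the entry's own deadline: `if (!pending || pending.resolved || Date.now() > pending.expiresAt) return 'deny';` and `}, Math.max(0, pending.expiresAt - Date.now()));` so both paths share one clock. Relatedly, `registerPendingApproval` at new-side line 218 overwrites any existing unresolved entry for the same caller-supplied `invocationId` with a plain `set`, which orphans that entry's awaiters until their own timer fires, and that timer then deletes the replacement entry by key; resolve or reject the existing entry first, as the eviction loop directly above already does for capacity evictions. Note also that a cache hit at new-side lines 48–50 returns before `this.audit(...)` runs, so allows served from the cache leave no audit record; if that is intended, a comment there saying so would help the next reader.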
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"skill-evaluator.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAoB;AACpB,+BAAoC;AAGpC,sCAAmC;AACnC,oCAAuC;
|
|
1
|
+
{"version":3,"file":"skill-evaluator.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAoB;AACpB,+BAAoC;AAGpC,sCAAmC;AACnC,oCAAuC;AAiBvC;;;GAGG;AACH,MAAM,WAAW,GAAG,IAAI,CAAC;AACzB,MAAM,SAAS,GAAG,IAAI,CAAC;AAEvB;;;;;;;;;;;;;GAaG;AACH,MAAa,cAAc;IAQzB,YACU,MAAoB,EAC5B,WAAyB;QADjB,WAAM,GAAN,MAAM,CAAc;QARtB,qBAAgB,GAAiC,IAAI,GAAG,EAAE,CAAC;QAC3D,UAAK,GAA4B,IAAI,GAAG,EAAE,CAAC;QAGnD,mFAAmF;QAC3E,sBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;QAMrD,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,mBAAW,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,gFAAgF;IAChF,oBAAoB,CAAC,EAAU;QAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;YAAE,IAAI,CAAC,iBAAiB,GAAG,EAAE,CAAC;IACjE,CAAC;IAED,QAAQ,CAAC,OAA0B;QACjC,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,2DAA2D;YAC3D,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,MAAM;YAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;QAEnD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,MAAoC,CAAC;QACzC,IAAI,MAAc,CAAC;QAEnB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,CAC/D,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAC7E,CAAC;QAEF,IAAI,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChE,MAAM,GAAG,kBAAkB,CAAC;YAC5B,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,iCAAiC,CAAC;QACxE,CAAC;aAAM,IAAI,SAAS,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACzE,MAAM,GAAG,MAAM,CAAC;YAChB,MAAM,GAAG,cAAc,SAAS,+BAA+B,OAAO,CAAC,SAAS,GAAG,CAAC;QACtF,CAAC;aAAM,IAAI,SAAS,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACzE,MAAM,GAAG,kBAAkB,CAAC;YAC5B,MAAM,GAAG,cAAc,SAAS,+BAA+B,OAAO,CAAC,SAAS,GAAG,CAAC;QACtF,CAAC;aAAM,IACL,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,YAAY;YACpC,CAAC,IAA
I,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAClF,CAAC;YACD,MAAM,GAAG,MAAM,CAAC;YAChB,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,2BAA2B,CAAC;QAClE,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,OAAO,CAAC;YACjB,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,cAAc,CAAC;QACrD,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,GAAG,OAAO,CAAC;YACjB,MAAM,GAAG,yBAAyB,MAAM,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,MAAM;YACN,MAAM;YACN,QAAQ,EAAE,GAAG;YACb,UAAU,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;SACzE,CAAC;QAEF,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACzC,uEAAuE;YACvE,yCAAyC;YACzC,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAEzC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,YAAoB;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,MAAM,CAAC;QAChD,OAAO,IAAI,OAAO,CAA+B,CAAC,OAAO,EAAE,EAAE;YAC3D,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACtB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;oBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;oBACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,0CAA0C,CAAC;oBACrE,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;wBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;oBAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3B,yDAAyD;YACzD,IAAI,OAAQ,aAAwC,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;gBACzE,aAAwC,CAAC,KAAK,EAAE,EAAE,CAAC;YACtD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,YAAoB;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SA
AS,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC;QAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,sBAAsB,CAAC;QACjD,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,YAAoB;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC/C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;QACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,oBAAoB,CAAC;QAC/C,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mBAAmB;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAiG,EAAE,CAAC;QAChH,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAClD,IAAI,OAAO,CAAC,QAAQ,IAAI,GAAG,IAAI,OAAO,CAAC,SAAS;gBAAE,SAAS;YAC3D,MAAM,CAAC,IAAI,CAAC;gBACV,YAAY,EAAE,EAAE;gBAChB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;gBACpC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW;gBACxC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;aACvC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uEAAuE;IACvE,YAAY,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;QAC3B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG;gBAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBACrC,4DAA4D;gBAC5D,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;oBAChB,KAAK,MAAM,OAAO,IAAI,CAAC,CAAC,QAAQ;wBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBAClD,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;gBACxB,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,0EAA0E;IAElE,aAAa,CAAC,GAAW,EAAE,QAA4B;QAC7
D,sEAAsE;QACtE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAC7C,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM;YAC/B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,QAAQ;YACR,gEAAgE;YAChE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,GAAG,IAAI;SACjD,CAAC,CAAC;IACL,CAAC;IAEO,uBAAuB,CAAC,OAA0B,EAAE,QAA4B;QACtF,yBAAyB;QACzB,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YACxD,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC/C,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ;oBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBACtD,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE;YAC9C,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,OAAO;YACP,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB;YAC9C,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,EAAE;SACb,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,OAA0B,EAAE,QAA4B,EAAE,SAAiB;QACvF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,EAAE,EAAE,IAAA,SAAM,GAAE;YACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,QAAQ,CAAC,MAA8B;YAC/C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,OAAO,CAAC,WAAW;YAClC,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,MAAM,EAAE;gBACN,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS;gBACT,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC;YACD,QAAQ,EAAE,YAAE,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,eAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB,CAAC,OAA0B;QACjD,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,MAAM,kBAAkB,GAAG;YACzB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU;YACnD,mEAAmE;YACnE,wCAAwC;YACxC,gDAAgD;YAChD,qBAAqB;YACrB,6BAA6B;YAC7B,sBAAsB;YACtB,wBA
AwB;YACxB,OAAO;SACR,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;gBAAE,KAAK,IAAI,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAClE,MAAM,iBAAiB,GAAG;YACxB,WAAW,EAAE,OAAO,EAAE,UAAU;YAChC,gBAAgB;YAChB,cAAc,EAAE,cAAc;YAC9B,iCAAiC;YACjC,YAAY,EAAE,YAAY,EAAE,qBAAqB;YACjD,mBAAmB;YACnB,YAAY;YACZ,cAAc;YACd,kBAAkB;YAClB,cAAc;SACf,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;gBAAE,KAAK,IAAI,EAAE,CAAC;QAC3C,CAAC;QAED,MAAM,qBAAqB,GAAG,MAAM,CAAC;QACrC,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC;QACjC,IAAI,OAAO,GAAG,qBAAqB,EAAE,CAAC;YACpC,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,CAAC;CACF;AAhRD,wCAgRC"}
|
|
@@ -0,0 +1 @@
1
+
{"version":3,"file":"skill-evaluator.test.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.test.ts"],"names":[],"mappings":""}
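--- /dev/null
+++ b/package/dist/skill-authz/skill-evaluator.test.js
@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const skill_evaluator_1 = require("./skill-evaluator");
+function baseConfig(overrides = {}) {
+return {
+sentry: { hostId: 'h', version: '1.0.0', healthPort: 0, apiPort: 0, stateDir: '/tmp', pidFilePath: '/tmp/p' },
+neurosec: { endpoint: '', orgId: '', tokenPath: '', tlsCert: '', tlsKey: '', caBundlePath: '', pinnedFingerprintSha256: '', allowInsecureTls: false, syncIntervalMs: 1, heartbeatIntervalMs: 1 },
+enforcement: { mode: 'enforce', sandboxEnabled: false, syscallFilterEnabled: false, networkFilterEnabled: false, filesystemFilterEnabled: false },
+sandboxDefaults: { cpuMax: '0.5', memoryMax: '512MB', pidMax: 50 },
+network: { allowHosts: [], blockHosts: [], allowPrivate: false, dnsMonitorEnabled: false },
+skillAuthz: { enabled: true, allowUnknown: true, requireApproval: ['shell_exec'] },
+audit: { logPath: '/tmp/audit.log', retentionDays: 1, maxSizeMb: 1 },
+discovery: { intervalMs: 1, sourcePaths: [] },
+proxy: { enabled: false, port: 0, bindAddress: '127.0.0.1', upstreamTimeoutMs: 0, maxBufferSizeMb: 0, interceptHttps: false, certPath: '', keyPath: '', allowedProviders: [], blockLocalModels: false },
+redirect: { enabled: false, strategy: 'env-inject', preserveOriginalKey: false, injectOnDiscover: false },
+...overrides,
+};
+}
+function fakeAuditLogger() {
+return {
+log: vitest_1.vi.fn(async () => undefined),
+init: vitest_1.vi.fn(async () => undefined),
+shutdown: vitest_1.vi.fn(async () => undefined),
+};
+}
+function req(skillName, opts = {}) {
+return {
+agentPid: 1234,
+frameworkId: 'claude-code',
+skillName,
+skillArgs: {},
+invocationId: `inv-${Math.random()}`,
+timestamp: Date.now(),
+...opts,
+};
+}
+(0, vitest_1.describe)('SkillEvaluator — TTL (S-C10)', () => {
+let evaluator;
+(0, vitest_1.beforeEach)(() => {
+evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
+});
+(0, vitest_1.it)('caches an allow decision and returns it on the next evaluate', () => {
+const a = evaluator.evaluate(req('read_help'));
+(0, vitest_1.expect)(a.action).toBe('allow');
+const b = evaluator.evaluate(req('read_help', { invocationId: 'inv-2' }));
+(0, vitest_1.expect)(b.action).toBe('allow');
+// The invocationId on the cached decision is replaced with the new caller's id
+(0, vitest_1.expect)(b.invocationId).toBe('inv-2');
+});
+(0, vitest_1.it)('cached entry expires when duration elapses', () => {
+const realNow = Date.now;
+const start = 1000000000000;
+let now = start;
+Date.now = () => now;
+try {
+const a = evaluator.evaluate(req('read_help'));
+(0, vitest_1.expect)(a.action).toBe('allow');
+// Advance past the 300-second cache TTL
+now = start + 301000;
+// Force pruning so the test asserts behavior rather than internal state
+evaluator.pruneExpired(now);
+const b = evaluator.evaluate(req('read_help', { invocationId: 'inv-2' }));
+// Should be a fresh evaluation (we can't see it's a cache miss directly,
+// but expiry of the entry is the contract — re-running yields the same
+// action without throwing on stale entries).
+(0, vitest_1.expect)(b.action).toBe('allow');
+}
+finally {
+Date.now = realNow;
+}
+});
+});
+(0, vitest_1.describe)('SkillEvaluator — approval flow (S-C9)', () => {
+let evaluator;
+(0, vitest_1.beforeEach)(() => {
+evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
+evaluator.setApprovalTimeoutMs(100); // fast tests
+});
+(0, vitest_1.it)('require_approval action actually registers a pending approval', () => {
+evaluator.evaluate(req('shell_exec', { invocationId: 'inv-pending' }));
+const pending = evaluator.getPendingApprovals();
+(0, vitest_1.expect)(pending).toHaveLength(1);
+(0, vitest_1.expect)(pending[0].invocationId).toBe('inv-pending');
+(0, vitest_1.expect)(pending[0].skillName).toBe('shell_exec');
+});
+(0, vitest_1.it)('approve() resolves the waitForApproval promise with "allow"', async () => {
+evaluator.evaluate(req('shell_exec', { invocationId: 'a-1' }));
+const wait = evaluator.waitForApproval('a-1');
+(0, vitest_1.expect)(evaluator.approve('a-1')).toBe(true);
+const action = await wait;
+(0, vitest_1.expect)(action).toBe('allow');
+(0, vitest_1.expect)(evaluator.getPendingApprovals()).toHaveLength(0);
+});
+(0, vitest_1.it)('deny() resolves the waitForApproval promise with "deny"', async () => {
+evaluator.evaluate(req('shell_exec', { invocationId: 'd-1' }));
+const wait = evaluator.waitForApproval('d-1');
+(0, vitest_1.expect)(evaluator.deny('d-1')).toBe(true);
+(0, vitest_1.expect)(await wait).toBe('deny');
+});
+(0, vitest_1.it)('approval timeout resolves as deny (fail closed)', async () => {
+evaluator.evaluate(req('shell_exec', { invocationId: 't-1' }));
+const wait = evaluator.waitForApproval('t-1');
+const action = await wait;
+(0, vitest_1.expect)(action).toBe('deny');
+});
+(0, vitest_1.it)('approve() returns false for unknown / already-resolved invocationId', () => {
+(0, vitest_1.expect)(evaluator.approve('nonexistent')).toBe(false);
+evaluator.evaluate(req('shell_exec', { invocationId: 'r-1' }));
+(0, vitest_1.expect)(evaluator.approve('r-1')).toBe(true);
+(0, vitest_1.expect)(evaluator.approve('r-1')).toBe(false); // already resolved
+});
+});
+(0, vitest_1.describe)('SkillEvaluator — bounded memory', () => {
+(0, vitest_1.it)('cache eviction keeps map size bounded', () => {
+const evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
+// 5000 unique skill names — capped at 4096
+for (let i = 0; i < 5000; i += 1) {
+evaluator.evaluate(req(`skill_${i}`, { invocationId: `inv-${i}` }));
+}
+// Internal cache cap = 4096; we don't expose size directly but pending
+// approvals should also remain bounded.
+const pending = evaluator.getPendingApprovals();
+(0, vitest_1.expect)(pending.length).toBeLessThanOrEqual(1024);
+});
+});
+//# sourceMappingURL=skill-evaluator.test.js.map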
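Review bot: The bounded-memory test (new-file lines 114–126) does not exercise the cap it describes: with baseConfig's `allowUnknown: true` and `requireApproval: ['shell_exec']`, all 5000 `skill_N` evaluations are allow decisions, so `getPendingApprovals()` is empty and `toBeLessThanOrEqual(1024)` passes whether or not the decision cache evicts anything. To check the pending-approval bound, evaluate `shell_exec` with 5000 distinct invocationIds and assert the exact cap, `(0, vitest_1.expect)(evaluator.getPendingApprovals().length).toBe(1024);` — this assumes a cached require_approval decision still registers a fresh pending entry, which the approval tests suggest but do not prove; checking the decision-cache bound itself needs a test-only size accessor. The TTL test (lines 51–72) has the same blind spot, as its own comment admits: recording the fake audit logger's `log` call count before and after `pruneExpired` would show that the second evaluate was a fresh evaluation, provided evaluate audits fresh decisions. Replacing the manual `Date.now = () => now` patch with `vitest_1.vi.useFakeTimers()` plus `vitest_1.vi.setSystemTime(now)` (restored by `vi.useRealTimers()` in afterEach) would keep clock control consistent with the rest of the vitest setup and avoid mutating a global.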
@@ -0,0 +1 @@
1
+
{"version":3,"file":"skill-evaluator.test.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAC9D,uDAAmD;AAInD,SAAS,UAAU,CAAC,YAAmC,EAAE;IACvD,OAAO;QACL,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;QAC7G,QAAQ,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE,mBAAmB,EAAE,CAAC,EAAE;QAChM,WAAW,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE;QACjJ,eAAe,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;QAClE,OAAO,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE;QAC1F,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;QAClF,KAAK,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE;QACpE,SAAS,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE;QAC7C,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE;QACvM,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,mBAAmB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,EAAE;QACzG,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe;IACtB,OAAO;QACL,GAAG,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;QACjC,IAAI,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;QAClC,QAAQ,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;KAC9B,CAAC;AACb,CAAC;AAED,SAAS,GAAG,CAAC,SAAiB,EAAE,OAAmC,EAAE;IACnE,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,aAAa;QAC1B,SAAS;QACT,SAAS,EAAE,EAAE;QACb,YAAY,EAAE,OAAO,IAAI,CAAC,MAAM,EAAE,EAAE;QACpC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAA
C,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,SAAyB,CAAC;IAC9B,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,+EAA+E;QAC/E,IAAA,eAAM,EAAC,CAAC,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC;QACzB,MAAM,KAAK,GAAG,aAAiB,CAAC;QAChC,IAAI,GAAG,GAAG,KAAK,CAAC;QAChB,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;YAC/C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,wCAAwC;YACxC,GAAG,GAAG,KAAK,GAAG,MAAO,CAAC;YACtB,wEAAwE;YACxE,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;YAC1E,yEAAyE;YACzE,uEAAuE;YACvE,6CAA6C;YAC7C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC;QACrB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,uCAAuC,EAAE,GAAG,EAAE;IACrD,IAAI,SAAyB,CAAC;IAC9B,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;QACzE,SAAS,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,SAAS,CAAC,mBAAmB,EAAE,CAAC;QAChD,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CA
AC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC;QAC1B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAA,eAAM,EAAC,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC;QAC1B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,mBAAmB;IACnE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;QAC/E,2CAA2C;QAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC
,CAAC;QACtE,CAAC;QACD,uEAAuE;QACvE,wCAAwC;QACxC,MAAM,OAAO,GAAG,SAAS,CAAC,mBAAmB,EAAE,CAAC;QAChD,IAAA,eAAM,EAAC,OAAO,CAAC,MAAM,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
package/dist/telemetry.d.ts.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAqB3E,qBAAa,iBAAiB;IAO1B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,kBAAkB;IAC1B,OAAO,CAAC,kBAAkB;IAT5B,OAAO,CAAC,cAAc,CAA+C;IACrE,OAAO,CAAC,SAAS,CAA+C;IAChE,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,iBAAiB,CAAc;gBAG7B,MAAM,EAAE,YAAY,EACpB,SAAS,EAAE,MAAM,YAAY,EAC7B,kBAAkB,EAAE,MAAM,aAAa,EAAE,EACzC,kBAAkB,EAAE,MAAM,mBAAmB,EAAE;IAGzD,KAAK,IAAI,IAAI;IAsBb,IAAI,IAAI,IAAI;IAKZ,aAAa,IAAI,MAAM,GAAG,IAAI;IAI9B,OAAO,CAAC,SAAS;YAQH,aAAa;YAgCb,cAAc;YA4Bd,aAAa;YA2Bb,UAAU;CAoBzB"}
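--- a/package/dist/telemetry.js
+++ b/package/dist/telemetry.js
@@ -4,9 +4,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TelemetryReporter = void 0;
-const http_1 = __importDefault(require("http"));
-const https_1 = __importDefault(require("https"));
 const fs_1 = __importDefault(require("fs"));
+const http_client_1 = require("./http-client");
 const logger_1 = require("./logger");
 class TelemetryReporter {
 constructor(config, getStatus, getTaggedProcesses, getRecentDecisions) {
@@ -140,48 +139,21 @@ class TelemetryReporter {
 }
 }
 async apiRequest(method, path, body) {
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-const agent = isHttps ? new https_1.default.Agent({ rejectUnauthorized: false }) : undefined;
-const options = {
-hostname: url.hostname,
-port: url.port || (isHttps ? 443 : 80),
-path: url.pathname,
-method,
-headers,
-timeout: 15000,
-agent,
-};
-const req = lib.request(options, res => {
-let data = '';
-res.on('data', chunk => { data += chunk; });
-res.on('end', () => {
-try {
-resolve(JSON.parse(data));
-}
-catch {
-resolve(data);
-}
-});
-});
-req.on('error', reject);
-req.on('timeout', () => { req.destroy(); reject(new Error('Request timed out')); });
-req.write(bodyStr);
-req.end();
-});
+const token = this.readToken();
+const headers = {
+'X-Sentry-Host-Id': this.config.sentry.hostId,
+'X-Sentry-Org-Id': this.config.neurosec.orgId,
+};
+if (token)
+headers['Authorization'] = `Bearer ${token}`;
+const result = await (0, http_client_1.secureRequest)({
+endpoint: this.config.neurosec.endpoint,
+caBundlePath: this.config.neurosec.caBundlePath || undefined,
+pinnedFingerprintSha256: this.config.neurosec.pinnedFingerprintSha256 || undefined,
+allowInsecureTls: this.config.neurosec.allowInsecureTls,
+timeoutMs: 15000,
+}, { method, path, headers, body });
+return result.parsed ?? result.body;
 }
 }
 exports.TelemetryReporter = TelemetryReporter;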
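Review bot: apiRequest in the second hunk carries no documentation of its trust boundary: TLS verification is now delegated entirely to secureRequest through neurosec.caBundlePath, pinnedFingerprintSha256 and allowInsecureTls, and the `if (token)` guard means an empty token produces a request with no Authorization header rather than an error. A JSDoc above `async apiRequest(method, path, body)` should state both, e.g. `/** Sends a request to the NeuroSec endpoint via secureRequest (CA bundle, SHA-256 pin and allowInsecureTls are taken from config.neurosec); an empty token sends the request unauthenticated. */`. If secureRequest does not itself log when allowInsecureTls is true, a one-line warn here would keep the degraded-verification mode visible to operators; http-client is not in this diff, so I cannot confirm either way. The 15000 timeout repeats the old hard-coded value and would read better as a named constant, `const API_TIMEOUT_MS = 15000;`, passed as `timeoutMs: API_TIMEOUT_MS`.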
package/dist/telemetry.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":";;;;;;AAAA,
1
+
{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAoB;AAGpB,+CAA8C;AAC9C,qCAAkC;AAmBlC,MAAa,iBAAiB;IAM5B,YACU,MAAoB,EACpB,SAA6B,EAC7B,kBAAyC,EACzC,kBAA+C;QAH/C,WAAM,GAAN,MAAM,CAAc;QACpB,cAAS,GAAT,SAAS,CAAoB;QAC7B,uBAAkB,GAAlB,kBAAkB,CAAuB;QACzC,uBAAkB,GAAlB,kBAAkB,CAA6B;QATjD,mBAAc,GAA0C,IAAI,CAAC;QAC7D,cAAS,GAA0C,IAAI,CAAC;QACxD,eAAU,GAAkB,IAAI,CAAC;QACjC,sBAAiB,GAAW,EAAE,CAAC;IAOpC,CAAC;IAEJ,KAAK;QACH,IAAI,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,cAAc,GAAG,WAAW,CAC/B,GAAG,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,eAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC,EACnH,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAC1D,CAAC;QAEF,mDAAmD;QACnD,IAAI,CAAC,SAAS,GAAG,WAAW,CAC1B,GAAG,EAAE;YACH,IAAI,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrC,IAAI,CAAC,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACxC,CAAC,EACD,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,KAAK,CAAC,CACrD,CAAC;QAEF,eAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE;YACxC,mBAAmB,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,EAAE,KAAK,CAAC;YAC9E,cAAc,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,KAAK,CAAC;SACrE,CAAC,CAAC;IACL,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAAC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAAC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAAC,CAAC;QAC5F,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAAC,CAAC;IAC/E,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAEO,SAAS;QACf,IAAI,CAAC;YACH,OAAO,YAAE,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ;YAAE,OAAO;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,SAAS,
GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE1C,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM;YACjC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK;YACjC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO;YACnC,QAAQ;YACR,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI;YAClC,eAAe,EAAE,SAAS,CAAC,MAAM;YACjC,kBAAkB,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM;YAC7D,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,0BAA0B,EAAE,OAAO,CAAC,CAAC;YACnE,IAAI,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC3C,eAAM,CAAC,KAAK,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ;YAAE,OAAO;QAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACnF,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEtC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,0BAA0B,EAAE;gBACxD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM;gBACjC,SAAS,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5C,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,aAAa,EAAE,CAAC,CAAC,WAAW;oBAC5B,GAAG,EAAE,CAAC,CAAC,GAAG;oBACV,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;iBAC/C,CAAC,CAAC;aACJ,CAAC,CAAC;YACH,IAAI,CAAC,iBAAiB,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,C
AAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACvE,eAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ;YAAE,OAAO;QAE3C,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5C,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEnC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,0BAA0B,EAAE;gBACxD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM;gBACjC,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC7B,GAAG,EAAE,CAAC,CAAC,GAAG;oBACV,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,aAAa,EAAE,CAAC,CAAC,aAAa;oBAC9B,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,UAAU,EAAE,CAAC,CAAC,UAAU;oBACxB,SAAS,EAAE,CAAC,CAAC,SAAS;oBACtB,cAAc,EAAE,CAAC,CAAC,kBAAkB;oBACpC,OAAO,EAAE,CAAC,CAAC,OAAO;iBACnB,CAAC,CAAC;aACJ,CAAC,CAAC;YACH,eAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,IAAY,EAAE,IAAa;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,MAAM,OAAO,GAA2B;YACtC,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM;YAC7C,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK;SAC9C,CAAC;QACF,IAAI,KAAK;YAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;QAExD,MAAM,MAAM,GAAG,MAAM,IAAA,2BAAa,EAChC;YACE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ;YACvC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,IAAI,SAAS;YAC5D,uBAAuB,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,IAAI,SAAS;YAClF,gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB;YACvD,SAAS,EAAE,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAChC,CAAC;QACF,OAAO,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC;IACtC,CAAC;CACF;AA/JD,8CA+JC"}