@neurosec/sentry 1.0.20 → 1.1.0
- package/README.md +4 -0
- package/dist/api-auth.d.ts +31 -0
- package/dist/api-auth.d.ts.map +1 -0
- package/dist/api-auth.js +105 -0
- package/dist/api-auth.js.map +1 -0
- package/dist/api-auth.test.d.ts +2 -0
- package/dist/api-auth.test.d.ts.map +1 -0
- package/dist/api-auth.test.js +89 -0
- package/dist/api-auth.test.js.map +1 -0
- package/dist/api.d.ts +8 -7
- package/dist/api.d.ts.map +1 -1
- package/dist/api.js +141 -134
- package/dist/api.js.map +1 -1
- package/dist/cli.d.ts +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +107 -14
- package/dist/cli.js.map +1 -1
- package/dist/cli.test.d.ts +2 -0
- package/dist/cli.test.d.ts.map +1 -0
- package/dist/cli.test.js +68 -0
- package/dist/cli.test.js.map +1 -0
- package/dist/config.d.ts +30 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +50 -1
- package/dist/config.js.map +1 -1
- package/dist/discovery-win.d.ts +4 -0
- package/dist/discovery-win.d.ts.map +1 -0
- package/dist/discovery-win.js +153 -0
- package/dist/discovery-win.js.map +1 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +23 -97
- package/dist/discovery.js.map +1 -1
- package/dist/discovery.test.js +18 -109
- package/dist/discovery.test.js.map +1 -1
- package/dist/enforcement/file-monitor.d.ts +9 -0
- package/dist/enforcement/file-monitor.d.ts.map +1 -1
- package/dist/enforcement/file-monitor.js +9 -2
- package/dist/enforcement/file-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.d.ts.map +1 -1
- package/dist/enforcement/network-monitor.js +350 -9
- package/dist/enforcement/network-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.test.d.ts +2 -0
- package/dist/enforcement/network-monitor.test.d.ts.map +1 -0
- package/dist/enforcement/network-monitor.test.js +52 -0
- package/dist/enforcement/network-monitor.test.js.map +1 -0
- package/dist/enforcement/policy-executor.d.ts +24 -1
- package/dist/enforcement/policy-executor.d.ts.map +1 -1
- package/dist/enforcement/policy-executor.js +213 -69
- package/dist/enforcement/policy-executor.js.map +1 -1
- package/dist/enforcement/policy-executor.test.d.ts +2 -0
- package/dist/enforcement/policy-executor.test.d.ts.map +1 -0
- package/dist/enforcement/policy-executor.test.js +46 -0
- package/dist/enforcement/policy-executor.test.js.map +1 -0
- package/dist/enforcement/target-validator.d.ts +37 -0
- package/dist/enforcement/target-validator.d.ts.map +1 -0
- package/dist/enforcement/target-validator.js +0 -0
- package/dist/enforcement/target-validator.js.map +1 -0
- package/dist/enforcement/target-validator.test.d.ts +2 -0
- package/dist/enforcement/target-validator.test.d.ts.map +1 -0
- package/dist/enforcement/target-validator.test.js +103 -0
- package/dist/enforcement/target-validator.test.js.map +1 -0
- package/dist/http-client.d.ts +35 -0
- package/dist/http-client.d.ts.map +1 -0
- package/dist/http-client.js +168 -0
- package/dist/http-client.js.map +1 -0
- package/dist/http-client.test.d.ts +2 -0
- package/dist/http-client.test.d.ts.map +1 -0
- package/dist/http-client.test.js +172 -0
- package/dist/http-client.test.js.map +1 -0
- package/dist/index.js +190 -114
- package/dist/index.js.map +1 -1
- package/dist/launcher.d.ts +33 -0
- package/dist/launcher.d.ts.map +1 -0
- package/dist/launcher.js +425 -0
- package/dist/launcher.js.map +1 -0
- package/dist/launcher.test.d.ts +2 -0
- package/dist/launcher.test.d.ts.map +1 -0
- package/dist/launcher.test.js +109 -0
- package/dist/launcher.test.js.map +1 -0
- package/dist/proxy/cert-manager.d.ts +24 -0
- package/dist/proxy/cert-manager.d.ts.map +1 -0
- package/dist/proxy/cert-manager.js +117 -0
- package/dist/proxy/cert-manager.js.map +1 -0
- package/dist/proxy/cert-manager.test.d.ts +2 -0
- package/dist/proxy/cert-manager.test.d.ts.map +1 -0
- package/dist/proxy/cert-manager.test.js +70 -0
- package/dist/proxy/cert-manager.test.js.map +1 -0
- package/dist/proxy/index.d.ts +61 -0
- package/dist/proxy/index.d.ts.map +1 -0
- package/dist/proxy/index.js +74 -0
- package/dist/proxy/index.js.map +1 -0
- package/dist/proxy/policy-enforcer.d.ts +30 -0
- package/dist/proxy/policy-enforcer.d.ts.map +1 -0
- package/dist/proxy/policy-enforcer.js +143 -0
- package/dist/proxy/policy-enforcer.js.map +1 -0
- package/dist/proxy/proxy-server.d.ts +42 -0
- package/dist/proxy/proxy-server.d.ts.map +1 -0
- package/dist/proxy/proxy-server.js +652 -0
- package/dist/proxy/proxy-server.js.map +1 -0
- package/dist/proxy/redaction-engine.d.ts +4 -0
- package/dist/proxy/redaction-engine.d.ts.map +1 -0
- package/dist/proxy/redaction-engine.js +50 -0
- package/dist/proxy/redaction-engine.js.map +1 -0
- package/dist/proxy/response-redaction.test.d.ts +2 -0
- package/dist/proxy/response-redaction.test.d.ts.map +1 -0
- package/dist/proxy/response-redaction.test.js +125 -0
- package/dist/proxy/response-redaction.test.js.map +1 -0
- package/dist/proxy/threat-engine.d.ts +22 -0
- package/dist/proxy/threat-engine.d.ts.map +1 -0
- package/dist/proxy/threat-engine.js +291 -0
- package/dist/proxy/threat-engine.js.map +1 -0
- package/dist/proxy/threat-engine.test.d.ts +2 -0
- package/dist/proxy/threat-engine.test.d.ts.map +1 -0
- package/dist/proxy/threat-engine.test.js +27 -0
- package/dist/proxy/threat-engine.test.js.map +1 -0
- package/dist/redirect/env-injector.d.ts +72 -0
- package/dist/redirect/env-injector.d.ts.map +1 -0
- package/dist/redirect/env-injector.js +177 -0
- package/dist/redirect/env-injector.js.map +1 -0
- package/dist/redirect/env-injector.test.d.ts +2 -0
- package/dist/redirect/env-injector.test.d.ts.map +1 -0
- package/dist/redirect/env-injector.test.js +91 -0
- package/dist/redirect/env-injector.test.js.map +1 -0
- package/dist/redirect/index.d.ts +3 -0
- package/dist/redirect/index.d.ts.map +1 -0
- package/dist/redirect/index.js +8 -0
- package/dist/redirect/index.js.map +1 -0
- package/dist/redirect/platform-redirect.d.ts +42 -0
- package/dist/redirect/platform-redirect.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.js +229 -0
- package/dist/redirect/platform-redirect.js.map +1 -0
- package/dist/redirect/platform-redirect.test.d.ts +2 -0
- package/dist/redirect/platform-redirect.test.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.test.js +76 -0
- package/dist/redirect/platform-redirect.test.js.map +1 -0
- package/dist/sandbox/index.d.ts +23 -2
- package/dist/sandbox/index.d.ts.map +1 -1
- package/dist/sandbox/index.js +24 -7
- package/dist/sandbox/index.js.map +1 -1
- package/dist/sandbox/linux-sandbox.d.ts +13 -2
- package/dist/sandbox/linux-sandbox.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox.js +61 -27
- package/dist/sandbox/linux-sandbox.js.map +1 -1
- package/dist/sandbox/macos-sandbox.d.ts +15 -4
- package/dist/sandbox/macos-sandbox.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox.js +36 -18
- package/dist/sandbox/macos-sandbox.js.map +1 -1
- package/dist/sandbox/sandbox-result.test.d.ts +2 -0
- package/dist/sandbox/sandbox-result.test.d.ts.map +1 -0
- package/dist/sandbox/sandbox-result.test.js +87 -0
- package/dist/sandbox/sandbox-result.test.js.map +1 -0
- package/dist/sandbox/windows-sandbox.d.ts +34 -0
- package/dist/sandbox/windows-sandbox.d.ts.map +1 -0
- package/dist/sandbox/windows-sandbox.js +161 -0
- package/dist/sandbox/windows-sandbox.js.map +1 -0
- package/dist/setup.d.ts.map +1 -1
- package/dist/setup.js +33 -43
- package/dist/setup.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.d.ts +30 -0
- package/dist/skill-authz/skill-evaluator.d.ts.map +1 -1
- package/dist/skill-authz/skill-evaluator.js +161 -30
- package/dist/skill-authz/skill-evaluator.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.test.d.ts +2 -0
- package/dist/skill-authz/skill-evaluator.test.d.ts.map +1 -0
- package/dist/skill-authz/skill-evaluator.test.js +127 -0
- package/dist/skill-authz/skill-evaluator.test.js.map +1 -0
- package/dist/telemetry.d.ts +2 -8
- package/dist/telemetry.d.ts.map +1 -1
- package/dist/telemetry.js +17 -147
- package/dist/telemetry.js.map +1 -1
- package/dist/types.d.ts +48 -105
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -1
- package/dist/types.js.map +1 -1
- package/package.json +7 -3
- package/scripts/install-sentry-windows.ps1 +217 -0
|
@@ -1,20 +1,50 @@
|
|
|
1
1
|
import { SkillAuthzRequest, SkillAuthzDecision } from '../types';
|
|
2
2
|
import { SentryConfig } from '../config';
|
|
3
3
|
import { AuditLogger } from '../audit';
|
|
4
|
+
/**
|
|
5
|
+
* Skill authorization gate. Evaluates a tool/function/skill invocation against
|
|
6
|
+
* the host's skill policy and returns an allow/deny/require_approval decision.
|
|
7
|
+
*
|
|
8
|
+
* Fixes vs prior implementation:
|
|
9
|
+
* - TTL math (S-C10): cache expiry uses an absolute deadline. Previous
|
|
10
|
+
* code's `Date.now() - duration < Date.now()` was always true and the
|
|
11
|
+
* cache never expired.
|
|
12
|
+
* - Approval flow (S-C9): `evaluate()` now actually inserts into the
|
|
13
|
+
* pendingApprovals map when action=require_approval, so `approve()` /
|
|
14
|
+
* `deny()` / `getPendingApprovals()` work end-to-end.
|
|
15
|
+
* - LRU-ish bounding: cache and pending maps are size-capped so a flood
|
|
16
|
+
* of unique skill names cannot OOM the daemon.
|
|
17
|
+
*/
|
|
4
18
|
export declare class SkillEvaluator {
|
|
5
19
|
private config;
|
|
6
20
|
private pendingApprovals;
|
|
7
21
|
private cache;
|
|
8
22
|
private auditLogger;
|
|
23
|
+
/** Approval timeout — caller-supplied callbacks resolve with `deny` after this. */
|
|
24
|
+
private approvalTimeoutMs;
|
|
9
25
|
constructor(config: SentryConfig, auditLogger?: AuditLogger);
|
|
26
|
+
/** Override the approval timeout — exposed for tests and config integration. */
|
|
27
|
+
setApprovalTimeoutMs(ms: number): void;
|
|
10
28
|
evaluate(request: SkillAuthzRequest): SkillAuthzDecision;
|
|
29
|
+
/**
|
|
30
|
+
* Wait for an operator decision on a pending approval. Resolves with the
|
|
31
|
+
* final action ('allow' or 'deny'). After `approvalTimeoutMs` the wait
|
|
32
|
+
* resolves with 'deny' (fail closed) and the pending entry is removed.
|
|
33
|
+
*/
|
|
34
|
+
waitForApproval(invocationId: string): Promise<SkillAuthzDecision['action']>;
|
|
11
35
|
approve(invocationId: string): boolean;
|
|
12
36
|
deny(invocationId: string): boolean;
|
|
13
37
|
getPendingApprovals(): Array<{
|
|
14
38
|
invocationId: string;
|
|
15
39
|
skillName: string;
|
|
16
40
|
frameworkId: string;
|
|
41
|
+
requestedAt: number;
|
|
17
42
|
}>;
|
|
43
|
+
/** Test helper / housekeeping: drop expired entries from both maps. */
|
|
44
|
+
pruneExpired(now?: number): void;
|
|
45
|
+
private cacheDecision;
|
|
46
|
+
private registerPendingApproval;
|
|
47
|
+
private audit;
|
|
18
48
|
private computeRiskScore;
|
|
19
49
|
}
|
|
20
50
|
//# sourceMappingURL=skill-evaluator.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"skill-evaluator.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAc,MAAM,UAAU,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"skill-evaluator.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAc,MAAM,UAAU,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAwBvC;;;;;;;;;;;;;GAaG;AACH,qBAAa,cAAc;IASvB,OAAO,CAAC,MAAM;IARhB,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,KAAK,CAAsC;IACnD,OAAO,CAAC,WAAW,CAAc;IAEjC,mFAAmF;IACnF,OAAO,CAAC,iBAAiB,CAAiB;gBAGhC,MAAM,EAAE,YAAY,EAC5B,WAAW,CAAC,EAAE,WAAW;IAK3B,gFAAgF;IAChF,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAItC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,GAAG,kBAAkB;IA+DxD;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAsBlF,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IActC,IAAI,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAYnC,mBAAmB,IAAI,KAAK,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IAenH,uEAAuE;IACvE,YAAY,CAAC,GAAG,SAAa,GAAG,IAAI;IAkBpC,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,uBAAuB;IAsB/B,OAAO,CAAC,KAAK;IAqBb,OAAO,CAAC,gBAAgB;CA6CzB"}
|
|
@@ -8,23 +8,53 @@ const os_1 = __importDefault(require("os"));
|
|
|
8
8
|
const uuid_1 = require("uuid");
|
|
9
9
|
const logger_1 = require("../logger");
|
|
10
10
|
const audit_1 = require("../audit");
|
|
11
|
+
/**
|
|
12
|
+
* Maximum number of pending approvals or cached allow decisions retained.
|
|
13
|
+
* Prevents unbounded memory growth under hostile or buggy callers.
|
|
14
|
+
*/
|
|
15
|
+
const MAX_PENDING = 1024;
|
|
16
|
+
const MAX_CACHE = 4096;
|
|
17
|
+
/**
|
|
18
|
+
* Skill authorization gate. Evaluates a tool/function/skill invocation against
|
|
19
|
+
* the host's skill policy and returns an allow/deny/require_approval decision.
|
|
20
|
+
*
|
|
21
|
+
* Fixes vs prior implementation:
|
|
22
|
+
* - TTL math (S-C10): cache expiry uses an absolute deadline. Previous
|
|
23
|
+
* code's `Date.now() - duration < Date.now()` was always true and the
|
|
24
|
+
* cache never expired.
|
|
25
|
+
* - Approval flow (S-C9): `evaluate()` now actually inserts into the
|
|
26
|
+
* pendingApprovals map when action=require_approval, so `approve()` /
|
|
27
|
+
* `deny()` / `getPendingApprovals()` work end-to-end.
|
|
28
|
+
* - LRU-ish bounding: cache and pending maps are size-capped so a flood
|
|
29
|
+
* of unique skill names cannot OOM the daemon.
|
|
30
|
+
*/
|
|
11
31
|
class SkillEvaluator {
|
|
12
32
|
constructor(config, auditLogger) {
|
|
13
33
|
this.config = config;
|
|
14
34
|
this.pendingApprovals = new Map();
|
|
15
35
|
this.cache = new Map();
|
|
36
|
+
/** Approval timeout — caller-supplied callbacks resolve with `deny` after this. */
|
|
37
|
+
this.approvalTimeoutMs = 5 * 60 * 1000; // 5 minutes
|
|
16
38
|
this.auditLogger = auditLogger ?? new audit_1.AuditLogger(config);
|
|
17
39
|
}
|
|
40
|
+
/** Override the approval timeout — exposed for tests and config integration. */
|
|
41
|
+
setApprovalTimeoutMs(ms) {
|
|
42
|
+
if (Number.isFinite(ms) && ms > 0)
|
|
43
|
+
this.approvalTimeoutMs = ms;
|
|
44
|
+
}
|
|
18
45
|
evaluate(request) {
|
|
19
46
|
const cacheKey = `${request.frameworkId}:${request.skillName}`;
|
|
20
47
|
const cached = this.cache.get(cacheKey);
|
|
21
|
-
if (cached &&
|
|
22
|
-
|
|
48
|
+
if (cached && cached.expiresAt > Date.now()) {
|
|
49
|
+
// Return a copy so callers can't mutate the cached object.
|
|
50
|
+
return { ...cached.decision, invocationId: request.invocationId };
|
|
23
51
|
}
|
|
52
|
+
if (cached)
|
|
53
|
+
this.cache.delete(cacheKey); // expired
|
|
24
54
|
const riskScore = this.computeRiskScore(request);
|
|
25
55
|
let action;
|
|
26
56
|
let reason;
|
|
27
|
-
const needsApproval = this.config.skillAuthz.requireApproval.some(pattern => request.skillName.toLowerCase().includes(pattern.toLowerCase()));
|
|
57
|
+
const needsApproval = this.config.skillAuthz.requireApproval.some((pattern) => request.skillName.toLowerCase().includes(pattern.toLowerCase()));
|
|
28
58
|
if (needsApproval && this.config.enforcement.mode !== 'monitor') {
|
|
29
59
|
action = 'require_approval';
|
|
30
60
|
reason = `Skill '${request.skillName}' requires interactive approval`;
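Review bot: The cache hit in evaluate() (new lines 48–50) replays a decision keyed only on `frameworkId:skillName`, but the cached object's `redactArgs` was computed from an earlier request's `skillArgs` keys (the decision literal further down the file builds it with `Object.keys(request.skillArgs)`), so a later call with different arguments receives the wrong key list, and because `{ ...cached.decision }` is a shallow copy that array is still shared with the cache entry. Recompute it for the current request on a hit: `return { ...cached.decision, invocationId: request.invocationId, redactArgs: cached.decision.redactArgs ? Object.keys(request.skillArgs) : undefined };`. If computeRiskScore() also reads `skillArgs` (its body is not in this diff), the cached action derived from `riskScore` is stale for the same reason and the cache key would need to cover the argument shape as well. evaluate() continues past the end of this hunk.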
|
|
@@ -37,7 +67,8 @@ class SkillEvaluator {
|
|
|
37
67
|
action = 'require_approval';
|
|
38
68
|
reason = `Risk score ${riskScore}/100 requires approval for '${request.skillName}'`;
|
|
39
69
|
}
|
|
40
|
-
else if (!this.config.skillAuthz.allowUnknown &&
|
|
70
|
+
else if (!this.config.skillAuthz.allowUnknown &&
|
|
71
|
+
!this.config.skillAuthz.requireApproval.some((p) => request.skillName.includes(p))) {
|
|
41
72
|
action = 'deny';
|
|
42
73
|
reason = `Skill '${request.skillName}' is not in the allowlist`;
|
|
43
74
|
}
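Review bot: The allowlist test on new lines 70–71 matches `requireApproval` patterns case-sensitively (`request.skillName.includes(p)`), while `needsApproval` on line 57 lower-cases both sides, so the two checks disagree for mixed-case skill names; this appears to be inherited from the old one-line condition rather than introduced here, but the reformat is the moment to align them. Reuse the value already computed: `else if (!this.config.skillAuthz.allowUnknown && !needsApproval) {`. The only observable difference is a mixed-case match reached in monitor mode, which presumably ends up allowed by the monitor override anyway (that override is not visible in this hunk). evaluate() starts and ends outside this hunk.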
|
|
@@ -57,28 +88,44 @@ class SkillEvaluator {
|
|
|
57
88
|
redactArgs: riskScore >= 50 ? Object.keys(request.skillArgs) : undefined,
|
|
58
89
|
};
|
|
59
90
|
if (action === 'allow') {
|
|
60
|
-
this.
|
|
91
|
+
this.cacheDecision(cacheKey, decision);
|
|
61
92
|
}
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
frameworkName: request.frameworkId,
|
|
69
|
-
pid: request.agentPid,
|
|
70
|
-
reason: decision.reason,
|
|
71
|
-
detail: {
|
|
72
|
-
skillName: request.skillName,
|
|
73
|
-
riskScore,
|
|
74
|
-
invocationId: request.invocationId,
|
|
75
|
-
},
|
|
76
|
-
hostname: os_1.default.hostname(),
|
|
77
|
-
}).catch(err => {
|
|
78
|
-
logger_1.logger.error('Skill audit log failed', { err: err.message });
|
|
79
|
-
});
|
|
93
|
+
else if (action === 'require_approval') {
|
|
94
|
+
// S-C9 fix: actually register the pending approval so approve()/deny()
|
|
95
|
+
// and getPendingApprovals() can find it.
|
|
96
|
+
this.registerPendingApproval(request, decision);
|
|
97
|
+
}
|
|
98
|
+
this.audit(request, decision, riskScore);
|
|
80
99
|
return decision;
|
|
81
100
|
}
|
|
101
|
+
/**
|
|
102
|
+
* Wait for an operator decision on a pending approval. Resolves with the
|
|
103
|
+
* final action ('allow' or 'deny'). After `approvalTimeoutMs` the wait
|
|
104
|
+
* resolves with 'deny' (fail closed) and the pending entry is removed.
|
|
105
|
+
*/
|
|
106
|
+
async waitForApproval(invocationId) {
|
|
107
|
+
const pending = this.pendingApprovals.get(invocationId);
|
|
108
|
+
if (!pending || pending.resolved)
|
|
109
|
+
return 'deny';
|
|
110
|
+
return new Promise((resolve) => {
|
|
111
|
+
pending.awaiters.push(resolve);
|
|
112
|
+
const timeoutHandle = setTimeout(() => {
|
|
113
|
+
if (!pending.resolved) {
|
|
114
|
+
pending.resolved = true;
|
|
115
|
+
pending.decision.action = 'deny';
|
|
116
|
+
pending.decision.reason = 'Approval request timed out (fail closed)';
|
|
117
|
+
for (const awaiter of pending.awaiters)
|
|
118
|
+
awaiter('deny');
|
|
119
|
+
pending.awaiters.length = 0;
|
|
120
|
+
this.pendingApprovals.delete(invocationId);
|
|
121
|
+
}
|
|
122
|
+
}, this.approvalTimeoutMs);
|
|
123
|
+
// Don't keep the event loop alive solely for this timer.
|
|
124
|
+
if (typeof timeoutHandle.unref === 'function') {
|
|
125
|
+
timeoutHandle.unref?.();
|
|
126
|
+
}
|
|
127
|
+
});
|
|
128
|
+
}
|
|
82
129
|
approve(invocationId) {
|
|
83
130
|
const pending = this.pendingApprovals.get(invocationId);
|
|
84
131
|
if (!pending || pending.resolved || Date.now() > pending.expiresAt) {
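Review bot: waitForApproval() (new lines 106–128) arms its timer with a full `this.approvalTimeoutMs` measured from the call, not from the entry's `expiresAt` fixed at registration, so a waiter attached late keeps waiting after approve() (line 131, whose body continues outside this hunk) has already started rejecting the entry as expired, and nothing but the late timer can ever resolve it. Use the remaining budget instead: `}, Math.max(0, pending.expiresAt - Date.now()));`. Separately, on new line 91 the same `decision` object that goes into the cache is returned to the caller on line 99, so the "callers can't mutate the cached object" comment on line 49 only holds for hits; pass a copy, `this.cacheDecision(cacheKey, { ...decision });`. The `typeof timeoutHandle.unref === 'function'` guard on line 124 already makes the `?.()` on line 125 redundant.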
|
|
@@ -87,6 +134,9 @@ class SkillEvaluator {
|
|
|
87
134
|
pending.resolved = true;
|
|
88
135
|
pending.decision.action = 'allow';
|
|
89
136
|
pending.decision.reason = 'Approved by operator';
|
|
137
|
+
for (const awaiter of pending.awaiters)
|
|
138
|
+
awaiter('allow');
|
|
139
|
+
pending.awaiters.length = 0;
|
|
90
140
|
this.pendingApprovals.delete(invocationId);
|
|
91
141
|
return true;
|
|
92
142
|
}
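Review bot: The three lines added to approve() here (new lines 137–139) are now the fifth copy of the same "mark resolved, rewrite decision, release awaiters, clear, delete" sequence (also in deny(), the timeout callback in waitForApproval(), pruneExpired() and the eviction loop in registerPendingApproval()), and the copies already drift: the prune and eviction paths resolve waiters with 'deny' but leave `decision.action` at 'require_approval' and write no audit record, so a caller holding the decision and a waiter see different outcomes. A single private helper that every path calls keeps them aligned; approve() would reduce to `this.settle(invocationId, pending, 'allow', 'Approved by operator'); return true;`. approve()'s lookup and expiry guard sit above the start of this hunk.
```javascript
    // Settle a pending approval: record the final action, release every
    // waiter with it, and drop the entry so it cannot be settled twice.
    settle(invocationId, pending, action, reason) {
        pending.resolved = true;
        pending.decision.action = action;
        pending.decision.reason = reason;
        for (const awaiter of pending.awaiters)
            awaiter(action);
        pending.awaiters.length = 0;
        this.pendingApprovals.delete(invocationId);
    }
    approve(invocationId) {
        // … unchanged: lookup and expiry guard …
        this.settle(invocationId, pending, 'allow', 'Approved by operator');
        return true;
    }
```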
|
|
@@ -97,22 +147,103 @@ class SkillEvaluator {
|
|
|
97
147
|
pending.resolved = true;
|
|
98
148
|
pending.decision.action = 'deny';
|
|
99
149
|
pending.decision.reason = 'Denied by operator';
|
|
150
|
+
for (const awaiter of pending.awaiters)
|
|
151
|
+
awaiter('deny');
|
|
152
|
+
pending.awaiters.length = 0;
|
|
100
153
|
this.pendingApprovals.delete(invocationId);
|
|
101
154
|
return true;
|
|
102
155
|
}
|
|
103
156
|
getPendingApprovals() {
|
|
157
|
+
const now = Date.now();
|
|
104
158
|
const result = [];
|
|
105
159
|
for (const [id, pending] of this.pendingApprovals) {
|
|
106
|
-
if (
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
160
|
+
if (pending.resolved || now >= pending.expiresAt)
|
|
161
|
+
continue;
|
|
162
|
+
result.push({
|
|
163
|
+
invocationId: id,
|
|
164
|
+
skillName: pending.request.skillName,
|
|
165
|
+
frameworkId: pending.request.frameworkId,
|
|
166
|
+
requestedAt: pending.request.timestamp,
|
|
167
|
+
});
|
|
113
168
|
}
|
|
114
169
|
return result;
|
|
115
170
|
}
|
|
171
|
+
/** Test helper / housekeeping: drop expired entries from both maps. */
|
|
172
|
+
pruneExpired(now = Date.now()) {
|
|
173
|
+
for (const [k, v] of this.cache) {
|
|
174
|
+
if (v.expiresAt <= now)
|
|
175
|
+
this.cache.delete(k);
|
|
176
|
+
}
|
|
177
|
+
for (const [k, v] of this.pendingApprovals) {
|
|
178
|
+
if (v.resolved || v.expiresAt <= now) {
|
|
179
|
+
// Resolve any leftover awaiters as deny so they don't leak.
|
|
180
|
+
if (!v.resolved) {
|
|
181
|
+
for (const awaiter of v.awaiters)
|
|
182
|
+
awaiter('deny');
|
|
183
|
+
v.awaiters.length = 0;
|
|
184
|
+
}
|
|
185
|
+
this.pendingApprovals.delete(k);
|
|
186
|
+
}
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
// ── private ────────────────────────────────────────────────────────────
|
|
190
|
+
cacheDecision(key, decision) {
|
|
191
|
+
// Evict oldest entries when over cap (Map preserves insertion order).
|
|
192
|
+
while (this.cache.size >= MAX_CACHE) {
|
|
193
|
+
const first = this.cache.keys().next().value;
|
|
194
|
+
if (first === undefined)
|
|
195
|
+
break;
|
|
196
|
+
this.cache.delete(first);
|
|
197
|
+
}
|
|
198
|
+
this.cache.set(key, {
|
|
199
|
+
decision,
|
|
200
|
+
// duration is in seconds (matches SkillAuthzDecision contract).
|
|
201
|
+
expiresAt: Date.now() + decision.duration * 1000,
|
|
202
|
+
});
|
|
203
|
+
}
|
|
204
|
+
registerPendingApproval(request, decision) {
|
|
205
|
+
// Bound the pending set.
|
|
206
|
+
while (this.pendingApprovals.size >= MAX_PENDING) {
|
|
207
|
+
const first = this.pendingApprovals.keys().next().value;
|
|
208
|
+
if (first === undefined)
|
|
209
|
+
break;
|
|
210
|
+
const stale = this.pendingApprovals.get(first);
|
|
211
|
+
if (stale && !stale.resolved) {
|
|
212
|
+
for (const awaiter of stale.awaiters)
|
|
213
|
+
awaiter('deny');
|
|
214
|
+
stale.awaiters.length = 0;
|
|
215
|
+
}
|
|
216
|
+
this.pendingApprovals.delete(first);
|
|
217
|
+
}
|
|
218
|
+
this.pendingApprovals.set(request.invocationId, {
|
|
219
|
+
invocationId: request.invocationId,
|
|
220
|
+
request,
|
|
221
|
+
decision,
|
|
222
|
+
expiresAt: Date.now() + this.approvalTimeoutMs,
|
|
223
|
+
resolved: false,
|
|
224
|
+
awaiters: [],
|
|
225
|
+
});
|
|
226
|
+
}
|
|
227
|
+
audit(request, decision, riskScore) {
|
|
228
|
+
this.auditLogger.log({
|
|
229
|
+
id: (0, uuid_1.v4)(),
|
|
230
|
+
timestamp: Date.now(),
|
|
231
|
+
type: 'skill',
|
|
232
|
+
action: decision.action,
|
|
233
|
+
frameworkId: request.frameworkId,
|
|
234
|
+
frameworkName: request.frameworkId,
|
|
235
|
+
pid: request.agentPid,
|
|
236
|
+
reason: decision.reason,
|
|
237
|
+
detail: {
|
|
238
|
+
skillName: request.skillName,
|
|
239
|
+
riskScore,
|
|
240
|
+
invocationId: request.invocationId,
|
|
241
|
+
},
|
|
242
|
+
hostname: os_1.default.hostname(),
|
|
243
|
+
}).catch((err) => {
|
|
244
|
+
logger_1.logger.error('Skill audit log failed', { err: err.message });
|
|
245
|
+
});
|
|
246
|
+
}
|
|
116
247
|
computeRiskScore(request) {
|
|
117
248
|
let score = 0;
|
|
118
249
|
const highRiskSkillNames = [
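Review bot: registerPendingApproval() (new lines 204–226) overwrites any existing entry with the same `invocationId` on line 218 without settling it, so the earlier entry's awaiters are never resolved, and the timer armed by an earlier waitForApproval() call still runs `this.pendingApprovals.delete(invocationId)` and removes the replacement. Settle the duplicate before inserting, as in the excerpt below, and make the timeout callback in waitForApproval() delete only its own entry: `if (this.pendingApprovals.get(invocationId) === pending) this.pendingApprovals.delete(invocationId);`. Whether callers can reuse invocation ids is not visible here, but the id comes straight from the request, so it is worth not relying on its uniqueness. The denies issued by the cap eviction on lines 211–215 and by pruneExpired() also produce no audit record, unlike the `require_approval` decision that preceded them, so the log never shows the final outcome; `audit()` is private to this class and could be called from those paths. computeRiskScore() runs past the end of this hunk.
```javascript
    registerPendingApproval(request, decision) {
        // … unchanged: MAX_PENDING eviction loop …
        // A second request with the same invocationId must not strand the
        // first one's waiters or leave its timer pointing at the new entry.
        const prev = this.pendingApprovals.get(request.invocationId);
        if (prev && !prev.resolved) {
            prev.resolved = true;
            for (const awaiter of prev.awaiters)
                awaiter('deny');
            prev.awaiters.length = 0;
        }
        this.pendingApprovals.set(request.invocationId, {
        // … unchanged: entry fields …
```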
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"skill-evaluator.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAoB;AACpB,+BAAoC;AAGpC,sCAAmC;AACnC,oCAAuC;
|
|
1
|
+
{"version":3,"file":"skill-evaluator.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAoB;AACpB,+BAAoC;AAGpC,sCAAmC;AACnC,oCAAuC;AAiBvC;;;GAGG;AACH,MAAM,WAAW,GAAG,IAAI,CAAC;AACzB,MAAM,SAAS,GAAG,IAAI,CAAC;AAEvB;;;;;;;;;;;;;GAaG;AACH,MAAa,cAAc;IAQzB,YACU,MAAoB,EAC5B,WAAyB;QADjB,WAAM,GAAN,MAAM,CAAc;QARtB,qBAAgB,GAAiC,IAAI,GAAG,EAAE,CAAC;QAC3D,UAAK,GAA4B,IAAI,GAAG,EAAE,CAAC;QAGnD,mFAAmF;QAC3E,sBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;QAMrD,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,mBAAW,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,gFAAgF;IAChF,oBAAoB,CAAC,EAAU;QAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;YAAE,IAAI,CAAC,iBAAiB,GAAG,EAAE,CAAC;IACjE,CAAC;IAED,QAAQ,CAAC,OAA0B;QACjC,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,2DAA2D;YAC3D,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,MAAM;YAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;QAEnD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,MAAoC,CAAC;QACzC,IAAI,MAAc,CAAC;QAEnB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,CAC/D,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAC7E,CAAC;QAEF,IAAI,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChE,MAAM,GAAG,kBAAkB,CAAC;YAC5B,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,iCAAiC,CAAC;QACxE,CAAC;aAAM,IAAI,SAAS,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACzE,MAAM,GAAG,MAAM,CAAC;YAChB,MAAM,GAAG,cAAc,SAAS,+BAA+B,OAAO,CAAC,SAAS,GAAG,CAAC;QACtF,CAAC;aAAM,IAAI,SAAS,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACzE,MAAM,GAAG,kBAAkB,CAAC;YAC5B,MAAM,GAAG,cAAc,SAAS,+BAA+B,OAAO,CAAC,SAAS,GAAG,CAAC;QACtF,CAAC;aAAM,IACL,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,YAAY;YACpC,CAAC,IAA
I,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAClF,CAAC;YACD,MAAM,GAAG,MAAM,CAAC;YAChB,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,2BAA2B,CAAC;QAClE,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,OAAO,CAAC;YACjB,MAAM,GAAG,UAAU,OAAO,CAAC,SAAS,cAAc,CAAC;QACrD,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,GAAG,OAAO,CAAC;YACjB,MAAM,GAAG,yBAAyB,MAAM,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,MAAM;YACN,MAAM;YACN,QAAQ,EAAE,GAAG;YACb,UAAU,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;SACzE,CAAC;QAEF,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACzC,uEAAuE;YACvE,yCAAyC;YACzC,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAEzC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,YAAoB;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,MAAM,CAAC;QAChD,OAAO,IAAI,OAAO,CAA+B,CAAC,OAAO,EAAE,EAAE;YAC3D,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACtB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;oBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;oBACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,0CAA0C,CAAC;oBACrE,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;wBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;oBAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3B,yDAAyD;YACzD,IAAI,OAAQ,aAAwC,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;gBACzE,aAAwC,CAAC,KAAK,EAAE,EAAE,CAAC;YACtD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,YAAoB;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SA
AS,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC;QAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,sBAAsB,CAAC;QACjD,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,YAAoB;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC/C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;QACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,oBAAoB,CAAC;QAC/C,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mBAAmB;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAiG,EAAE,CAAC;QAChH,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAClD,IAAI,OAAO,CAAC,QAAQ,IAAI,GAAG,IAAI,OAAO,CAAC,SAAS;gBAAE,SAAS;YAC3D,MAAM,CAAC,IAAI,CAAC;gBACV,YAAY,EAAE,EAAE;gBAChB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;gBACpC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW;gBACxC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS;aACvC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uEAAuE;IACvE,YAAY,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;QAC3B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG;gBAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBACrC,4DAA4D;gBAC5D,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;oBAChB,KAAK,MAAM,OAAO,IAAI,CAAC,CAAC,QAAQ;wBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBAClD,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;gBACxB,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,0EAA0E;IAElE,aAAa,CAAC,GAAW,EAAE,QAA4B;QAC7
D,sEAAsE;QACtE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAC7C,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM;YAC/B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,QAAQ;YACR,gEAAgE;YAChE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,GAAG,IAAI;SACjD,CAAC,CAAC;IACL,CAAC;IAEO,uBAAuB,CAAC,OAA0B,EAAE,QAA4B;QACtF,yBAAyB;QACzB,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YACxD,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC/C,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ;oBAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBACtD,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE;YAC9C,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,OAAO;YACP,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB;YAC9C,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,EAAE;SACb,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,OAA0B,EAAE,QAA4B,EAAE,SAAiB;QACvF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,EAAE,EAAE,IAAA,SAAM,GAAE;YACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,QAAQ,CAAC,MAA8B;YAC/C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,OAAO,CAAC,WAAW;YAClC,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,MAAM,EAAE;gBACN,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS;gBACT,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC;YACD,QAAQ,EAAE,YAAE,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,eAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB,CAAC,OAA0B;QACjD,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,MAAM,kBAAkB,GAAG;YACzB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU;YACnD,mEAAmE;YACnE,wCAAwC;YACxC,gDAAgD;YAChD,qBAAqB;YACrB,6BAA6B;YAC7B,sBAAsB;YACtB,wBA
AwB;YACxB,OAAO;SACR,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;gBAAE,KAAK,IAAI,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAClE,MAAM,iBAAiB,GAAG;YACxB,WAAW,EAAE,OAAO,EAAE,UAAU;YAChC,gBAAgB;YAChB,cAAc,EAAE,cAAc;YAC9B,iCAAiC;YACjC,YAAY,EAAE,YAAY,EAAE,qBAAqB;YACjD,mBAAmB;YACnB,YAAY;YACZ,cAAc;YACd,kBAAkB;YAClB,cAAc;SACf,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;gBAAE,KAAK,IAAI,EAAE,CAAC;QAC3C,CAAC;QAED,MAAM,qBAAqB,GAAG,MAAM,CAAC;QACrC,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC;QACjC,IAAI,OAAO,GAAG,qBAAqB,EAAE,CAAC;YACpC,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,CAAC;CACF;AAhRD,wCAgRC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"skill-evaluator.test.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
const vitest_1 = require("vitest");
|
|
4
|
+
const skill_evaluator_1 = require("./skill-evaluator");
|
|
5
|
+
function baseConfig(overrides = {}) {
|
|
6
|
+
return {
|
|
7
|
+
sentry: { hostId: 'h', version: '1.0.0', healthPort: 0, apiPort: 0, stateDir: '/tmp', pidFilePath: '/tmp/p' },
|
|
8
|
+
neurosec: { endpoint: '', orgId: '', tokenPath: '', tlsCert: '', tlsKey: '', caBundlePath: '', pinnedFingerprintSha256: '', allowInsecureTls: false, syncIntervalMs: 1, heartbeatIntervalMs: 1 },
|
|
9
|
+
enforcement: { mode: 'enforce', sandboxEnabled: false, syscallFilterEnabled: false, networkFilterEnabled: false, filesystemFilterEnabled: false },
|
|
10
|
+
sandboxDefaults: { cpuMax: '0.5', memoryMax: '512MB', pidMax: 50 },
|
|
11
|
+
network: { allowHosts: [], blockHosts: [], allowPrivate: false, dnsMonitorEnabled: false },
|
|
12
|
+
skillAuthz: { enabled: true, allowUnknown: true, requireApproval: ['shell_exec'] },
|
|
13
|
+
audit: { logPath: '/tmp/audit.log', retentionDays: 1, maxSizeMb: 1 },
|
|
14
|
+
discovery: { intervalMs: 1, sourcePaths: [] },
|
|
15
|
+
proxy: { enabled: false, port: 0, bindAddress: '127.0.0.1', upstreamTimeoutMs: 0, maxBufferSizeMb: 0, interceptHttps: false, certPath: '', keyPath: '', allowedProviders: [], blockLocalModels: false },
|
|
16
|
+
redirect: { enabled: false, strategy: 'env-inject', preserveOriginalKey: false, injectOnDiscover: false },
|
|
17
|
+
...overrides,
|
|
18
|
+
};
|
|
19
|
+
}
|
|
20
|
+
function fakeAuditLogger() {
|
|
21
|
+
return {
|
|
22
|
+
log: vitest_1.vi.fn(async () => undefined),
|
|
23
|
+
init: vitest_1.vi.fn(async () => undefined),
|
|
24
|
+
shutdown: vitest_1.vi.fn(async () => undefined),
|
|
25
|
+
};
|
|
26
|
+
}
|
|
27
|
+
function req(skillName, opts = {}) {
|
|
28
|
+
return {
|
|
29
|
+
agentPid: 1234,
|
|
30
|
+
frameworkId: 'claude-code',
|
|
31
|
+
skillName,
|
|
32
|
+
skillArgs: {},
|
|
33
|
+
invocationId: `inv-${Math.random()}`,
|
|
34
|
+
timestamp: Date.now(),
|
|
35
|
+
...opts,
|
|
36
|
+
};
|
|
37
|
+
}
|
|
38
|
+
(0, vitest_1.describe)('SkillEvaluator — TTL (S-C10)', () => {
|
|
39
|
+
let evaluator;
|
|
40
|
+
(0, vitest_1.beforeEach)(() => {
|
|
41
|
+
evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
|
|
42
|
+
});
|
|
43
|
+
(0, vitest_1.it)('caches an allow decision and returns it on the next evaluate', () => {
|
|
44
|
+
const a = evaluator.evaluate(req('read_help'));
|
|
45
|
+
(0, vitest_1.expect)(a.action).toBe('allow');
|
|
46
|
+
const b = evaluator.evaluate(req('read_help', { invocationId: 'inv-2' }));
|
|
47
|
+
(0, vitest_1.expect)(b.action).toBe('allow');
|
|
48
|
+
// The invocationId on the cached decision is replaced with the new caller's id
|
|
49
|
+
(0, vitest_1.expect)(b.invocationId).toBe('inv-2');
|
|
50
|
+
});
|
|
51
|
+
(0, vitest_1.it)('cached entry expires when duration elapses', () => {
|
|
52
|
+
const realNow = Date.now;
|
|
53
|
+
const start = 1000000000000;
|
|
54
|
+
let now = start;
|
|
55
|
+
Date.now = () => now;
|
|
56
|
+
try {
|
|
57
|
+
const a = evaluator.evaluate(req('read_help'));
|
|
58
|
+
(0, vitest_1.expect)(a.action).toBe('allow');
|
|
59
|
+
// Advance past the 300-second cache TTL
|
|
60
|
+
now = start + 301000;
|
|
61
|
+
// Force pruning so the test asserts behavior rather than internal state
|
|
62
|
+
evaluator.pruneExpired(now);
|
|
63
|
+
const b = evaluator.evaluate(req('read_help', { invocationId: 'inv-2' }));
|
|
64
|
+
// Should be a fresh evaluation (we can't see it's a cache miss directly,
|
|
65
|
+
// but expiry of the entry is the contract — re-running yields the same
|
|
66
|
+
// action without throwing on stale entries).
|
|
67
|
+
(0, vitest_1.expect)(b.action).toBe('allow');
|
|
68
|
+
}
|
|
69
|
+
finally {
|
|
70
|
+
Date.now = realNow;
|
|
71
|
+
}
|
|
72
|
+
});
|
|
73
|
+
});
|
|
74
|
+
(0, vitest_1.describe)('SkillEvaluator — approval flow (S-C9)', () => {
|
|
75
|
+
let evaluator;
|
|
76
|
+
(0, vitest_1.beforeEach)(() => {
|
|
77
|
+
evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
|
|
78
|
+
evaluator.setApprovalTimeoutMs(100); // fast tests
|
|
79
|
+
});
|
|
80
|
+
(0, vitest_1.it)('require_approval action actually registers a pending approval', () => {
|
|
81
|
+
evaluator.evaluate(req('shell_exec', { invocationId: 'inv-pending' }));
|
|
82
|
+
const pending = evaluator.getPendingApprovals();
|
|
83
|
+
(0, vitest_1.expect)(pending).toHaveLength(1);
|
|
84
|
+
(0, vitest_1.expect)(pending[0].invocationId).toBe('inv-pending');
|
|
85
|
+
(0, vitest_1.expect)(pending[0].skillName).toBe('shell_exec');
|
|
86
|
+
});
|
|
87
|
+
(0, vitest_1.it)('approve() resolves the waitForApproval promise with "allow"', async () => {
|
|
88
|
+
evaluator.evaluate(req('shell_exec', { invocationId: 'a-1' }));
|
|
89
|
+
const wait = evaluator.waitForApproval('a-1');
|
|
90
|
+
(0, vitest_1.expect)(evaluator.approve('a-1')).toBe(true);
|
|
91
|
+
const action = await wait;
|
|
92
|
+
(0, vitest_1.expect)(action).toBe('allow');
|
|
93
|
+
(0, vitest_1.expect)(evaluator.getPendingApprovals()).toHaveLength(0);
|
|
94
|
+
});
|
|
95
|
+
(0, vitest_1.it)('deny() resolves the waitForApproval promise with "deny"', async () => {
|
|
96
|
+
evaluator.evaluate(req('shell_exec', { invocationId: 'd-1' }));
|
|
97
|
+
const wait = evaluator.waitForApproval('d-1');
|
|
98
|
+
(0, vitest_1.expect)(evaluator.deny('d-1')).toBe(true);
|
|
99
|
+
(0, vitest_1.expect)(await wait).toBe('deny');
|
|
100
|
+
});
|
|
101
|
+
(0, vitest_1.it)('approval timeout resolves as deny (fail closed)', async () => {
|
|
102
|
+
evaluator.evaluate(req('shell_exec', { invocationId: 't-1' }));
|
|
103
|
+
const wait = evaluator.waitForApproval('t-1');
|
|
104
|
+
const action = await wait;
|
|
105
|
+
(0, vitest_1.expect)(action).toBe('deny');
|
|
106
|
+
});
|
|
107
|
+
(0, vitest_1.it)('approve() returns false for unknown / already-resolved invocationId', () => {
|
|
108
|
+
(0, vitest_1.expect)(evaluator.approve('nonexistent')).toBe(false);
|
|
109
|
+
evaluator.evaluate(req('shell_exec', { invocationId: 'r-1' }));
|
|
110
|
+
(0, vitest_1.expect)(evaluator.approve('r-1')).toBe(true);
|
|
111
|
+
(0, vitest_1.expect)(evaluator.approve('r-1')).toBe(false); // already resolved
|
|
112
|
+
});
|
|
113
|
+
});
|
|
114
|
+
(0, vitest_1.describe)('SkillEvaluator — bounded memory', () => {
|
|
115
|
+
(0, vitest_1.it)('cache eviction keeps map size bounded', () => {
|
|
116
|
+
const evaluator = new skill_evaluator_1.SkillEvaluator(baseConfig(), fakeAuditLogger());
|
|
117
|
+
// 5000 unique skill names — capped at 4096
|
|
118
|
+
for (let i = 0; i < 5000; i += 1) {
|
|
119
|
+
evaluator.evaluate(req(`skill_${i}`, { invocationId: `inv-${i}` }));
|
|
120
|
+
}
|
|
121
|
+
// Internal cache cap = 4096; we don't expose size directly but pending
|
|
122
|
+
// approvals should also remain bounded.
|
|
123
|
+
const pending = evaluator.getPendingApprovals();
|
|
124
|
+
(0, vitest_1.expect)(pending.length).toBeLessThanOrEqual(1024);
|
|
125
|
+
});
|
|
126
|
+
});
|
|
127
|
+
//# sourceMappingURL=skill-evaluator.test.js.map
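Review bot: The "bounded memory" test at new lines 115–125 never exercises the cap it is named for: with `allowUnknown: true` and only `shell_exec` in `requireApproval`, none of the 5000 `skill_${i}` evaluations creates a pending approval, so `pending.length` is 0 and `toBeLessThanOrEqual(1024)` passes even if the decision cache or the pending map were unbounded. To actually test the pending bound, drive the approval path with distinct invocation ids, e.g. `evaluator.evaluate(req('shell_exec', { invocationId: \`inv-${i}\` }));` inside the loop, and assert the length against the cap; the decision-cache cap (4096 per the comment at lines 117 and 121) can only be asserted through a size accessor on SkillEvaluator, which this hunk does not show. Until then the comment at lines 121–122 should say plainly that the cache cap is not verified by this test, so nobody reads a green run as evidence that memory stays bounded under a flood of unique skill names.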
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"skill-evaluator.test.js","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAC9D,uDAAmD;AAInD,SAAS,UAAU,CAAC,YAAmC,EAAE;IACvD,OAAO;QACL,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;QAC7G,QAAQ,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE,mBAAmB,EAAE,CAAC,EAAE;QAChM,WAAW,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE;QACjJ,eAAe,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;QAClE,OAAO,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE;QAC1F,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,YAAY,CAAC,EAAE;QAClF,KAAK,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE;QACpE,SAAS,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE;QAC7C,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE;QACvM,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,mBAAmB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,EAAE;QACzG,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe;IACtB,OAAO;QACL,GAAG,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;QACjC,IAAI,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;QAClC,QAAQ,EAAE,WAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC;KAC9B,CAAC;AACb,CAAC;AAED,SAAS,GAAG,CAAC,SAAiB,EAAE,OAAmC,EAAE;IACnE,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,aAAa;QAC1B,SAAS;QACT,SAAS,EAAE,EAAE;QACb,YAAY,EAAE,OAAO,IAAI,CAAC,MAAM,EAAE,EAAE;QACpC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAA
C,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,SAAyB,CAAC;IAC9B,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,+EAA+E;QAC/E,IAAA,eAAM,EAAC,CAAC,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC;QACzB,MAAM,KAAK,GAAG,aAAiB,CAAC;QAChC,IAAI,GAAG,GAAG,KAAK,CAAC;QAChB,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;YAC/C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,wCAAwC;YACxC,GAAG,GAAG,KAAK,GAAG,MAAO,CAAC;YACtB,wEAAwE;YACxE,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;YAC1E,yEAAyE;YACzE,uEAAuE;YACvE,6CAA6C;YAC7C,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC;QACrB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,uCAAuC,EAAE,GAAG,EAAE;IACrD,IAAI,SAAyB,CAAC;IAC9B,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;QACzE,SAAS,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,SAAS,CAAC,mBAAmB,EAAE,CAAC;QAChD,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CA
AC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC;QAC1B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAA,eAAM,EAAC,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC;QAC1B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,mBAAmB;IACnE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,SAAS,GAAG,IAAI,gCAAc,CAAC,UAAU,EAAE,EAAE,eAAe,EAAW,CAAC,CAAC;QAC/E,2CAA2C;QAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC
,CAAC;QACtE,CAAC;QACD,uEAAuE;QACvE,wCAAwC;QACxC,MAAM,OAAO,GAAG,SAAS,CAAC,mBAAmB,EAAE,CAAC;QAChD,IAAA,eAAM,EAAC,OAAO,CAAC,MAAM,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
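--- a/package/dist/telemetry.d.ts
+++ b/package/dist/telemetry.d.ts
@@ -1,20 +1,15 @@
 import { SentryConfig } from './config';
-import { TaggedProcess, EnforcementDecision, SentryStatus
+import { TaggedProcess, EnforcementDecision, SentryStatus } from './types';
 export declare class TelemetryReporter {
 private config;
 private getStatus;
 private getTaggedProcesses;
 private getRecentDecisions;
-private getAgentIdentities?;
-private getRecentActions?;
-private getOpenAnomalies?;
 private heartbeatTimer;
 private syncTimer;
 private lastSyncAt;
 private lastDecisionsHash;
-
-private lastAegisAnomalyHash;
-constructor(config: SentryConfig, getStatus: () => SentryStatus, getTaggedProcesses: () => TaggedProcess[], getRecentDecisions: () => EnforcementDecision[], getAgentIdentities?: (() => AgentIdentity[]) | undefined, getRecentActions?: ((limit?: number) => AgentAction[]) | undefined, getOpenAnomalies?: (() => AnomalyAlert[]) | undefined);
+constructor(config: SentryConfig, getStatus: () => SentryStatus, getTaggedProcesses: () => TaggedProcess[], getRecentDecisions: () => EnforcementDecision[]);
 start(): void;
 stop(): void;
 getLastSyncAt(): string | null;
@@ -22,7 +17,6 @@ export declare class TelemetryReporter {
 private sendHeartbeat;
 private flushDecisions;
 private syncProcesses;
-private flushAegisData;
 private apiRequest;
 }
 //# sourceMappingURL=telemetry.d.ts.map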
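Review bot: The new constructor declaration at new line 12 drops the three trailing optional callbacks (`getAgentIdentities`, `getRecentActions`, `getOpenAnomalies`) and the `flushAegisData` member disappears at old line 25, so any consumer that still passes those callbacks will fail type-checking against 1.1.0 even though the version bump is minor. If the identity/action/anomaly upload was deliberately retired, the declaration should carry a short TSDoc on the constructor stating that the reporter now sends only heartbeats, decisions and process syncs, and the changelog should call out that open anomalies are no longer forwarded through this reporter; if it was not deliberate, keeping the three parameters as accepted-but-ignored optionals for one release would preserve compatibility. The compiled `telemetry.js` that implements this change is outside this section, so whether the server-side upload was replaced elsewhere cannot be confirmed from here.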
package/dist/telemetry.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAqB3E,qBAAa,iBAAiB;IAO1B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,kBAAkB;IAC1B,OAAO,CAAC,kBAAkB;IAT5B,OAAO,CAAC,cAAc,CAA+C;IACrE,OAAO,CAAC,SAAS,CAA+C;IAChE,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,iBAAiB,CAAc;gBAG7B,MAAM,EAAE,YAAY,EACpB,SAAS,EAAE,MAAM,YAAY,EAC7B,kBAAkB,EAAE,MAAM,aAAa,EAAE,EACzC,kBAAkB,EAAE,MAAM,mBAAmB,EAAE;IAGzD,KAAK,IAAI,IAAI;IAsBb,IAAI,IAAI,IAAI;IAKZ,aAAa,IAAI,MAAM,GAAG,IAAI;IAI9B,OAAO,CAAC,SAAS;YAQH,aAAa;YAgCb,cAAc;YA4Bd,aAAa;YA2Bb,UAAU;CAoBzB"}