@newrelic/preflight 0.0.1-pre.1 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +183 -0
- package/README.md +498 -0
- package/dist/alerts/alert-log.d.ts +24 -0
- package/dist/alerts/alert-log.d.ts.map +1 -0
- package/dist/alerts/alert-log.js +159 -0
- package/dist/alerts/alert-log.js.map +1 -0
- package/dist/alerts/alert-snapshot-collector.d.ts +168 -0
- package/dist/alerts/alert-snapshot-collector.d.ts.map +1 -0
- package/dist/alerts/alert-snapshot-collector.js +243 -0
- package/dist/alerts/alert-snapshot-collector.js.map +1 -0
- package/dist/alerts/local-alert-engine.d.ts +86 -0
- package/dist/alerts/local-alert-engine.d.ts.map +1 -0
- package/dist/alerts/local-alert-engine.js +466 -0
- package/dist/alerts/local-alert-engine.js.map +1 -0
- package/dist/alerts/local-alert-rule.d.ts +439 -0
- package/dist/alerts/local-alert-rule.d.ts.map +1 -0
- package/dist/alerts/local-alert-rule.js +139 -0
- package/dist/alerts/local-alert-rule.js.map +1 -0
- package/dist/alerts/os-notifier.d.ts +39 -0
- package/dist/alerts/os-notifier.d.ts.map +1 -0
- package/dist/alerts/os-notifier.js +170 -0
- package/dist/alerts/os-notifier.js.map +1 -0
- package/dist/alerts/types.d.ts +35 -0
- package/dist/alerts/types.d.ts.map +1 -0
- package/dist/alerts/types.js +8 -0
- package/dist/alerts/types.js.map +1 -0
- package/dist/config.d.ts +169 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +868 -0
- package/dist/config.js.map +1 -0
- package/dist/dashboard/dashboard-server.d.ts +38 -0
- package/dist/dashboard/dashboard-server.d.ts.map +1 -0
- package/dist/dashboard/dashboard-server.js +207 -0
- package/dist/dashboard/dashboard-server.js.map +1 -0
- package/dist/dashboard/index.d.ts +3 -0
- package/dist/dashboard/index.d.ts.map +1 -0
- package/dist/dashboard/index.js +2 -0
- package/dist/dashboard/index.js.map +1 -0
- package/dist/dashboard/live-event-bus.d.ts +99 -0
- package/dist/dashboard/live-event-bus.d.ts.map +1 -0
- package/dist/dashboard/live-event-bus.js +56 -0
- package/dist/dashboard/live-event-bus.js.map +1 -0
- package/dist/dashboard/routes/api-handler.d.ts +122 -0
- package/dist/dashboard/routes/api-handler.d.ts.map +1 -0
- package/dist/dashboard/routes/api-handler.js +1414 -0
- package/dist/dashboard/routes/api-handler.js.map +1 -0
- package/dist/dashboard/routes/replay-analyzer.d.ts +15 -0
- package/dist/dashboard/routes/replay-analyzer.d.ts.map +1 -0
- package/dist/dashboard/routes/replay-analyzer.js +227 -0
- package/dist/dashboard/routes/replay-analyzer.js.map +1 -0
- package/dist/dashboard/routes/sse-handler.d.ts +4 -0
- package/dist/dashboard/routes/sse-handler.d.ts.map +1 -0
- package/dist/dashboard/routes/sse-handler.js +122 -0
- package/dist/dashboard/routes/sse-handler.js.map +1 -0
- package/dist/dashboard/routes/static-handler.d.ts +3 -0
- package/dist/dashboard/routes/static-handler.d.ts.map +1 -0
- package/dist/dashboard/routes/static-handler.js +123 -0
- package/dist/dashboard/routes/static-handler.js.map +1 -0
- package/dist/data/alerts/conditions/01-daily-cost-spike.json +16 -0
- package/dist/data/alerts/conditions/02-low-efficiency-score.json +16 -0
- package/dist/data/alerts/conditions/03-stuck-loop-rate.json +16 -0
- package/dist/data/alerts/conditions/04-anti-pattern-rate.json +16 -0
- package/dist/data/alerts/conditions/05-session-cost-budget.json +16 -0
- package/dist/data/alerts/conditions-personal/01-personal-daily-cost.json +16 -0
- package/dist/data/alerts/conditions-personal/02-personal-session-cost.json +16 -0
- package/dist/data/alerts/conditions-personal/03-personal-low-efficiency.json +16 -0
- package/dist/data/alerts/conditions-personal/04-personal-anti-pattern-rate.json +16 -0
- package/dist/data/alerts/conditions-personal/05-personal-stuck-loop.json +16 -0
- package/dist/data/alerts/policy.json +4 -0
- package/dist/data/dashboards/ai-coding-assistant-manager-view.json +103 -0
- package/dist/data/dashboards/ai-coding-assistant-overview.json +239 -0
- package/dist/data/dashboards/ai-coding-assistant-personal.json +442 -0
- package/dist/data/dashboards/ai-coding-assistant-platform-comparison.json +320 -0
- package/dist/data/dashboards/ai-coding-assistant-security.json +275 -0
- package/dist/data/dashboards/ai-coding-assistant-session-detail.json +296 -0
- package/dist/data/dashboards/ai-coding-assistant-team-view.json +345 -0
- package/dist/deploy/data-paths.d.ts +22 -0
- package/dist/deploy/data-paths.d.ts.map +1 -0
- package/dist/deploy/data-paths.js +69 -0
- package/dist/deploy/data-paths.js.map +1 -0
- package/dist/deploy/deploy-alerts.d.ts +58 -0
- package/dist/deploy/deploy-alerts.d.ts.map +1 -0
- package/dist/deploy/deploy-alerts.js +371 -0
- package/dist/deploy/deploy-alerts.js.map +1 -0
- package/dist/deploy/deploy-dashboards.d.ts +92 -0
- package/dist/deploy/deploy-dashboards.d.ts.map +1 -0
- package/dist/deploy/deploy-dashboards.js +282 -0
- package/dist/deploy/deploy-dashboards.js.map +1 -0
- package/dist/digest/digest-formatter.d.ts +3 -0
- package/dist/digest/digest-formatter.d.ts.map +1 -0
- package/dist/digest/digest-formatter.js +37 -0
- package/dist/digest/digest-formatter.js.map +1 -0
- package/dist/digest/digest-sender.d.ts +2 -0
- package/dist/digest/digest-sender.d.ts.map +1 -0
- package/dist/digest/digest-sender.js +29 -0
- package/dist/digest/digest-sender.js.map +1 -0
- package/dist/hooks/bash-classifier.d.ts +26 -0
- package/dist/hooks/bash-classifier.d.ts.map +1 -0
- package/dist/hooks/bash-classifier.js +409 -0
- package/dist/hooks/bash-classifier.js.map +1 -0
- package/dist/hooks/collector-script.d.ts +47 -0
- package/dist/hooks/collector-script.d.ts.map +1 -0
- package/dist/hooks/collector-script.js +662 -0
- package/dist/hooks/collector-script.js.map +1 -0
- package/dist/hooks/event-processor.d.ts +65 -0
- package/dist/hooks/event-processor.d.ts.map +1 -0
- package/dist/hooks/event-processor.js +342 -0
- package/dist/hooks/event-processor.js.map +1 -0
- package/dist/hooks/index.d.ts +7 -0
- package/dist/hooks/index.d.ts.map +1 -0
- package/dist/hooks/index.js +5 -0
- package/dist/hooks/index.js.map +1 -0
- package/dist/hooks/session-resolver.d.ts +66 -0
- package/dist/hooks/session-resolver.d.ts.map +1 -0
- package/dist/hooks/session-resolver.js +196 -0
- package/dist/hooks/session-resolver.js.map +1 -0
- package/dist/hooks/tool-parsers.d.ts +19 -0
- package/dist/hooks/tool-parsers.d.ts.map +1 -0
- package/dist/hooks/tool-parsers.js +260 -0
- package/dist/hooks/tool-parsers.js.map +1 -0
- package/dist/index.d.ts +107 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +1505 -0
- package/dist/index.js.map +1 -0
- package/dist/install/cli.d.ts +11 -0
- package/dist/install/cli.d.ts.map +1 -0
- package/dist/install/cli.js +365 -0
- package/dist/install/cli.js.map +1 -0
- package/dist/install/index.d.ts +4 -0
- package/dist/install/index.d.ts.map +1 -0
- package/dist/install/index.js +3 -0
- package/dist/install/index.js.map +1 -0
- package/dist/install/install-helper.d.ts +35 -0
- package/dist/install/install-helper.d.ts.map +1 -0
- package/dist/install/install-helper.js +227 -0
- package/dist/install/install-helper.js.map +1 -0
- package/dist/install/key-validator.d.ts +19 -0
- package/dist/install/key-validator.d.ts.map +1 -0
- package/dist/install/key-validator.js +122 -0
- package/dist/install/key-validator.js.map +1 -0
- package/dist/install/migrate.d.ts +12 -0
- package/dist/install/migrate.d.ts.map +1 -0
- package/dist/install/migrate.js +115 -0
- package/dist/install/migrate.js.map +1 -0
- package/dist/install/schedule.d.ts +11 -0
- package/dist/install/schedule.d.ts.map +1 -0
- package/dist/install/schedule.js +114 -0
- package/dist/install/schedule.js.map +1 -0
- package/dist/install/setup-wizard.d.ts +40 -0
- package/dist/install/setup-wizard.d.ts.map +1 -0
- package/dist/install/setup-wizard.js +489 -0
- package/dist/install/setup-wizard.js.map +1 -0
- package/dist/lib/date.d.ts +54 -0
- package/dist/lib/date.d.ts.map +1 -0
- package/dist/lib/date.js +85 -0
- package/dist/lib/date.js.map +1 -0
- package/dist/metrics/anti-patterns.d.ts +62 -0
- package/dist/metrics/anti-patterns.d.ts.map +1 -0
- package/dist/metrics/anti-patterns.js +301 -0
- package/dist/metrics/anti-patterns.js.map +1 -0
- package/dist/metrics/api-failure-tracker.d.ts +82 -0
- package/dist/metrics/api-failure-tracker.d.ts.map +1 -0
- package/dist/metrics/api-failure-tracker.js +202 -0
- package/dist/metrics/api-failure-tracker.js.map +1 -0
- package/dist/metrics/budget-tracker.d.ts +60 -0
- package/dist/metrics/budget-tracker.d.ts.map +1 -0
- package/dist/metrics/budget-tracker.js +130 -0
- package/dist/metrics/budget-tracker.js.map +1 -0
- package/dist/metrics/claudemd-tracker.d.ts +108 -0
- package/dist/metrics/claudemd-tracker.d.ts.map +1 -0
- package/dist/metrics/claudemd-tracker.js +337 -0
- package/dist/metrics/claudemd-tracker.js.map +1 -0
- package/dist/metrics/collaboration-profile.d.ts +65 -0
- package/dist/metrics/collaboration-profile.d.ts.map +1 -0
- package/dist/metrics/collaboration-profile.js +231 -0
- package/dist/metrics/collaboration-profile.js.map +1 -0
- package/dist/metrics/context-composition-tracker.d.ts +74 -0
- package/dist/metrics/context-composition-tracker.d.ts.map +1 -0
- package/dist/metrics/context-composition-tracker.js +202 -0
- package/dist/metrics/context-composition-tracker.js.map +1 -0
- package/dist/metrics/context-tracker.d.ts +78 -0
- package/dist/metrics/context-tracker.d.ts.map +1 -0
- package/dist/metrics/context-tracker.js +222 -0
- package/dist/metrics/context-tracker.js.map +1 -0
- package/dist/metrics/context-window-tracker.d.ts +18 -0
- package/dist/metrics/context-window-tracker.d.ts.map +1 -0
- package/dist/metrics/context-window-tracker.js +35 -0
- package/dist/metrics/context-window-tracker.js.map +1 -0
- package/dist/metrics/cost-forecast.d.ts +36 -0
- package/dist/metrics/cost-forecast.d.ts.map +1 -0
- package/dist/metrics/cost-forecast.js +91 -0
- package/dist/metrics/cost-forecast.js.map +1 -0
- package/dist/metrics/cost-per-outcome.d.ts +102 -0
- package/dist/metrics/cost-per-outcome.d.ts.map +1 -0
- package/dist/metrics/cost-per-outcome.js +266 -0
- package/dist/metrics/cost-per-outcome.js.map +1 -0
- package/dist/metrics/cost-tracker.d.ts +78 -0
- package/dist/metrics/cost-tracker.d.ts.map +1 -0
- package/dist/metrics/cost-tracker.js +169 -0
- package/dist/metrics/cost-tracker.js.map +1 -0
- package/dist/metrics/decision-tracker.d.ts +49 -0
- package/dist/metrics/decision-tracker.d.ts.map +1 -0
- package/dist/metrics/decision-tracker.js +161 -0
- package/dist/metrics/decision-tracker.js.map +1 -0
- package/dist/metrics/efficiency-score.d.ts +80 -0
- package/dist/metrics/efficiency-score.d.ts.map +1 -0
- package/dist/metrics/efficiency-score.js +219 -0
- package/dist/metrics/efficiency-score.js.map +1 -0
- package/dist/metrics/git-efficiency-tracker.d.ts +165 -0
- package/dist/metrics/git-efficiency-tracker.d.ts.map +1 -0
- package/dist/metrics/git-efficiency-tracker.js +1056 -0
- package/dist/metrics/git-efficiency-tracker.js.map +1 -0
- package/dist/metrics/index.d.ts +26 -0
- package/dist/metrics/index.d.ts.map +1 -0
- package/dist/metrics/index.js +14 -0
- package/dist/metrics/index.js.map +1 -0
- package/dist/metrics/instruction-drift-tracker.d.ts +69 -0
- package/dist/metrics/instruction-drift-tracker.d.ts.map +1 -0
- package/dist/metrics/instruction-drift-tracker.js +213 -0
- package/dist/metrics/instruction-drift-tracker.js.map +1 -0
- package/dist/metrics/latency-decomposition.d.ts +50 -0
- package/dist/metrics/latency-decomposition.d.ts.map +1 -0
- package/dist/metrics/latency-decomposition.js +112 -0
- package/dist/metrics/latency-decomposition.js.map +1 -0
- package/dist/metrics/latency-tracker.d.ts +33 -0
- package/dist/metrics/latency-tracker.d.ts.map +1 -0
- package/dist/metrics/latency-tracker.js +93 -0
- package/dist/metrics/latency-tracker.js.map +1 -0
- package/dist/metrics/live-session-registry.d.ts +29 -0
- package/dist/metrics/live-session-registry.d.ts.map +1 -0
- package/dist/metrics/live-session-registry.js +103 -0
- package/dist/metrics/live-session-registry.js.map +1 -0
- package/dist/metrics/model-usage-tracker.d.ts +21 -0
- package/dist/metrics/model-usage-tracker.d.ts.map +1 -0
- package/dist/metrics/model-usage-tracker.js +53 -0
- package/dist/metrics/model-usage-tracker.js.map +1 -0
- package/dist/metrics/percentile.d.ts +5 -0
- package/dist/metrics/percentile.d.ts.map +1 -0
- package/dist/metrics/percentile.js +10 -0
- package/dist/metrics/percentile.js.map +1 -0
- package/dist/metrics/personal-coach.d.ts +47 -0
- package/dist/metrics/personal-coach.d.ts.map +1 -0
- package/dist/metrics/personal-coach.js +241 -0
- package/dist/metrics/personal-coach.js.map +1 -0
- package/dist/metrics/prompt-feedback.d.ts +75 -0
- package/dist/metrics/prompt-feedback.d.ts.map +1 -0
- package/dist/metrics/prompt-feedback.js +286 -0
- package/dist/metrics/prompt-feedback.js.map +1 -0
- package/dist/metrics/proxy-metrics.d.ts +54 -0
- package/dist/metrics/proxy-metrics.d.ts.map +1 -0
- package/dist/metrics/proxy-metrics.js +228 -0
- package/dist/metrics/proxy-metrics.js.map +1 -0
- package/dist/metrics/quality-proxy-tracker.d.ts +51 -0
- package/dist/metrics/quality-proxy-tracker.d.ts.map +1 -0
- package/dist/metrics/quality-proxy-tracker.js +162 -0
- package/dist/metrics/quality-proxy-tracker.js.map +1 -0
- package/dist/metrics/recommendation-engine.d.ts +72 -0
- package/dist/metrics/recommendation-engine.d.ts.map +1 -0
- package/dist/metrics/recommendation-engine.js +207 -0
- package/dist/metrics/recommendation-engine.js.map +1 -0
- package/dist/metrics/retry-detector.d.ts +43 -0
- package/dist/metrics/retry-detector.d.ts.map +1 -0
- package/dist/metrics/retry-detector.js +179 -0
- package/dist/metrics/retry-detector.js.map +1 -0
- package/dist/metrics/session-tracker.d.ts +75 -0
- package/dist/metrics/session-tracker.d.ts.map +1 -0
- package/dist/metrics/session-tracker.js +249 -0
- package/dist/metrics/session-tracker.js.map +1 -0
- package/dist/metrics/task-completion-tracker.d.ts +15 -0
- package/dist/metrics/task-completion-tracker.d.ts.map +1 -0
- package/dist/metrics/task-completion-tracker.js +27 -0
- package/dist/metrics/task-completion-tracker.js.map +1 -0
- package/dist/metrics/task-detector.d.ts +84 -0
- package/dist/metrics/task-detector.d.ts.map +1 -0
- package/dist/metrics/task-detector.js +302 -0
- package/dist/metrics/task-detector.js.map +1 -0
- package/dist/metrics/tool-selection-scorer.d.ts +39 -0
- package/dist/metrics/tool-selection-scorer.d.ts.map +1 -0
- package/dist/metrics/tool-selection-scorer.js +193 -0
- package/dist/metrics/tool-selection-scorer.js.map +1 -0
- package/dist/metrics/trend-analyzer.d.ts +92 -0
- package/dist/metrics/trend-analyzer.d.ts.map +1 -0
- package/dist/metrics/trend-analyzer.js +293 -0
- package/dist/metrics/trend-analyzer.js.map +1 -0
- package/dist/metrics/turn-cost-attributor.d.ts +41 -0
- package/dist/metrics/turn-cost-attributor.d.ts.map +1 -0
- package/dist/metrics/turn-cost-attributor.js +118 -0
- package/dist/metrics/turn-cost-attributor.js.map +1 -0
- package/dist/metrics/turn-tracker.d.ts +49 -0
- package/dist/metrics/turn-tracker.d.ts.map +1 -0
- package/dist/metrics/turn-tracker.js +192 -0
- package/dist/metrics/turn-tracker.js.map +1 -0
- package/dist/platforms/amazon-q-adapter.d.ts +10 -0
- package/dist/platforms/amazon-q-adapter.d.ts.map +1 -0
- package/dist/platforms/amazon-q-adapter.js +75 -0
- package/dist/platforms/amazon-q-adapter.js.map +1 -0
- package/dist/platforms/claude-code-adapter.d.ts +10 -0
- package/dist/platforms/claude-code-adapter.d.ts.map +1 -0
- package/dist/platforms/claude-code-adapter.js +48 -0
- package/dist/platforms/claude-code-adapter.js.map +1 -0
- package/dist/platforms/continue-adapter.d.ts +10 -0
- package/dist/platforms/continue-adapter.d.ts.map +1 -0
- package/dist/platforms/continue-adapter.js +73 -0
- package/dist/platforms/continue-adapter.js.map +1 -0
- package/dist/platforms/copilot-adapter.d.ts +37 -0
- package/dist/platforms/copilot-adapter.d.ts.map +1 -0
- package/dist/platforms/copilot-adapter.js +66 -0
- package/dist/platforms/copilot-adapter.js.map +1 -0
- package/dist/platforms/cursor-adapter.d.ts +10 -0
- package/dist/platforms/cursor-adapter.d.ts.map +1 -0
- package/dist/platforms/cursor-adapter.js +60 -0
- package/dist/platforms/cursor-adapter.js.map +1 -0
- package/dist/platforms/generic-mcp-adapter.d.ts +113 -0
- package/dist/platforms/generic-mcp-adapter.d.ts.map +1 -0
- package/dist/platforms/generic-mcp-adapter.js +139 -0
- package/dist/platforms/generic-mcp-adapter.js.map +1 -0
- package/dist/platforms/index.d.ts +15 -0
- package/dist/platforms/index.d.ts.map +1 -0
- package/dist/platforms/index.js +12 -0
- package/dist/platforms/index.js.map +1 -0
- package/dist/platforms/platform-registry.d.ts +11 -0
- package/dist/platforms/platform-registry.d.ts.map +1 -0
- package/dist/platforms/platform-registry.js +54 -0
- package/dist/platforms/platform-registry.js.map +1 -0
- package/dist/platforms/types.d.ts +36 -0
- package/dist/platforms/types.d.ts.map +1 -0
- package/dist/platforms/types.js +2 -0
- package/dist/platforms/types.js.map +1 -0
- package/dist/platforms/windsurf-adapter.d.ts +10 -0
- package/dist/platforms/windsurf-adapter.d.ts.map +1 -0
- package/dist/platforms/windsurf-adapter.js +63 -0
- package/dist/platforms/windsurf-adapter.js.map +1 -0
- package/dist/platforms/zed-adapter.d.ts +10 -0
- package/dist/platforms/zed-adapter.d.ts.map +1 -0
- package/dist/platforms/zed-adapter.js +72 -0
- package/dist/platforms/zed-adapter.js.map +1 -0
- package/dist/proxy/index.d.ts +7 -0
- package/dist/proxy/index.d.ts.map +1 -0
- package/dist/proxy/index.js +5 -0
- package/dist/proxy/index.js.map +1 -0
- package/dist/proxy/otlp-receiver.d.ts +28 -0
- package/dist/proxy/otlp-receiver.d.ts.map +1 -0
- package/dist/proxy/otlp-receiver.js +319 -0
- package/dist/proxy/otlp-receiver.js.map +1 -0
- package/dist/proxy/proxy-manager.d.ts +47 -0
- package/dist/proxy/proxy-manager.d.ts.map +1 -0
- package/dist/proxy/proxy-manager.js +338 -0
- package/dist/proxy/proxy-manager.js.map +1 -0
- package/dist/proxy/types.d.ts +72 -0
- package/dist/proxy/types.d.ts.map +1 -0
- package/dist/proxy/types.js +33 -0
- package/dist/proxy/types.js.map +1 -0
- package/dist/proxy/upstream-http.d.ts +26 -0
- package/dist/proxy/upstream-http.d.ts.map +1 -0
- package/dist/proxy/upstream-http.js +209 -0
- package/dist/proxy/upstream-http.js.map +1 -0
- package/dist/proxy/upstream-stdio.d.ts +25 -0
- package/dist/proxy/upstream-stdio.d.ts.map +1 -0
- package/dist/proxy/upstream-stdio.js +256 -0
- package/dist/proxy/upstream-stdio.js.map +1 -0
- package/dist/security/audit-trail.d.ts +74 -0
- package/dist/security/audit-trail.d.ts.map +1 -0
- package/dist/security/audit-trail.js +338 -0
- package/dist/security/audit-trail.js.map +1 -0
- package/dist/security/index.d.ts +5 -0
- package/dist/security/index.d.ts.map +1 -0
- package/dist/security/index.js +4 -0
- package/dist/security/index.js.map +1 -0
- package/dist/security/ssrf.d.ts +2 -0
- package/dist/security/ssrf.d.ts.map +1 -0
- package/dist/security/ssrf.js +126 -0
- package/dist/security/ssrf.js.map +1 -0
- package/dist/server.d.ts +14 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +117 -0
- package/dist/server.js.map +1 -0
- package/dist/shared/__test-utils__/log-output.d.ts +49 -0
- package/dist/shared/__test-utils__/log-output.d.ts.map +1 -0
- package/dist/shared/__test-utils__/log-output.js +38 -0
- package/dist/shared/__test-utils__/log-output.js.map +1 -0
- package/dist/shared/config.d.ts +56 -0
- package/dist/shared/config.d.ts.map +1 -0
- package/dist/shared/config.js +290 -0
- package/dist/shared/config.js.map +1 -0
- package/dist/shared/errors.d.ts +139 -0
- package/dist/shared/errors.d.ts.map +1 -0
- package/dist/shared/errors.js +406 -0
- package/dist/shared/errors.js.map +1 -0
- package/dist/shared/events/factory.d.ts +143 -0
- package/dist/shared/events/factory.d.ts.map +1 -0
- package/dist/shared/events/factory.js +351 -0
- package/dist/shared/events/factory.js.map +1 -0
- package/dist/shared/events/index.d.ts +6 -0
- package/dist/shared/events/index.d.ts.map +1 -0
- package/dist/shared/events/index.js +3 -0
- package/dist/shared/events/index.js.map +1 -0
- package/dist/shared/events/serialize.d.ts +87 -0
- package/dist/shared/events/serialize.d.ts.map +1 -0
- package/dist/shared/events/serialize.js +510 -0
- package/dist/shared/events/serialize.js.map +1 -0
- package/dist/shared/events/types.d.ts +139 -0
- package/dist/shared/events/types.d.ts.map +1 -0
- package/dist/shared/events/types.js +2 -0
- package/dist/shared/events/types.js.map +1 -0
- package/dist/shared/harvest/event-buffer.d.ts +59 -0
- package/dist/shared/harvest/event-buffer.d.ts.map +1 -0
- package/dist/shared/harvest/event-buffer.js +100 -0
- package/dist/shared/harvest/event-buffer.js.map +1 -0
- package/dist/shared/harvest/harvest-scheduler.d.ts +200 -0
- package/dist/shared/harvest/harvest-scheduler.d.ts.map +1 -0
- package/dist/shared/harvest/harvest-scheduler.js +647 -0
- package/dist/shared/harvest/harvest-scheduler.js.map +1 -0
- package/dist/shared/harvest/index.d.ts +7 -0
- package/dist/shared/harvest/index.d.ts.map +1 -0
- package/dist/shared/harvest/index.js +4 -0
- package/dist/shared/harvest/index.js.map +1 -0
- package/dist/shared/harvest/metric-aggregator.d.ts +115 -0
- package/dist/shared/harvest/metric-aggregator.d.ts.map +1 -0
- package/dist/shared/harvest/metric-aggregator.js +247 -0
- package/dist/shared/harvest/metric-aggregator.js.map +1 -0
- package/dist/shared/index.d.ts +22 -0
- package/dist/shared/index.d.ts.map +1 -0
- package/dist/shared/index.js +13 -0
- package/dist/shared/index.js.map +1 -0
- package/dist/shared/logger.d.ts +57 -0
- package/dist/shared/logger.d.ts.map +1 -0
- package/dist/shared/logger.js +166 -0
- package/dist/shared/logger.js.map +1 -0
- package/dist/shared/pricing-data.d.ts +4 -0
- package/dist/shared/pricing-data.d.ts.map +1 -0
- package/dist/shared/pricing-data.js +473 -0
- package/dist/shared/pricing-data.js.map +1 -0
- package/dist/shared/pricing.d.ts +148 -0
- package/dist/shared/pricing.d.ts.map +1 -0
- package/dist/shared/pricing.js +528 -0
- package/dist/shared/pricing.js.map +1 -0
- package/dist/shared/redact.d.ts +33 -0
- package/dist/shared/redact.d.ts.map +1 -0
- package/dist/shared/redact.js +110 -0
- package/dist/shared/redact.js.map +1 -0
- package/dist/shared/timing.d.ts +96 -0
- package/dist/shared/timing.d.ts.map +1 -0
- package/dist/shared/timing.js +173 -0
- package/dist/shared/timing.js.map +1 -0
- package/dist/shared/tokens.d.ts +145 -0
- package/dist/shared/tokens.d.ts.map +1 -0
- package/dist/shared/tokens.js +492 -0
- package/dist/shared/tokens.js.map +1 -0
- package/dist/shared/transport/events-api.d.ts +14 -0
- package/dist/shared/transport/events-api.d.ts.map +1 -0
- package/dist/shared/transport/events-api.js +29 -0
- package/dist/shared/transport/events-api.js.map +1 -0
- package/dist/shared/transport/http-client.d.ts +49 -0
- package/dist/shared/transport/http-client.d.ts.map +1 -0
- package/dist/shared/transport/http-client.js +381 -0
- package/dist/shared/transport/http-client.js.map +1 -0
- package/dist/shared/transport/index.d.ts +10 -0
- package/dist/shared/transport/index.d.ts.map +1 -0
- package/dist/shared/transport/index.js +6 -0
- package/dist/shared/transport/index.js.map +1 -0
- package/dist/shared/transport/logs-api.d.ts +29 -0
- package/dist/shared/transport/logs-api.d.ts.map +1 -0
- package/dist/shared/transport/logs-api.js +40 -0
- package/dist/shared/transport/logs-api.js.map +1 -0
- package/dist/shared/transport/metric-api.d.ts +9 -0
- package/dist/shared/transport/metric-api.d.ts.map +1 -0
- package/dist/shared/transport/metric-api.js +39 -0
- package/dist/shared/transport/metric-api.js.map +1 -0
- package/dist/shared/transport/otlp-event-bridge.d.ts +22 -0
- package/dist/shared/transport/otlp-event-bridge.d.ts.map +1 -0
- package/dist/shared/transport/otlp-event-bridge.js +50 -0
- package/dist/shared/transport/otlp-event-bridge.js.map +1 -0
- package/dist/shared/transport/otlp-shared.d.ts +14 -0
- package/dist/shared/transport/otlp-shared.d.ts.map +1 -0
- package/dist/shared/transport/otlp-shared.js +49 -0
- package/dist/shared/transport/otlp-shared.js.map +1 -0
- package/dist/shared/transport/otlp-transport.d.ts +58 -0
- package/dist/shared/transport/otlp-transport.d.ts.map +1 -0
- package/dist/shared/transport/otlp-transport.js +236 -0
- package/dist/shared/transport/otlp-transport.js.map +1 -0
- package/dist/shared/transport/types.d.ts +129 -0
- package/dist/shared/transport/types.d.ts.map +1 -0
- package/dist/shared/transport/types.js +2 -0
- package/dist/shared/transport/types.js.map +1 -0
- package/dist/shared/version.d.ts +2 -0
- package/dist/shared/version.d.ts.map +1 -0
- package/dist/shared/version.js +2 -0
- package/dist/shared/version.js.map +1 -0
- package/dist/storage/index.d.ts +7 -0
- package/dist/storage/index.d.ts.map +1 -0
- package/dist/storage/index.js +4 -0
- package/dist/storage/index.js.map +1 -0
- package/dist/storage/local-store.d.ts +153 -0
- package/dist/storage/local-store.d.ts.map +1 -0
- package/dist/storage/local-store.js +719 -0
- package/dist/storage/local-store.js.map +1 -0
- package/dist/storage/retention.d.ts +2 -0
- package/dist/storage/retention.d.ts.map +1 -0
- package/dist/storage/retention.js +53 -0
- package/dist/storage/retention.js.map +1 -0
- package/dist/storage/session-store.d.ts +97 -0
- package/dist/storage/session-store.d.ts.map +1 -0
- package/dist/storage/session-store.js +391 -0
- package/dist/storage/session-store.js.map +1 -0
- package/dist/storage/types.d.ts +64 -0
- package/dist/storage/types.d.ts.map +1 -0
- package/dist/storage/types.js +2 -0
- package/dist/storage/types.js.map +1 -0
- package/dist/storage/weekly-summary.d.ts +61 -0
- package/dist/storage/weekly-summary.d.ts.map +1 -0
- package/dist/storage/weekly-summary.js +243 -0
- package/dist/storage/weekly-summary.js.map +1 -0
- package/dist/tools/analytics-tools.d.ts +101 -0
- package/dist/tools/analytics-tools.d.ts.map +1 -0
- package/dist/tools/analytics-tools.js +71 -0
- package/dist/tools/analytics-tools.js.map +1 -0
- package/dist/tools/cost-tools.d.ts +121 -0
- package/dist/tools/cost-tools.d.ts.map +1 -0
- package/dist/tools/cost-tools.js +174 -0
- package/dist/tools/cost-tools.js.map +1 -0
- package/dist/tools/cross-session-tools.d.ts +376 -0
- package/dist/tools/cross-session-tools.d.ts.map +1 -0
- package/dist/tools/cross-session-tools.js +820 -0
- package/dist/tools/cross-session-tools.js.map +1 -0
- package/dist/tools/extended-analytics-tools.d.ts +164 -0
- package/dist/tools/extended-analytics-tools.d.ts.map +1 -0
- package/dist/tools/extended-analytics-tools.js +121 -0
- package/dist/tools/extended-analytics-tools.js.map +1 -0
- package/dist/tools/index.d.ts +7 -0
- package/dist/tools/index.d.ts.map +1 -0
- package/dist/tools/index.js +4 -0
- package/dist/tools/index.js.map +1 -0
- package/dist/tools/session-stats.d.ts +162 -0
- package/dist/tools/session-stats.d.ts.map +1 -0
- package/dist/tools/session-stats.js +1054 -0
- package/dist/tools/session-stats.js.map +1 -0
- package/dist/tools/workflow-tools.d.ts +126 -0
- package/dist/tools/workflow-tools.d.ts.map +1 -0
- package/dist/tools/workflow-tools.js +274 -0
- package/dist/tools/workflow-tools.js.map +1 -0
- package/dist/tracing/mcp-tracer.d.ts +4 -0
- package/dist/tracing/mcp-tracer.d.ts.map +1 -0
- package/dist/tracing/mcp-tracer.js +14 -0
- package/dist/tracing/mcp-tracer.js.map +1 -0
- package/dist/tracing/session-span.d.ts +14 -0
- package/dist/tracing/session-span.d.ts.map +1 -0
- package/dist/tracing/session-span.js +53 -0
- package/dist/tracing/session-span.js.map +1 -0
- package/dist/tracing/task-span-tracker.d.ts +11 -0
- package/dist/tracing/task-span-tracker.d.ts.map +1 -0
- package/dist/tracing/task-span-tracker.js +59 -0
- package/dist/tracing/task-span-tracker.js.map +1 -0
- package/dist/tracing/tool-call-span.d.ts +4 -0
- package/dist/tracing/tool-call-span.d.ts.map +1 -0
- package/dist/tracing/tool-call-span.js +60 -0
- package/dist/tracing/tool-call-span.js.map +1 -0
- package/dist/transport/index.d.ts +3 -0
- package/dist/transport/index.d.ts.map +1 -0
- package/dist/transport/index.js +2 -0
- package/dist/transport/index.js.map +1 -0
- package/dist/transport/log-ingest.d.ts +42 -0
- package/dist/transport/log-ingest.d.ts.map +1 -0
- package/dist/transport/log-ingest.js +151 -0
- package/dist/transport/log-ingest.js.map +1 -0
- package/dist/transport/nr-ingest.d.ts +171 -0
- package/dist/transport/nr-ingest.d.ts.map +1 -0
- package/dist/transport/nr-ingest.js +659 -0
- package/dist/transport/nr-ingest.js.map +1 -0
- package/dist/types.d.ts +45 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +2 -0
- package/dist/types.js.map +1 -0
- package/dist/web/assets/index-BrL281N-.css +2 -0
- package/dist/web/assets/index-CcaYZzXm.js +42 -0
- package/dist/web/favicon.svg +15 -0
- package/dist/web/index.html +15 -0
- package/examples/local-alert-rules.json +106 -0
- package/package.json +129 -1
|
@@ -0,0 +1,338 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Security Audit Trail — classifies tool calls into audit events, detects
|
|
3
|
+
* sensitive file access and destructive commands, and emits NR events for
|
|
4
|
+
* alerting.
|
|
5
|
+
*/
|
|
6
|
+
import { createLogger } from '../shared/index.js';
|
|
7
|
+
import { redactSensitive } from '../config.js';
|
|
8
|
+
import { isSyntheticSessionId } from '../hooks/session-resolver.js';
|
|
9
|
+
const logger = createLogger('audit-trail');
|
|
10
|
+
// ---------------------------------------------------------------------------
|
|
11
|
+
// Default detection patterns
|
|
12
|
+
// ---------------------------------------------------------------------------
|
|
13
|
+
export const DEFAULT_SENSITIVE_FILE_PATTERNS = [
|
|
14
|
+
/(?:^|\/)\.env(?:\..+)?$/i,
|
|
15
|
+
/(?:^|\/)credentials/i,
|
|
16
|
+
/(?:^|\/)secret/i,
|
|
17
|
+
/\.pem$/i,
|
|
18
|
+
/\.key$/i,
|
|
19
|
+
/(?:^|\/)id_rsa(?:$|\.)/i,
|
|
20
|
+
/(?:^|\/)id_ed25519(?:$|\.)/i,
|
|
21
|
+
/(?:^|\/)\.ssh\//i,
|
|
22
|
+
/(?:^|\/)password(?:s)?(?:\.[^/]*)?$/i,
|
|
23
|
+
/(?:^|\/)\.npmrc$/i,
|
|
24
|
+
/(?:^|\/)\.pypirc$/i,
|
|
25
|
+
/(?:^|\/)token(?:s)?(?:\.[^/]*)?$/i,
|
|
26
|
+
];
|
|
27
|
+
export const DEFAULT_DESTRUCTIVE_COMMAND_PATTERNS = [
|
|
28
|
+
// rm with recursive + force flags in any combination or order:
|
|
29
|
+
// combined (-rf, -fr, -rfv, -rvf, -Rf, etc.) or separate (-r -f, -f -r, -r -v -f, etc.)
|
|
30
|
+
// rm with -r/-R (recursive), in any combination of flags or alone
|
|
31
|
+
/\brm\s+(?:-[a-zA-Z]*[rR][a-zA-Z]*[fF][a-zA-Z]*|-[a-zA-Z]*[fF][a-zA-Z]*[rR][a-zA-Z]*|-[rR][a-zA-Z]*(?:\s+-[a-zA-Z]+)*\s+-[fF]|-[fF][a-zA-Z]*(?:\s+-[a-zA-Z]+)*\s+-[rR]|-[rR]\b|-[a-zA-Z]*[rR]\b)/,
|
|
32
|
+
// GNU long-form: rm --recursive
|
|
33
|
+
/\brm\b.*--recursive\b/,
|
|
34
|
+
/\bgit\s+push\s+--force\b/i,
|
|
35
|
+
/\bgit\s+push\s+-f\b/i,
|
|
36
|
+
/\bgit\s+reset\s+--hard\b/i,
|
|
37
|
+
/\bDROP\s+TABLE\b/i,
|
|
38
|
+
/\bDROP\s+DATABASE\b/i,
|
|
39
|
+
/\bDELETE\s+FROM\b/i,
|
|
40
|
+
/\bchmod\s+777\b/,
|
|
41
|
+
// Pipe to shell — matches common shells and interpreters
|
|
42
|
+
/\bcurl\b.*\|\s*(?:\/[^\s]*\/)?(?:ba|z|k|da|fi|tc|c)?sh\b/i,
|
|
43
|
+
/\bwget\b.*\|\s*(?:\/[^\s]*\/)?(?:ba|z|k|da|fi|tc|c)?sh\b/i,
|
|
44
|
+
/\bcurl\b.*\|\s*(?:\/[^\s]*\/)?(?:node|python3?|perl|ruby)\b/i,
|
|
45
|
+
/\bwget\b.*\|\s*(?:\/[^\s]*\/)?(?:node|python3?|perl|ruby)\b/i,
|
|
46
|
+
];
|
|
47
|
+
export const DEFAULT_NETWORK_COMMAND_PATTERNS = [
|
|
48
|
+
/\bcurl\b/i,
|
|
49
|
+
/\bwget\b/i,
|
|
50
|
+
/\bnc\b/,
|
|
51
|
+
/\bssh\b/,
|
|
52
|
+
];
|
|
53
|
+
// ---------------------------------------------------------------------------
|
|
54
|
+
// Tool name → AuditAction mapping
|
|
55
|
+
// ---------------------------------------------------------------------------
|
|
56
|
+
const TOOL_ACTION_MAP = {
|
|
57
|
+
Read: 'FileRead',
|
|
58
|
+
Write: 'FileWrite',
|
|
59
|
+
Edit: 'FileEdit',
|
|
60
|
+
Bash: 'BashCommand',
|
|
61
|
+
Agent: 'AgentSpawn',
|
|
62
|
+
Grep: 'Search',
|
|
63
|
+
Glob: 'Search',
|
|
64
|
+
};
|
|
65
|
+
function classifyTool(toolName) {
|
|
66
|
+
return TOOL_ACTION_MAP[toolName] ?? 'Other';
|
|
67
|
+
}
|
|
68
|
+
// ---------------------------------------------------------------------------
|
|
69
|
+
// Detail builder
|
|
70
|
+
// ---------------------------------------------------------------------------
|
|
71
|
+
function buildDetail(record) {
|
|
72
|
+
const tool = record.toolName;
|
|
73
|
+
const filePath = record.filePath;
|
|
74
|
+
const command = record.command;
|
|
75
|
+
const agentDescription = record.agentDescription;
|
|
76
|
+
const pattern = record.pattern;
|
|
77
|
+
// Redact at the source so every downstream egress (NR Events API,
|
|
78
|
+
// NR Logs API, persisted on-disk audit log) sees only scrubbed strings.
|
|
79
|
+
// detectSecurityAlert runs against the raw record before this is invoked,
|
|
80
|
+
// so pattern matching still works correctly against unredacted input.
|
|
81
|
+
if (filePath)
|
|
82
|
+
return `${tool} ${redactSensitive(filePath)}`;
|
|
83
|
+
if (command)
|
|
84
|
+
return `${tool}: ${redactSensitive(command)}`;
|
|
85
|
+
if (agentDescription)
|
|
86
|
+
return `${tool}: ${redactSensitive(agentDescription)}`;
|
|
87
|
+
if (pattern)
|
|
88
|
+
return `${tool}: ${redactSensitive(pattern)}`;
|
|
89
|
+
return tool;
|
|
90
|
+
}
|
|
91
|
+
// ---------------------------------------------------------------------------
|
|
92
|
+
// Pattern matching
|
|
93
|
+
// ---------------------------------------------------------------------------
|
|
94
|
+
function matchesAny(value, patterns) {
|
|
95
|
+
return patterns.some((p) => p.test(value));
|
|
96
|
+
}
|
|
97
|
+
function detectSecurityAlert(record, sensitivePatterns, destructivePatterns, networkPatterns) {
|
|
98
|
+
const command = record.command;
|
|
99
|
+
const filePath = record.filePath;
|
|
100
|
+
// Defense in depth: the classifier's verdict and the pattern lists are
|
|
101
|
+
// OR-ed together. Either layer flagging is enough to alert. We deliberately
|
|
102
|
+
// do NOT short-circuit on `bashDestructive === false` — the two layers can
|
|
103
|
+
// diverge (the classifier and the audit pattern list maintain independent
|
|
104
|
+
// regexes), so treating the classifier as authoritative would let a
|
|
105
|
+
// narrower classifier silently suppress a hit the audit list would have
|
|
106
|
+
// caught. Treat the classifier as additive, not authoritative, for
|
|
107
|
+
// security-critical decisions.
|
|
108
|
+
const classifierDestructive = record.bashDestructive === true;
|
|
109
|
+
const classifierNetwork = record.bashNetwork === true;
|
|
110
|
+
// Destructive commands (critical) — check first, highest priority
|
|
111
|
+
if (command) {
|
|
112
|
+
const isDestructive = classifierDestructive || matchesAny(command, destructivePatterns);
|
|
113
|
+
if (isDestructive) {
|
|
114
|
+
return {
|
|
115
|
+
severity: 'critical',
|
|
116
|
+
alertType: 'destructive_command',
|
|
117
|
+
description: `Destructive command detected: ${redactSensitive(command)}`,
|
|
118
|
+
};
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
// Sensitive file access (high)
|
|
122
|
+
if (filePath && matchesAny(filePath, sensitivePatterns)) {
|
|
123
|
+
return {
|
|
124
|
+
severity: 'high',
|
|
125
|
+
alertType: 'sensitive_file',
|
|
126
|
+
description: `Sensitive file accessed: ${redactSensitive(filePath)}`,
|
|
127
|
+
};
|
|
128
|
+
}
|
|
129
|
+
// External network request (medium) — only for Bash commands
|
|
130
|
+
if (command) {
|
|
131
|
+
const isNetwork = classifierNetwork || matchesAny(command, networkPatterns);
|
|
132
|
+
if (isNetwork) {
|
|
133
|
+
return {
|
|
134
|
+
severity: 'medium',
|
|
135
|
+
alertType: 'external_network',
|
|
136
|
+
description: `External network request: ${redactSensitive(command)}`,
|
|
137
|
+
};
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
return undefined;
|
|
141
|
+
}
|
|
142
|
+
// ---------------------------------------------------------------------------
|
|
143
|
+
// NR Event helpers
|
|
144
|
+
// ---------------------------------------------------------------------------
|
|
145
|
+
export function auditRecordToNrEvent(record, attrs) {
|
|
146
|
+
const event = {
|
|
147
|
+
eventType: 'AiAuditEvent',
|
|
148
|
+
timestamp: Math.floor(record.timestamp / 1000),
|
|
149
|
+
action: record.action,
|
|
150
|
+
tool: record.tool,
|
|
151
|
+
detail: record.detail,
|
|
152
|
+
developer: record.developer,
|
|
153
|
+
};
|
|
154
|
+
if (attrs?.teamId)
|
|
155
|
+
event.team_id = attrs.teamId;
|
|
156
|
+
if (attrs?.projectId)
|
|
157
|
+
event.project_id = attrs.projectId;
|
|
158
|
+
if (attrs?.orgId)
|
|
159
|
+
event.org_id = attrs.orgId;
|
|
160
|
+
if (record.sessionId != null)
|
|
161
|
+
event.session_id = record.sessionId;
|
|
162
|
+
if (record.filePath != null)
|
|
163
|
+
event.file_path = redactSensitive(record.filePath);
|
|
164
|
+
if (record.command != null)
|
|
165
|
+
event.command = redactSensitive(record.command);
|
|
166
|
+
if (record.securityAlert) {
|
|
167
|
+
event['audit.security_alert'] = true;
|
|
168
|
+
event['audit.severity'] = record.securityAlert.severity;
|
|
169
|
+
event['audit.alert_type'] = record.securityAlert.alertType;
|
|
170
|
+
}
|
|
171
|
+
else {
|
|
172
|
+
event['audit.security_alert'] = false;
|
|
173
|
+
}
|
|
174
|
+
return event;
|
|
175
|
+
}
|
|
176
|
+
export function securityAlertToNrEvent(record, attrs) {
|
|
177
|
+
const alert = record.securityAlert;
|
|
178
|
+
if (!alert)
|
|
179
|
+
throw new Error('securityAlertToNrEvent called with no securityAlert on record');
|
|
180
|
+
const event = {
|
|
181
|
+
eventType: 'SecurityAlert',
|
|
182
|
+
timestamp: Math.floor(record.timestamp / 1000),
|
|
183
|
+
severity: alert.severity,
|
|
184
|
+
alert_type: alert.alertType,
|
|
185
|
+
description: alert.description,
|
|
186
|
+
tool: record.tool,
|
|
187
|
+
developer: record.developer,
|
|
188
|
+
};
|
|
189
|
+
if (attrs?.teamId)
|
|
190
|
+
event.team_id = attrs.teamId;
|
|
191
|
+
if (attrs?.projectId)
|
|
192
|
+
event.project_id = attrs.projectId;
|
|
193
|
+
if (attrs?.orgId)
|
|
194
|
+
event.org_id = attrs.orgId;
|
|
195
|
+
if (record.sessionId != null)
|
|
196
|
+
event.session_id = record.sessionId;
|
|
197
|
+
if (record.filePath != null)
|
|
198
|
+
event.file_path = redactSensitive(record.filePath);
|
|
199
|
+
if (record.command != null)
|
|
200
|
+
event.command = redactSensitive(record.command);
|
|
201
|
+
return event;
|
|
202
|
+
}
|
|
203
|
+
export class AuditTrailManager {
|
|
204
|
+
developer;
|
|
205
|
+
sessionId;
|
|
206
|
+
sensitivePatterns;
|
|
207
|
+
destructivePatterns;
|
|
208
|
+
networkPatterns;
|
|
209
|
+
localStore;
|
|
210
|
+
entries = [];
|
|
211
|
+
sensitiveAccessLog = [];
|
|
212
|
+
static MAX_ENTRIES = 10_000;
|
|
213
|
+
constructor(options) {
|
|
214
|
+
this.developer = options.developer;
|
|
215
|
+
this.sessionId = options.sessionId;
|
|
216
|
+
this.sensitivePatterns = options.sensitivePatterns ?? DEFAULT_SENSITIVE_FILE_PATTERNS;
|
|
217
|
+
this.destructivePatterns = options.destructivePatterns ?? DEFAULT_DESTRUCTIVE_COMMAND_PATTERNS;
|
|
218
|
+
this.networkPatterns = options.networkPatterns ?? DEFAULT_NETWORK_COMMAND_PATTERNS;
|
|
219
|
+
this.localStore = options.localStore ?? null;
|
|
220
|
+
}
|
|
221
|
+
recordToolCall(record) {
|
|
222
|
+
const action = classifyTool(record.toolName);
|
|
223
|
+
const detail = buildDetail(record);
|
|
224
|
+
const alert = detectSecurityAlert(record, this.sensitivePatterns, this.destructivePatterns, this.networkPatterns);
|
|
225
|
+
const rawFilePath = record.filePath;
|
|
226
|
+
const rawCommand = record.command;
|
|
227
|
+
const auditRecord = {
|
|
228
|
+
timestamp: record.timestamp,
|
|
229
|
+
sessionId: record.sessionId ?? (isSyntheticSessionId(this.sessionId) ? null : this.sessionId),
|
|
230
|
+
action,
|
|
231
|
+
tool: record.toolName,
|
|
232
|
+
detail,
|
|
233
|
+
developer: this.developer,
|
|
234
|
+
// Store redacted strings on the AuditRecord so every downstream consumer
|
|
235
|
+
// (NR Events, NR Logs, on-disk audit log) carries only scrubbed values.
|
|
236
|
+
filePath: rawFilePath != null ? redactSensitive(rawFilePath) : undefined,
|
|
237
|
+
command: rawCommand != null ? redactSensitive(rawCommand) : undefined,
|
|
238
|
+
securityAlert: alert,
|
|
239
|
+
};
|
|
240
|
+
if (this.entries.length >= AuditTrailManager.MAX_ENTRIES)
|
|
241
|
+
this.entries.shift();
|
|
242
|
+
this.entries.push(auditRecord);
|
|
243
|
+
if (alert) {
|
|
244
|
+
if (this.sensitiveAccessLog.length >= AuditTrailManager.MAX_ENTRIES)
|
|
245
|
+
this.sensitiveAccessLog.shift();
|
|
246
|
+
this.sensitiveAccessLog.push(auditRecord);
|
|
247
|
+
logger.warn('Security alert', {
|
|
248
|
+
severity: alert.severity,
|
|
249
|
+
alertType: alert.alertType,
|
|
250
|
+
tool: record.toolName,
|
|
251
|
+
detail,
|
|
252
|
+
});
|
|
253
|
+
}
|
|
254
|
+
this.persistToDisk(auditRecord);
|
|
255
|
+
return auditRecord;
|
|
256
|
+
}
|
|
257
|
+
recordProxyCall(record) {
|
|
258
|
+
const detail = `McpToolCall: ${record.serverName}/${record.toolName}`;
|
|
259
|
+
const filePath = record.filePath;
|
|
260
|
+
const command = record.command;
|
|
261
|
+
const alert = detectSecurityAlert(record, this.sensitivePatterns, this.destructivePatterns, this.networkPatterns);
|
|
262
|
+
const auditRecord = {
|
|
263
|
+
timestamp: record.timestamp,
|
|
264
|
+
sessionId: record.sessionId ?? (isSyntheticSessionId(this.sessionId) ? null : this.sessionId),
|
|
265
|
+
action: 'McpToolCall',
|
|
266
|
+
tool: record.toolName,
|
|
267
|
+
detail,
|
|
268
|
+
developer: this.developer,
|
|
269
|
+
// Same redaction policy as recordToolCall — see comment there.
|
|
270
|
+
filePath: filePath != null ? redactSensitive(filePath) : undefined,
|
|
271
|
+
command: command != null ? redactSensitive(command) : undefined,
|
|
272
|
+
securityAlert: alert,
|
|
273
|
+
};
|
|
274
|
+
if (this.entries.length >= AuditTrailManager.MAX_ENTRIES)
|
|
275
|
+
this.entries.shift();
|
|
276
|
+
this.entries.push(auditRecord);
|
|
277
|
+
if (alert) {
|
|
278
|
+
if (this.sensitiveAccessLog.length >= AuditTrailManager.MAX_ENTRIES)
|
|
279
|
+
this.sensitiveAccessLog.shift();
|
|
280
|
+
this.sensitiveAccessLog.push(auditRecord);
|
|
281
|
+
logger.warn('Security alert', {
|
|
282
|
+
severity: alert.severity,
|
|
283
|
+
alertType: alert.alertType,
|
|
284
|
+
tool: record.toolName,
|
|
285
|
+
detail,
|
|
286
|
+
});
|
|
287
|
+
}
|
|
288
|
+
this.persistToDisk(auditRecord);
|
|
289
|
+
return auditRecord;
|
|
290
|
+
}
|
|
291
|
+
getAuditLog() {
|
|
292
|
+
return this.entries;
|
|
293
|
+
}
|
|
294
|
+
getSensitiveAccessLog() {
|
|
295
|
+
return this.sensitiveAccessLog;
|
|
296
|
+
}
|
|
297
|
+
getMetrics() {
|
|
298
|
+
const alertsBySeverity = {};
|
|
299
|
+
let securityAlerts = 0;
|
|
300
|
+
for (const entry of this.entries) {
|
|
301
|
+
if (entry.securityAlert) {
|
|
302
|
+
securityAlerts++;
|
|
303
|
+
const sev = entry.securityAlert.severity;
|
|
304
|
+
alertsBySeverity[sev] = (alertsBySeverity[sev] ?? 0) + 1;
|
|
305
|
+
}
|
|
306
|
+
}
|
|
307
|
+
return {
|
|
308
|
+
totalEntries: this.entries.length,
|
|
309
|
+
securityAlerts,
|
|
310
|
+
alertsBySeverity,
|
|
311
|
+
};
|
|
312
|
+
}
|
|
313
|
+
reset(sessionId) {
|
|
314
|
+
this.entries = [];
|
|
315
|
+
this.sensitiveAccessLog = [];
|
|
316
|
+
if (sessionId !== undefined) {
|
|
317
|
+
this.sessionId = sessionId;
|
|
318
|
+
}
|
|
319
|
+
}
|
|
320
|
+
persistToDisk(record) {
|
|
321
|
+
if (!this.localStore)
|
|
322
|
+
return;
|
|
323
|
+
this.localStore.appendAuditLog({
|
|
324
|
+
timestamp: record.timestamp,
|
|
325
|
+
sessionId: record.sessionId,
|
|
326
|
+
action: record.action,
|
|
327
|
+
tool: record.tool,
|
|
328
|
+
detail: record.detail,
|
|
329
|
+
developer: record.developer,
|
|
330
|
+
filePath: record.filePath,
|
|
331
|
+
command: record.command,
|
|
332
|
+
securityAlert: record.securityAlert
|
|
333
|
+
? { severity: record.securityAlert.severity, alertType: record.securityAlert.alertType }
|
|
334
|
+
: undefined,
|
|
335
|
+
});
|
|
336
|
+
}
|
|
337
|
+
}
|
|
338
|
+
//# sourceMappingURL=audit-trail.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit-trail.js","sourceRoot":"","sources":["../../src/security/audit-trail.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAKlD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAEpE,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;AA0C3C,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,MAAM,CAAC,MAAM,+BAA+B,GAAa;IACvD,0BAA0B;IAC1B,sBAAsB;IACtB,iBAAiB;IACjB,SAAS;IACT,SAAS;IACT,yBAAyB;IACzB,6BAA6B;IAC7B,kBAAkB;IAClB,sCAAsC;IACtC,mBAAmB;IACnB,oBAAoB;IACpB,mCAAmC;CACpC,CAAC;AAEF,MAAM,CAAC,MAAM,oCAAoC,GAAa;IAC5D,+DAA+D;IAC/D,wFAAwF;IACxF,kEAAkE;IAClE,iMAAiM;IACjM,gCAAgC;IAChC,uBAAuB;IACvB,2BAA2B;IAC3B,sBAAsB;IACtB,2BAA2B;IAC3B,mBAAmB;IACnB,sBAAsB;IACtB,oBAAoB;IACpB,iBAAiB;IACjB,yDAAyD;IACzD,2DAA2D;IAC3D,2DAA2D;IAC3D,8DAA8D;IAC9D,8DAA8D;CAC/D,CAAC;AAEF,MAAM,CAAC,MAAM,gCAAgC,GAAa;IACxD,WAAW;IACX,WAAW;IACX,QAAQ;IACR,SAAS;CACV,CAAC;AAEF,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,MAAM,eAAe,GAAgC;IACnD,IAAI,EAAE,UAAU;IAChB,KAAK,EAAE,WAAW;IAClB,IAAI,EAAE,UAAU;IAChB,IAAI,EAAE,aAAa;IACnB,KAAK,EAAE,YAAY;IACnB,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,QAAQ;CACf,CAAC;AAEF,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,MAAsB;IACzC,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA8B,CAAC;IACvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAA6B,CAAC;IACrD,MAAM,gBAAgB,GAAG,MAAM,CAAC,gBAAsC,CAAC;IACvE,MAAM,OAAO,GAAG,MAAM,CAAC,OAA6B,CAAC;IAErD,kEAAkE;IAClE,wEAAwE;IACxE,0EAA0E;IAC1E,sEAAsE;IACtE,IAAI,QAAQ;QAAE,OAAO,GAAG,IAAI,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC5D,IAAI,OAAO;QAAE,OAAO,GAAG,IAAI,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3D,IAAI,gBAAgB;QAAE,OAAO,GAAG,IAAI,KAAK,eAAe,CAAC,gBAAgB,CAAC,EAAE,CAAC;IAC7E,IAAI,OAAO;QAAE,OAAO,GAAG,IAAI,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,UAAU,CAAC,KAAa,EAAE,QAA2B;IAC5D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAAsB,EACtB,iBAAoC,EACpC,mBAAsC,EACtC,eAAkC;IAElC,MAAM,OAAO,GAAG,MAAM,CAAC,OAA6B,CAAC;IACrD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA8B,CAAC;IACvD,uEAAuE;IACvE,4EAA4E;IAC5E,2EAA2E;IAC3E,0EAA0E;IAC1E,oEAAoE;IACpE,wEAAwE;IACxE,mEAAmE;IACnE,+BAA+B;IAC/B,MAAM,qBAAqB,GAAG,MAAM,CAAC,eAAe,KAAK,IAAI,CAAC;IAC9D,MAAM,iBAAiB,GAAG,MAAM,CAAC,WAAW,KAAK,IAAI,CAAC;IAEtD,kEAAkE;IAClE,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,aAAa,GAAG,qBAAqB,IAAI,UAAU,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;QACxF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,iCAAiC,eAAe,CAAC,OAAO,CAAC,EAAE;aACzE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,QAAQ,IAAI,UAAU,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,gBAAgB;YAC3B,WAAW,EAAE,4BAA4B,eAAe,CAAC,QAAQ,CAAC,EAAE;SACrE,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,iBAAiB,IAAI,UAAU,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAC5E,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,6BAA6B,eAAe,CAAC,OAAO,CAAC,EAAE;aACrE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,UAAU,oBAAoB,CAClC,MAAmB,EACnB,KAAoF;IAEpF,MAAM,KAAK,GAAgB;QACzB,SAAS,EAAE,cAAc;QACzB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;QAC9C,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;IAEF,IAAI,KAAK,EAAE,MAAM;QAAE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC;IAChD,IAAI,KAAK,EAAE,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC;IACzD,IAAI,KAAK,EAAE,KAAK;QAAE,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;IAE7C,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI;QAAE,KAAK,CAAC,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC;IAClE,IAAI,MAAM,CAAC,QAAQ,IAAI,IAAI;QAAE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,MAAM,CAAC,OAAO,IAAI,IAAI;QAAE,KAAK,CAAC,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE5E,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,KAAK,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC;QACrC,KAAK,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC;QACxD,KAAK,CAAC,kBAAkB,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC;IACxC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,MAAmB,EACnB,KAAoF;IAEpF,MAAM,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IAC7F,MAAM,KAAK,GAAgB;QACzB,SAAS,EAAE,eAAe;QAC1B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;QAC9C,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU,EAAE,KAAK,CAAC,SAAS;QAC3B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;IAEF,IAAI,KAAK,EAAE,MAAM;QAAE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC;IAChD,IAAI,KAAK,EAAE,SAAS;QAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC;IACzD,IAAI,KAAK,EAAE,KAAK;QAAE,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;IAE7C,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI;QAAE,KAAK,CAAC,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC;IAClE,IAAI,MAAM,CAAC,QAAQ,IAAI,IAAI;QAAE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,MAAM,CAAC,OAAO,IAAI,IAAI;QAAE,KAAK,CAAC,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE5E,OAAO,KAAK,CAAC;AACf,CAAC;AAgBD,MAAM,OAAO,iBAAiB;IACX,SAAS,CAAS;IAC3B,SAAS,CAAgB;IAChB,iBAAiB,CAAoB;IACrC,mBAAmB,CAAoB;IACvC,eAAe,CAAoB;IACnC,UAAU,CAAoB;IAEvC,OAAO,GAAkB,EAAE,CAAC;IAC5B,kBAAkB,GAAkB,EAAE,CAAC;IACvC,MAAM,CAAU,WAAW,GAAG,MAAM,CAAC;IAE7C,YAAY,OAAiC;QAC3C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,+BAA+B,CAAC;QACtF,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,oCAAoC,CAAC;QAC/F,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,gCAAgC,CAAC;QACnF,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC;IAC/C,CAAC;IAED,cAAc,CAAC,MAAsB;QACnC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAEnC,MAAM,KAAK,GAAG,mBAAmB,CAC/B,MAAM,EACN,IAAI,CAAC,iBAAiB,EACtB,IAAI,CAAC,mBAAmB,EACxB,IAAI,CAAC,eAAe,CACrB,CAAC;QAEF,MAAM,WAAW,GAAG,MAAM,CAAC,QAA8B,CAAC;QAC1D,MAAM,UAAU,GAAG,MAAM,CAAC,OAA6B,CAAC;QACxD,MAAM,WAAW,GAAgB;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;YAC7F,MAAM;YACN,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,yEAAyE;YACzE,wEAAwE;YACxE,QAAQ,EAAE,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YACxE,OAAO,EAAE,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;YACrE,aAAa,EAAE,KAAK;SACrB,CAAC;QAEF,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,iBAAiB,CAAC,WAAW;YAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAC/E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/B,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,IAAI,CAAC,kBAAkB,CAAC,MAAM,IAAI,iBAAiB,CAAC,WAAW;gBACjE,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;gBAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,IAAI,EAAE,MAAM,CAAC,QAAQ;gBACrB,MAAM;aACP,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAChC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,eAAe,CAAC,MAA2B;QACzC,MAAM,MAAM,GAAG,gBAAgB,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA8B,CAAC;QACvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAA6B,CAAC;QAErD,MAAM,KAAK,GAAG,mBAAmB,CAC/B,MAAM,EACN,IAAI,CAAC,iBAAiB,EACtB,IAAI,CAAC,mBAAmB,EACxB,IAAI,CAAC,eAAe,CACrB,CAAC;QAEF,MAAM,WAAW,GAAgB;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;YAC7F,MAAM,EAAE,aAAa;YACrB,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,+DAA+D;YAC/D,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;YAClE,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS;YAC/D,aAAa,EAAE,KAAK;SACrB,CAAC;QAEF,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,iBAAiB,CAAC,WAAW;YAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAC/E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/B,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,IAAI,CAAC,kBAAkB,CAAC,MAAM,IAAI,iBAAiB,CAAC,WAAW;gBACjE,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;gBAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,IAAI,EAAE,MAAM,CAAC,QAAQ;gBACrB,MAAM;aACP,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAChC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,qBAAqB;QACnB,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED,UAAU;QACR,MAAM,gBAAgB,GAA2B,EAAE,CAAC;QACpD,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;gBACxB,cAAc,EAAE,CAAC;gBACjB,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,CAAC,QAAQ,CAAC;gBACzC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QAED,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YACjC,cAAc;YACd,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAyB;QAC7B,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC;QAClB,IAAI,CAAC,kBAAkB,GAAG,EAAE,CAAC;QAC7B,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,MAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,OAAO;QAC7B,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,aAAa,EAAE,MAAM,CAAC,aAAa;gBACjC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,aAAa,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,aAAa,CAAC,SAAS,EAAE;gBACxF,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;IACL,CAAC"}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
export { validateSsrfUrl } from './ssrf.js';
|
|
2
|
+
export { AuditTrailManager, auditRecordToNrEvent, securityAlertToNrEvent } from './audit-trail.js';
|
|
3
|
+
export type { AuditAction, AlertSeverity, SecurityAlert, AuditRecord, AuditMetrics, AuditTrailManagerOptions, } from './audit-trail.js';
|
|
4
|
+
export { DEFAULT_SENSITIVE_FILE_PATTERNS, DEFAULT_DESTRUCTIVE_COMMAND_PATTERNS, DEFAULT_NETWORK_COMMAND_PATTERNS, } from './audit-trail.js';
|
|
5
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AACnG,YAAY,EACV,WAAW,EACX,aAAa,EACb,aAAa,EACb,WAAW,EACX,YAAY,EACZ,wBAAwB,GACzB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,+BAA+B,EAC/B,oCAAoC,EACpC,gCAAgC,GACjC,MAAM,kBAAkB,CAAC"}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
export { validateSsrfUrl } from './ssrf.js';
|
|
2
|
+
export { AuditTrailManager, auditRecordToNrEvent, securityAlertToNrEvent } from './audit-trail.js';
|
|
3
|
+
export { DEFAULT_SENSITIVE_FILE_PATTERNS, DEFAULT_DESTRUCTIVE_COMMAND_PATTERNS, DEFAULT_NETWORK_COMMAND_PATTERNS, } from './audit-trail.js';
|
|
4
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AASnG,OAAO,EACL,+BAA+B,EAC/B,oCAAoC,EACpC,gCAAgC,GACjC,MAAM,kBAAkB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ssrf.d.ts","sourceRoot":"","sources":["../../src/security/ssrf.ts"],"names":[],"mappings":"AA4GA,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,CAqC7D"}
|
|
@@ -0,0 +1,126 @@
|
|
|
1
|
+
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
|
|
2
|
+
// Cloud metadata service FQDNs that resolve to internal addresses within cloud accounts.
|
|
3
|
+
// Blocking these prevents SSRF attacks from exfiltrating cloud credentials.
|
|
4
|
+
const BLOCKED_METADATA_FQDNS = new Set([
|
|
5
|
+
'metadata.google.internal',
|
|
6
|
+
'metadata.azure.com',
|
|
7
|
+
'ec2.internal',
|
|
8
|
+
'ec2.amazonaws.com',
|
|
9
|
+
]);
|
|
10
|
+
// Cloud metadata service IPs that are not covered by RFC-1918 or link-local blocks.
|
|
11
|
+
const BLOCKED_METADATA_IPS = new Set(['100.100.100.200']);
|
|
12
|
+
// Matches loopback, RFC-1918 private ranges, link-local (169.254/16), and
|
|
13
|
+
// IPv4 multicast (224.0.0.0/4, i.e. 224–239.x.x.x).
|
|
14
|
+
// Also blocks IPv6 unspecified (::), IPv6 loopback (::1), IPv4-mapped variants (::ffff:...),
|
|
15
|
+
// IPv6 ULA (fc00::/7, fd00::/8), and IPv6 link-local (fe80::/10).
|
|
16
|
+
// Supports both decimal IPv4 and hex-normalized IPv6-mapped formats (Node.js normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1).
|
|
17
|
+
// Node.js URL.hostname returns IPv6 addresses with brackets (e.g. [::1]).
|
|
18
|
+
const BLOCKED_HOST_RE = /^(?:\[)?(?:127\.(?:\d{1,3}\.)*\d{1,3}|10\.(?:\d{1,3}\.)*\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.(?:\d{1,3}\.)*\d{1,3}|192\.168\.(?:\d{1,3}\.)*\d{1,3}|169\.254\.(?:\d{1,3}\.)*\d{1,3}|(?:22[4-9]|23[0-9])\.(?:\d{1,3}\.)*\d{1,3}|::1|::|::ffff:(?:7f[0-9a-f]{2}|0a[0-9a-f]{2}|ac1[0-9a-f]|c0a8|a9fe)[0-9a-f]*:[0-9a-f]+|fc[0-9a-f]{2}:[0-9a-f:]*|fd[0-9a-f]{2}:[0-9a-f:]*|fe[89ab][0-9a-f]:[0-9a-f:]*|0\.0\.0\.0|localhost)(?:\])?$/i;
|
|
19
|
+
// Extracts embedded IPv4 from IPv6-mapped address. Returns null if not a valid mapped address.
|
|
20
|
+
// Handles both decimal form (::ffff:127.0.0.1) and hex-normalized form (::ffff:7f00:1).
|
|
21
|
+
function extractIPv4FromMappedIPv6(host) {
|
|
22
|
+
const trimmed = host.replace(/[\[\]]/g, '');
|
|
23
|
+
// Try decimal form: ::ffff:x.x.x.x
|
|
24
|
+
const decimalMatch = /^::ffff:((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$/i.exec(trimmed);
|
|
25
|
+
if (decimalMatch) {
|
|
26
|
+
return decimalMatch[1];
|
|
27
|
+
}
|
|
28
|
+
// Try hex form: ::ffff:XXXX:XXXX where XXXX are hex digits
|
|
29
|
+
const hexMatch = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(trimmed);
|
|
30
|
+
if (hexMatch) {
|
|
31
|
+
const part1 = parseInt(hexMatch[1], 16);
|
|
32
|
+
const part2 = parseInt(hexMatch[2], 16);
|
|
33
|
+
const b1 = (part1 >> 8) & 0xff;
|
|
34
|
+
const b2 = part1 & 0xff;
|
|
35
|
+
const b3 = (part2 >> 8) & 0xff;
|
|
36
|
+
const b4 = part2 & 0xff;
|
|
37
|
+
return `${b1}.${b2}.${b3}.${b4}`;
|
|
38
|
+
}
|
|
39
|
+
return null;
|
|
40
|
+
}
|
|
41
|
+
// Canonicalize numeric IP encodings (decimal, octal, hex) to dotted-decimal form.
|
|
42
|
+
// Returns the canonical dotted-decimal form, or null if not a recognized numeric encoding.
|
|
43
|
+
function canonicalizeNumericIP(host) {
|
|
44
|
+
// Check for pure decimal encoding: 2130706433 (127.0.0.1 in decimal)
|
|
45
|
+
if (/^\d+$/.test(host)) {
|
|
46
|
+
const num = BigInt(host);
|
|
47
|
+
if (num >= 0n && num <= 0xffffffffn) {
|
|
48
|
+
const b1 = Number((num >> 24n) & 0xffn);
|
|
49
|
+
const b2 = Number((num >> 16n) & 0xffn);
|
|
50
|
+
const b3 = Number((num >> 8n) & 0xffn);
|
|
51
|
+
const b4 = Number(num & 0xffn);
|
|
52
|
+
return `${b1}.${b2}.${b3}.${b4}`;
|
|
53
|
+
}
|
|
54
|
+
return null;
|
|
55
|
+
}
|
|
56
|
+
// Check for octal/hex encoding in dot-separated parts: 0177.0.0.1, 0x7f.0.0.1, etc.
|
|
57
|
+
const parts = host.split('.');
|
|
58
|
+
if (parts.length >= 1 && parts.length <= 4) {
|
|
59
|
+
try {
|
|
60
|
+
const octets = [];
|
|
61
|
+
for (const part of parts) {
|
|
62
|
+
let value;
|
|
63
|
+
if (part.startsWith('0x') || part.startsWith('0X')) {
|
|
64
|
+
// Hex: 0x7f
|
|
65
|
+
value = parseInt(part, 16);
|
|
66
|
+
}
|
|
67
|
+
else if (part.startsWith('0') && part.length > 1 && /^[0-7]+$/.test(part.slice(1))) {
|
|
68
|
+
// Octal: 0177
|
|
69
|
+
value = parseInt(part, 8);
|
|
70
|
+
}
|
|
71
|
+
else if (/^\d+$/.test(part)) {
|
|
72
|
+
// Decimal: 127
|
|
73
|
+
value = parseInt(part, 10);
|
|
74
|
+
}
|
|
75
|
+
else {
|
|
76
|
+
// Not a numeric part
|
|
77
|
+
return null;
|
|
78
|
+
}
|
|
79
|
+
if (value < 0 || value > 255) {
|
|
80
|
+
return null;
|
|
81
|
+
}
|
|
82
|
+
octets.push(value);
|
|
83
|
+
}
|
|
84
|
+
// If we have fewer than 4 octets, it's a shorthand notation (not standard IP format)
|
|
85
|
+
// We'll only canonicalize if we have exactly 4 parts
|
|
86
|
+
if (octets.length === 4) {
|
|
87
|
+
return octets.join('.');
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
catch {
|
|
91
|
+
return null;
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
return null;
|
|
95
|
+
}
|
|
96
|
+
export function validateSsrfUrl(label, url) {
|
|
97
|
+
if (!ALLOWED_SCHEMES.has(url.protocol)) {
|
|
98
|
+
throw new Error(`${label}: scheme "${url.protocol}" is not allowed; use http: or https:`);
|
|
99
|
+
}
|
|
100
|
+
// Strip trailing dot from hostname to prevent FQDN FQDN bypasses (F-123)
|
|
101
|
+
// Node's URL parser preserves trailing dots, but they should be treated the same as the bare hostname
|
|
102
|
+
const hostname = url.hostname.replace(/\.$/, '');
|
|
103
|
+
// Check cloud metadata service FQDNs (case-insensitive)
|
|
104
|
+
const hostnameLower = hostname.toLowerCase();
|
|
105
|
+
if (BLOCKED_METADATA_FQDNS.has(hostnameLower)) {
|
|
106
|
+
throw new Error(`${label}: host "${url.hostname}" is a cloud metadata service endpoint`);
|
|
107
|
+
}
|
|
108
|
+
// Check cloud metadata service IPs
|
|
109
|
+
if (BLOCKED_METADATA_IPS.has(hostname)) {
|
|
110
|
+
throw new Error(`${label}: host "${url.hostname}" is a cloud metadata service endpoint`);
|
|
111
|
+
}
|
|
112
|
+
// Canonicalize and check numeric IP encodings (decimal, octal, hex)
|
|
113
|
+
const canonicalIP = canonicalizeNumericIP(hostname);
|
|
114
|
+
if (canonicalIP && BLOCKED_HOST_RE.test(canonicalIP)) {
|
|
115
|
+
throw new Error(`${label}: host "${url.hostname}" is a numeric encoding of a private or loopback address`);
|
|
116
|
+
}
|
|
117
|
+
if (BLOCKED_HOST_RE.test(hostname)) {
|
|
118
|
+
throw new Error(`${label}: host "${url.hostname}" resolves to a private or loopback address`);
|
|
119
|
+
}
|
|
120
|
+
// Explicitly check IPv4-mapped IPv6 addresses by extracting and validating the embedded IPv4
|
|
121
|
+
const embeddedIPv4 = extractIPv4FromMappedIPv6(hostname);
|
|
122
|
+
if (embeddedIPv4 && BLOCKED_HOST_RE.test(embeddedIPv4)) {
|
|
123
|
+
throw new Error(`${label}: host "${url.hostname}" contains a private or loopback IPv4 address`);
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
//# sourceMappingURL=ssrf.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ssrf.js","sourceRoot":"","sources":["../../src/security/ssrf.ts"],"names":[],"mappings":"AAAA,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAErD,yFAAyF;AACzF,4EAA4E;AAC5E,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,0BAA0B;IAC1B,oBAAoB;IACpB,cAAc;IACd,mBAAmB;CACpB,CAAC,CAAC;AAEH,oFAAoF;AACpF,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAE1D,0EAA0E;AAC1E,oDAAoD;AACpD,6FAA6F;AAC7F,kEAAkE;AAClE,4HAA4H;AAC5H,0EAA0E;AAC1E,MAAM,eAAe,GACnB,iaAAia,CAAC;AAEpa,+FAA+F;AAC/F,wFAAwF;AACxF,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAE5C,mCAAmC;IACnC,MAAM,YAAY,GAChB,uGAAuG,CAAC,IAAI,CAC1G,OAAO,CACR,CAAC;IACJ,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3E,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxC,MAAM,EAAE,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QAC/B,MAAM,EAAE,GAAG,KAAK,GAAG,IAAI,CAAC;QACxB,MAAM,EAAE,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QAC/B,MAAM,EAAE,GAAG,KAAK,GAAG,IAAI,CAAC;QACxB,OAAO,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,kFAAkF;AAClF,2FAA2F;AAC3F,SAAS,qBAAqB,CAAC,IAAY;IACzC,qEAAqE;IACrE,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QACzB,IAAI,GAAG,IAAI,EAAE,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;YACpC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;YACxC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;YACxC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;YACvC,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;YAC/B,OAAO,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;QACnC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oFAAoF;IACpF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,KAAa,CAAC;gBAClB,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnD,YAAY;oBACZ,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC7B,CAAC;qBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrF,cAAc;oBACd,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC5B,CAAC;qBAAM,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,eAAe;oBACf,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC7B,CAAC;qBAAM,CAAC;oBACN,qBAAqB;oBACrB,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;oBAC7B,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;YAED,qFAAqF;YACrF,qDAAqD;YACrD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,GAAQ;IACrD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,aAAa,GAAG,CAAC,QAAQ,uCAAuC,CAAC,CAAC;IAC5F,CAAC;IAED,yEAAyE;IACzE,sGAAsG;IACtG,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEjD,wDAAwD;IACxD,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7C,IAAI,sBAAsB,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,WAAW,GAAG,CAAC,QAAQ,wCAAwC,CAAC,CAAC;IAC3F,CAAC;IAED,mCAAmC;IACnC,IAAI,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,WAAW,GAAG,CAAC,QAAQ,wCAAwC,CAAC,CAAC;IAC3F,CAAC;IAED,oEAAoE;IACpE,MAAM,WAAW,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,WAAW,IAAI,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,WAAW,GAAG,CAAC,QAAQ,0DAA0D,CAC1F,CAAC;IACJ,CAAC;IAED,IAAI,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,WAAW,GAAG,CAAC,QAAQ,6CAA6C,CAAC,CAAC;IAChG,CAAC;IAED,6FAA6F;IAC7F,MAAM,YAAY,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IACzD,IAAI,YAAY,IAAI,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,WAAW,GAAG,CAAC,QAAQ,+CAA+C,CAAC,CAAC;IAClG,CAAC;AACH,CAAC"}
|
package/dist/server.d.ts
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
|
|
2
|
+
import type { ServerOptions } from './types.js';
|
|
3
|
+
export declare class NrMcpServer {
|
|
4
|
+
readonly server: Server;
|
|
5
|
+
private _auditTrailManager;
|
|
6
|
+
get auditTrailManager(): import('./security/audit-trail.js').AuditTrailManager | undefined;
|
|
7
|
+
set auditTrailManager(value: import('./security/audit-trail.js').AuditTrailManager | undefined);
|
|
8
|
+
constructor(options: ServerOptions);
|
|
9
|
+
private registerHandlers;
|
|
10
|
+
connectStdio(): Promise<void>;
|
|
11
|
+
close(): Promise<void>;
|
|
12
|
+
}
|
|
13
|
+
export declare function createServer(options?: Partial<ServerOptions>): NrMcpServer;
|
|
14
|
+
//# sourceMappingURL=server.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AASnE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD,qBAAa,WAAW;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,kBAAkB,CAAoE;IAE9F,IAAI,iBAAiB,IAAI,OAAO,2BAA2B,EAAE,iBAAiB,GAAG,SAAS,CAEzF;IAED,IAAI,iBAAiB,CAAC,KAAK,EAAE,OAAO,2BAA2B,EAAE,iBAAiB,GAAG,SAAS,EAE7F;gBAEW,OAAO,EAAE,aAAa;IAiBlC,OAAO,CAAC,gBAAgB;IA2DlB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAM7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAI7B;AAED,wBAAgB,YAAY,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,WAAW,CAuB1E"}
|
package/dist/server.js
ADDED
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
|
|
2
|
+
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
|
|
3
|
+
import { ListResourcesRequestSchema, ReadResourceRequestSchema, ErrorCode, McpError, } from '@modelcontextprotocol/sdk/types.js';
|
|
4
|
+
import { VERSION, createLogger } from './shared/index.js';
|
|
5
|
+
import { registerTools } from './tools/session-stats.js';
|
|
6
|
+
const logger = createLogger('mcp-server');
|
|
7
|
+
export class NrMcpServer {
|
|
8
|
+
server;
|
|
9
|
+
_auditTrailManager;
|
|
10
|
+
get auditTrailManager() {
|
|
11
|
+
return this._auditTrailManager;
|
|
12
|
+
}
|
|
13
|
+
set auditTrailManager(value) {
|
|
14
|
+
this._auditTrailManager = value;
|
|
15
|
+
}
|
|
16
|
+
constructor(options) {
|
|
17
|
+
const serverStartMs = Date.now();
|
|
18
|
+
this.server = new Server({ name: options.name, version: options.version }, {
|
|
19
|
+
capabilities: { tools: {}, resources: {}, logging: {} },
|
|
20
|
+
instructions: 'This server monitors tool usage for observability purposes. Metrics are sent to New Relic. ' +
|
|
21
|
+
'When token usage data is available after API calls, report it via nr_observe_report_tokens to enable cost tracking.',
|
|
22
|
+
});
|
|
23
|
+
this._auditTrailManager = options.auditTrailManager;
|
|
24
|
+
this.registerHandlers(options, serverStartMs);
|
|
25
|
+
logger.info('MCP server created', { name: options.name, version: options.version });
|
|
26
|
+
}
|
|
27
|
+
registerHandlers(options, serverStartMs) {
|
|
28
|
+
registerTools(this.server, {
|
|
29
|
+
sessionTracker: options.sessionTracker,
|
|
30
|
+
costTracker: options.costTracker,
|
|
31
|
+
taskDetector: options.taskDetector,
|
|
32
|
+
antiPatternDetector: options.antiPatternDetector,
|
|
33
|
+
efficiencyScorer: options.efficiencyScorer,
|
|
34
|
+
feedbackCollector: options.feedbackCollector,
|
|
35
|
+
sessionStore: options.sessionStore,
|
|
36
|
+
weeklySummaryGenerator: options.weeklySummaryGenerator,
|
|
37
|
+
trendAnalyzer: options.trendAnalyzer,
|
|
38
|
+
collaborationProfiler: options.collaborationProfiler,
|
|
39
|
+
claudeMdTracker: options.claudeMdTracker,
|
|
40
|
+
costPerOutcomeAnalyzer: options.costPerOutcomeAnalyzer,
|
|
41
|
+
recommendationEngine: options.recommendationEngine,
|
|
42
|
+
developer: options.developer,
|
|
43
|
+
teamId: options.teamId,
|
|
44
|
+
projectId: options.projectId,
|
|
45
|
+
sessionStartMs: serverStartMs,
|
|
46
|
+
});
|
|
47
|
+
this.server.setRequestHandler(ListResourcesRequestSchema, async () => {
|
|
48
|
+
const resources = [];
|
|
49
|
+
if (this.auditTrailManager) {
|
|
50
|
+
resources.push({
|
|
51
|
+
uri: 'nr-observe://session/audit-log',
|
|
52
|
+
name: 'Session Audit Log',
|
|
53
|
+
description: 'Security audit trail for the current session — all tool calls with classification and alerts',
|
|
54
|
+
mimeType: 'application/json',
|
|
55
|
+
});
|
|
56
|
+
}
|
|
57
|
+
return { resources };
|
|
58
|
+
});
|
|
59
|
+
this.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
|
|
60
|
+
try {
|
|
61
|
+
if (request.params.uri === 'nr-observe://session/audit-log' && this.auditTrailManager) {
|
|
62
|
+
const entries = this.auditTrailManager.getAuditLog();
|
|
63
|
+
return {
|
|
64
|
+
contents: [
|
|
65
|
+
{
|
|
66
|
+
uri: request.params.uri,
|
|
67
|
+
mimeType: 'application/json',
|
|
68
|
+
text: JSON.stringify(entries, null, 2),
|
|
69
|
+
},
|
|
70
|
+
],
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
throw new McpError(ErrorCode.InvalidRequest, `Unknown resource: ${request.params.uri}`);
|
|
74
|
+
}
|
|
75
|
+
catch (err) {
|
|
76
|
+
if (err instanceof McpError)
|
|
77
|
+
throw err;
|
|
78
|
+
logger.error('Resource handler error', { uri: request.params.uri, error: String(err) });
|
|
79
|
+
throw err;
|
|
80
|
+
}
|
|
81
|
+
});
|
|
82
|
+
}
|
|
83
|
+
async connectStdio() {
|
|
84
|
+
const transport = new StdioServerTransport();
|
|
85
|
+
await this.server.connect(transport);
|
|
86
|
+
logger.info('MCP server connected via stdio transport');
|
|
87
|
+
}
|
|
88
|
+
async close() {
|
|
89
|
+
await this.server.close();
|
|
90
|
+
logger.info('MCP server closed');
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
export function createServer(options) {
|
|
94
|
+
const resolved = {
|
|
95
|
+
name: options?.name ?? 'preflight',
|
|
96
|
+
version: options?.version ?? VERSION,
|
|
97
|
+
developer: options?.developer,
|
|
98
|
+
teamId: options?.teamId,
|
|
99
|
+
projectId: options?.projectId,
|
|
100
|
+
sessionTracker: options?.sessionTracker,
|
|
101
|
+
costTracker: options?.costTracker,
|
|
102
|
+
taskDetector: options?.taskDetector,
|
|
103
|
+
antiPatternDetector: options?.antiPatternDetector,
|
|
104
|
+
efficiencyScorer: options?.efficiencyScorer,
|
|
105
|
+
feedbackCollector: options?.feedbackCollector,
|
|
106
|
+
auditTrailManager: options?.auditTrailManager,
|
|
107
|
+
sessionStore: options?.sessionStore,
|
|
108
|
+
weeklySummaryGenerator: options?.weeklySummaryGenerator,
|
|
109
|
+
trendAnalyzer: options?.trendAnalyzer,
|
|
110
|
+
collaborationProfiler: options?.collaborationProfiler,
|
|
111
|
+
claudeMdTracker: options?.claudeMdTracker,
|
|
112
|
+
costPerOutcomeAnalyzer: options?.costPerOutcomeAnalyzer,
|
|
113
|
+
recommendationEngine: options?.recommendationEngine,
|
|
114
|
+
};
|
|
115
|
+
return new NrMcpServer(resolved);
|
|
116
|
+
}
|
|
117
|
+
//# sourceMappingURL=server.js.map
|