@optimizely-opal/opal-tool-ocp-sdk 1.0.0-beta.9 → 1.0.0

package/src/logging/ToolLogger.test.ts

@@ -88,6 +88,30 @@ describe('ToolLogger', () => {
     return response;
   };
 
+  const createMockResponseWithBody = (
+    status: number,
+    bodyData: Uint8Array | undefined,
+    contentType: string
+  ): App.Response => {
+    const mockHeaders = {
+      get: jest.fn().mockReturnValue(contentType)
+    };
+
+    const response = {
+      status,
+      headers: mockHeaders
+    } as any;
+
+    Object.defineProperty(response, 'bodyAsU8Array', {
+      get() {
+        return bodyData;
+      },
+      enumerable: true
+    });
+
+    return response;
+  };
+
   describe('logRequest', () => {
     it('should log request with parameters', () => {
       const req = createMockRequest();
@@ -240,7 +264,7 @@ describe('ToolLogger', () => {
         path: '/test-tool',
         method: 'POST',
         parameters: {
-          description: `${'a'.repeat(100)}... (truncated, 150 chars total)`,
+          description: `${'a'.repeat(118)}...[22 truncated]...${'a'.repeat(10)}`,
           short_field: 'normal'
         }
       });
@@ -265,8 +289,8 @@ describe('ToolLogger', () => {
         method: 'POST',
         parameters: {
           items: [
-            ...largeArray.slice(0, 10),
-            '... (5 more items truncated)'
+            ...largeArray.slice(0, 2),
+            '... (13 more items truncated)'
           ],
           small_array: ['a', 'b']
         }
@@ -420,6 +444,21 @@ describe('ToolLogger', () => {
       // Should not throw error or cause infinite recursion
       expect(() => ToolLogger.logRequest(req)).not.toThrow();
       expect(mockLogger.info).toHaveBeenCalled();
+
+      // Verify that deeply nested parts are replaced with placeholder
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      // Navigate to a deeply nested level that should be truncated
+      // At maxDepth=5, objects beyond depth 5 should be replaced
+      const nested1 = loggedData.parameters.deep.nested;
+      expect(nested1).toBeDefined(); // depth 2
+      const nested2 = nested1.nested;
+      expect(nested2).toBeDefined(); // depth 3
+      const nested3 = nested2.nested;
+      expect(nested3).toBeDefined(); // depth 4
+      const nested4 = nested3.nested;
+      expect(nested4).toBe('[MAX_DEPTH_EXCEEDED]'); // depth 5, should be truncated
     });
 
     it('should replace deeply nested objects with MAX_DEPTH_EXCEEDED placeholder', () => {
@@ -465,6 +504,7 @@ describe('ToolLogger', () => {
         level1: {
           items: [
             {
+              shallow: 'data',
               level2: {
                 level3: {
                   level4: {
@@ -504,9 +544,12 @@ describe('ToolLogger', () => {
       const loggedData = JSON.parse(logCall[1]);
 
       const items = loggedData.parameters.level1.items;
+      expect(items.length).toBe(3);
 
       // First item: deeply nested object with inner parts replaced by placeholder
+      // shallow object should be processed normally
       expect(items[0]).toEqual({
+        shallow: 'data',
         level2: {
           level3: {
             level4: '[MAX_DEPTH_EXCEEDED]'
@@ -516,18 +559,6 @@ describe('ToolLogger', () => {
 
       // Second item: simple string should remain unchanged
       expect(items[1]).toBe('simple-item');
-
-      // Third item: shallow object should be processed normally
-      expect(items[2]).toEqual({ shallow: 'data' });
-
-      // Fourth item: another deeply nested object with inner parts replaced by placeholder
-      expect(items[3]).toEqual({
-        level2: {
-          level3: {
-            level4: '[MAX_DEPTH_EXCEEDED]'
-          }
-        }
-      });
     });
   });
 
@@ -545,7 +576,8 @@ describe('ToolLogger', () => {
         status: 200,
         contentType: 'application/json',
         contentLength: 34, // JSON.stringify({ result: 'success', data: 'test' }).length
-        success: true
+        success: true,
+        responseBody: { result: 'success', data: 'test' }
       };
 
       expect(mockLogger.info).toHaveBeenCalledWith(
@@ -567,14 +599,14 @@ describe('ToolLogger', () => {
         status: 400,
         contentType: 'application/json',
         contentLength: 23,
-        success: false
+        success: false,
+        responseBody: { error: 'Bad request' }
       });
     });
 
-    it('should handle response without bodyJSON', () => {
+    it('should handle response without body data', () => {
       const req = createMockRequest();
-      const response = createMockResponse(204);
-      response.bodyJSON = undefined;
+      const response = createMockResponseWithBody(204, undefined, 'application/json');
 
       ToolLogger.logResponse(req, response);
 
@@ -600,11 +632,12 @@ describe('ToolLogger', () => {
         status: 200,
         contentType: 'application/json',
         contentLength: 15,
-        success: true
+        success: true,
+        responseBody: { data: 'test' }
       });
     });
 
-    it('should handle unknown content type', () => {
+    it('should handle unknown content type - response body not logged', () => {
       const req = createMockRequest();
       const response = createMockResponse(200, { data: 'test' });
       response.headers.get = jest.fn().mockReturnValue(null);
@@ -623,21 +656,35 @@ describe('ToolLogger', () => {
 
     it('should handle content length calculation error', () => {
       const req = createMockRequest();
-      const circularObj: any = { name: 'test' };
-      circularObj.self = circularObj; // Create circular reference
 
-      const response = createMockResponse(200, circularObj);
-
-      ToolLogger.logResponse(req, response);
+      // Simulate a response that will cause errors when trying to calculate content length
+      // by providing a Uint8Array but the underlying data causes issues
+      const mockHeaders = {
+        get: jest.fn().mockReturnValue('application/json')
+      };
 
-      expectJsonLog({
-        event: 'opal_tool_response',
-        path: '/test-tool',
+      const response = {
         status: 200,
-        contentType: 'application/json',
-        contentLength: 'unknown',
-        success: true
+        headers: mockHeaders
+      } as any;
+
+      // Create a getter that throws when accessed (simulating serialization error)
+      Object.defineProperty(response, 'bodyAsU8Array', {
+        get() {
+          throw new Error('Circular structure');
+        },
+        enumerable: true
       });
+
+      ToolLogger.logResponse(req, response);
+
+      // The error causes both contentLength and responseBody to fail gracefully
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.event).toBe('opal_tool_response');
+      expect(loggedData.contentLength).toBe('unknown');
+      expect(loggedData.responseBody).toBeUndefined();
     });
 
     it('should correctly identify success status codes', () => {
@@ -659,14 +706,16 @@ describe('ToolLogger', () => {
         const response = createMockResponse(status);
         ToolLogger.logResponse(req, response);
 
-        expectJsonLog({
-          event: 'opal_tool_response',
-          path: '/test-tool',
-          status,
-          contentType: 'application/json',
-          contentLength: 2,
-          success: expected
-        });
+        const logCall = mockLogger.info.mock.calls[0];
+        const loggedData = JSON.parse(logCall[1]);
+
+        expect(loggedData.event).toBe('opal_tool_response');
+        expect(loggedData.path).toBe('/test-tool');
+        expect(loggedData.status).toBe(status);
+        expect(loggedData.contentType).toBe('application/json');
+        expect(loggedData.contentLength).toBe(2);
+        expect(loggedData.success).toBe(expected);
+        expect(loggedData.responseBody).toEqual({});
       });
     });
 
@@ -674,29 +723,148 @@ describe('ToolLogger', () => {
       const req = createMockRequest();
 
       const testCases = [
-        'application/json',
-        'text/plain',
-        'application/xml',
-        'text/html'
+        { contentType: 'application/json', expectedBody: { data: 'test' } },
+        { contentType: 'text/plain', expectedBody: '{"data":"test"}' },
+        { contentType: 'text/html', expectedBody: '{"data":"test"}' }
       ];
 
-      testCases.forEach((contentType) => {
+      testCases.forEach(({ contentType, expectedBody }) => {
         mockLogger.info.mockClear();
         const response = createMockResponse(200, { data: 'test' });
         response.headers.get = jest.fn().mockReturnValue(contentType);
 
         ToolLogger.logResponse(req, response);
 
-        expectJsonLog({
-          event: 'opal_tool_response',
-          path: '/test-tool',
-          status: 200,
-          contentType,
-          contentLength: 15,
-          success: true
-        });
+        const logCall = mockLogger.info.mock.calls[0];
+        const loggedData = JSON.parse(logCall[1]);
+
+        expect(loggedData.event).toBe('opal_tool_response');
+        expect(loggedData.path).toBe('/test-tool');
+        expect(loggedData.status).toBe(200);
+        expect(loggedData.contentType).toBe(contentType);
+        expect(loggedData.contentLength).toBe(15);
+        expect(loggedData.success).toBe(true);
+        expect(loggedData.responseBody).toEqual(expectedBody);
+      });
+    });
+
+    it('should log short successful response body', () => {
+      const req = createMockRequest();
+      const response = createMockResponse(200, { result: 'success', data: 'test' });
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toEqual({ result: 'success', data: 'test' });
+      expect(loggedData.success).toBe(true);
+    });
+
+    it('should truncate long successful response body to 256 chars', () => {
+      const req = createMockRequest();
+      const longData = 'a'.repeat(300);
+      const response = createMockResponse(200, { message: longData });
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      // The response body should be truncated when stringified
+      expect(loggedData.responseBody.message).toContain(' truncated]...');
+    });
+
+    it('truncates long properties of failed responses', () => {
+      const req = createMockRequest();
+      const longData = 'a'.repeat(150);
+      const response = createMockResponse(400, { error: 'Bad request', details: longData });
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      // Failed responses should include full body, not truncated
+      expect(loggedData.responseBody.error).toEqual('Bad request');
+      expect(loggedData.responseBody.details).toContain(' truncated]...');
+      expect(loggedData.success).toBe(false);
+    });
+
+    it('should redact sensitive data in response body', () => {
+      const req = createMockRequest();
+      const response = createMockResponse(200, {
+        user: 'john',
+        password: 'secret123',
+        api_key: 'key456',
+        data: 'public'
+      });
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toEqual({
+        user: 'john',
+        password: '[REDACTED]',
+        api_key: '[REDACTED]',
+        data: 'public'
       });
     });
+
+    it('should handle response with no body', () => {
+      const req = createMockRequest();
+      const response = createMockResponseWithBody(204, undefined, 'application/json');
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toBeUndefined();
+      expect(loggedData.success).toBe(true);
+    });
+
+    it('should handle plain text response body', () => {
+      const req = createMockRequest();
+      const plainText = 'This is a plain text response';
+      const response = createMockResponseWithBody(200, new Uint8Array(Buffer.from(plainText)), 'text/plain');
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toBe(plainText);
+    });
+
+    it('should truncate long plain text successful responses', () => {
+      const req = createMockRequest();
+      const longText = 'a'.repeat(300);
+      const response = createMockResponseWithBody(200, new Uint8Array(Buffer.from(longText)), 'text/plain');
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toBe(`${'a'.repeat(256)}... (truncated)`);
+    });
+
+    it('should not truncate long plain text failed responses', () => {
+      const req = createMockRequest();
+      const longText = 'a'.repeat(150);
+      const response = createMockResponseWithBody(500, new Uint8Array(Buffer.from(longText)), 'text/plain');
+
+      ToolLogger.logResponse(req, response);
+
+      const logCall = mockLogger.info.mock.calls[0];
+      const loggedData = JSON.parse(logCall[1]);
+
+      expect(loggedData.responseBody).toBe(longText);
+      expect(loggedData.success).toBe(false);
+    });
   });
 
   describe('edge cases', () => {
@@ -743,7 +911,7 @@ describe('ToolLogger', () => {
             string: 'text',
             number: 42,
             boolean: true,
-            array: [1, 2, 3],
+            array: [1, 2],
             object: { nested: 'value' },
             nullValue: null,
             password: 'secret'
@@ -761,7 +929,7 @@ describe('ToolLogger', () => {
           string: 'text',
           number: 42,
           boolean: true,
-          array: [1, 2, 3],
+          array: [1, 2],
           object: { nested: 'value' },
           nullValue: null,
           password: '[REDACTED]'
@@ -841,24 +1009,7 @@ describe('ToolLogger', () => {
                   description: 'OVERRIDDEN: Enhanced minimum detectable effect calculation',
                   required: true
                 },
-                {
-                  name: 'sigLevel',
-                  type: 'number',
-                  description: 'OVERRIDDEN: Enhanced statistical significance level',
-                  required: true
-                },
-                {
-                  name: 'numVariations',
-                  type: 'number',
-                  description: 'OVERRIDDEN: Enhanced number of variations handling',
-                  required: true
-                },
-                {
-                  name: 'dailyVisitors',
-                  type: 'number',
-                  description: 'OVERRIDDEN: Enhanced daily visitor count with forecasting',
-                  required: true
-                }
+                '... (3 more items truncated)'
               ]
             }
           ]

package/src/logging/ToolLogger.ts

@@ -1,6 +1,10 @@
 import { logger, LogVisibility } from '@zaiusinc/app-sdk';
 import * as App from '@zaiusinc/app-sdk';
 
+const MAX_PARAM_LOG_LENGTH = 128;
+const MAX_BODY_LOG_LENGTH = 256;
+const MAX_ARRAY_ITEMS = 2;
+
 /**
  * Utility class for logging Opal tool requests and responses with security considerations
  */
@@ -48,13 +52,13 @@ export class ToolLogger {
     'bearer_token'
   ];
 
-  private static readonly MAX_PARAM_LENGTH = 100;
-  private static readonly MAX_ARRAY_ITEMS = 10;
-
   /**
    * Redacts sensitive data from an object
    */
-  private static redactSensitiveData(data: any, maxDepth = 5): any {
+  private static redactSensitiveDataAndTruncate(data: any, maxDepth = 5, accumulatedLength = 0): any {
+    if (accumulatedLength > MAX_BODY_LOG_LENGTH) {
+      return '';
+    }
     if (maxDepth <= 0) {
       return '[MAX_DEPTH_EXCEEDED]';
     }
@@ -64,9 +68,13 @@ export class ToolLogger {
     }
 
     if (typeof data === 'string') {
-      return data.length > this.MAX_PARAM_LENGTH
-        ? `${data.substring(0, this.MAX_PARAM_LENGTH)}... (truncated, ${data.length} chars total)`
-        : data;
+      if (data.length > MAX_PARAM_LOG_LENGTH) {
+        const lead = data.substring(0, MAX_PARAM_LOG_LENGTH - 10);
+        const tail = data.substring(data.length - 10);
+        return `${lead}...[${data.length - MAX_PARAM_LOG_LENGTH} truncated]...${tail}`;
+      } else {
+        return data;
+      }
     }
 
     if (typeof data === 'number' || typeof data === 'boolean') {
@@ -74,10 +82,10 @@ export class ToolLogger {
     }
 
     if (Array.isArray(data)) {
-      const truncated = data.slice(0, this.MAX_ARRAY_ITEMS);
-      const result = truncated.map((item) => this.redactSensitiveData(item, maxDepth));
-      if (data.length > this.MAX_ARRAY_ITEMS) {
-        result.push(`... (${data.length - this.MAX_ARRAY_ITEMS} more items truncated)`);
+      const truncated = data.slice(0, MAX_ARRAY_ITEMS);
+      const result = truncated.map((item) => this.redactSensitiveDataAndTruncate(item, maxDepth, accumulatedLength));
+      if (data.length > MAX_ARRAY_ITEMS) {
+        result.push(`... (${data.length - MAX_ARRAY_ITEMS} more items truncated)`);
       }
       return result;
     }
@@ -85,13 +93,20 @@ export class ToolLogger {
     if (typeof data === 'object') {
       const result: any = {};
       for (const [key, value] of Object.entries(data)) {
+        if (accumulatedLength > MAX_BODY_LOG_LENGTH) {
+          break;
+        }
         // Check if this field contains sensitive data
         const isSensitive = this.isSensitiveField(key);
 
         if (isSensitive) {
           result[key] = '[REDACTED]';
         } else {
-          result[key] = this.redactSensitiveData(value, maxDepth - 1);
+          result[key] = this.redactSensitiveDataAndTruncate(value, maxDepth - 1, accumulatedLength);
+        }
+
+        if (result[key]) {
+          accumulatedLength += JSON.stringify(result[key]).length;
         }
       }
       return result;
@@ -118,7 +133,7 @@ export class ToolLogger {
       return null;
     }
 
-    return this.redactSensitiveData(params);
+    return this.redactSensitiveDataAndTruncate(params);
   }
 
   /**
@@ -136,6 +151,99 @@ export class ToolLogger {
     }
   }
 
+  /**
+   * Extracts the response body as a string or parsed JSON object
+   */
+  private static getResponseBody(response?: App.Response): any {
+    if (!response) {
+      return null;
+    }
+
+    try {
+      const contentType = response.headers?.get('content-type') || '';
+      const isJson = contentType.includes('application/json') || contentType.includes('application/problem+json');
+      const isText = contentType.startsWith('text/');
+
+      if (!isJson && !isText) {
+        return null;
+      }
+
+      // Try to access bodyAsU8Array - this may throw
+      const bodyData = response.bodyAsU8Array;
+      if (!bodyData) {
+        return null;
+      }
+
+      // Convert Uint8Array to string
+      const bodyString = Buffer.from(bodyData).toString();
+      if (!bodyString) {
+        return null;
+      }
+
+      // Try to parse as JSON if content-type indicates JSON
+      if (isJson) {
+        try {
+          return JSON.parse(bodyString);
+        } catch {
+          // If JSON parsing fails, return as string
+          return bodyString;
+        }
+      }
+
+      // Return as plain text for non-JSON content types
+      return bodyString;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Creates a summary of response body with security redaction and truncation
+   * For failed responses (4xx, 5xx): returns full body with redacted sensitive data
+   * For successful responses (2xx): returns first 100 chars with redacted sensitive data
+   */
+  private static createResponseBodySummary(response?: App.Response, success?: boolean): any {
+    const body = this.getResponseBody(response);
+    if (body === null || body === undefined) {
+      return null;
+    }
+
+    // For objects (parsed JSON), apply redaction
+    if (typeof body === 'object') {
+      // For failed responses, don't truncate strings within the object
+      const redactedBody = this.redactSensitiveDataAndTruncate(body, 5);
+
+      // For successful responses, truncate to first MAX_BODY_LOG_LENGTH chars
+      if (success) {
+        const bodyString = JSON.stringify(redactedBody);
+        if (bodyString.length > MAX_BODY_LOG_LENGTH) {
+          const truncated = bodyString.substring(0, MAX_BODY_LOG_LENGTH);
+          return `${truncated}... (truncated)`;
+        }
+        return redactedBody;
+      }
+
+      // For failed responses, return full redacted body
+      return redactedBody;
+    }
+
+    // For strings (plain text or unparseable JSON)
+    if (typeof body === 'string') {
+      // For successful responses, truncate to first 100 chars
+      if (success) {
+        if (body.length > MAX_BODY_LOG_LENGTH) {
+          return `${body.substring(0, MAX_BODY_LOG_LENGTH)}... (truncated)`;
+        }
+        return body;
+      }
+
+      // For failed responses, return full body
+      return body;
+    }
+
+    return body;
+  }
+
   /**
    * Logs an incoming request
    */
@@ -162,16 +270,22 @@ export class ToolLogger {
     response: App.Response,
     processingTimeMs?: number
   ): void {
-    const responseLog = {
+    const success = response.status >= 200 && response.status < 300;
+    const responseLog: any = {
       event: 'opal_tool_response',
       path: req.path,
       duration: processingTimeMs ? `${processingTimeMs}ms` : undefined,
       status: response.status,
       contentType: response.headers?.get('content-type') || 'unknown',
       contentLength: this.calculateContentLength(response),
-      success: response.status >= 200 && response.status < 300
+      success
     };
 
+    const responseBodySummary = this.createResponseBodySummary(response, success);
+    if (responseBodySummary) {
+      responseLog.responseBody = responseBodySummary;
+    }
+
     // Log with Zaius audience so developers only see requests for accounts they have access to
     logger.info(LogVisibility.Zaius, JSON.stringify(responseLog));
   }