@pan-sec/notebooklm-mcp 1.4.0

package/dist/utils/audit-logger.js

@@ -0,0 +1,361 @@
+/**
+ * Audit Logger for NotebookLM MCP Server
+ *
+ * Provides comprehensive audit logging with:
+ * - Tool invocation logging
+ * - Authentication event logging
+ * - Session lifecycle logging
+ * - Security event logging
+ * - Tamper detection via hash chaining
+ * - Log rotation and retention
+ *
+ * Added by Pantheon Security for hardened fork.
+ */
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+import { CONFIG } from "../config.js";
+import { sanitizeForLogging } from "./security.js";
+/**
+ * Get audit configuration from environment
+ */
+function getAuditConfig() {
+    return {
+        enabled: process.env.NLMCP_AUDIT_ENABLED !== "false",
+        logDir: process.env.NLMCP_AUDIT_DIR || path.join(CONFIG.dataDir, "audit"),
+        retentionDays: parseInt(process.env.NLMCP_AUDIT_RETENTION_DAYS || "30", 10),
+        includeDetails: process.env.NLMCP_AUDIT_INCLUDE_DETAILS !== "false",
+        hashChainEnabled: process.env.NLMCP_AUDIT_HASH_CHAIN !== "false",
+    };
+}
+/**
+ * Audit Logger Class
+ *
+ * Thread-safe audit logging with hash chain integrity verification.
+ */
+export class AuditLogger {
+    config;
+    currentLogFile = "";
+    previousHash = "GENESIS";
+    writeQueue = [];
+    isWriting = false;
+    stats = {
+        totalEvents: 0,
+        toolEvents: 0,
+        authEvents: 0,
+        sessionEvents: 0,
+        securityEvents: 0,
+        systemEvents: 0,
+    };
+    constructor(config) {
+        this.config = { ...getAuditConfig(), ...config };
+        if (this.config.enabled) {
+            this.ensureLogDirectory();
+            this.initializeLogFile();
+            this.cleanOldLogs();
+        }
+    }
+    /**
+     * Ensure audit log directory exists
+     */
+    ensureLogDirectory() {
+        if (!fs.existsSync(this.config.logDir)) {
+            fs.mkdirSync(this.config.logDir, { recursive: true, mode: 0o700 });
+        }
+    }
+    /**
+     * Initialize log file for today
+     */
+    initializeLogFile() {
+        const today = new Date().toISOString().split("T")[0];
+        this.currentLogFile = path.join(this.config.logDir, `audit-${today}.jsonl`);
+        // Read last hash from existing file if present
+        if (fs.existsSync(this.currentLogFile)) {
+            try {
+                const content = fs.readFileSync(this.currentLogFile, "utf-8");
+                const lines = content.trim().split("\n").filter(l => l.length > 0);
+                if (lines.length > 0) {
+                    const lastEvent = JSON.parse(lines[lines.length - 1]);
+                    this.previousHash = lastEvent.hash;
+                }
+            }
+            catch {
+                // Start fresh if file is corrupted
+                this.previousHash = "GENESIS";
+            }
+        }
+    }
+    /**
+     * Clean up old log files based on retention policy
+     */
+    cleanOldLogs() {
+        try {
+            const files = fs.readdirSync(this.config.logDir);
+            const cutoffDate = new Date();
+            cutoffDate.setDate(cutoffDate.getDate() - this.config.retentionDays);
+            for (const file of files) {
+                if (!file.startsWith("audit-") || !file.endsWith(".jsonl"))
+                    continue;
+                // Extract date from filename (audit-YYYY-MM-DD.jsonl)
+                const dateStr = file.slice(6, 16);
+                const fileDate = new Date(dateStr);
+                if (fileDate < cutoffDate) {
+                    fs.unlinkSync(path.join(this.config.logDir, file));
+                }
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+    /**
+     * Compute hash for an event (includes previous hash for chaining)
+     */
+    computeHash(event) {
+        const data = JSON.stringify({
+            timestamp: event.timestamp,
+            eventType: event.eventType,
+            eventName: event.eventName,
+            success: event.success,
+            duration_ms: event.duration_ms,
+            details: event.details,
+            previousHash: event.previousHash,
+        });
+        return crypto.createHash("sha256").update(data).digest("hex").slice(0, 16);
+    }
+    /**
+     * Sanitize details object for logging (remove sensitive data)
+     */
+    sanitizeDetails(details) {
+        const sanitized = {};
+        for (const [key, value] of Object.entries(details)) {
+            // Skip sensitive keys entirely
+            if (/password|secret|token|key|credential|auth/i.test(key)) {
+                sanitized[key] = "[REDACTED]";
+                continue;
+            }
+            // Sanitize string values
+            if (typeof value === "string") {
+                sanitized[key] = sanitizeForLogging(value);
+            }
+            else if (typeof value === "object" && value !== null) {
+                // Recursively sanitize objects
+                sanitized[key] = this.sanitizeDetails(value);
+            }
+            else {
+                sanitized[key] = value;
+            }
+        }
+        return sanitized;
+    }
+    /**
+     * Write event to log file
+     */
+    async writeEvent(event) {
+        this.writeQueue.push(event);
+        if (this.isWriting)
+            return;
+        this.isWriting = true;
+        try {
+            while (this.writeQueue.length > 0) {
+                const batch = this.writeQueue.splice(0, 100); // Write up to 100 events at once
+                const lines = batch.map(e => JSON.stringify(e)).join("\n") + "\n";
+                // Check if we need to rotate to new day's file
+                const today = new Date().toISOString().split("T")[0];
+                const expectedFile = path.join(this.config.logDir, `audit-${today}.jsonl`);
+                if (this.currentLogFile !== expectedFile) {
+                    this.currentLogFile = expectedFile;
+                }
+                fs.appendFileSync(this.currentLogFile, lines, { mode: 0o600 });
+            }
+        }
+        finally {
+            this.isWriting = false;
+        }
+    }
+    /**
+     * Log a generic event
+     */
+    async log(eventType, eventName, success, details = {}, duration_ms) {
+        if (!this.config.enabled)
+            return;
+        // Update stats
+        this.stats.totalEvents++;
+        this.stats[`${eventType}Events`]++;
+        const sanitizedDetails = this.config.includeDetails
+            ? this.sanitizeDetails(details)
+            : {};
+        const eventWithoutHash = {
+            timestamp: new Date().toISOString(),
+            eventType,
+            eventName,
+            success,
+            duration_ms,
+            details: sanitizedDetails,
+            previousHash: this.config.hashChainEnabled ? this.previousHash : "",
+        };
+        const hash = this.config.hashChainEnabled
+            ? this.computeHash(eventWithoutHash)
+            : "";
+        const event = {
+            ...eventWithoutHash,
+            hash,
+        };
+        if (this.config.hashChainEnabled) {
+            this.previousHash = hash;
+        }
+        await this.writeEvent(event);
+    }
+    // ============================================================================
+    // Public Logging Methods
+    // ============================================================================
+    /**
+     * Log a tool invocation
+     */
+    async logToolCall(toolName, args, success, duration_ms, error) {
+        await this.log("tool", toolName, success, {
+            args_summary: this.summarizeArgs(args),
+            error: error ? sanitizeForLogging(error) : undefined,
+        }, duration_ms);
+    }
+    /**
+     * Log an authentication event
+     */
+    async logAuthEvent(eventName, success, details = {}) {
+        await this.log("auth", eventName, success, details);
+    }
+    /**
+     * Log a session lifecycle event
+     */
+    async logSessionEvent(eventName, sessionId, details = {}) {
+        await this.log("session", eventName, true, {
+            session_id: sessionId,
+            ...details,
+        });
+    }
+    /**
+     * Log a security event
+     */
+    async logSecurityEvent(eventName, severity, details = {}) {
+        const success = severity === "info";
+        await this.log("security", eventName, success, {
+            severity,
+            ...details,
+        });
+    }
+    /**
+     * Log a system event
+     */
+    async logSystemEvent(eventName, details = {}) {
+        await this.log("system", eventName, true, details);
+    }
+    // ============================================================================
+    // Helper Methods
+    // ============================================================================
+    /**
+     * Summarize tool arguments (avoid logging full content)
+     */
+    summarizeArgs(args) {
+        const summary = {};
+        for (const [key, value] of Object.entries(args)) {
+            if (typeof value === "string") {
+                // Log length for long strings, actual value for short ones
+                if (value.length > 100) {
+                    summary[key] = `[string, ${value.length} chars]`;
+                }
+                else {
+                    summary[key] = sanitizeForLogging(value);
+                }
+            }
+            else if (Array.isArray(value)) {
+                summary[key] = `[array, ${value.length} items]`;
+            }
+            else if (typeof value === "object" && value !== null) {
+                summary[key] = `[object]`;
+            }
+            else {
+                summary[key] = value;
+            }
+        }
+        return summary;
+    }
+    /**
+     * Get audit statistics
+     */
+    getStats() {
+        return { ...this.stats };
+    }
+    /**
+     * Verify integrity of audit log file
+     */
+    async verifyIntegrity(logFile) {
+        const file = logFile || this.currentLogFile;
+        const errors = [];
+        if (!fs.existsSync(file)) {
+            return { valid: false, errors: ["Log file does not exist"] };
+        }
+        try {
+            const content = fs.readFileSync(file, "utf-8");
+            const lines = content.trim().split("\n").filter(l => l.length > 0);
+            let expectedPreviousHash = "GENESIS";
+            for (let i = 0; i < lines.length; i++) {
+                try {
+                    const event = JSON.parse(lines[i]);
+                    // Verify hash chain
+                    if (this.config.hashChainEnabled) {
+                        if (event.previousHash !== expectedPreviousHash) {
+                            errors.push(`Line ${i + 1}: Hash chain broken. Expected previous hash ${expectedPreviousHash}, got ${event.previousHash}`);
+                        }
+                        // Recompute hash to verify
+                        const { hash, ...eventWithoutHash } = event;
+                        const computedHash = this.computeHash(eventWithoutHash);
+                        if (computedHash !== hash) {
+                            errors.push(`Line ${i + 1}: Hash mismatch. Event may have been tampered.`);
+                        }
+                        expectedPreviousHash = event.hash;
+                    }
+                }
+                catch (e) {
+                    errors.push(`Line ${i + 1}: Invalid JSON`);
+                }
+            }
+            return { valid: errors.length === 0, errors };
+        }
+        catch (e) {
+            return { valid: false, errors: [`Failed to read log file: ${e}`] };
+        }
+    }
+    /**
+     * Force flush any pending writes
+     */
+    async flush() {
+        // Wait for any pending writes to complete
+        while (this.isWriting || this.writeQueue.length > 0) {
+            await new Promise(resolve => setTimeout(resolve, 10));
+        }
+    }
+}
+/**
+ * Global audit logger instance
+ */
+let globalAuditLogger = null;
+/**
+ * Get or create the global audit logger
+ */
+export function getAuditLogger() {
+    if (!globalAuditLogger) {
+        globalAuditLogger = new AuditLogger();
+    }
+    return globalAuditLogger;
+}
+/**
+ * Convenience functions for quick logging
+ */
+export const audit = {
+    tool: (name, args, success, duration_ms, error) => getAuditLogger().logToolCall(name, args, success, duration_ms, error),
+    auth: (event, success, details) => getAuditLogger().logAuthEvent(event, success, details),
+    session: (event, sessionId, details) => getAuditLogger().logSessionEvent(event, sessionId, details),
+    security: (event, severity, details) => getAuditLogger().logSecurityEvent(event, severity, details),
+    system: (event, details) => getAuditLogger().logSystemEvent(event, details),
+};
+//# sourceMappingURL=audit-logger.js.map

package/dist/utils/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/utils/audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAqCnD;;GAEG;AACH,SAAS,cAAc;IACrB,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,OAAO;QACpD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC;QACzE,aAAa,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,IAAI,EAAE,EAAE,CAAC;QAC3E,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,OAAO;QACnE,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO;KACjE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACd,MAAM,CAAc;IACpB,cAAc,GAAW,EAAE,CAAC;IAC5B,YAAY,GAAW,SAAS,CAAC;IACjC,UAAU,GAAiB,EAAE,CAAC;IAC9B,SAAS,GAAY,KAAK,CAAC;IAC3B,KAAK,GAAG;QACd,WAAW,EAAE,CAAC;QACd,UAAU,EAAE,CAAC;QACb,UAAU,EAAE,CAAC;QACb,aAAa,EAAE,CAAC;QAChB,cAAc,EAAE,CAAC;QACjB,YAAY,EAAE,CAAC;KAChB,CAAC;IAEF,YAAY,MAA6B;QACvC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC;QAEjD,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzB,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,kBAAkB;QACxB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,iBAAiB;QACvB,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,KAAK,QAAQ,CAAC,CAAC;QAE5E,+CAA+C;QAC/C,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;gBAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACnE,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAe,CAAC;oBACpE,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC;gBACrC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;gBACnC,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,YAAY;QAClB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC;YAC9B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAErE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAErE,sDAAsD;gBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAClC,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEnC,IAAI,QAAQ,GAAG,UAAU,EAAE,CAAC;oBAC1B,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAA+B;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,YAAY,EAAE,KAAK,CAAC,YAAY;SACjC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,OAAgC;QACtD,MAAM,SAAS,GAA4B,EAAE,CAAC;QAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,+BAA+B;YAC/B,IAAI,4CAA4C,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3D,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;gBAC9B,SAAS;YACX,CAAC;YAED,yBAAyB;YACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,SAAS,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAC7C,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACvD,+BAA+B;gBAC/B,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,KAAgC,CAAC,CAAC;YAC1E,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CAAC,KAAiB;QACxC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE5B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO;QAE3B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAEtB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,iCAAiC;gBAC/E,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;gBAElE,+CAA+C;gBAC/C,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,KAAK,QAAQ,CAAC,CAAC;gBAC3E,IAAI,IAAI,CAAC,cAAc,KAAK,YAAY,EAAE,CAAC;oBACzC,IAAI,CAAC,cAAc,GAAG,YAAY,CAAC;gBACrC,CAAC;gBAED,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,GAAG,CACf,SAAyB,EACzB,SAAiB,EACjB,OAAgB,EAChB,UAAmC,EAAE,EACrC,WAAoB;QAEpB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO;QAEjC,eAAe;QACf,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK,CAAC,GAAG,SAAS,QAAmC,CAAC,EAAE,CAAC;QAE9D,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc;YACjD,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;YAC/B,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,gBAAgB,GAA6B;YACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS;YACT,SAAS;YACT,OAAO;YACP,WAAW;YACX,OAAO,EAAE,gBAAgB;YACzB,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE;SACpE,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB;YACvC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC;YACpC,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,KAAK,GAAe;YACxB,GAAG,gBAAgB;YACnB,IAAI;SACL,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QAED,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,+EAA+E;IAC/E,yBAAyB;IACzB,+EAA+E;IAE/E;;OAEG;IACH,KAAK,CAAC,WAAW,CACf,QAAgB,EAChB,IAA6B,EAC7B,OAAgB,EAChB,WAAmB,EACnB,KAAc;QAEd,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE;YACxC,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;YACtC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SACrD,EAAE,WAAW,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,SAAiB,EACjB,OAAgB,EAChB,UAAmC,EAAE;QAErC,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,SAAiB,EACjB,SAAiB,EACjB,UAAmC,EAAE;QAErC,MAAM,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE;YACzC,UAAU,EAAE,SAAS;YACrB,GAAG,OAAO;SACX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,SAAiB,EACjB,QAA0B,EAC1B,UAAmC,EAAE;QAErC,MAAM,OAAO,GAAG,QAAQ,KAAK,MAAM,CAAC;QACpC,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE;YAC7C,QAAQ;YACR,GAAG,OAAO;SACX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,SAAiB,EACjB,UAAmC,EAAE;QAErC,MAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,+EAA+E;IAC/E,iBAAiB;IACjB,+EAA+E;IAE/E;;OAEG;IACK,aAAa,CAAC,IAA6B;QACjD,MAAM,OAAO,GAA4B,EAAE,CAAC;QAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,MAAM,SAAS,CAAC;gBACnD,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,KAAK,CAAC,MAAM,SAAS,CAAC;YAClD,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,OAAgB;QACpC,MAAM,IAAI,GAAG,OAAO,IAAI,IAAI,CAAC,cAAc,CAAC;QAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,yBAAyB,CAAC,EAAE,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAEnE,IAAI,oBAAoB,GAAG,SAAS,CAAC;YAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAe,CAAC;oBAEjD,oBAAoB;oBACpB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;wBACjC,IAAI,KAAK,CAAC,YAAY,KAAK,oBAAoB,EAAE,CAAC;4BAChD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,+CAA+C,oBAAoB,SAAS,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;wBAC7H,CAAC;wBAED,2BAA2B;wBAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,gBAAgB,EAAE,GAAG,KAAK,CAAC;wBAC5C,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAAC;wBACxD,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;4BAC1B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;wBAC7E,CAAC;wBAED,oBAAoB,GAAG,KAAK,CAAC,IAAI,CAAC;oBACpC,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QAChD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,4BAA4B,CAAC,EAAE,CAAC,EAAE,CAAC;QACrE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,0CAA0C;QAC1C,OAAO,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,IAAI,iBAAiB,GAAuB,IAAI,CAAC;AAEjD;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC;IACxC,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,IAAI,EAAE,CAAC,IAAY,EAAE,IAA6B,EAAE,OAAgB,EAAE,WAAmB,EAAE,KAAc,EAAE,EAAE,CAC3G,cAAc,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,CAAC;IAEvE,IAAI,EAAE,CAAC,KAAa,EAAE,OAAgB,EAAE,OAAiC,EAAE,EAAE,CAC3E,cAAc,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC;IAExD,OAAO,EAAE,CAAC,KAAa,EAAE,SAAiB,EAAE,OAAiC,EAAE,EAAE,CAC/E,cAAc,EAAE,CAAC,eAAe,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC;IAE7D,QAAQ,EAAE,CAAC,KAAa,EAAE,QAA0B,EAAE,OAAiC,EAAE,EAAE,CACzF,cAAc,EAAE,CAAC,gBAAgB,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC;IAE7D,MAAM,EAAE,CAAC,KAAa,EAAE,OAAiC,EAAE,EAAE,CAC3D,cAAc,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC;CAClD,CAAC"}

package/dist/utils/cert-pinning.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Certificate Pinning for NotebookLM MCP Server
+ *
+ * Provides certificate pinning for HTTPS connections:
+ * - Pin Google's root CA certificates
+ * - Detect MITM attacks
+ * - Validate certificate chains
+ *
+ * Why this matters:
+ * - Prevents man-in-the-middle attacks
+ * - Protects against rogue CA certificates
+ * - Ensures only Google's real servers are trusted
+ *
+ * Added by Pantheon Security for hardened fork.
+ */
+import https from "https";
+import tls from "tls";
+/**
+ * Configuration for certificate pinning
+ */
+export interface CertPinningConfig {
+    /** Enable certificate pinning (default: true) */
+    enabled: boolean;
+    /** Allow connections to fail open if pinning fails (default: false for security) */
+    failOpen: boolean;
+    /** Report-only mode - log but don't block (default: false) */
+    reportOnly: boolean;
+    /** Additional pinned certificates (SPKI hashes) */
+    additionalPins: Record<string, string[]>;
+}
+/**
+ * Calculate SPKI hash for a certificate
+ */
+export declare function calculateSPKIHash(cert: tls.PeerCertificate): string;
+/**
+ * Get all SPKI hashes from a certificate chain
+ */
+export declare function getCertificateChainHashes(socket: tls.TLSSocket): string[];
+/**
+ * Validate a certificate chain against pinned certificates
+ */
+export declare function validateCertificatePin(hostname: string, chainHashes: string[], config?: CertPinningConfig): {
+    valid: boolean;
+    matchedPin?: string;
+    error?: string;
+};
+/**
+ * Certificate Pinning Manager
+ */
+export declare class CertificatePinningManager {
+    private config;
+    private violationCount;
+    private lastViolation?;
+    constructor(config?: Partial<CertPinningConfig>);
+    /**
+     * Check if pinning is enabled
+     */
+    isEnabled(): boolean;
+    /**
+     * Validate a TLS connection
+     */
+    validateConnection(socket: tls.TLSSocket, hostname: string): Promise<boolean>;
+    /**
+     * Create an HTTPS agent with certificate pinning
+     */
+    createPinnedAgent(_hostname: string): https.Agent;
+    /**
+     * Get violation statistics
+     */
+    getStats(): {
+        enabled: boolean;
+        reportOnly: boolean;
+        violationCount: number;
+        lastViolation?: {
+            hostname: string;
+            timestamp: Date;
+        };
+    };
+    /**
+     * Update configuration
+     */
+    updateConfig(config: Partial<CertPinningConfig>): void;
+    /**
+     * Add a custom pin for a hostname
+     */
+    addPin(hostname: string, spkiHash: string): void;
+}
+/**
+ * Get or create the global pinning manager
+ */
+export declare function getCertificatePinningManager(): CertificatePinningManager;
+/**
+ * Utility to extract and display certificate pins from a hostname
+ * Useful for updating pinned certificates
+ */
+export declare function extractCertificatePins(hostname: string): Promise<string[]>;
+//# sourceMappingURL=cert-pinning.d.ts.map

package/dist/utils/cert-pinning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-pinning.d.ts","sourceRoot":"","sources":["../../src/utils/cert-pinning.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AAmDtB;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC;IACjB,oFAAoF;IACpF,QAAQ,EAAE,OAAO,CAAC;IAClB,8DAA8D;IAC9D,UAAU,EAAE,OAAO,CAAC;IACpB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC1C;AAcD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,eAAe,GAAG,MAAM,CAUnE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,GAAG,MAAM,EAAE,CA8BzE;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EAAE,EACrB,MAAM,GAAE,iBAAsC,GAC7C;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CA0BzD;AA8BD;;GAEG;AACH,qBAAa,yBAAyB;IACpC,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,cAAc,CAAa;IACnC,OAAO,CAAC,aAAa,CAAC,CAIpB;gBAEU,MAAM,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC;IAI/C;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACG,kBAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA+CnF;;OAEG;IACH,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,KAAK,CAAC,KAAK;IA8BjD;;OAEG;IACH,QAAQ,IAAI;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,EAAE,OAAO,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE;YACd,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC;SACjB,CAAC;KACH;IAcD;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,IAAI;IAItD;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;CAQjD;AAOD;;GAEG;AACH,wBAAgB,4BAA4B,IAAI,yBAAyB,CAKxE;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA0BhF"}