@pan-sec/notebooklm-mcp 2026.3.3 → 2026.4.0

package/dist/compliance/data-export.d.ts

@@ -82,4 +82,3 @@ export declare function exportUserDataToFile(outputPath: string, options?: Parti
  * Export user data to string
  */
 export declare function exportUserDataToString(options?: Partial<ExportOptions>): Promise<string>;
-//# sourceMappingURL=data-export.d.ts.map

package/dist/compliance/data-export.js

@@ -402,4 +402,3 @@ export async function exportUserDataToFile(outputPath, options = {}) {
 export async function exportUserDataToString(options = {}) {
     return getDataExporter().exportToString(options);
 }
-//# sourceMappingURL=data-export.js.map

package/dist/compliance/data-inventory.d.ts

@@ -133,4 +133,3 @@ export declare function getExportableData(): Promise<DataInventoryEntry[]>;
  * Get erasable data entries
  */
 export declare function getErasableData(): Promise<DataInventoryEntry[]>;
-//# sourceMappingURL=data-inventory.d.ts.map

package/dist/compliance/data-inventory.js

@@ -333,4 +333,3 @@ export async function getExportableData() {
 export async function getErasableData() {
     return getDataInventory().getErasable();
 }
-//# sourceMappingURL=data-inventory.js.map

package/dist/compliance/dsar-handler.d.ts

@@ -126,4 +126,3 @@ export declare function handleDSAR(type?: DSARRequest["type"]): Promise<DSARResp
  */
 export declare function getDSARSummary(): Promise<ReturnType<DSARHandler["getSummaryResponse"]>>;
 export {};
-//# sourceMappingURL=dsar-handler.d.ts.map

package/dist/compliance/dsar-handler.js

@@ -381,4 +381,3 @@ export async function handleDSAR(type = "access") {
 export async function getDSARSummary() {
     return getDSARHandler().getSummaryResponse();
 }
-//# sourceMappingURL=dsar-handler.js.map

package/dist/compliance/evidence-collector.d.ts

@@ -184,4 +184,3 @@ export declare function verifyEvidence(evidencePackage: EvidencePackage): {
  * List saved evidence packages
  */
 export declare function listEvidencePackages(): ReturnType<EvidenceCollector["listPackages"]>;
-//# sourceMappingURL=evidence-collector.d.ts.map

package/dist/compliance/evidence-collector.js

@@ -189,7 +189,10 @@ export class EvidenceCollector {
                 legal_basis: c.legal_basis,
                 granted_at: c.granted_at,
                 expires_at: c.expires_at,
-                is_valid: c.is_valid,
+                // Validity is derived from existing fields: granted (record exists),
+                // not revoked, and not past its optional expiry.
+                is_valid: !c.revoked &&
+                    (!c.expires_at || new Date(c.expires_at) > new Date()),
                 revoked: c.revoked,
             })),
         };
@@ -657,4 +660,3 @@ export function verifyEvidence(evidencePackage) {
 export function listEvidencePackages() {
     return getEvidenceCollector().listPackages();
 }
-//# sourceMappingURL=evidence-collector.js.map

package/dist/compliance/health-monitor.d.ts

@@ -108,4 +108,3 @@ export declare function getHealthStatus(): ReturnType<HealthMonitor["getStatus"]
  * Get last health metrics
  */
 export declare function getLastHealthMetrics(): HealthMetrics | null;
-//# sourceMappingURL=health-monitor.d.ts.map

package/dist/compliance/health-monitor.js

@@ -512,4 +512,3 @@ export function getHealthStatus() {
 export function getLastHealthMetrics() {
     return getHealthMonitor().getLastMetrics();
 }
-//# sourceMappingURL=health-monitor.js.map

package/dist/compliance/incident-manager.d.ts

@@ -128,4 +128,3 @@ export declare function updateIncidentStatus(incidentId: string, status: Inciden
  * Get incident statistics
  */
 export declare function getIncidentStatistics(): Promise<ReturnType<IncidentManager["getStatistics"]>>;
-//# sourceMappingURL=incident-manager.d.ts.map

package/dist/compliance/incident-manager.js

@@ -417,4 +417,3 @@ export async function updateIncidentStatus(incidentId, status, notes) {
 export async function getIncidentStatistics() {
     return getIncidentManager().getStatistics();
 }
-//# sourceMappingURL=incident-manager.js.map

package/dist/compliance/index.d.ts

@@ -29,4 +29,3 @@ export type { ReportType, ReportFormat, GeneratedReport, ReportOptions } from ".
 export { EvidenceCollector, getEvidenceCollector, collectEvidence, collectAndSaveEvidence, collectRegulationEvidence, verifyEvidence, listEvidencePackages, } from "./evidence-collector.js";
 export type { EvidenceType, EvidenceItem, EvidencePackage, CollectionOptions } from "./evidence-collector.js";
 export { getComplianceTools, handleComplianceToolCall, } from "./compliance-tools.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/compliance/index.js

@@ -32,4 +32,3 @@ export { ComplianceDashboard, getComplianceDashboard, generateDashboard, getComp
 export { ReportGenerator, getReportGenerator, generateReport, generateAndSaveReport, listReports, } from "./report-generator.js";
 export { EvidenceCollector, getEvidenceCollector, collectEvidence, collectAndSaveEvidence, collectRegulationEvidence, verifyEvidence, listEvidencePackages, } from "./evidence-collector.js";
 export { getComplianceTools, handleComplianceToolCall, } from "./compliance-tools.js";
-//# sourceMappingURL=index.js.map

package/dist/compliance/policy-docs.d.ts

@@ -105,4 +105,3 @@ export declare function getPoliciesByRegulation(regulation: string): Promise<Pol
  * Get policy summary
  */
 export declare function getPolicySummary(): Promise<ReturnType<PolicyDocManager["getPolicySummary"]>>;
-//# sourceMappingURL=policy-docs.d.ts.map

package/dist/compliance/policy-docs.js

@@ -464,4 +464,3 @@ export async function getPoliciesByRegulation(regulation) {
 export async function getPolicySummary() {
     return getPolicyDocManager().getPolicySummary();
 }
-//# sourceMappingURL=policy-docs.js.map

package/dist/compliance/privacy-notice-text.d.ts

@@ -55,4 +55,3 @@ export declare function getProcessingAgreement(): {
     security_measures: string[];
     breach_notification: string;
 };
-//# sourceMappingURL=privacy-notice-text.d.ts.map

package/dist/compliance/privacy-notice-text.js

@@ -157,4 +157,3 @@ export function getProcessingAgreement() {
         breach_notification: "In the unlikely event of a data breach, we will notify affected users within 72 hours as required by GDPR.",
     };
 }
-//# sourceMappingURL=privacy-notice-text.js.map

package/dist/compliance/privacy-notice.d.ts

@@ -125,4 +125,3 @@ export declare function getPrivacyNotice(): ReturnType<typeof getPrivacyNoticeSt
  */
 export declare function getPrivacyNoticeCLIText(): string;
 export {};
-//# sourceMappingURL=privacy-notice.d.ts.map

package/dist/compliance/privacy-notice.js

@@ -249,4 +249,3 @@ export function getPrivacyNotice() {
 export function getPrivacyNoticeCLIText() {
     return getPrivacyNoticeManager().getCLINotice();
 }
-//# sourceMappingURL=privacy-notice.js.map

package/dist/compliance/report-generator.d.ts

@@ -115,6 +115,13 @@ export declare class ReportGenerator {
      * Convert to CSV format (flattened)
      */
     private toCSV;
+    /**
+     * Quote a CSV cell and neutralize formula injection.
+     * If the value begins with =, +, -, @, tab, or CR it is prefixed with a
+     * single quote so spreadsheet apps (Excel/Sheets) treat it as text rather
+     * than a formula. Embedded double-quotes are doubled per RFC 4180.
+     */
+    private csvSafeCell;
     /**
      * Flatten nested object
      */
@@ -165,4 +172,3 @@ export declare function generateAndSaveReport(reportType: ReportType, options?:
  */
 export declare function listReports(): ReturnType<ReportGenerator["listGeneratedReports"]>;
 export {};
-//# sourceMappingURL=report-generator.d.ts.map

package/dist/compliance/report-generator.js

@@ -149,10 +149,42 @@ export class ReportGenerator {
         const dataInventory = getDataInventory();
         const dsarHandler = getDSARHandler();
         const retentionEngine = getRetentionEngine();
+        const dashboard = getComplianceDashboard();
         const consents = await consentManager.getActiveConsents();
         const inventory = await dataInventory.getAll();
         const dsarSummary = await dsarHandler.getStatistics();
         const retentionStatus = await retentionEngine.getStatus();
+        const dashboardData = await dashboard.generateDashboard();
+        // Derive per-consent validity from real fields (mirrors evidence-collector):
+        // a consent is valid only if it is not revoked and not past its optional expiry.
+        const now = new Date();
+        const consentRows = consents.map((c) => {
+            const valid = !c.revoked && (!c.expires_at || new Date(c.expires_at) > now);
+            return {
+                purpose: c.purposes.join(", "),
+                legal_basis: c.legal_basis,
+                granted: c.granted_at,
+                valid,
+            };
+        });
+        const validConsents = consentRows.filter(c => c.valid).length;
+        // Build compliance verdict from real signals rather than hardcoding "compliant".
+        const gaps = [];
+        const recommendations = [];
+        const invalidConsents = consents.length - validConsents;
+        if (invalidConsents > 0) {
+            gaps.push(`${invalidConsents} consent record(s) are revoked or expired (Article 6 legal basis).`);
+            recommendations.push("Re-obtain or retire invalid consent records.");
+        }
+        if (dsarSummary.pending_requests > 0) {
+            gaps.push(`${dsarSummary.pending_requests} data subject request(s) pending (Articles 15/17).`);
+            recommendations.push("Process pending DSARs within the 30-day deadline.");
+        }
+        if (dashboardData.gdpr.status === "non_compliant") {
+            gaps.push("GDPR dashboard status is non-compliant.");
+        }
+        // Compliant only when the dashboard agrees and no concrete gaps were found.
+        const gdprCompliant = dashboardData.gdpr.status === "compliant" && gaps.length === 0;
         const report = {
             title: "GDPR Compliance Audit Report",
             regulation: "General Data Protection Regulation (EU) 2016/679",
@@ -165,13 +197,8 @@ export class ReportGenerator {
             article_6_legal_basis: {
                 description: "Lawfulness of Processing",
                 consent_records: consents.length,
-                valid_consents: consents.length, // All active consents are valid
-                consents: consents.map((c) => ({
-                    purpose: c.purposes.join(", "),
-                    legal_basis: c.legal_basis,
-                    granted: c.granted_at,
-                    valid: true,
-                })),
+                valid_consents: validConsents, // Derived: not revoked and not expired
+                consents: consentRows,
             },
             article_15_17_access_erasure: {
                 description: "Data Subject Access and Erasure Rights",
@@ -190,9 +217,10 @@ export class ReportGenerator {
                 status: retentionStatus,
             },
             compliance_status: {
-                compliant: true,
-                gaps: [],
-                recommendations: [],
+                compliant: gdprCompliant,
+                status: dashboardData.gdpr.status,
+                gaps,
+                recommendations,
             },
         };
         return this.formatOutput(report, format);
@@ -228,7 +256,10 @@ export class ReportGenerator {
                     principle: "CC7 - System Operations",
                     controls: {
                         health_monitoring: true,
+                        // Availability % is not measured (no downtime accounting); expose the
+                        // raw value (null) and the measurement flag rather than a fake figure.
                         uptime_percentage: dashboardData.soc2.availability.uptime_percentage,
+                        uptime_percentage_measured: dashboardData.soc2.availability.uptime_percentage_measured,
                         status: dashboardData.health.status,
                     },
                     status: dashboardData.health.status === "healthy" ? "Met" : "Partially Met",
@@ -286,11 +317,29 @@ export class ReportGenerator {
         const complianceLogger = getComplianceLogger();
         const policyManager = getPolicyDocManager();
         const incidentManager = getIncidentManager();
+        const dashboard = getComplianceDashboard();
         const loggerStats = await complianceLogger.getStats();
         const integrity = await complianceLogger.verifyIntegrity();
         const policies = await policyManager.getAllPolicies();
         const policySummary = await policyManager.getPolicySummary();
         const incidentStats = await incidentManager.getStatistics();
+        const dashboardData = await dashboard.generateDashboard();
+        // Derive the overall CSSF verdict from real signals rather than hardcoding.
+        const cssfGaps = [];
+        if (!loggerStats.enabled)
+            cssfGaps.push("Compliance audit logging is disabled (Section 4.3 audit trail).");
+        if (!integrity.valid)
+            cssfGaps.push("Audit log hash-chain integrity verification failed (tamper evidence).");
+        if (policySummary.due_for_review > 0)
+            cssfGaps.push(`${policySummary.due_for_review} policy/policies are overdue for review (Section 3 IT governance).`);
+        if (incidentStats.open_incidents > 0)
+            cssfGaps.push(`${incidentStats.open_incidents} security incident(s) open (Section 5 incident management).`);
+        // Map dashboard status to the report's verbal verdict.
+        const cssfOverall = dashboardData.cssf.status === "compliant"
+            ? "Compliant"
+            : dashboardData.cssf.status === "at_risk"
+                ? "At Risk"
+                : "Non-Compliant";
         const report = {
             title: "CSSF Compliance Audit Report",
             regulation: "CSSF Circular 20/750 - IT Risk Management",
@@ -314,7 +363,8 @@ export class ReportGenerator {
                     total_incidents: incidentStats.total_incidents,
                 },
                 statistics: incidentStats,
-                status: "Compliant",
+                // Open incidents indicate active remediation rather than a clean control.
+                status: incidentStats.open_incidents > 0 ? "At Risk" : "Compliant",
             },
             policy_management: {
                 circular_reference: "Section 3 - IT Governance",
@@ -335,8 +385,8 @@ export class ReportGenerator {
                 status: policySummary.due_for_review === 0 ? "Compliant" : "At Risk",
             },
             compliance_status: {
-                overall: "Compliant",
-                gaps: [],
+                overall: cssfOverall,
+                gaps: cssfGaps,
                 recommendations: [],
             },
         };
@@ -391,6 +441,7 @@ export class ReportGenerator {
                 total_24h: dashboardData.security.alerts.total_24h,
                 critical_24h: dashboardData.security.alerts.critical_24h,
                 unacknowledged: dashboardData.security.alerts.unacknowledged,
+                unacknowledged_tracked: dashboardData.security.alerts.unacknowledged_tracked,
             },
             recommendations: [],
         };
@@ -533,27 +584,47 @@ export class ReportGenerator {
      * Generate full audit report
      */
     async generateFullAudit(from, to, format) {
-        const [gdpr, soc2, cssf, security, incidents, dsar, retention, changes] = await Promise.all([
-            this.generateGDPRAudit(from, to, "json"),
-            this.generateSOC2Audit(from, to, "json"),
-            this.generateCSSFAudit(from, to, "json"),
-            this.generateSecurityAudit(from, to, "json"),
-            this.generateIncidentReport(from, to, "json"),
-            this.generateDSARReport(from, to, "json"),
-            this.generateRetentionReport(from, to, "json"),
-            this.generateChangeManagementReport(from, to, "json"),
-        ]);
+        // Generate each sub-report independently so a single failure degrades that
+        // one section instead of opaquely sinking the whole audit (L47). Sub-reports
+        // are produced as JSON strings then parsed back into objects; a rejected
+        // section is replaced with an explicit error placeholder.
+        const sections = [
+            { key: "gdpr_audit", gen: () => this.generateGDPRAudit(from, to, "json") },
+            { key: "soc2_audit", gen: () => this.generateSOC2Audit(from, to, "json") },
+            { key: "cssf_audit", gen: () => this.generateCSSFAudit(from, to, "json") },
+            { key: "security_audit", gen: () => this.generateSecurityAudit(from, to, "json") },
+            { key: "incident_report", gen: () => this.generateIncidentReport(from, to, "json") },
+            { key: "dsar_report", gen: () => this.generateDSARReport(from, to, "json") },
+            { key: "retention_report", gen: () => this.generateRetentionReport(from, to, "json") },
+            { key: "change_management", gen: () => this.generateChangeManagementReport(from, to, "json") },
+        ];
+        const results = await Promise.allSettled(sections.map(s => s.gen()));
         const report = {
             title: "Comprehensive Compliance Audit Report",
             period: { from: from.toISOString(), to: to.toISOString() },
-            gdpr_audit: JSON.parse(gdpr),
-            soc2_audit: JSON.parse(soc2),
-            cssf_audit: JSON.parse(cssf),
-            security_audit: JSON.parse(security),
-            incident_report: JSON.parse(incidents),
-            dsar_report: JSON.parse(dsar),
-            retention_report: JSON.parse(retention),
-            change_management: JSON.parse(changes),
+        };
+        const failedSections = [];
+        results.forEach((result, i) => {
+            const key = sections[i].key;
+            if (result.status === "fulfilled") {
+                try {
+                    report[key] = JSON.parse(result.value);
+                }
+                catch (err) {
+                    failedSections.push(key);
+                    report[key] = { error: `Failed to parse section: ${err instanceof Error ? err.message : String(err)}` };
+                }
+            }
+            else {
+                failedSections.push(key);
+                const reason = result.reason;
+                report[key] = { error: `Failed to generate section: ${reason instanceof Error ? reason.message : String(reason)}` };
+            }
+        });
+        // Surface partial-failure so an incomplete audit is never mistaken for a clean one.
+        report.generation_status = {
+            complete: failedSections.length === 0,
+            failed_sections: failedSections,
         };
         return this.formatOutput(report, format);
     }
@@ -608,11 +679,23 @@ export class ReportGenerator {
         const lines = [];
         lines.push("Key,Value");
         for (const [key, value] of Object.entries(flattened)) {
-            const escapedValue = String(value).replace(/"/g, '""');
-            lines.push(`"${key}","${escapedValue}"`);
+            lines.push(`${this.csvSafeCell(key)},${this.csvSafeCell(value)}`);
         }
         return lines.join("\n");
     }
+    /**
+     * Quote a CSV cell and neutralize formula injection.
+     * If the value begins with =, +, -, @, tab, or CR it is prefixed with a
+     * single quote so spreadsheet apps (Excel/Sheets) treat it as text rather
+     * than a formula. Embedded double-quotes are doubled per RFC 4180.
+     */
+    csvSafeCell(value) {
+        let str = String(value);
+        if (/^[=+\-@\t\r]/.test(str)) {
+            str = `'${str}`;
+        }
+        return `"${str.replace(/"/g, '""')}"`;
+    }
     /**
      * Flatten nested object
      */
@@ -829,4 +912,3 @@ export async function generateAndSaveReport(reportType, options) {
 export function listReports() {
     return getReportGenerator().listGeneratedReports();
 }
-//# sourceMappingURL=report-generator.js.map

package/dist/compliance/retention-engine.d.ts

@@ -127,4 +127,3 @@ export declare function getRetentionPolicies(): Promise<RetentionPolicy[]>;
  */
 export declare function getRetentionStatus(): Promise<ReturnType<RetentionEngine["getStatus"]>>;
 export {};
-//# sourceMappingURL=retention-engine.d.ts.map

package/dist/compliance/retention-engine.js

@@ -521,4 +521,3 @@ export async function getRetentionPolicies() {
 export async function getRetentionStatus() {
     return getRetentionEngine().getStatus();
 }
-//# sourceMappingURL=retention-engine.js.map

package/dist/compliance/siem-exporter.d.ts

@@ -29,6 +29,8 @@ export declare class SIEMExporter {
     private flushTimer;
     private isExporting;
     private failedDir;
+    private droppedEvents;
+    private lastDropWarning;
     private constructor();
     /**
      * Get singleton instance
@@ -86,7 +88,13 @@ export declare class SIEMExporter {
      */
     private formatSyslog;
     /**
-     * Export event as syslog
+     * Export event as syslog over UDP.
+     *
+     * NOTE: UDP syslog is best-effort. A successful send only means the datagram
+     * was handed to the OS — it does NOT confirm delivery to the collector. A
+     * `settled` guard ensures the socket is closed and the promise resolves exactly
+     * once (the send callback and the safety timeout previously raced, double-closing
+     * and double-resolving), and the timeout is cleared as soon as the callback fires.
      */
     private exportSyslog;
     /**
@@ -109,6 +117,21 @@ export declare class SIEMExporter {
      * Escape CEF extension value
      */
     private escapeExtension;
+    /**
+     * Escape a LEEF key or value. LEEF is tab-delimited and newline-terminated,
+     * so tabs/newlines/carriage-returns (and the `=` separator) must be neutralized
+     * to prevent attribute- or record-injection into the SIEM.
+     */
+    private escapeLeef;
+    /**
+     * Escape a CEF header component (pipe-delimited). Backslash first, then pipe.
+     */
+    private escapeCefHeader;
+    /**
+     * Strip C0 control characters (CR/LF/tab/etc.) from free-text fields so a
+     * crafted value cannot terminate or forge a syslog/LEEF record.
+     */
+    private sanitizeFreeText;
     /**
      * Save failed event for later retry
      */
@@ -127,6 +150,8 @@ export declare class SIEMExporter {
         enabled: boolean;
         format: SIEMFormat;
         queue_size: number;
+        queue_max_size: number;
+        dropped_events: number;
         endpoint_configured: boolean;
         syslog_configured: boolean;
     };
@@ -147,4 +172,3 @@ export declare function flushSIEM(): Promise<{
     failed: number;
 }>;
 export {};
-//# sourceMappingURL=siem-exporter.d.ts.map

package/dist/compliance/siem-exporter.js

@@ -86,6 +86,10 @@ export class SIEMExporter {
     flushTimer = null;
     isExporting = false;
     failedDir;
+    // Count of events dropped on queue overflow (e.g. during a SIEM outage). Without
+    // this, a backed-up queue silently sheds compliance events (L50).
+    droppedEvents = 0;
+    lastDropWarning = 0;
     constructor() {
         this.config = getSIEMConfig();
         const config = CONFIG;
@@ -157,8 +161,19 @@ export class SIEMExporter {
         }
         // Check queue size
         if (this.eventQueue.length >= this.config.queue_max_size) {
-            // Drop oldest event
-            this.eventQueue.shift();
+            // Queue full (likely a SIEM outage). Persist the oldest event to the failed
+            // dir before dropping it so it is not silently lost, then count + warn.
+            const dropped = this.eventQueue.shift();
+            this.droppedEvents++;
+            if (dropped) {
+                await this.saveFailedEvent(dropped);
+            }
+            // Throttle the warning to at most once per minute to avoid log flooding.
+            const now = Date.now();
+            if (now - this.lastDropWarning > 60000) {
+                this.lastDropWarning = now;
+                log.warning(`siem-exporter: queue full (max ${this.config.queue_max_size}); dropped oldest event (total dropped: ${this.droppedEvents}). Overflow persisted to ${this.failedDir}.`);
+            }
         }
         this.eventQueue.push(event);
         // Flush if batch size reached
@@ -225,8 +240,8 @@ export class SIEMExporter {
             "Pantheon Security",
             "NotebookLM MCP",
             "1.5.1",
-            event.event_type,
-            event.event_name,
+            this.escapeCefHeader(event.event_type),
+            this.escapeCefHeader(event.event_name),
             cefSeverity.toString(),
         ].join("|");
         // Add extension fields
@@ -258,18 +273,19 @@ export class SIEMExporter {
             "Pantheon Security",
             "NotebookLM MCP",
             "1.5.1",
-            event.event_type,
+            this.escapeLeef(event.event_type),
         ].join("|");
-        // Add attributes
+        // Add attributes — every key and value is LEEF-escaped so a crafted
+        // field cannot inject forged attributes or records via tab/newline.
         const attributes = [];
-        attributes.push(`cat=${event.event_name}`);
+        attributes.push(`cat=${this.escapeLeef(event.event_name)}`);
         attributes.push(`sev=${SYSLOG_SEVERITY[event.severity]}`);
-        attributes.push(`msg=${event.message}`);
-        attributes.push(`src=${event.source}`);
-        attributes.push(`devTime=${event.timestamp}`);
+        attributes.push(`msg=${this.escapeLeef(event.message)}`);
+        attributes.push(`src=${this.escapeLeef(event.source)}`);
+        attributes.push(`devTime=${this.escapeLeef(event.timestamp)}`);
         if (event.details) {
             for (const [key, value] of Object.entries(event.details)) {
-                attributes.push(`${key}=${String(value)}`);
+                attributes.push(`${this.escapeLeef(key)}=${this.escapeLeef(String(value))}`);
             }
         }
         return `${leef}\t${attributes.join("\t")}`;
@@ -292,10 +308,18 @@ export class SIEMExporter {
         const procId = process.pid.toString();
         const msgId = event.event_type;
         // RFC 5424 format
-        return `<${priority}>1 ${timestamp} ${hostname} ${appName} ${procId} ${msgId} - ${event.message}`;
+        // Strip C0 control chars (CR/LF etc.) so message cannot inject a forged record.
+        const safeMessage = this.sanitizeFreeText(event.message);
+        return `<${priority}>1 ${timestamp} ${hostname} ${appName} ${procId} ${msgId} - ${safeMessage}`;
     }
     /**
-     * Export event as syslog
+     * Export event as syslog over UDP.
+     *
+     * NOTE: UDP syslog is best-effort. A successful send only means the datagram
+     * was handed to the OS — it does NOT confirm delivery to the collector. A
+     * `settled` guard ensures the socket is closed and the promise resolves exactly
+     * once (the send callback and the safety timeout previously raced, double-closing
+     * and double-resolving), and the timeout is cleared as soon as the callback fires.
      */
     async exportSyslog(event) {
         if (!this.config.syslog_host) {
@@ -305,21 +329,32 @@ export class SIEMExporter {
         return new Promise((resolve) => {
             const client = dgram.createSocket("udp4");
             const buffer = Buffer.from(syslogMessage);
-            client.send(buffer, 0, buffer.length, this.config.syslog_port || 514, this.config.syslog_host, (err) => {
-                client.close();
-                resolve(!err);
-            });
-            // Timeout
-            setTimeout(() => {
+            let settled = false;
+            let timer = null;
+            const finish = (result) => {
+                if (settled)
+                    return;
+                settled = true;
+                if (timer) {
+                    clearTimeout(timer);
+                    timer = null;
+                }
                 try {
                     client.close();
                 }
                 catch (err) {
-                    log.debug(`siem-exporter: close TCP client on timeout: ${err instanceof Error ? err.message : String(err)}`);
-                    // Ignore
+                    log.debug(`siem-exporter: close UDP client: ${err instanceof Error ? err.message : String(err)}`);
+                    // Ignore — socket may already be closed.
                 }
-                resolve(false);
-            }, 5000);
+                resolve(result);
+            };
+            client.on("error", () => finish(false));
+            client.send(buffer, 0, buffer.length, this.config.syslog_port || 514, this.config.syslog_host, 
+            // Best-effort: !err means the datagram was accepted by the OS, not that
+            // the collector received it.
+            (err) => finish(!err));
+            // Safety timeout in case the send callback never fires.
+            timer = setTimeout(() => finish(false), 5000);
         });
     }
     /**
@@ -423,6 +458,35 @@ export class SIEMExporter {
             .replace(/\n/g, "\\n")
             .replace(/\r/g, "\\r");
     }
+    /**
+     * Escape a LEEF key or value. LEEF is tab-delimited and newline-terminated,
+     * so tabs/newlines/carriage-returns (and the `=` separator) must be neutralized
+     * to prevent attribute- or record-injection into the SIEM.
+     */
+    escapeLeef(value) {
+        return String(value)
+            .replace(/\\/g, "\\\\")
+            .replace(/=/g, "\\=")
+            .replace(/\t/g, " ")
+            .replace(/\r?\n/g, " ")
+            .replace(/[\x00-\x1f\x7f]/g, " ");
+    }
+    /**
+     * Escape a CEF header component (pipe-delimited). Backslash first, then pipe.
+     */
+    escapeCefHeader(value) {
+        return String(value)
+            .replace(/\\/g, "\\\\")
+            .replace(/\|/g, "\\|")
+            .replace(/[\r\n]+/g, " ");
+    }
+    /**
+     * Strip C0 control characters (CR/LF/tab/etc.) from free-text fields so a
+     * crafted value cannot terminate or forge a syslog/LEEF record.
+     */
+    sanitizeFreeText(value) {
+        return String(value).replace(/[\x00-\x1f\x7f]/g, " ");
+    }
     /**
      * Save failed event for later retry
      */
@@ -493,6 +557,8 @@ export class SIEMExporter {
             enabled: this.config.enabled,
             format: this.config.format,
             queue_size: this.eventQueue.length,
+            queue_max_size: this.config.queue_max_size,
+            dropped_events: this.droppedEvents,
             endpoint_configured: !!this.config.endpoint,
             syslog_configured: !!this.config.syslog_host,
         };
@@ -530,4 +596,3 @@ export async function exportToSIEM(eventType, eventName, severity, message, sour
 export async function flushSIEM() {
     return getSIEMExporter().flush();
 }
-//# sourceMappingURL=siem-exporter.js.map