@pawells/nestjs-shared 1.0.0-dev.3052c75

package/build/common/services/error-sanitizer.service.js

@@ -0,0 +1,287 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var ErrorSanitizerService_1;
+import { Injectable } from '@nestjs/common';
+import { HTTP_STATUS_INTERNAL_SERVER_ERROR } from '../constants/http-status.constants.js';
+import { ModuleRef } from '@nestjs/core';
+/**
+ * Injection token for ErrorSanitizerService configuration.
+ */
+export const ERROR_SANITIZER_OPTIONS = 'ERROR_SANITIZER_OPTIONS';
+/**
+ * Error Sanitizer Service.
+ * Sanitizes error responses and error context to prevent information disclosure in production.
+ * Removes sensitive information like stack traces, file paths, database URIs, API keys, email addresses,
+ * IP addresses, and custom sensitive fields.
+ *
+ * Implements defense-in-depth by sanitizing:
+ * - Error messages (via regex patterns)
+ * - Nested context objects (via field name matching)
+ * - Stack traces (removed in production)
+ *
+ * Sensitive patterns redacted:
+ * - File paths (e.g., `/home/user/app.ts` -> `[FILE]`)
+ * - Database URIs (e.g., `mongodb://...` -> `[REDACTED]`)
+ * - API keys and tokens (e.g., `Bearer sk_live_...` -> `Bearer [REDACTED]`)
+ * - Email addresses (e.g., `user@example.com` -> `[EMAIL]`)
+ * - IP addresses (IPv4 and IPv6) -> `[IP]`
+ * - Sensitive field values (passwords, tokens, API keys, etc.) -> `***REDACTED***`
+ *
+ * @remarks
+ * - Maximum message length: 5000 chars (prevents ReDoS attacks on regex patterns)
+ * - Maximum context depth: 5 levels (prevents deeply nested structure processing)
+ * - Circular reference detection prevents infinite loops
+ * - Case-insensitive field name matching for sensitivity
+ *
+ * @example
+ * ```typescript
+ * const error = {
+ *   message: 'Error at /home/user/app.ts, Bearer sk_live_abc123',
+ *   context: { password: 'secret123', userId: '456' }
+ * };
+ * const sanitized = errorSanitizer.sanitizeErrorResponse(error, false);
+ * // message: 'Error at [FILE], Bearer [REDACTED]'
+ * // context: { password: '***REDACTED***', userId: '456' }
+ * ```
+ */
+let ErrorSanitizerService = class ErrorSanitizerService {
+    static { ErrorSanitizerService_1 = this; }
+    /**
+     * Maximum length for error messages before truncation.
+     * Prevents ReDoS (Regular Expression Denial of Service) attacks by limiting
+     * the input size to regex patterns used in message sanitization.
+     */
+    // eslint-disable-next-line no-magic-numbers
+    static MAX_MESSAGE_LENGTH = 5000;
+    /**
+     * Maximum nesting depth for context object serialization.
+     * Prevents deeply nested structures from causing performance issues.
+     */
+    // eslint-disable-next-line no-magic-numbers
+    static MAX_CONTEXT_DEPTH = 5;
+    /**
+     * Precompiled regex pattern for matching file paths with code extensions
+     * Used to redact file paths from error messages
+     */
+    static FILE_PATH_REGEX = /\/[a-zA-Z0-9_./:-]{0,200}\.(?:ts|js|json|py|go|rb|java|cs|php)/g;
+    /**
+     * Precompiled regex pattern for matching IPv4 addresses
+     */
+    static IPV4_REGEX = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
+    /**
+     * Precompiled regex pattern for matching IPv6 addresses
+     * Covers various IPv6 formats: full form, compressed form, ::1, ::ffff:IPv4, bare ::
+     * Uses a simpler, non-backtracking pattern to avoid ReDoS (Regular Expression Denial of Service)
+     */
+    static IPV6_REGEX = /(?:::(?:ffff(?::0{1,4})?:)?(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9])){3}|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|:(?::[0-9a-fA-F]{1,4}){1,7}|::)/gi;
+    /**
+     * Default sensitive field names that are always redacted from context
+     * Stored as lowercase for case-insensitive matching
+     */
+    static DEFAULT_SENSITIVE_KEYS = [
+        'password',
+        'pwd',
+        'passwd',
+        'pass',
+        'token',
+        'secret',
+        'key',
+        'credential',
+        'apikey',
+        'api_key',
+        'api-key',
+        'authorization',
+        'auth',
+        'jwt',
+        'refreshtoken',
+        'accesstoken',
+        'private_key',
+        'privatekey',
+        'secret_key',
+        'client_secret',
+        'access_token',
+        'refresh_token',
+        'bearer',
+        'ssn',
+        'credit_card',
+        'creditcard',
+        'card_number',
+        'cardnumber',
+        'cvv',
+        'pin',
+    ];
+    Module;
+    constructor(module) {
+        this.Module = module;
+    }
+    get Options() {
+        try {
+            return this.Module.get(ERROR_SANITIZER_OPTIONS, { strict: false });
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Sanitize error response for client
+     * Removes sensitive information like stack traces, file paths, etc.
+     */
+    sanitizeErrorResponse(error, isDevelopment = false) {
+        const sanitized = {
+            message: this.sanitizeMessage(error.message),
+            statusCode: error.statusCode ?? HTTP_STATUS_INTERNAL_SERVER_ERROR,
+            timestamp: new Date().toISOString(),
+        };
+        // Only include stack trace in development
+        if (isDevelopment && error.stack) {
+            sanitized.stack = error.stack;
+        }
+        // Sanitize context if present
+        if (error.context) {
+            sanitized.context = this.sanitizeContext(error.context);
+        }
+        return sanitized;
+    }
+    /**
+     * Sanitize an error message to remove sensitive information.
+     * Redacts file paths, database connection strings, API keys, Bearer tokens,
+     * email addresses, and IP addresses. Truncates overly long messages to prevent
+     * ReDoS attacks and ensure reasonable log sizes.
+     *
+     * @param message - The error message string to sanitize
+     * @returns Sanitized message with sensitive patterns replaced by placeholder strings
+     *
+     * @example
+     * ```typescript
+     * const msg = 'Error at /home/user/app.ts, Bearer sk_live_abc123';
+     * const sanitized = sanitizeMessage(msg);
+     * // Returns: 'Error at [FILE], Bearer [REDACTED]'
+     * ```
+     */
+    sanitizeMessage(message) {
+        if (!message)
+            return 'An error occurred';
+        // Ensure message is a string
+        let safeMessage = message;
+        if (typeof safeMessage !== 'string') {
+            safeMessage = String(safeMessage);
+        }
+        // Truncate message to prevent ReDoS attacks on regex patterns
+        const truncated = safeMessage.length > ErrorSanitizerService_1.MAX_MESSAGE_LENGTH
+            ? `${safeMessage.substring(0, ErrorSanitizerService_1.MAX_MESSAGE_LENGTH)}... [truncated]`
+            : safeMessage;
+        // Remove file paths - match paths with code file extensions
+        let sanitized = truncated.replace(ErrorSanitizerService_1.FILE_PATH_REGEX, '[FILE]');
+        // Remove database connection strings
+        sanitized = sanitized.replace(/mongodb:\/\/[^\s/]+/gi, '[REDACTED]');
+        sanitized = sanitized.replace(/postgres(?:ql)?:\/\/[^\s/]+/gi, '[REDACTED]');
+        // Remove API keys and tokens
+        sanitized = sanitized.replace(/Bearer\s+[a-zA-Z0-9._-]+/gi, 'Bearer [REDACTED]');
+        sanitized = sanitized.replace(/(?:api[_-]?key|sk_live|sk_test|pk_live|pk_test)[\s=:]*[a-zA-Z0-9._-]+/gi, '[REDACTED]');
+        // Remove email addresses - more restrictive pattern
+        sanitized = sanitized.replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, '[EMAIL]');
+        // Remove IP addresses (both IPv4 and IPv6)
+        sanitized = sanitized.replace(ErrorSanitizerService_1.IPV4_REGEX, '[IP]');
+        sanitized = sanitized.replace(ErrorSanitizerService_1.IPV6_REGEX, '[IP]');
+        return sanitized;
+    }
+    /**
+     * Recursively sanitize an error context object to remove sensitive field values.
+     * Identifies sensitive fields by name (e.g., password, token, secret) and replaces
+     * their values with a redaction marker. Handles nested objects and arrays while
+     * detecting circular references to prevent infinite loops.
+     *
+     * @param context - The context object to sanitize
+     * @returns Sanitized context with sensitive field values replaced
+     *
+     * @example
+     * ```typescript
+     * const ctx = { user: 'john', password: 'secret123', nested: { apiKey: 'sk_live' } };
+     * const sanitized = sanitizeContext(ctx);
+     * // Returns: { user: 'john', password: '***REDACTED***', nested: { apiKey: '***REDACTED***' } }
+     * ```
+     */
+    sanitizeContext(context) {
+        const seen = new Set();
+        const result = this.serializeWithDepthLimit(context, ErrorSanitizerService_1.MAX_CONTEXT_DEPTH, 0, seen);
+        return result ?? {};
+    }
+    /**
+     * Recursively serialize an object with depth limiting and circular reference detection.
+     * Handles nested objects and arrays while preventing infinite loops.
+     *
+     * @param obj - The object to serialize
+     * @param maxDepth - Maximum nesting depth (default 5)
+     * @param currentDepth - Current recursion depth
+     * @param seen - Set of already-visited objects to detect cycles
+     * @returns Serialized object with sensitive fields redacted
+     */
+    serializeWithDepthLimit(obj, maxDepth, currentDepth, seen) {
+        // Return non-object values as-is
+        if (typeof obj !== 'object' || obj === null) {
+            if (typeof obj === 'string') {
+                return this.sanitizeMessage(obj);
+            }
+            return obj;
+        }
+        // Check for circular reference
+        if (seen.has(obj)) {
+            return '[CIRCULAR_REF]';
+        }
+        // Check for max depth
+        if (currentDepth >= maxDepth) {
+            return '[MAX_DEPTH]';
+        }
+        // Mark object as visited immediately after circular check, before recursing
+        seen.add(obj);
+        // Handle arrays
+        if (Array.isArray(obj)) {
+            return obj.map(item => this.serializeWithDepthLimit(item, maxDepth, currentDepth + 1, seen));
+        }
+        // Handle objects
+        const sanitized = {};
+        for (const [key, value] of Object.entries(obj)) {
+            // Skip sensitive fields
+            if (this.isSensitiveField(key)) {
+                sanitized[key] = '***REDACTED***';
+            }
+            else if (typeof value === 'object' && value !== null) {
+                // For objects and arrays, recurse with depth check
+                sanitized[key] = this.serializeWithDepthLimit(value, maxDepth, currentDepth + 1, seen);
+            }
+            else if (typeof value === 'string') {
+                // Sanitize string values
+                sanitized[key] = this.sanitizeMessage(value);
+            }
+            else {
+                // Return primitive values as-is
+                sanitized[key] = value;
+            }
+        }
+        return sanitized;
+    }
+    /**
+     * Check if field is sensitive (case-insensitive comparison)
+     */
+    isSensitiveField(fieldName) {
+        const fieldNameLower = fieldName.toLowerCase();
+        const allSensitiveFields = [
+            ...ErrorSanitizerService_1.DEFAULT_SENSITIVE_KEYS,
+            ...(this.Options?.additionalSensitiveKeys ?? []),
+        ];
+        return allSensitiveFields.some(field => fieldNameLower.includes(field.toLowerCase()));
+    }
+};
+ErrorSanitizerService = ErrorSanitizerService_1 = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [ModuleRef])
+], ErrorSanitizerService);
+export { ErrorSanitizerService };
+//# sourceMappingURL=error-sanitizer.service.js.map

package/build/common/services/error-sanitizer.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-sanitizer.service.js","sourceRoot":"","sources":["../../../src/common/services/error-sanitizer.service.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,iCAAiC,EAAE,MAAM,uCAAuC,CAAC;AAC1F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAkBzC;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAGI,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB;;IACjC;;;;OAIG;IACH,4CAA4C;IACpC,MAAM,CAAU,kBAAkB,GAAG,IAAI,CAAC;IAElD;;;OAGG;IACH,4CAA4C;IACpC,MAAM,CAAU,iBAAiB,GAAG,CAAC,CAAC;IAE9C;;;OAGG;IACK,MAAM,CAAU,eAAe,GAAG,iEAAiE,CAAC;IAE5G;;OAEG;IACK,MAAM,CAAU,UAAU,GAAG,8BAA8B,CAAC;IAEpE;;;;OAIG;IACK,MAAM,CAAU,UAAU,GAAG,igBAAigB,CAAC;IAEviB;;;OAGG;IACK,MAAM,CAAU,sBAAsB,GAAG;QAChD,UAAU;QACV,KAAK;QACL,QAAQ;QACR,MAAM;QACN,OAAO;QACP,QAAQ;QACR,KAAK;QACL,YAAY;QACZ,QAAQ;QACR,SAAS;QACT,SAAS;QACT,eAAe;QACf,MAAM;QACN,KAAK;QACL,cAAc;QACd,aAAa;QACb,aAAa;QACb,YAAY;QACZ,YAAY;QACZ,eAAe;QACf,cAAc;QACd,eAAe;QACf,QAAQ;QACR,KAAK;QACL,aAAa;QACb,YAAY;QACZ,aAAa;QACb,YAAY;QACZ,KAAK;QACL,KAAK;KACL,CAAC;IAEc,MAAM,CAAY;IAElC,YAAY,MAAiB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED,IAAY,OAAO;QAClB,IAAI,CAAC;YACJ,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,SAAS,CAAC;QAClB,CAAC;IACF,CAAC;IAED;;;OAGG;IACI,qBAAqB,CAAC,KAA0B,EAAE,gBAAyB,KAAK;QACtF,MAAM,SAAS,GAAwB;YACtC,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC;YAC5C,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,iCAAiC;YACjE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACnC,CAAC;QAEF,0CAA0C;QAC1C,IAAI,aAAa,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAClC,SAAS,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QAC/B,CAAC;QAED,8BAA8B;QAC9B,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,SAAS,CAAC,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACK,eAAe,CAAC,OAAe;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,mBAAmB,CAAC;QAEzC,6BAA6B;QAC7B,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACrC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;QACnC,CAAC;QAED,8DAA8D;QAC9D,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,GAAG,uBAAqB,CAAC,kBAAkB;YAC9E,CAAC,CAAC,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,uBAAqB,CAAC,kBAAkB,CAAC,iBAAiB;YACxF,CAAC,CAAC,WAAW,CAAC;QAEf,4DAA4D;QAC5D,IAAI,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,uBAAqB,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAEnF,qCAAqC;QACrC,SAAS,GAAG,SAAS,CAAC,OAAO,CAC5B,uBAAuB,EACvB,YAAY,CACZ,CAAC;QACF,SAAS,GAAG,SAAS,CAAC,OAAO,CAC5B,+BAA+B,EAC/B,YAAY,CACZ,CAAC;QAEF,6BAA6B;QAC7B,SAAS,GAAG,SAAS,CAAC,OAAO,CAC5B,4BAA4B,EAC5B,mBAAmB,CACnB,CAAC;QACF,SAAS,GAAG,SAAS,CAAC,OAAO,CAC5B,yEAAyE,EACzE,YAAY,CACZ,CAAC;QAEF,oDAAoD;QACpD,SAAS,GAAG,SAAS,CAAC,OAAO,CAC5B,iDAAiD,EACjD,SAAS,CACT,CAAC;QAEF,2CAA2C;QAC3C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,uBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,uBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAExE,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACK,eAAe,CAAC,OAA4B;QACnD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,uBAAuB,CAC1C,OAAO,EACP,uBAAqB,CAAC,iBAAiB,EACvC,CAAC,EACD,IAAI,CACJ,CAAC;QACF,OAAQ,MAA8B,IAAI,EAAE,CAAC;IAC9C,CAAC;IAED;;;;;;;;;OASG;IACK,uBAAuB,CAC9B,GAAY,EACZ,QAAgB,EAChB,YAAoB,EACpB,IAAiB;QAEjB,iCAAiC;QACjC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,gBAAgB,CAAC;QACzB,CAAC;QAED,sBAAsB;QACtB,IAAI,YAAY,IAAI,QAAQ,EAAE,CAAC;YAC9B,OAAO,aAAa,CAAC;QACtB,CAAC;QAED,4EAA4E;QAC5E,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEd,gBAAgB;QAChB,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CACrB,IAAI,CAAC,uBAAuB,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,GAAG,CAAC,EAAE,IAAI,CAAC,CACpE,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,SAAS,GAAwB,EAAE,CAAC;QAE1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAChD,wBAAwB;YACxB,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChC,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;YACnC,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACxD,mDAAmD;gBACnD,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,uBAAuB,CAC5C,KAAK,EACL,QAAQ,EACR,YAAY,GAAG,CAAC,EAChB,IAAI,CACJ,CAAC;YACH,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACtC,yBAAyB;gBACzB,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACP,gCAAgC;gBAChC,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACxB,CAAC;QACF,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,SAAiB;QACzC,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,kBAAkB,GAAG;YAC1B,GAAG,uBAAqB,CAAC,sBAAsB;YAC/C,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,IAAI,EAAE,CAAC;SAChD,CAAC;QAEF,OAAO,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CACtC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAC5C,CAAC;IACH,CAAC;;AA9RW,qBAAqB;IADjC,UAAU,EAAE;qCA0EQ,SAAS;GAzEjB,qBAAqB,CA+RjC"}

package/build/common/services/health-check.service.d.ts

@@ -0,0 +1,86 @@
+import { ModuleRef } from '@nestjs/core';
+import { LazyModuleRefService } from '../utils/lazy-getter.types.js';
+/**
+ * Health status enumeration for standardized health check responses.
+ */
+export declare enum HealthStatus {
+    OK = "ok",
+    READY = "ready",
+    ALIVE = "alive"
+}
+/**
+ * Health check response interface.
+ */
+export interface IHealthCheck {
+    status: string;
+    timestamp: string;
+    service?: string;
+    version?: string;
+    checks?: Record<string, string>;
+}
+/**
+ * Health Check Service.
+ * Provides standardized health, readiness, and liveness checks for Kubernetes probes and monitoring.
+ *
+ * Probe types:
+ * - **Health/Status**: General application health (used by load balancers)
+ * - **Readiness**: Determines if service should receive traffic (Kubernetes readiness probe)
+ * - **Liveness**: Confirms service is alive and responsive (Kubernetes liveness probe)
+ *
+ * @remarks
+ * - All responses include ISO timestamps for log correlation
+ * - Supports optional service name and version strings
+ * - Readiness probe can include custom checks (database, cache, etc.)
+ * - All checks automatically logged via AppLogger for monitoring
+ *
+ * @example
+ * ```typescript
+ * // In a health controller
+ * @Get('/')
+ * health() {
+ *   return this.healthService.getHealth('my-service', '1.0.0');
+ * }
+ *
+ * @Get('/ready')
+ * readiness() {
+ *   const checks = {
+ *     database: HealthStatus.OK,
+ *     cache: HealthStatus.OK,
+ *   };
+ *   return this.healthService.getReadiness(checks);
+ * }
+ *
+ * @Get('/live')
+ * liveness() {
+ *   return this.healthService.getLiveness();
+ * }
+ * ```
+ */
+export declare class HealthCheckService implements LazyModuleRefService {
+    private _contextualLogger;
+    readonly Module: ModuleRef;
+    constructor(module: ModuleRef);
+    private get Logger();
+    /**
+     * Get application health status
+     * Used for general health checks
+     * @param serviceName - Optional service name
+     * @param version - Optional version string
+     * @returns Health check response
+     */
+    getHealth(serviceName?: string, version?: string): IHealthCheck;
+    /**
+     * Get application readiness status
+     * Used for Kubernetes readiness probes to determine if service should receive traffic
+     * @param checks - Optional custom health checks (e.g., database, cache status)
+     * @returns Readiness check response
+     */
+    getReadiness(checks?: Record<string, string>): IHealthCheck;
+    /**
+     * Get application liveness status
+     * Used for Kubernetes liveness probes to determine if service is alive
+     * @returns Liveness check response
+     */
+    getLiveness(): IHealthCheck;
+}
+//# sourceMappingURL=health-check.service.d.ts.map

package/build/common/services/health-check.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health-check.service.d.ts","sourceRoot":"","sources":["../../../src/common/services/health-check.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE;;GAEG;AACH,oBAAY,YAAY;IACvB,EAAE,OAAO;IACT,KAAK,UAAU;IACf,KAAK,UAAU;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBACa,kBAAmB,YAAW,oBAAoB;IAC9D,OAAO,CAAC,iBAAiB,CAAwB;IAEjD,SAAgB,MAAM,EAAE,SAAS,CAAC;gBAEtB,MAAM,EAAE,SAAS;IAI7B,OAAO,KAAK,MAAM,GAMjB;IAED;;;;;;OAMG;IACI,SAAS,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,YAAY;IAoBtE;;;;;OAKG;IACI,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,YAAY;IAalE;;;;OAIG;IACI,WAAW,IAAI,YAAY;CAWlC"}

package/build/common/services/health-check.service.js

@@ -0,0 +1,132 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var HealthCheckService_1;
+import { Injectable } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { AppLogger } from './logger.service.js';
+/**
+ * Health status enumeration for standardized health check responses.
+ */
+export var HealthStatus;
+(function (HealthStatus) {
+    HealthStatus["OK"] = "ok";
+    HealthStatus["READY"] = "ready";
+    HealthStatus["ALIVE"] = "alive";
+})(HealthStatus || (HealthStatus = {}));
+/**
+ * Health Check Service.
+ * Provides standardized health, readiness, and liveness checks for Kubernetes probes and monitoring.
+ *
+ * Probe types:
+ * - **Health/Status**: General application health (used by load balancers)
+ * - **Readiness**: Determines if service should receive traffic (Kubernetes readiness probe)
+ * - **Liveness**: Confirms service is alive and responsive (Kubernetes liveness probe)
+ *
+ * @remarks
+ * - All responses include ISO timestamps for log correlation
+ * - Supports optional service name and version strings
+ * - Readiness probe can include custom checks (database, cache, etc.)
+ * - All checks automatically logged via AppLogger for monitoring
+ *
+ * @example
+ * ```typescript
+ * // In a health controller
+ * @Get('/')
+ * health() {
+ *   return this.healthService.getHealth('my-service', '1.0.0');
+ * }
+ *
+ * @Get('/ready')
+ * readiness() {
+ *   const checks = {
+ *     database: HealthStatus.OK,
+ *     cache: HealthStatus.OK,
+ *   };
+ *   return this.healthService.getReadiness(checks);
+ * }
+ *
+ * @Get('/live')
+ * liveness() {
+ *   return this.healthService.getLiveness();
+ * }
+ * ```
+ */
+let HealthCheckService = HealthCheckService_1 = class HealthCheckService {
+    _contextualLogger;
+    Module;
+    constructor(module) {
+        this.Module = module;
+    }
+    get Logger() {
+        if (!this._contextualLogger) {
+            const baseLogger = this.Module.get(AppLogger);
+            this._contextualLogger = baseLogger.createContextualLogger(HealthCheckService_1.name);
+        }
+        return this._contextualLogger;
+    }
+    /**
+     * Get application health status
+     * Used for general health checks
+     * @param serviceName - Optional service name
+     * @param version - Optional version string
+     * @returns Health check response
+     */
+    getHealth(serviceName, version) {
+        this.Logger.debug('Health check requested');
+        const response = {
+            status: HealthStatus.OK,
+            timestamp: new Date().toISOString(),
+        };
+        if (serviceName) {
+            response.service = serviceName;
+        }
+        if (version) {
+            response.version = version;
+        }
+        this.Logger.debug(`Health check response: ${JSON.stringify(response)}`);
+        return response;
+    }
+    /**
+     * Get application readiness status
+     * Used for Kubernetes readiness probes to determine if service should receive traffic
+     * @param checks - Optional custom health checks (e.g., database, cache status)
+     * @returns Readiness check response
+     */
+    getReadiness(checks) {
+        this.Logger.debug('Readiness check requested');
+        const response = {
+            status: HealthStatus.READY,
+            timestamp: new Date().toISOString(),
+            checks: checks ?? {},
+        };
+        this.Logger.debug(`Readiness check response: ${JSON.stringify(response)}`);
+        return response;
+    }
+    /**
+     * Get application liveness status
+     * Used for Kubernetes liveness probes to determine if service is alive
+     * @returns Liveness check response
+     */
+    getLiveness() {
+        this.Logger.debug('Liveness check requested');
+        const response = {
+            status: HealthStatus.ALIVE,
+            timestamp: new Date().toISOString(),
+        };
+        this.Logger.debug(`Liveness check response: ${JSON.stringify(response)}`);
+        return response;
+    }
+};
+HealthCheckService = HealthCheckService_1 = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [ModuleRef])
+], HealthCheckService);
+export { HealthCheckService };
+//# sourceMappingURL=health-check.service.js.map

package/build/common/services/health-check.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health-check.service.js","sourceRoot":"","sources":["../../../src/common/services/health-check.service.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAGhD;;GAEG;AACH,MAAM,CAAN,IAAY,YAIX;AAJD,WAAY,YAAY;IACvB,yBAAS,CAAA;IACT,+BAAe,CAAA;IACf,+BAAe,CAAA;AAChB,CAAC,EAJW,YAAY,KAAZ,YAAY,QAIvB;AAaD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEI,IAAM,kBAAkB,0BAAxB,MAAM,kBAAkB;IACtB,iBAAiB,CAAwB;IAEjC,MAAM,CAAY;IAElC,YAAY,MAAiB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED,IAAY,MAAM;QACjB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC9C,IAAI,CAAC,iBAAiB,GAAG,UAAU,CAAC,sBAAsB,CAAC,oBAAkB,CAAC,IAAI,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAC/B,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,WAAoB,EAAE,OAAgB;QACtD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAiB;YAC9B,MAAM,EAAE,YAAY,CAAC,EAAE;YACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACnC,CAAC;QAEF,IAAI,WAAW,EAAE,CAAC;YACjB,QAAQ,CAAC,OAAO,GAAG,WAAW,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACb,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;QAC5B,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACxE,OAAO,QAAQ,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACI,YAAY,CAAC,MAA+B;QAClD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAiB;YAC9B,MAAM,EAAE,YAAY,CAAC,KAAK;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,MAAM,EAAE,MAAM,IAAI,EAAE;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC3E,OAAO,QAAQ,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACI,WAAW;QACjB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAE9C,MAAM,QAAQ,GAAiB;YAC9B,MAAM,EAAE,YAAY,CAAC,KAAK;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACnC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC1E,OAAO,QAAQ,CAAC;IACjB,CAAC;CACD,CAAA;AA/EY,kBAAkB;IAD9B,UAAU,EAAE;qCAMQ,SAAS;GALjB,kBAAkB,CA+E9B"}

package/build/common/services/http-client.service.d.ts

@@ -0,0 +1,113 @@
+import { ModuleRef } from '@nestjs/core';
+import { LazyModuleRefService } from '../utils/lazy-getter.types.js';
+import { AppLogger } from './logger.service.js';
+/**
+ * HTTP request options.
+ */
+interface HttpRequestOptions {
+    method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH';
+    url: string;
+    headers?: Record<string, string>;
+    data?: Record<string, unknown> | string;
+    timeout?: number;
+    correlationId?: string;
+    /**
+     * Whether to reject unauthorized (self-signed) SSL/TLS certificates.
+     * Default: true (recommended for production)
+     *
+     * Security Warning: Setting this to false allows Man-in-the-Middle (MITM) attacks
+     * in production environments. Only use for development or testing with known certificates.
+     *
+     * @default true
+     */
+    rejectUnauthorized?: boolean;
+    /**
+     * Custom Certificate Authority (CA) certificate for SSL/TLS validation.
+     * Can be a PEM-encoded certificate as a string or Buffer.
+     * Useful for environments using self-signed or internal CAs.
+     *
+     * @example
+     * ```typescript
+     * const cert = fs.readFileSync('/path/to/ca.pem');
+     * await client.request({
+     *   url: 'https://internal-api.local',
+     *   ca: cert,
+     * });
+     * ```
+     */
+    ca?: Buffer | string;
+}
+/**
+ * HTTP response wrapper.
+ */
+interface HttpResponse<T = Record<string, unknown>> {
+    data: T;
+    status: number;
+    statusText: string;
+    headers: Record<string, string>;
+    duration: number;
+}
+/**
+ * HTTP Client Service.
+ * Provides a robust HTTP client with timeout handling, SSL/TLS configuration, payload size limits,
+ * and comprehensive logging with sensitive data redaction.
+ *
+ * Features:
+ * - Configurable timeouts (default: HTTP_CLIENT_TIMEOUT)
+ * - SSL/TLS certificate validation (default: strict)
+ * - Custom CA certificate support for self-signed certs
+ * - Payload size limit enforcement (10MB default)
+ * - Automatic content-type parsing (JSON, text)
+ * - Correlation ID support for request tracing
+ * - Sensitive data redaction in logs (passwords, tokens, auth headers)
+ * - Request/response duration tracking
+ *
+ * @remarks
+ * - Maximum payload size: 10MB (prevents memory exhaustion from large responses)
+ * - Timeout error handling with clear error messages
+ * - Content-type validation before JSON parsing
+ * - All sensitive headers (Authorization, Cookie, X-API-Key) redacted in logs
+ * - URLs with embedded credentials are sanitized before logging
+ *
+ * @example
+ * ```typescript
+ * // Simple GET request
+ * const response = await client.get('https://api.example.com/users');
+ *
+ * // POST with custom timeout and correlation ID
+ * const response = await client.post('https://api.example.com/users',
+ *   { name: 'John', email: 'john@example.com' },
+ *   { timeout: 5000, correlationId: 'req-123' }
+ * );
+ *
+ * // HTTPS with custom CA certificate
+ * const cert = fs.readFileSync('/path/to/ca.pem');
+ * const response = await client.get('https://internal-api.local/data', { ca: cert });
+ * ```
+ */
+export declare class HttpClientService implements LazyModuleRefService {
+    private _contextualLogger;
+    readonly Module: ModuleRef;
+    constructor(module: ModuleRef);
+    get Logger(): AppLogger;
+    /**
+     * Makes an HTTP request. URLs with embedded credentials and sensitive headers
+     * are sanitized before logging.
+     */
+    request<T = Record<string, unknown>>(options: HttpRequestOptions): Promise<HttpResponse<T>>;
+    get<T = Record<string, unknown>>(url: string, options?: Omit<HttpRequestOptions, 'method' | 'url'>): Promise<HttpResponse<T>>;
+    post<T = Record<string, unknown>>(url: string, data?: Record<string, unknown> | string, options?: Omit<HttpRequestOptions, 'method' | 'url' | 'data'>): Promise<HttpResponse<T>>;
+    put<T = Record<string, unknown>>(url: string, data?: Record<string, unknown> | string, options?: Omit<HttpRequestOptions, 'method' | 'url' | 'data'>): Promise<HttpResponse<T>>;
+    delete<T = Record<string, unknown>>(url: string, options?: Omit<HttpRequestOptions, 'method' | 'url'>): Promise<HttpResponse<T>>;
+    /**
+     * Sanitize a URL to remove embedded credentials (e.g., https://user:pass@host/)
+     */
+    private sanitizeUrl;
+    /**
+     * Redacts sensitive headers (authorization, cookies, API keys, CSRF tokens)
+     * before logging.
+     */
+    private sanitizeHeaders;
+}
+export {};
+//# sourceMappingURL=http-client.service.d.ts.map

package/build/common/services/http-client.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.service.d.ts","sourceRoot":"","sources":["../../../src/common/services/http-client.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAIhD;;GAEG;AACH,UAAU,kBAAkB;IAC3B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;;;;;;;;;OAaG;IACH,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,UAAU,YAAY,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACjD,IAAI,EAAE,CAAC,CAAC;IACR,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBACa,iBAAkB,YAAW,oBAAoB;IAC7D,OAAO,CAAC,iBAAiB,CAAwB;IAEjD,SAAgB,MAAM,EAAE,SAAS,CAAC;gBAEtB,MAAM,EAAE,SAAS;IAI7B,IAAW,MAAM,IAAI,SAAS,CAM7B;IAED;;;OAGG;IAEI,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IA8K3F,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,IAAI,CAAC,kBAAkB,EAAE,QAAQ,GAAG,KAAK,CAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAKjI,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,OAAO,GAAE,IAAI,CAAC,kBAAkB,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAKpL,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,OAAO,GAAE,IAAI,CAAC,kBAAkB,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAKnL,MAAM,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,IAAI,CAAC,kBAAkB,EAAE,QAAQ,GAAG,KAAK,CAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAI3I;;OAEG;IACH,OAAO,CAAC,WAAW;IAcnB;;;OAGG;IACH,OAAO,CAAC,eAAe;CAuBvB"}