npm - @pellux/goodvibes-sdk - Versions diffs - 0.21.29 → 0.21.33 - Mend

@pellux/goodvibes-sdk 0.21.29 → 0.21.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/_internal/platform/daemon/http/router.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { buildOperatorContract } from '../../control-plane/operator-contract.js'
 import { getProviderRuntimeSnapshot, getProviderUsageSnapshot, listProviderRuntimeSnapshots, } from '../../providers/runtime-snapshot.js';
 import { inspectKnowledgeGraphqlAccess } from '../../knowledge/index.js';
 import { emitCompanionMessageReceived } from '../../runtime/emitters/session.js';
+import { correlationCtx } from '../../runtime/correlation.js';
 import { TelemetryApiService } from '../../runtime/telemetry/api.js';
 import { inspectInboundTls, inspectOutboundTls } from '../../runtime/network/index.js';
 import { dispatchDaemonApiRoutes } from '../../control-plane/routes/index.js';
@@ -13,6 +14,7 @@ import { createDaemonKnowledgeRouteHandlers } from './knowledge-routes.js';
 import { createDaemonMediaRouteHandlers } from './media-routes.js';
 import { createDaemonRemoteRouteHandlers, handleRemotePairRequest, handleRemotePairVerify, handleRemotePeerHeartbeat, handleRemotePeerWorkPull, handleRemotePeerWorkComplete, } from './remote-routes.js';
 import { createDaemonRuntimeRouteHandlers } from './runtime-routes.js';
+import { snapshotMetrics } from '../../runtime/metrics.js';
 import { createDaemonControlRouteHandlers } from './control-routes.js';
 import { createDaemonIntegrationRouteHandlers } from './integration-routes.js';
 import { createDaemonTelemetryRouteHandlers } from './telemetry-routes.js';
@@ -40,75 +42,77 @@ export class DaemonHttpRouter {
         this.telemetryApi?.dispose();
     }
     async handleRequest(req) {
-        const url = new URL(req.url);
-        if (url.pathname === '/login' && req.method === 'POST') {
-            return this.handleLogin(req);
-        }
-        if (url.pathname === '/api/remote/pair/request' && req.method === 'POST') {
-            return handleRemotePairRequest({
-                parseJsonBody: (request) => this.parseJsonBody(request),
-                distributedRuntime: this.context.distributedRuntime,
-            }, req);
-        }
-        if (url.pathname === '/api/remote/pair/verify' && req.method === 'POST') {
-            return handleRemotePairVerify({
-                parseJsonBody: (request) => this.parseJsonBody(request),
-                distributedRuntime: this.context.distributedRuntime,
-            }, req);
-        }
-        if (url.pathname === '/api/remote/heartbeat' && req.method === 'POST') {
-            return handleRemotePeerHeartbeat({
-                parseJsonBody: (request) => this.parseJsonBody(request),
-                requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
-                distributedRuntime: this.context.distributedRuntime,
-            }, req);
-        }
-        if (url.pathname === '/api/remote/work/pull' && req.method === 'POST') {
-            return handleRemotePeerWorkPull({
-                parseJsonBody: (request) => this.parseJsonBody(request),
-                requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
-                distributedRuntime: this.context.distributedRuntime,
-            }, req);
-        }
-        const remoteWorkCompleteMatch = url.pathname.match(/^\/api\/remote\/work\/([^/]+)\/complete$/);
-        if (remoteWorkCompleteMatch && req.method === 'POST') {
-            return handleRemotePeerWorkComplete({
-                parseJsonBody: (request) => this.parseJsonBody(request),
-                requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
-                distributedRuntime: this.context.distributedRuntime,
-            }, remoteWorkCompleteMatch[1], req);
-        }
-        if (url.pathname === '/webhook/github' && req.method === 'POST') {
-            return this.handleGitHubWebhook(req);
-        }
-        if (url.pathname.startsWith('/webhook/')) {
-            const pluginResponse = await this.context.channelPlugins.handleInbound(url.pathname, req);
-            if (pluginResponse)
-                return pluginResponse;
-        }
-        if (url.pathname === '/api/control-plane/web' && req.method === 'GET') {
-            return this.context.controlPlaneGateway.renderWebUi();
-        }
-        if ((url.pathname === '/api/control-plane/auth' || url.pathname === '/api/control-plane/whoami') && req.method === 'GET') {
+        return correlationCtx.run({ requestId: req.headers.get('x-request-id') ?? crypto.randomUUID() }, async () => {
+            const url = new URL(req.url);
+            if (url.pathname === '/login' && req.method === 'POST') {
+                return this.handleLogin(req);
+            }
+            if (url.pathname === '/api/remote/pair/request' && req.method === 'POST') {
+                return handleRemotePairRequest({
+                    parseJsonBody: (request) => this.parseJsonBody(request),
+                    distributedRuntime: this.context.distributedRuntime,
+                }, req);
+            }
+            if (url.pathname === '/api/remote/pair/verify' && req.method === 'POST') {
+                return handleRemotePairVerify({
+                    parseJsonBody: (request) => this.parseJsonBody(request),
+                    distributedRuntime: this.context.distributedRuntime,
+                }, req);
+            }
+            if (url.pathname === '/api/remote/heartbeat' && req.method === 'POST') {
+                return handleRemotePeerHeartbeat({
+                    parseJsonBody: (request) => this.parseJsonBody(request),
+                    requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
+                    distributedRuntime: this.context.distributedRuntime,
+                }, req);
+            }
+            if (url.pathname === '/api/remote/work/pull' && req.method === 'POST') {
+                return handleRemotePeerWorkPull({
+                    parseJsonBody: (request) => this.parseJsonBody(request),
+                    requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
+                    distributedRuntime: this.context.distributedRuntime,
+                }, req);
+            }
+            const remoteWorkCompleteMatch = url.pathname.match(/^\/api\/remote\/work\/([^/]+)\/complete$/);
+            if (remoteWorkCompleteMatch && req.method === 'POST') {
+                return handleRemotePeerWorkComplete({
+                    parseJsonBody: (request) => this.parseJsonBody(request),
+                    requireRemotePeer: (request, scope) => this.context.requireRemotePeer(request, scope),
+                    distributedRuntime: this.context.distributedRuntime,
+                }, remoteWorkCompleteMatch[1], req);
+            }
+            if (url.pathname === '/webhook/github' && req.method === 'POST') {
+                return this.handleGitHubWebhook(req);
+            }
+            if (url.pathname.startsWith('/webhook/')) {
+                const pluginResponse = await this.context.channelPlugins.handleInbound(url.pathname, req);
+                if (pluginResponse)
+                    return pluginResponse;
+            }
+            if (url.pathname === '/api/control-plane/web' && req.method === 'GET') {
+                return this.context.controlPlaneGateway.renderWebUi();
+            }
+            if ((url.pathname === '/api/control-plane/auth' || url.pathname === '/api/control-plane/whoami') && req.method === 'GET') {
+                const apiResponse = await this.dispatchApiRoutes(req);
+                if (apiResponse)
+                    return apiResponse;
+            }
+            if (!this.context.checkAuth(req)) {
+                return jsonErrorResponse(new AppError('Authentication required', 'AUTH_REQUIRED', false, {
+                    category: 'authentication',
+                    source: 'runtime',
+                    guidance: 'Authenticate with the operator shared token or an authenticated user session before calling daemon APIs.',
+                }), { status: 401 });
+            }
             const apiResponse = await this.dispatchApiRoutes(req);
             if (apiResponse)
                 return apiResponse;
-        }
-        if (!this.context.checkAuth(req)) {
-            return jsonErrorResponse(new AppError('Authentication required', 'AUTH_REQUIRED', false, {
-                category: 'authentication',
+            return jsonErrorResponse(new AppError(`Route not found: ${url.pathname}`, 'NOT_FOUND', false, {
+                category: 'not_found',
                 source: 'runtime',
-                guidance: 'Authenticate with the operator shared token or an authenticated user session before calling daemon APIs.',
-            }), { status: 401 });
-        }
-        const apiResponse = await this.dispatchApiRoutes(req);
-        if (apiResponse)
-            return apiResponse;
-        return jsonErrorResponse(new AppError(`Route not found: ${url.pathname}`, 'NOT_FOUND', false, {
-            category: 'not_found',
-            source: 'runtime',
-            guidance: 'Check the daemon API path and version. New SDK-facing routes are published under /api/v1.',
-        }), { status: 404 });
+                guidance: 'Check the daemon API path and version. New SDK-facing routes are published under /api/v1.',
+            }), { status: 404 });
+        });
     }
     async dispatchApiRoutes(req) {
         // Companion chat routes — scoped to /api/companion/chat/..., session-isolated.
@@ -295,6 +299,7 @@ export class DaemonHttpRouter {
                     // subscribe and render the companion message in the conversation view.
                     emitCompanionMessageReceived(this.context.runtimeBus, { sessionId, traceId: `companion:${envelope.messageId}`, source: 'companion-followup' }, { sessionId, ...envelope });
                 },
+                snapshotMetrics: () => snapshotMetrics(),
                 openSessionEventStream: (req, sessionId) => {
                     // Create a session-scoped SSE stream for the companion app to receive
                     // turn events (STREAM_DELTA, TURN_COMPLETED, etc.) and agent events.
@@ -351,15 +356,34 @@ export class DaemonHttpRouter {
         });
     }
     async parseJsonBody(req) {
+        // SEC-05: cap inbound JSON bodies at 1 MiB to prevent memory exhaustion.
+        const MAX_JSON_BYTES = 1 * 1024 * 1024; // 1 MiB
+        const contentLength = req.headers.get('content-length');
+        if (contentLength !== null && Number(contentLength) > MAX_JSON_BYTES) {
+            return Response.json({ error: 'Request body too large' }, { status: 413 });
+        }
         try {
-            return await req.json();
+            const text = await req.text();
+            if (text.length > MAX_JSON_BYTES) {
+                return Response.json({ error: 'Request body too large' }, { status: 413 });
+            }
+            return this.parseJsonText(text);
         }
         catch {
             return Response.json({ error: 'Invalid JSON body' }, { status: 400 });
         }
     }
     async parseOptionalJsonBody(req) {
+        // SEC-05: cap inbound JSON bodies at 1 MiB to prevent memory exhaustion.
+        const MAX_JSON_BYTES = 1 * 1024 * 1024; // 1 MiB
+        const contentLength = req.headers.get('content-length');
+        if (contentLength !== null && Number(contentLength) > MAX_JSON_BYTES) {
+            return Response.json({ error: 'Request body too large' }, { status: 413 });
+        }
         const raw = await req.text();
+        if (raw.length > MAX_JSON_BYTES) {
+            return Response.json({ error: 'Request body too large' }, { status: 413 });
+        }
         if (!raw.trim())
             return null;
         return this.parseJsonText(raw);

package/dist/_internal/platform/daemon/http/runtime-route-types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"runtime-route-types.d.ts","sourceRoot":"","sources":["../../../../../src/_internal/platform/daemon/http/runtime-route-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uCAAuC,CAAC;AACpF,OAAO,KAAK,EAAE,yBAAyB,IAAI,4BAA4B,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9G,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;~~AAE1E~~,MAAM,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAC3C,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;CAC5C;AACD,UAAU,sBAAsB;IAC9B,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;CACtB;AACD,KAAK,eAAe,GAAG;IACrB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AACF,KAAK,iBAAiB,GAAG;IAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC;AACjD,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACpC,CAAC;AACF,UAAU,eAAe;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AACD,UAAU,oBAAoB;IAC5B,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;CAC9C;AAED,MAAM,WAAW,yBAA0B,SAAQ,IAAI,CAAC,4BAA4B,EAAE,eAAe,CAAC;IACpG,QAAQ,CAAC,aAAa,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC;IACvE,QAAQ,CAAC,qBAAqB,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,GAAG,QAAQ,CAAC,CAAC;IACtF,QAAQ,CAAC,iBAAiB,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,KAAK,QAAQ,CAAC;IACzF,QAAQ,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,GAAG,IAAI,CAAC;IACzD,QAAQ,CAAC,aAAa,EAAE;QACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,aAAa,CAAC,KAAK,EAAE;YACnB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;SACtC,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC5D,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,YAAY,CAAC,KAAK,EAAE;YAClB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;YACrC,kBAAkB,CAAC,EAAE,OAAO,CAAC;SAC9B,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC3E,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,eAAe,CAAC,KAAK,EAAE;YACrB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;SACtC,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC3E,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAChE,aAAa,CAAC,KAAK,EAAE;YACnB,EAAE,CAAC,EAAE,MAAM,CAAC;YACZ,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,WAAW,CAAC,EAAE;gBACZ,WAAW,EAAE,qBAAqB,CAAC;gBACnC,SAAS,EAAE,MAAM,CAAC;gBAClB,UAAU,CAAC,EAAE,MAAM,CAAC;gBACpB,MAAM,CAAC,EAAE,MAAM,CAAC;gBAChB,WAAW,CAAC,EAAE,MAAM,CAAC;gBACrB,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,UAAU,EAAE,MAAM,CAAC;aACpB,CAAC;SACH,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC5B,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QACnH,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE,CAAC;QACzD,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE,CAAC;QACvD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QAChE,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACjE,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;QACzE,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9H,sBAAsB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE;YAC/C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;YAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;YAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;SACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;KACtB,CAAC;IACF,QAAQ,CAAC,YAAY,EAAE;QACrB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAAC;QACnD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KAC/B,CAAC;IACF,QAAQ,CAAC,iBAAiB,EAAE;QAC1B,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QAChC,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QAChC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,GAAG,SAAS,CAAC;QAC5D,gBAAgB,CAAC,KAAK,EAAE;YAAE,MAAM,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9D,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;QAClE,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1C,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACtE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAC5F,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACxC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAC/E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACjF,oBAAoB,IAAI;YAAE,WAAW,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAC;YAAC,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAA;SAAE,CAAC;KACjI,CAAC;IACF,QAAQ,CAAC,mBAAmB,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;IACtD,QAAQ,CAAC,sBAAsB,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IAC3F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC;IACxG,QAAQ,CAAC,aAAa,EAAE;QACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS,CAAC;KAC5D,CAAC;IACF,QAAQ,CAAC,aAAa,EAAE,CAAC,KAAK,EAAE;QAC9B,IAAI,EAAE,OAAO,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,MAAM,EAAE,CAAC;QACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,eAAe,CAAC,EAAE,eAAe,CAAC;KACnC,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,eAAe,GAAG,QAAQ,CAAC;IACvE,QAAQ,CAAC,4BAA4B,EAAE,CACrC,OAAO,EAAE,sBAAsB,GAAG,SAAS,EAC3C,KAAK,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;KAAE,KACrF,IAAI,CAAC;IACV,QAAQ,CAAC,sBAAsB,EAAE,CAAC,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,GAAG,aAAa,GAAG,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,KAAK,OAAO,CAAC;IACxN,QAAQ,CAAC,oBAAoB,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACrF,QAAQ,CAAC,qBAAqB,EAAE,CAAC,MAAM,EAAE,eAAe,KAAK,IAAI,CAAC;IAClE,QAAQ,CAAC,aAAa,EAAE;QACtB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KAC3B,CAAC;IACF,QAAQ,CAAC,YAAY,EAAE;QAAE,QAAQ,IAAI;YAAE,KAAK,EAAE,oBAAoB,CAAA;SAAE,CAAA;KAAE,GAAG,IAAI,CAAC;IAC9E,QAAQ,CAAC,eAAe,EAAE;QACxB,qBAAqB,CACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,MAAM,EAAE,MAAM,GACb,IAAI,CAAC;KACT,GAAG,IAAI,CAAC;CACV;AAED,YAAY,EAAE,QAAQ,EAAE,CAAC;AAEzB,MAAM,MAAM,4BAA4B,GAAG,IAAI,CAC7C,sBAAsB,EACpB,qBAAqB,GACrB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,kBAAkB,GAClB,wBAAwB,GACxB,yBAAyB,GACzB,qBAAqB,GACrB,oBAAoB,GACpB,qBAAqB,GACrB,yBAAyB,GACzB,qBAAqB,GACrB,UAAU,GACV,kBAAkB,GAClB,oBAAoB,GACpB,qBAAqB,GACrB,0BAA0B,GAC1B,wBAAwB,GACxB,0BAA0B,GAC1B,wBAAwB,GACxB,2BAA2B,GAC3B,0BAA0B,GAC1B,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,cAAc,GACd,cAAc,GACd,gBAAgB,GAChB,oBAAoB,GACpB,gBAAgB,GAChB,sBAAsB,CACzB,CAAC"}
1	+ {"version":3,"file":"runtime-route-types.d.ts","sourceRoot":"","sources":["../../../../../src/_internal/platform/daemon/http/runtime-route-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uCAAuC,CAAC;AACpF,OAAO,KAAK,EAAE,yBAAyB,IAAI,4BAA4B,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9G,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAU1E,MAAM,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAC3C,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;CAC5C;AACD,UAAU,sBAAsB;IAC9B,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;CACtB;AACD,KAAK,eAAe,GAAG;IACrB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AACF,KAAK,iBAAiB,GAAG;IAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC;AACjD,KAAK,iBAAiB,GAAG;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACpC,CAAC;AACF,UAAU,eAAe;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AACD,UAAU,oBAAoB;IAC5B,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;CAC9C;AAED,MAAM,WAAW,yBAA0B,SAAQ,IAAI,CAAC,4BAA4B,EAAE,eAAe,CAAC;IACpG,QAAQ,CAAC,aAAa,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC;IACvE,QAAQ,CAAC,qBAAqB,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,GAAG,QAAQ,CAAC,CAAC;IACtF,QAAQ,CAAC,iBAAiB,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,KAAK,QAAQ,CAAC;IACzF,QAAQ,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,GAAG,IAAI,CAAC;IACzD,QAAQ,CAAC,aAAa,EAAE;QACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,aAAa,CAAC,KAAK,EAAE;YACnB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;SACtC,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC5D,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,YAAY,CAAC,KAAK,EAAE;YAClB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;YACrC,kBAAkB,CAAC,EAAE,OAAO,CAAC;SAC9B,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC3E,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,eAAe,CAAC,KAAK,EAAE;YACrB,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,qBAAqB,CAAC;YACnC,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,OAAO,CAAC,EAAE,0BAA0B,CAAC;SACtC,GAAG,OAAO,CAAC;YACV,IAAI,EAAE,gBAAgB,GAAG,OAAO,GAAG,kBAAkB,GAAG,UAAU,CAAC;YACnE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,OAAO,CAAC,EAAE,0BAA0B,CAAA;aAAE,CAAC;YAC3E,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YACxC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;SACvB,CAAC,CAAC;QACH,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAChE,aAAa,CAAC,KAAK,EAAE;YACnB,EAAE,CAAC,EAAE,MAAM,CAAC;YACZ,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnC,YAAY,CAAC,EAAE,sBAAsB,CAAC;YACtC,WAAW,CAAC,EAAE;gBACZ,WAAW,EAAE,qBAAqB,CAAC;gBACnC,SAAS,EAAE,MAAM,CAAC;gBAClB,UAAU,CAAC,EAAE,MAAM,CAAC;gBACpB,MAAM,CAAC,EAAE,MAAM,CAAC;gBAChB,WAAW,CAAC,EAAE,MAAM,CAAC;gBACrB,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,UAAU,EAAE,MAAM,CAAC;aACpB,CAAC;SACH,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC5B,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QACnH,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE,CAAC;QACzD,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE,CAAC;QACvD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QAChE,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACjE,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;QACzE,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9H,sBAAsB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE;YAC/C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;YAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;YAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;SACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;KACtB,CAAC;IACF,QAAQ,CAAC,YAAY,EAAE;QACrB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAAC;QACnD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KAC/B,CAAC;IACF,QAAQ,CAAC,iBAAiB,EAAE;QAC1B,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QAChC,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QAChC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,GAAG,SAAS,CAAC;QAC5D,gBAAgB,CAAC,KAAK,EAAE;YAAE,MAAM,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9D,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;QAClE,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1C,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACtE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAC5F,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACxC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAC/E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACjF,oBAAoB,IAAI;YAAE,WAAW,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAC;YAAC,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAA;SAAE,CAAC;KACjI,CAAC;IACF,QAAQ,CAAC,mBAAmB,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;IACtD,QAAQ,CAAC,sBAAsB,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IAC3F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC;IACxG,QAAQ,CAAC,aAAa,EAAE;QACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS,CAAC;KAC5D,CAAC;IACF,QAAQ,CAAC,aAAa,EAAE,CAAC,KAAK,EAAE;QAC9B,IAAI,EAAE,OAAO,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,MAAM,EAAE,CAAC;QACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,eAAe,CAAC,EAAE,eAAe,CAAC;KACnC,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,eAAe,GAAG,QAAQ,CAAC;IACvE,QAAQ,CAAC,4BAA4B,EAAE,CACrC,OAAO,EAAE,sBAAsB,GAAG,SAAS,EAC3C,KAAK,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;KAAE,KACrF,IAAI,CAAC;IACV,QAAQ,CAAC,sBAAsB,EAAE,CAAC,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,GAAG,aAAa,GAAG,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,KAAK,OAAO,CAAC;IACxN,QAAQ,CAAC,oBAAoB,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACrF,QAAQ,CAAC,qBAAqB,EAAE,CAAC,MAAM,EAAE,eAAe,KAAK,IAAI,CAAC;IAClE,QAAQ,CAAC,aAAa,EAAE;QACtB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KAC3B,CAAC;IACF,QAAQ,CAAC,YAAY,EAAE;QAAE,QAAQ,IAAI;YAAE,KAAK,EAAE,oBAAoB,CAAA;SAAE,CAAA;KAAE,GAAG,IAAI,CAAC;IAC9E,QAAQ,CAAC,eAAe,EAAE;QACxB,qBAAqB,CACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,MAAM,EAAE,MAAM,GACb,IAAI,CAAC;KACT,GAAG,IAAI,CAAC;CACV;AAED,YAAY,EAAE,QAAQ,EAAE,CAAC;AAEzB,MAAM,MAAM,4BAA4B,GAAG,IAAI,CAC7C,sBAAsB,EACpB,qBAAqB,GACrB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,kBAAkB,GAClB,wBAAwB,GACxB,yBAAyB,GACzB,qBAAqB,GACrB,oBAAoB,GACpB,qBAAqB,GACrB,yBAAyB,GACzB,qBAAqB,GACrB,UAAU,GACV,kBAAkB,GAClB,oBAAoB,GACpB,qBAAqB,GACrB,0BAA0B,GAC1B,wBAAwB,GACxB,0BAA0B,GAC1B,wBAAwB,GACxB,2BAA2B,GAC3B,0BAA0B,GAC1B,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,cAAc,GACd,cAAc,GACd,gBAAgB,GAChB,oBAAoB,GACpB,gBAAgB,GAChB,sBAAsB,CACzB,CAAC"}

package/dist/_internal/platform/daemon/http-listener.d.ts CHANGED Viewed

@@ -18,6 +18,17 @@ interface HttpListenerConfig {
      * reverse proxy. Overrides the httpListener.trustProxy config value when set.
      */
     trustProxy?: boolean;
+    /**
+     * When true, CORS enforcement is active:
+     *   - Constructor refuses to start when hostMode=network and allowedOrigins is empty
+     *   - Requests carrying an Origin header are validated against allowedOrigins
+     * Default: false (permissive — no CORS enforcement). Opt-in for multi-user,
+     * internet-exposed, or enterprise deployments where browser-based CSRF is a
+     * concern. Home/single-user local deployments do not need this and the default
+     * behavior matches pre-0.21.29 semantics. When true, allowedOrigins must be
+     * configured (or hostMode must be local/loopback) — see SEC-07.
+     */
+    enforceCors?: boolean;
     /** Pre-configured UserAuthManager owned by the runtime service graph. */
     userAuth: UserAuthManager;
 }
@@ -40,6 +51,8 @@ export declare class HttpListener {
     private port;
     private host;
     private allowedOrigins;
+    /** SEC-07: opt-in strict CORS enforcement. Default false (permissive). */
+    private enforceCors;
     private hookDispatcher;
     private authToken;
     private userAuth;
@@ -90,6 +103,7 @@ export declare class HttpListener {
     private checkAuth;
     private parseJsonBody;
     private handleRequest;
+    private _handleRequestInner;
     private handleLogin;
     private handleWebhook;
 }

package/dist/_internal/platform/daemon/http-listener.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"http-listener.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/daemon/http-listener.ts"],"names":[],"mappings":"~~AACA~~,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAMxD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;~~AAWrD~~,UAAU,kBAAkB;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,aAAa,EAAE,aAAa,CAAC;IAC7B,YAAY,CAAC,EAAE,OAAO,GAAG,CAAC,KAAK,CAAC;IAChC,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,yEAAyE;IACzE,QAAQ,EAAE,eAAe,CAAC;CAC3B;AAED,UAAU,gBAAgB;IACxB,YAAY,EAAE,OAAO,CAAC;CACvB;~~AA0ED~~;;;;;;;;GAQG;AACH,qBAAa,YAAY;~~IA0BX~~,OAAO,CAAC,MAAM;~~IAzB1B~~,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAA6C;IAC3D,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,cAAc,CAAW;IACjC,OAAO,CAAC,cAAc,CAAwB;IAC9C,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,WAAW,CAAc;IACjC,6DAA6D;IAC7D,OAAO,CAAC,gBAAgB,CAAc;IACtC,6EAA6E;IAC7E,OAAO,CAAC,UAAU,CAAU;IAC5B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAmB;IAChD,OAAO,CAAC,QAAQ,CAA0C;IAC1D,4EAA4E;IAC5E,OAAO,CAAC,iBAAiB,CAA6B;IACtD,gFAAgF;IAChF,OAAO,CAAC,WAAW,CAAS;IAC5B,sEAAsE;IACtE,OAAO,CAAC,kBAAkB,CAA8B;IACxD,0FAA0F;IAC1F,OAAO,CAAC,aAAa,CAAS;gBAEV,MAAM,EAAE,kBAAkB;~~IAiC9C~~;;;;OAIG;IACH,MAAM,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO;IAU/D;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAKrC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqB3B;;;OAGG;IACH,OAAO,CAAC,gCAAgC;IAwDxC;;OAEG;IACH,IAAI,SAAS,IAAI,OAAO,CAEvB;IAMD,OAAO,CAAC,SAAS;YAOH,aAAa;~~YAYb~~,aAAa;~~YA0Db~~,WAAW;~~YA6BX~~,aAAa;CAgD5B"}
1	+ {"version":3,"file":"http-listener.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/daemon/http-listener.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAMxD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAYrD,UAAU,kBAAkB;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,aAAa,EAAE,aAAa,CAAC;IAC7B,YAAY,CAAC,EAAE,OAAO,GAAG,CAAC,KAAK,CAAC;IAChC,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,yEAAyE;IACzE,QAAQ,EAAE,eAAe,CAAC;CAC3B;AAED,UAAU,gBAAgB;IACxB,YAAY,EAAE,OAAO,CAAC;CACvB;AAMD;;;;;;;;GAQG;AACH,qBAAa,YAAY;IA4BX,OAAO,CAAC,MAAM;IA3B1B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAA6C;IAC3D,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,cAAc,CAAW;IACjC,0EAA0E;IAC1E,OAAO,CAAC,WAAW,CAAU;IAC7B,OAAO,CAAC,cAAc,CAAwB;IAC9C,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,WAAW,CAAc;IACjC,6DAA6D;IAC7D,OAAO,CAAC,gBAAgB,CAAc;IACtC,6EAA6E;IAC7E,OAAO,CAAC,UAAU,CAAU;IAC5B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAmB;IAChD,OAAO,CAAC,QAAQ,CAA0C;IAC1D,4EAA4E;IAC5E,OAAO,CAAC,iBAAiB,CAA6B;IACtD,gFAAgF;IAChF,OAAO,CAAC,WAAW,CAAS;IAC5B,sEAAsE;IACtE,OAAO,CAAC,kBAAkB,CAA8B;IACxD,0FAA0F;IAC1F,OAAO,CAAC,aAAa,CAAS;gBAEV,MAAM,EAAE,kBAAkB;IAoC9C;;;;OAIG;IACH,MAAM,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO;IAU/D;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAKrC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqB3B;;;OAGG;IACH,OAAO,CAAC,gCAAgC;IAwDxC;;OAEG;IACH,IAAI,SAAS,IAAI,OAAO,CAEvB;IAMD,OAAO,CAAC,SAAS;YAOH,aAAa;YAsBb,aAAa;YAiCb,mBAAmB;YA4DnB,WAAW;YAiDX,aAAa;CAgD5B"}

package/dist/_internal/platform/daemon/http-listener.js CHANGED Viewed

@@ -1,4 +1,6 @@
+import { randomUUID } from 'node:crypto';
 import { logger } from '../utils/logger.js';
+import { authFailureTotal, authSuccessTotal, httpRequestDurationMs, httpRequestsTotal, } from '../runtime/metrics.js';
 import { HookDispatcher } from '../hooks/dispatcher.js';
 import { authenticateOperatorRequest, buildOperatorSessionCookie, } from '../security/http-auth.js';
 import { UserAuthManager } from '../security/user-auth.js';
@@ -8,68 +10,7 @@ import { summarizeError } from '../utils/error-display.js';
 import { requirePortAvailable } from './port-check.js';
 import { resolveHostBinding } from './host-resolver.js';
 import { createHostModeRestartWatcher } from './host-mode-watcher.js';
-// ---------------------------------------------------------------------------
-// Rate limiter (sliding window per IP, in-memory)
-// ---------------------------------------------------------------------------
-const RATE_WINDOW_MS = 60_000;
-/** Entries older than this are eligible for TTL eviction. Default: 10 minutes. */
-const RATE_TTL_MS = 10 * 60_000;
-/** Maximum number of IP entries kept in the limiter at any time (LRU eviction). */
-const RATE_MAX_ENTRIES = 10_000;
-/** How often the background sweep runs to evict expired entries (ms). */
-const RATE_SWEEP_INTERVAL_MS = 60_000;
-class RateLimiter {
-    limit;
-    /** hits[ip] = sorted ascending array of request timestamps within the window */
-    counts = new Map();
-    /** Insertion-order LRU: tracks which IP was most recently active */
-    accessOrder = [];
-    sweepInterval = null;
-    constructor(limit) {
-        this.limit = limit;
-        // Periodic sweep to evict entries whose TTL has expired (C5 fix)
-        this.sweepInterval = setInterval(() => this._sweep(), RATE_SWEEP_INTERVAL_MS);
-    }
-    /** Returns true if the request is allowed, false if rate-limited. */
-    check(ip) {
-        const now = Date.now();
-        const windowStart = now - RATE_WINDOW_MS;
-        const hits = (this.counts.get(ip) ?? []).filter((t) => t > windowStart);
-        hits.push(now);
-        this.counts.set(ip, hits);
-        // Maintain LRU access order
-        const idx = this.accessOrder.indexOf(ip);
-        if (idx !== -1)
-            this.accessOrder.splice(idx, 1);
-        this.accessOrder.push(ip);
-        // Evict oldest entry when cap is exceeded
-        if (this.accessOrder.length > RATE_MAX_ENTRIES) {
-            const evict = this.accessOrder.shift();
-            this.counts.delete(evict);
-        }
-        return hits.length <= this.limit;
-    }
-    /** Stop the background sweep interval. Call this when the listener stops. */
-    stop() {
-        if (this.sweepInterval !== null) {
-            clearInterval(this.sweepInterval);
-            this.sweepInterval = null;
-        }
-    }
-    /** Evict entries whose last-seen timestamp is older than RATE_TTL_MS. */
-    _sweep() {
-        const cutoff = Date.now() - RATE_TTL_MS;
-        for (const [ip, hits] of this.counts) {
-            // If the most recent hit is older than TTL, the entry is stale
-            if (hits.length === 0 || hits[hits.length - 1] < cutoff) {
-                this.counts.delete(ip);
-                const idx = this.accessOrder.indexOf(ip);
-                if (idx !== -1)
-                    this.accessOrder.splice(idx, 1);
-            }
-        }
-    }
-}
+import { RateLimiter } from './http/rate-limiter.js';
 // ---------------------------------------------------------------------------
 // HttpListener
 // ---------------------------------------------------------------------------
@@ -89,6 +30,8 @@ export class HttpListener {
     port;
     host;
     allowedOrigins;
+    /** SEC-07: opt-in strict CORS enforcement. Default false (permissive). */
+    enforceCors;
     hookDispatcher;
     authToken = null;
     userAuth;
@@ -115,14 +58,17 @@ export class HttpListener {
         this.port = config.port ?? resolvedHttpBinding.port;
         this.host = config.host ?? resolvedHttpBinding.host;
         this.allowedOrigins = config.allowedOrigins ?? [];
-        // SEC-07: Refuse to construct when hostMode=network and allowedOrigins is not configured.
-        // An empty allowedOrigins combined with a network-reachable bind is an open CSRF vector —
-        // any browser-initiated cross-origin request will carry an Origin header and be accepted.
-        const effectiveHostMode = this.configManager.get('httpListener.hostMode') ?? 'local';
-        if (effectiveHostMode === 'network' && this.allowedOrigins.length === 0) {
-            throw new Error('SECURITY_UNSAFE_ORIGIN_CONFIG: hostMode=network requires non-empty allowedOrigins to prevent CSRF. '
-                + 'Set config.httpListener.allowedOrigins to a list of trusted origins '
-                + "(e.g. ['https://companion.example.com']).");
+        this.enforceCors = config.enforceCors ?? false;
+        // SEC-07: When enforceCors is true, refuse to construct with hostMode=network + empty allowedOrigins.
+        // Off by default — home and single-user local deployments don't need CORS enforcement.
+        // Enterprise / multi-user / internet-exposed deployments set enforceCors: true to gate against CSRF.
+        if (this.enforceCors) {
+            const effectiveHostMode = this.configManager.get('httpListener.hostMode') ?? 'local';
+            if (effectiveHostMode === 'network' && this.allowedOrigins.length === 0) {
+                throw new Error('SECURITY_UNSAFE_ORIGIN_CONFIG: hostMode=network with enforceCors=true requires non-empty allowedOrigins. '
+                    + 'Set config.httpListener.allowedOrigins to a list of trusted origins '
+                    + "(e.g. ['https://companion.example.com']), or leave enforceCors unset for permissive mode.");
+            }
         }
         this.hookDispatcher = config.hookDispatcher ?? null;
         this.userAuth = config.userAuth;
@@ -288,8 +234,18 @@ export class HttpListener {
         }) !== null;
     }
     async parseJsonBody(req) {
+        // SEC-05: cap inbound JSON bodies at 1 MiB to prevent memory exhaustion.
+        const MAX_JSON_BYTES = 1 * 1024 * 1024; // 1 MiB
+        const contentLength = req.headers.get('content-length');
+        if (contentLength !== null && Number(contentLength) > MAX_JSON_BYTES) {
+            return Response.json({ error: 'Request body too large' }, { status: 413 });
+        }
         try {
-            return await req.json();
+            const text = await req.text();
+            if (text.length > MAX_JSON_BYTES) {
+                return Response.json({ error: 'Request body too large' }, { status: 413 });
+            }
+            return JSON.parse(text);
         }
         catch {
             return Response.json({ error: 'Invalid JSON body' }, { status: 400 });
@@ -299,23 +255,53 @@ export class HttpListener {
     // Request handling
     // -------------------------------------------------------------------------
     async handleRequest(req) {
+        const requestId = randomUUID();
+        const startMs = Date.now();
         const url = new URL(req.url);
         const clientIp = extractForwardedClientIp(req, this.trustProxy || (this.tlsState?.trustProxy ?? false)) ?? 'unknown';
-        // SEC-07: CORS origin check applies to ALL paths (including /login).
-        // Logic:
+        let response = null;
+        try {
+            response = await this._handleRequestInner(req, url, clientIp, requestId);
+            return response;
+        }
+        finally {
+            const status = response?.status ?? 500;
+            const latencyMs = Date.now() - startMs;
+            // OBS-01: structured HTTP access log — SIEM-ingestable
+            logger.info('HTTP_ACCESS_LOG', {
+                type: 'HTTP_ACCESS_LOG',
+                requestId,
+                method: req.method,
+                path: url.pathname,
+                status,
+                latencyMs,
+                clientIp,
+            });
+            // C-1: record HTTP metric instruments
+            const statusClass = status >= 500 ? '5xx' : status >= 400 ? '4xx' : '2xx';
+            const pathPattern = url.pathname.replace(/\/[0-9a-f-]{8,}(?=\/|$)/gi, '/:id');
+            httpRequestsTotal.add(1, { method: req.method, status_class: statusClass });
+            httpRequestDurationMs.record(latencyMs, { method: req.method, path_pattern: pathPattern, status_class: statusClass });
+        }
+    }
+    async _handleRequestInner(req, url, clientIp, requestId) {
+        // SEC-07: CORS origin check is OPT-IN via enforceCors. Default is permissive
+        // (home/single-user deployments) — pre-0.21.29 behavior preserved. When
+        // enforceCors is true:
         //   - No Origin header → same-origin or non-browser request → allow.
-        //   - Origin present + allowedOrigins empty → no allowlist configured; block to
-        //     prevent CSRF even when hostMode is not 'network' (e.g. 'auto' with a
-        //     network-reachable bind). Constructor already refuses hostMode=network with
-        //     empty allowedOrigins at startup, but defence-in-depth covers the request path.
+        //   - Origin present + allowedOrigins empty → no allowlist configured; 403 CORS_NOT_CONFIGURED.
+        //     (Constructor already refuses hostMode=network + empty allowlist at startup; this is
+        //     defence-in-depth for non-network modes configured with enforceCors.)
         //   - Origin present + allowedOrigins non-empty → check allowlist.
-        const origin = req.headers.get('origin');
-        if (origin !== null) {
-            if (this.allowedOrigins.length === 0) {
-                return Response.json({ error: 'CORS_NOT_CONFIGURED: no allowedOrigins set' }, { status: 403 });
-            }
-            if (!this.allowedOrigins.includes(origin)) {
-                return Response.json({ error: 'ORIGIN_NOT_ALLOWED' }, { status: 403 });
+        if (this.enforceCors) {
+            const origin = req.headers.get('origin');
+            if (origin !== null) {
+                if (this.allowedOrigins.length === 0) {
+                    return Response.json({ error: 'CORS_NOT_CONFIGURED: no allowedOrigins set' }, { status: 403 });
+                }
+                if (!this.allowedOrigins.includes(origin)) {
+                    return Response.json({ error: 'ORIGIN_NOT_ALLOWED' }, { status: 403 });
+                }
             }
         }
         // SEC-03: /login route handled AFTER origin check and under its own tight
@@ -325,7 +311,7 @@ export class HttpListener {
             if (!this.loginRateLimiter.check(clientIp)) {
                 return Response.json({ error: 'Too many requests' }, { status: 429 });
             }
-            return this.handleLogin(req);
+            return this.handleLogin(req, clientIp, requestId);
         }
         // General rate limiting for all other routes.
         if (!this.rateLimiter.check(clientIp)) {
@@ -344,7 +330,7 @@ export class HttpListener {
         }
         return Response.json({ error: 'Not found' }, { status: 404 });
     }
-    async handleLogin(req) {
+    async handleLogin(req, clientIp, requestId) {
         const body = await this.parseJsonBody(req);
         if (body instanceof Response)
             return body;
@@ -352,9 +338,29 @@ export class HttpListener {
         const password = typeof body.password === 'string' ? body.password : '';
         const user = this.userAuth.authenticate(username, password);
         if (!user) {
+            // OBS-02: AUTH_FAILED — never log credential values
+            logger.warn('AUTH_FAILED', {
+                type: 'AUTH_FAILED',
+                requestId,
+                usernameAttempted: username,
+                clientIp,
+                reason: 'invalid_credentials',
+            });
+            // C-1: record auth failure metric
+            authFailureTotal.add(1);
             return Response.json({ error: 'Invalid credentials' }, { status: 401 });
         }
         const session = this.userAuth.createSession(user.username);
+        // OBS-02: AUTH_SUCCEEDED — never log credential values
+        // C-1: record auth success metric
+        authSuccessTotal.add(1);
+        logger.info('AUTH_SUCCEEDED', {
+            type: 'AUTH_SUCCEEDED',
+            requestId,
+            username: user.username,
+            clientIp,
+            method: 'password',
+        });
         return Response.json({
             authenticated: true,
             token: session.token,

package/dist/_internal/platform/daemon/surface-delivery.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"surface-delivery.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/daemon/surface-delivery.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAK7G,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;~~AAGtD~~,KAAK,eAAe,GAChB,OAAO,GACP,SAAS,GACT,MAAM,GACN,SAAS,GACT,UAAU,GACV,aAAa,GACb,QAAQ,GACR,UAAU,GACV,UAAU,GACV,SAAS,GACT,aAAa,GACb,YAAY,GACZ,QAAQ,CAAC;AAEb,KAAK,YAAY,GAAG,OAAO,kDAAkD,EAAE,sBAAsB,CAAC;AAkBtG,UAAU,iBAAiB;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,UAAU,iBAAkB,SAAQ,iBAAiB;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,mBAAmB,CAAC,mBAAmB,CAAC,CAAC;CACvE;AAED,UAAU,4BAA4B;IACpC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IACjE,QAAQ,CAAC,oBAAoB,EAAE,oBAAoB,CAAC;IACpD,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,cAAc,EAAE,qBAAqB,CAAC;IAC/C,QAAQ,CAAC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACxC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC;CACxE;AAED,qBAAa,2BAA2B;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,4BAA4B;IAElE,4BAA4B,CAAC,OAAO,EAAE,YAAY,GAAG,SAAS,EAAE,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAU/F,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAgB3C,yBAAyB,CAAC,qBAAqB,EAAE,CAAC,MAAM,EAAE,OAAO,yBAAyB,EAAE,WAAW,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAuDhI,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CrF,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwBpF,wBAAwB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBtF,qBAAqB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAqBnF,wBAAwB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtF,oBAAoB,CAAC,QAAQ,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCzE,kBAAkB,CAAC,KAAK,EAAE;QAAE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM,GAAG,SAAS;IAS5G,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IAKxD,OAAO,CAAC,wBAAwB;IAmE1B,0BAA0B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAyChG,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAyBlG,yBAAyB,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB/F,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;CA0BzG"}
1	+ {"version":3,"file":"surface-delivery.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/daemon/surface-delivery.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAK7G,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAItD,KAAK,eAAe,GAChB,OAAO,GACP,SAAS,GACT,MAAM,GACN,SAAS,GACT,UAAU,GACV,aAAa,GACb,QAAQ,GACR,UAAU,GACV,UAAU,GACV,SAAS,GACT,aAAa,GACb,YAAY,GACZ,QAAQ,CAAC;AAEb,KAAK,YAAY,GAAG,OAAO,kDAAkD,EAAE,sBAAsB,CAAC;AAkBtG,UAAU,iBAAiB;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,UAAU,iBAAkB,SAAQ,iBAAiB;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,mBAAmB,CAAC,mBAAmB,CAAC,CAAC;CACvE;AAED,UAAU,4BAA4B;IACpC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IACjE,QAAQ,CAAC,oBAAoB,EAAE,oBAAoB,CAAC;IACpD,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,cAAc,EAAE,qBAAqB,CAAC;IAC/C,QAAQ,CAAC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACxC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC;CACxE;AAED,qBAAa,2BAA2B;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,4BAA4B;IAElE,4BAA4B,CAAC,OAAO,EAAE,YAAY,GAAG,SAAS,EAAE,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAU/F,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAgB3C,yBAAyB,CAAC,qBAAqB,EAAE,CAAC,MAAM,EAAE,OAAO,yBAAyB,EAAE,WAAW,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAuDhI,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CrF,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwBpF,wBAAwB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBtF,qBAAqB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAqBnF,wBAAwB,CAAC,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtF,oBAAoB,CAAC,QAAQ,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCzE,kBAAkB,CAAC,KAAK,EAAE;QAAE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM,GAAG,SAAS;IAS5G,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IAKxD,OAAO,CAAC,wBAAwB;IAmE1B,0BAA0B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAyChG,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAyBlG,yBAAyB,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB/F,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;CA0BzG"}

package/dist/_internal/platform/daemon/surface-delivery.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { SlackIntegration, DiscordIntegration, NtfyIntegration } from '../integr
 import { logger } from '../utils/logger.js';
 import { validatePublicWebhookUrl } from '../utils/url-safety.js';
 import { summarizeError } from '../utils/error-display.js';
+import { instrumentedFetch } from '../utils/fetch-with-timeout.js';
 function isSupportedDeliverySurface(surface) {
     return surface === 'slack'
         || surface === 'discord'
@@ -116,7 +117,7 @@ export class DaemonSurfaceDeliveryHelper {
                 ?? process.env.SLACK_BOT_TOKEN;
             const slack = new SlackIntegration(webhookUrl ?? undefined, botToken ?? undefined);
             if (pending.responseUrl) {
-                await fetch(pending.responseUrl, {
+                await instrumentedFetch(pending.responseUrl, {
                     method: 'POST',
                     headers: { 'Content-Type': 'application/json' },
                     body: JSON.stringify({
@@ -153,7 +154,7 @@ export class DaemonSurfaceDeliveryHelper {
             ?? process.env.SLACK_BOT_TOKEN;
         const slack = new SlackIntegration(webhookUrl ?? undefined, botToken ?? undefined);
         if (pending.responseUrl) {
-            await fetch(pending.responseUrl, {
+            await instrumentedFetch(pending.responseUrl, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({
@@ -237,7 +238,7 @@ export class DaemonSurfaceDeliveryHelper {
         else if (secret && pending.callbackSignature === 'shared-secret') {
             headers.set('X-Goodvibes-Webhook-Secret', secret);
         }
-        await fetch(validation.url, {
+        await instrumentedFetch(validation.url, {
             method: 'POST',
             headers,
             signal: AbortSignal.timeout(timeoutMs),
@@ -379,7 +380,7 @@ export class DaemonSurfaceDeliveryHelper {
             ]
             : undefined;
         if (typeof binding.metadata.responseUrl === 'string' && binding.metadata.responseUrl.startsWith('https://')) {
-            await fetch(binding.metadata.responseUrl, {
+            await instrumentedFetch(binding.metadata.responseUrl, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({
@@ -450,7 +451,7 @@ export class DaemonSurfaceDeliveryHelper {
         if (secret) {
             headers.set('X-Goodvibes-Signature', this.signWebhookPayload(payload, secret));
         }
-        await fetch(validation.url, {
+        await instrumentedFetch(validation.url, {
             method: 'POST',
             headers,
             body: payload,

package/dist/_internal/platform/discovery/mcp-scanner.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mcp-scanner.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/discovery/mcp-scanner.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAIlE,MAAM,WAAW,kBAAkB;IACjC,wDAAwD;IACxD,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,kCAAkC;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAAC,gBAAgB,EAAE,kBAAkB,GAAG,eAAe,CAAC,GAAG;IAC7F,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,CAAC;AA4KF;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,iBAAiB,EACxB,eAAe,GAAE,GAAG,CAAC,MAAM,CAAa,GACvC,OAAO,CAAC,kBAAkB,CAAC,~~CAiC7B~~"}
1	+ {"version":3,"file":"mcp-scanner.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/discovery/mcp-scanner.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAIlE,MAAM,WAAW,kBAAkB;IACjC,wDAAwD;IACxD,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,kCAAkC;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAAC,gBAAgB,EAAE,kBAAkB,GAAG,eAAe,CAAC,GAAG;IAC7F,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,CAAC;AA4KF;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,iBAAiB,EACxB,eAAe,GAAE,GAAG,CAAC,MAAM,CAAa,GACvC,OAAO,CAAC,kBAAkB,CAAC,CAwC7B"}