@queno/agent-node 0.1.2

package/dist/transport/secure-request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-request.js","sourceRoot":"","sources":["../../src/transport/secure-request.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAmBzC,SAAS,WAAW,CAAC,EAAU;IAC7B,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,eAAe,CAAC,IAAqB;IAC5C,2CAA2C;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC7D,CAAC;AAWD;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,KAAyB;IACrD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;IAC7D,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAExC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAElE,MAAM,OAAO,GAAyB;YACpC,MAAM;YACN,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACpC,IAAI,EAAE,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM;YAC3B,OAAO;YACP,GAAG,CAAC,OAAO;gBACT,CAAC,CAAC;oBACE,EAAE,EAAE,GAAG,CAAC,MAAM;oBACd,IAAI,EAAE,GAAG,CAAC,UAAU;oBACpB,GAAG,EAAE,GAAG,CAAC,SAAS;oBAClB,kBAAkB,EAAE,GAAG,CAAC,kBAAkB,IAAI,IAAI;oBAClD,0CAA0C;oBAC1C,mBAAmB,EAAE,CAAC,IAAY,EAAE,IAAqB,EAAqB,EAAE;wBAC9E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;4BAAE,OAAO,SAAS,CAAC;wBAC1C,MAAM,EAAE,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;wBACjC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;4BACzB,OAAO,IAAI,KAAK,CACd,uEAAuE,IAAI,GAAG,CAC/E,CAAC;wBACJ,CAAC;wBACD,OAAO,SAAS,CAAC;oBACnB,CAAC;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QAEF,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QACzC,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC7C,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACpD,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC;gBACnC,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;oBAClC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,QAAQ,WAAW,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC9E,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,CAAC,GAAY,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,UAAU,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC,CAAC,CAAC;QAC5F,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,sEAAsE;QACtE,GAAG,CAAC,EAAE,CAAC,eAAwB,EAAE,GAAG,EAAE;YACpC,MAAM,MAAM,GAAG,GAAG,CAAC,MAA+B,CAAC;YACnD,IAAI,MAAM,IAAI,OAAO,IAAI,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;gBAChF,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,wCAAwC,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,IAAI;YAAE,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,311 @@
+/**
+ * Public type definitions for `@queno/agent-node`.
+ *
+ * These types form the contract between:
+ *  - the customer application (RaspConfig, NormalizedRequest),
+ *  - the framework integrations (Express/Fastify/NestJS adapters),
+ *  - the bundled detectors (DetectionResult),
+ *  - the collector backend (EventPayload, HeartbeatPayload, HeartbeatResponse),
+ *  - the local redaction audit log (RedactionAuditEntry).
+ */
+/** Detection severity, ordered from worst to least severe. */
+export type Severity = "critical" | "high" | "medium" | "low";
+/**
+ * Agent enforcement mode.
+ *
+ * - `monitor` (default): detections are recorded and reported but the request
+ *   is allowed to continue.
+ * - `block`: detections cause the integration to respond with HTTP 403.
+ */
+export type AgentMode = "monitor" | "block";
+/**
+ * Self-reported agent health, sent on every heartbeat.
+ *
+ * - `healthy`: agent is operating normally.
+ * - `degraded`: agent is running but a non-fatal subsystem has issues.
+ * - `error`: agent is in a broken state but still attempting to report.
+ */
+export type AgentStatus = "healthy" | "degraded" | "error";
+/**
+ * Runtime configuration accepted by {@link RaspAgent}.
+ *
+ * Only `apiKey`, `projectId` and `agentId` are mandatory. All other fields
+ * have sensible defaults applied by the Zod schema in `config.ts`.
+ */
+export interface RaspConfig {
+    /** Bearer API key issued by the RASP dashboard. Sent as `Authorization: Bearer <key>`. */
+    apiKey: string;
+    /** Project ID from the RASP dashboard. Scopes all telemetry to a tenant. */
+    projectId: string;
+    /** Stable identifier for this agent instance (e.g. hostname or pod name). */
+    agentId: string;
+    /** Free-form agent version string, echoed back in telemetry for debugging. */
+    agentVersion?: string;
+    /** Enforcement mode. Defaults to `monitor` - see {@link AgentMode}. */
+    mode?: AgentMode;
+    /** Stability channel for policy/version distribution. Default `stable`. */
+    channel?: "stable" | "early" | "edge";
+    /** Heartbeat interval in ms. Min 5_000, default 30_000. */
+    heartbeatIntervalMs?: number;
+    /** Buffer flush interval in ms. Min 1_000, default 5_000. */
+    flushIntervalMs?: number;
+    /** Max events held in the buffer before a forced flush. Min 1, default 50. */
+    bufferMaxSize?: number;
+    /** HTTP request timeout to the collector in ms. Min 500, default 5_000. */
+    transportTimeoutMs?: number;
+    /** Whether to write the local redaction audit log. Default true. */
+    auditLog?: boolean;
+    /** Filesystem path for the local audit log. Default `./rasp-audit.log`. */
+    auditLogPath?: string;
+    /** Max audit log file size in bytes before rotation. Default 10 MB. */
+    auditLogMaxBytes?: number;
+    /** Framework hint included in telemetry (e.g. `express`, `fastify`, `nestjs`). */
+    framework?: string;
+    /** Runtime hint included in telemetry. Default `node`. */
+    runtime?: string;
+    /** Discovery flush interval in ms. Min 5_000, default 60_000. */
+    discoveryFlushIntervalMs?: number;
+    /**
+     * Pinned Ed25519 public key (PEM, SPKI) used to verify signed policies
+     * distributed by the control plane. This is the trust anchor (Addendum
+     * E.4.1). In production it is embedded in the package by default and may be
+     * overridden here for sovereign/on-prem deployments. When absent, the agent
+     * cannot apply any policy and stays on its boot configuration (fail-safe).
+     */
+    policyPublicKey?: string;
+    /** Per-request HMAC secret used to sign telemetry batches (Addendum E.5). */
+    hmacSecret?: string;
+    /**
+     * Instrument common database drivers (pg, mysql2, mongoose, sequelize, knex)
+     * to enable BOLA-via-DB correlation (Addendum A.4). Off by default; enabling
+     * monkey-patches driver query methods at agent start.
+     */
+    instrumentDb?: boolean;
+    /**
+     * Enable runtime self-protection (Addendum E.7): periodic DB-hook integrity
+     * checks and basic anti-debug detection. Secrets are always held encrypted in
+     * memory regardless of this flag. Defaults to `false`.
+     */
+    selfProtect?: boolean;
+    /**
+     * TLS options for certificate pinning + mutual TLS to the collector
+     * (Addendum E.4.2). When set, the agent uses a pinned HTTPS transport.
+     */
+    tls?: {
+        caCert?: string;
+        clientCert?: string;
+        clientKey?: string;
+        collectorFingerprints?: string[];
+        rejectUnauthorized?: boolean;
+    };
+}
+/**
+ * Framework-agnostic view of an incoming HTTP request.
+ *
+ * Integrations are responsible for mapping their native request object to this
+ * shape before calling {@link RaspAgent.inspect}.
+ */
+export interface NormalizedRequest {
+    /** HTTP verb (e.g. `GET`, `POST`). */
+    method: string;
+    /** Request path without the query string. */
+    path: string;
+    /** Parsed query parameters. */
+    query: Record<string, unknown>;
+    /** Raw HTTP headers as provided by the framework. */
+    headers: Record<string, string | string[] | undefined>;
+    /** Parsed request body, if available. May be undefined for streaming bodies. */
+    body: unknown;
+    /** Best-effort source IP, typically resolved from `X-Forwarded-For` or the socket. */
+    sourceIp?: string;
+}
+/**
+ * The outcome of a single detector run.
+ *
+ * Returned by {@link Detector.detect} when something suspicious is found, and
+ * fed into {@link RaspAgent.inspect}'s event-building pipeline.
+ */
+export interface DetectionResult {
+    /** Identifier of the detector that produced this result (e.g. `sql-injection`). */
+    detectorName: string;
+    /** Stable machine-readable event type used by the collector (e.g. `sql_injection`). */
+    eventType: string;
+    /** Severity assigned by the detector. */
+    severity: Severity;
+    /** Human-readable description of what was detected. */
+    description: string;
+    /**
+     * The matched value or pattern. This may contain sensitive substrings - the
+     * redaction engine MUST be run before the event leaves the process.
+     */
+    matchedValue?: string;
+    /** Which field or location triggered the detection (e.g. `query/body`, `header:host`). */
+    location?: string;
+}
+/**
+ * Payload sent to the collector's `POST /v1/events` endpoint.
+ *
+ * Always passes through the redaction engine before being enqueued.
+ */
+export interface EventPayload {
+    /** Project the event belongs to. */
+    projectId: string;
+    /** Stable identifier of the agent that produced the event. */
+    agentId?: string;
+    /** Version of the agent that produced the event. */
+    agentVersion?: string;
+    /** Runtime hint (e.g. `node`). */
+    runtime?: string;
+    /** Framework hint (e.g. `express`). */
+    framework?: string;
+    /** Stable machine-readable event type (see {@link DetectionResult.eventType}). */
+    eventType: string;
+    /** Severity of the detection. */
+    severity: Severity;
+    /** Mode in effect when the detection happened (`monitor` or `block`). */
+    action: AgentMode;
+    /** HTTP method of the originating request. */
+    method?: string;
+    /** Request path. */
+    path?: string;
+    /** Best-effort source IP. */
+    sourceIp?: string;
+    /** ISO-8601 timestamp set by the agent. */
+    timestamp?: string;
+    /**
+     * Detection metadata.
+     *
+     * `redacted: true` is always present and signals that the redaction engine
+     * has processed this payload. `auditLoggedLocally` indicates whether at
+     * least one field was redacted (and therefore an audit log line was
+     * written). Extra keys are detector-specific.
+     */
+    metadata: {
+        redacted: true;
+        matchedRule?: string;
+        auditLoggedLocally?: boolean;
+        [key: string]: unknown;
+    };
+}
+/**
+ * Payload sent to the collector's `POST /v1/heartbeat` endpoint.
+ *
+ * The heartbeat is the agent's liveness signal and the channel through which
+ * the backend delivers the kill switch and policy version.
+ */
+export interface HeartbeatPayload {
+    projectId: string;
+    agentId: string;
+    agentVersion?: string;
+    runtime?: string;
+    framework?: string;
+    /** Self-reported health. */
+    status: AgentStatus;
+    /** Mode currently enforced by the agent. */
+    mode: AgentMode;
+    /** ISO-8601 timestamp set by the agent. */
+    timestamp?: string;
+}
+/**
+ * Response returned by the collector for `POST /v1/heartbeat`.
+ *
+ * The agent reacts to three fields:
+ *  - `killSwitch: true` → the agent stops inspecting and shuts down its buffer.
+ *  - `policyVersion` change → triggers `onPolicyChange` (reserved for future rule refresh).
+ *  - `mode` → the enforcement mode stored on the server; the agent applies it immediately.
+ */
+export interface HeartbeatResponse {
+    ok: boolean;
+    killSwitch: boolean;
+    policyVersion: string;
+    mode?: AgentMode;
+    /** Version this agent should be running (canary cohort / pin). */
+    targetVersion?: string | null;
+    /** True when `targetVersion` differs from the running version. */
+    upgradeAvailable?: boolean;
+    /** Changelog for the target version (shown in logs). */
+    changelog?: string | null;
+    /** Expected impact/risk notes for the target version. */
+    impact?: string | null;
+}
+/**
+ * Auth status heuristic inferred from the presence/absence of an
+ * `Authorization` header on the observed request.
+ */
+export type AuthStatus = "authenticated" | "unauthenticated" | "unknown";
+/**
+ * A single discovered endpoint entry, aggregated by {@link EndpointObserver}
+ * and flushed by {@link DiscoveryBuffer}.
+ */
+export interface DiscoveryEntry {
+    /** HTTP verb (upper-cased). */
+    method: string;
+    /** Normalised path pattern (e.g. `/api/users/:id`). */
+    pathPattern: string;
+    /** Auth heuristic for this endpoint. */
+    authStatus: AuthStatus;
+    /** True when request body/query keys matched sensitive-data patterns. */
+    hasSensitiveData: boolean;
+    /** Number of observations since the last flush. */
+    observationCount: number;
+    /**
+     * Whether an auth middleware was observed populating the request
+     * (e.g. `req.user`/`req.auth`). More reliable than the header heuristic.
+     */
+    authObserved?: boolean;
+    /** Count of responses with status >= 400 since the last flush. */
+    errorCount?: number;
+    /** Sum of observed response durations (ms); used to derive an average. */
+    sumDurationMs?: number;
+    /** Number of responses timed (denominator for the average). */
+    timedCount?: number;
+    /** Inferred parameter schema: field name -> JSON type. */
+    schemaFields?: Record<string, string>;
+}
+/**
+ * Response-phase outcome fed back to the {@link EndpointObserver} so it can
+ * build a traffic profile (error rate, latency) and confirm auth middleware
+ * execution.
+ */
+export interface RequestOutcome {
+    statusCode?: number;
+    durationMs?: number;
+    /** True if an auth middleware populated the request (req.user / req.auth). */
+    authenticated?: boolean;
+}
+/**
+ * Payload sent to the collector's `POST /v1/discovery` endpoint.
+ */
+export interface DiscoveryPayload {
+    projectId: string;
+    agentId: string;
+    /** ISO-8601 timestamp set by the agent at flush time. */
+    timestamp?: string;
+    /** Up to 500 entries per batch. */
+    endpoints: DiscoveryEntry[];
+}
+/**
+ * A single line written to the local redaction audit log.
+ *
+ * Serialised as one JSON object per line (JSONL). Contains only metadata -
+ * never the raw redacted values.
+ */
+export interface RedactionAuditEntry {
+    /** ISO-8601 timestamp. */
+    ts: string;
+    agentId: string;
+    projectId: string;
+    /** Event type that triggered the detection. */
+    eventType: string;
+    /** Severity of the detection. */
+    severity?: string;
+    /** Name of the detector that fired. */
+    detectorName?: string;
+    /** Dotted field paths that were replaced by `[REDACTED]`. */
+    redactedFields: string[];
+    /** True when the event was dropped (e.g. because redaction failed). */
+    dropped: boolean;
+    /** Free-form reason set when `dropped` is true. */
+    dropReason?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,8DAA8D;AAC9D,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,CAAC;AAE3D;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,0FAA0F;IAC1F,MAAM,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,uEAAuE;IACvE,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;IACtC,2DAA2D;IAC3D,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,8EAA8E;IAC9E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,uEAAuE;IACvE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6EAA6E;IAC7E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;;OAIG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE;QACJ,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;QACjC,kBAAkB,CAAC,EAAE,OAAO,CAAC;KAC9B,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,qDAAqD;IACrD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,gFAAgF;IAChF,IAAI,EAAE,OAAO,CAAC;IACd,sFAAsF;IACtF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,mFAAmF;IACnF,YAAY,EAAE,MAAM,CAAC;IACrB,uFAAuF;IACvF,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,QAAQ,EAAE,QAAQ,CAAC;IACnB,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,yEAAyE;IACzE,MAAM,EAAE,SAAS,CAAC;IAClB,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;;;OAOG;IACH,QAAQ,EAAE;QACR,QAAQ,EAAE,IAAI,CAAC;QACf,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,MAAM,EAAE,WAAW,CAAC;IACpB,4CAA4C;IAC5C,IAAI,EAAE,SAAS,CAAC;IAChB,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,kEAAkE;IAClE,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,wDAAwD;IACxD,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG,eAAe,GAAG,iBAAiB,GAAG,SAAS,CAAC;AAEzE;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,UAAU,EAAE,UAAU,CAAC;IACvB,yEAAyE;IACzE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mDAAmD;IACnD,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,+DAA+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8EAA8E;IAC9E,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,uEAAuE;IACvE,OAAO,EAAE,OAAO,CAAC;IACjB,mDAAmD;IACnD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/dist/types.js

@@ -0,0 +1,12 @@
+/**
+ * Public type definitions for `@queno/agent-node`.
+ *
+ * These types form the contract between:
+ *  - the customer application (RaspConfig, NormalizedRequest),
+ *  - the framework integrations (Express/Fastify/NestJS adapters),
+ *  - the bundled detectors (DetectionResult),
+ *  - the collector backend (EventPayload, HeartbeatPayload, HeartbeatResponse),
+ *  - the local redaction audit log (RedactionAuditEntry).
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@queno/agent-node",
+  "version": "0.1.2",
+  "description": "RASP agent for Node.js - Express, Fastify, NestJS",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc --project tsconfig.build.json",
+    "dev": "tsx watch src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "zod": "^4.4.3"
+  },
+  "peerDependencies": {
+    "@nestjs/common": ">=10",
+    "express": ">=4",
+    "fastify": ">=4"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    },
+    "fastify": {
+      "optional": true
+    },
+    "@nestjs/common": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@nestjs/common": "^11.1.24",
+    "@nestjs/core": "^11.1.24",
+    "@types/express": "^5.0.2",
+    "@types/node": "^20",
+    "fastify": "^5.8.5",
+    "reflect-metadata": "^0.2.2",
+    "tsx": "^4.22.3",
+    "typescript": "^5",
+    "vitest": "^4.1.7"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}