@queno/agent-node 0.1.2

package/dist/api-discovery/discovery-buffer.js

@@ -0,0 +1,50 @@
+const MAX_BATCH_SIZE = 500;
+export class DiscoveryBuffer {
+    client;
+    observer;
+    projectId;
+    agentId;
+    timer = null;
+    constructor(client, observer, opts) {
+        this.client = client;
+        this.observer = observer;
+        this.projectId = opts.projectId;
+        this.agentId = opts.agentId;
+        this.timer = setInterval(() => {
+            this.flush().catch(() => { });
+        }, opts.flushIntervalMs);
+        // Allow Node.js to exit even if the timer is still running
+        if (this.timer.unref)
+            this.timer.unref();
+    }
+    /** Stop the flush timer and send a final batch. */
+    async stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        await this.flush();
+    }
+    async flush() {
+        const entries = this.observer.drain();
+        if (entries.length === 0)
+            return;
+        const timestamp = new Date().toISOString();
+        // Split into chunks of MAX_BATCH_SIZE
+        for (let i = 0; i < entries.length; i += MAX_BATCH_SIZE) {
+            const chunk = entries.slice(i, i + MAX_BATCH_SIZE);
+            try {
+                await this.client.sendDiscovery({
+                    projectId: this.projectId,
+                    agentId: this.agentId,
+                    timestamp,
+                    endpoints: chunk,
+                });
+            }
+            catch {
+                // Fail open
+            }
+        }
+    }
+}
+//# sourceMappingURL=discovery-buffer.js.map

package/dist/api-discovery/discovery-buffer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery-buffer.js","sourceRoot":"","sources":["../../src/api-discovery/discovery-buffer.ts"],"names":[],"mappings":"AAiBA,MAAM,cAAc,GAAG,GAAG,CAAC;AAE3B,MAAM,OAAO,eAAe;IACT,MAAM,CAAkB;IACxB,QAAQ,CAAmB;IAC3B,SAAS,CAAS;IAClB,OAAO,CAAS;IACzB,KAAK,GAA0C,IAAI,CAAC;IAE5D,YACE,MAAuB,EACvB,QAA0B,EAC1B,IAA4B;QAE5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE5B,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC/B,CAAC,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QAEzB,2DAA2D;QAC3D,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK;YAAE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IAC3C,CAAC;IAED,mDAAmD;IACnD,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,KAAK;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEjC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3C,sCAAsC;QACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,cAAc,EAAE,CAAC;YACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,CAAC;YACnD,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;oBAC9B,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,SAAS;oBACT,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/api-discovery/endpoint-observer.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Observes HTTP requests passively and aggregates per-endpoint statistics for
+ * runtime API discovery (Addendum A.2): endpoint inventory, auth state, data
+ * sensitivity, schema inference and traffic profile (volume, error rate,
+ * latency).
+ *
+ * All operations are synchronous and in-memory - no I/O, no throws. Designed to
+ * be called from {@link RaspAgent.inspect} (request phase) and from the
+ * integration's response hook via {@link EndpointObserver.observeOutcome}.
+ */
+import type { NormalizedRequest, DiscoveryEntry, RequestOutcome } from "../types.js";
+export declare class EndpointObserver {
+    private readonly stats;
+    /** Record one request observation. Synchronous, never throws. */
+    observe(req: NormalizedRequest): void;
+    /**
+     * Record the response-phase outcome for a request. Updates the traffic
+     * profile (error rate, latency) and confirms auth middleware execution.
+     */
+    observeOutcome(req: NormalizedRequest, outcome: RequestOutcome): void;
+    /** Drain accumulated stats and reset. */
+    drain(): DiscoveryEntry[];
+    get size(): number;
+}
+//# sourceMappingURL=endpoint-observer.d.ts.map

package/dist/api-discovery/endpoint-observer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"endpoint-observer.d.ts","sourceRoot":"","sources":["../../src/api-discovery/endpoint-observer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,iBAAiB,EAAc,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAwDjG,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoC;IAE1D,iEAAiE;IACjE,OAAO,CAAC,GAAG,EAAE,iBAAiB,GAAG,IAAI;IAgCrC;;;OAGG;IACH,cAAc,CAAC,GAAG,EAAE,iBAAiB,EAAE,OAAO,EAAE,cAAc,GAAG,IAAI;IAqBrE,yCAAyC;IACzC,KAAK,IAAI,cAAc,EAAE;IAqBzB,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/api-discovery/endpoint-observer.js

@@ -0,0 +1,127 @@
+import { normalizePath } from "./route-normalizer.js";
+import { DEFAULT_REDACTION_PATTERNS } from "../redaction/patterns.js";
+function hasSensitiveKeys(obj) {
+    if (!obj || typeof obj !== "object")
+        return false;
+    return Object.keys(obj).some((key) => DEFAULT_REDACTION_PATTERNS.some((p) => p.matchKey.test(key)));
+}
+function inferAuthStatus(req) {
+    const auth = req.headers["authorization"];
+    if (auth && typeof auth === "string" && auth.length > 0) {
+        return "authenticated";
+    }
+    return "unauthenticated";
+}
+function inferHasSensitiveData(req) {
+    return hasSensitiveKeys(req.body) || hasSensitiveKeys(req.query);
+}
+function jsonType(v) {
+    if (v === null)
+        return "null";
+    if (Array.isArray(v))
+        return "array";
+    return typeof v;
+}
+/** Merge the top-level keys of query + body into a field -> type map. */
+function inferSchema(req, into) {
+    const sources = [req.query, req.body];
+    for (const src of sources) {
+        if (src && typeof src === "object" && !Array.isArray(src)) {
+            for (const [k, v] of Object.entries(src)) {
+                if (!(k in into))
+                    into[k] = jsonType(v);
+            }
+        }
+    }
+}
+function keyFor(req) {
+    return `${req.method.toUpperCase()}:${normalizePath(req.path)}`;
+}
+export class EndpointObserver {
+    stats = new Map();
+    /** Record one request observation. Synchronous, never throws. */
+    observe(req) {
+        try {
+            const key = keyFor(req);
+            const existing = this.stats.get(key);
+            if (existing) {
+                existing.count++;
+                if (existing.authStatus !== "authenticated") {
+                    existing.authStatus = inferAuthStatus(req);
+                }
+                if (!existing.hasSensitiveData) {
+                    existing.hasSensitiveData = inferHasSensitiveData(req);
+                }
+                inferSchema(req, existing.schemaFields);
+            }
+            else {
+                const schemaFields = {};
+                inferSchema(req, schemaFields);
+                this.stats.set(key, {
+                    authStatus: inferAuthStatus(req),
+                    hasSensitiveData: inferHasSensitiveData(req),
+                    count: 1,
+                    authObserved: false,
+                    errorCount: 0,
+                    sumDurationMs: 0,
+                    timedCount: 0,
+                    schemaFields,
+                });
+            }
+        }
+        catch {
+            // Fail open - never propagate to host application.
+        }
+    }
+    /**
+     * Record the response-phase outcome for a request. Updates the traffic
+     * profile (error rate, latency) and confirms auth middleware execution.
+     */
+    observeOutcome(req, outcome) {
+        try {
+            const key = keyFor(req);
+            const s = this.stats.get(key);
+            if (!s)
+                return;
+            if (typeof outcome.statusCode === "number" && outcome.statusCode >= 400) {
+                s.errorCount++;
+            }
+            if (typeof outcome.durationMs === "number" && outcome.durationMs >= 0) {
+                s.sumDurationMs += outcome.durationMs;
+                s.timedCount++;
+            }
+            if (outcome.authenticated) {
+                s.authObserved = true;
+                s.authStatus = "authenticated";
+            }
+        }
+        catch {
+            // Fail open.
+        }
+    }
+    /** Drain accumulated stats and reset. */
+    drain() {
+        const entries = [];
+        for (const [key, s] of this.stats) {
+            const colonIdx = key.indexOf(":");
+            entries.push({
+                method: key.slice(0, colonIdx),
+                pathPattern: key.slice(colonIdx + 1),
+                authStatus: s.authStatus,
+                hasSensitiveData: s.hasSensitiveData,
+                observationCount: s.count,
+                authObserved: s.authObserved,
+                errorCount: s.errorCount,
+                sumDurationMs: s.sumDurationMs,
+                timedCount: s.timedCount,
+                schemaFields: s.schemaFields,
+            });
+        }
+        this.stats.clear();
+        return entries;
+    }
+    get size() {
+        return this.stats.size;
+    }
+}
+//# sourceMappingURL=endpoint-observer.js.map

package/dist/api-discovery/endpoint-observer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"endpoint-observer.js","sourceRoot":"","sources":["../../src/api-discovery/endpoint-observer.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAatE,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAC9D,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAC7D,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,GAAsB;IAC7C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,eAAe,CAAC;IACzB,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAsB;IACnD,OAAO,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,OAAO,CAAC;IACrC,OAAO,OAAO,CAAC,CAAC;AAClB,CAAC;AAED,yEAAyE;AACzE,SAAS,WAAW,CAAC,GAAsB,EAAE,IAA4B;IACvE,MAAM,OAAO,GAAc,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IACjD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;gBACpE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;oBAAE,IAAI,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,GAAsB;IACpC,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,MAAM,OAAO,gBAAgB;IACV,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE1D,iEAAiE;IACjE,OAAO,CAAC,GAAsB;QAC5B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,KAAK,EAAE,CAAC;gBACjB,IAAI,QAAQ,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;oBAC5C,QAAQ,CAAC,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;gBAC7C,CAAC;gBACD,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;oBAC/B,QAAQ,CAAC,gBAAgB,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;gBACzD,CAAC;gBACD,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,MAAM,YAAY,GAA2B,EAAE,CAAC;gBAChD,WAAW,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;gBAC/B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;oBAClB,UAAU,EAAE,eAAe,CAAC,GAAG,CAAC;oBAChC,gBAAgB,EAAE,qBAAqB,CAAC,GAAG,CAAC;oBAC5C,KAAK,EAAE,CAAC;oBACR,YAAY,EAAE,KAAK;oBACnB,UAAU,EAAE,CAAC;oBACb,aAAa,EAAE,CAAC;oBAChB,UAAU,EAAE,CAAC;oBACb,YAAY;iBACb,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,GAAsB,EAAE,OAAuB;QAC5D,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,CAAC,CAAC;gBAAE,OAAO;YACf,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;gBACxE,CAAC,CAAC,UAAU,EAAE,CAAC;YACjB,CAAC;YACD,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC;gBACtE,CAAC,CAAC,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;gBACtC,CAAC,CAAC,UAAU,EAAE,CAAC;YACjB,CAAC;YACD,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;gBAC1B,CAAC,CAAC,YAAY,GAAG,IAAI,CAAC;gBACtB,CAAC,CAAC,UAAU,GAAG,eAAe,CAAC;YACjC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,KAAK;QACH,MAAM,OAAO,GAAqB,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC;gBAC9B,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACpC,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;gBACpC,gBAAgB,EAAE,CAAC,CAAC,KAAK;gBACzB,YAAY,EAAE,CAAC,CAAC,YAAY;gBAC5B,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,aAAa,EAAE,CAAC,CAAC,aAAa;gBAC9B,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,YAAY,EAAE,CAAC,CAAC,YAAY;aAC7B,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;CACF"}

package/dist/api-discovery/route-normalizer.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Normalises raw request paths into stable route patterns.
+ *
+ * Examples:
+ *   /api/users/42          → /api/users/:id
+ *   /api/users/abc-123-def → /api/users/:id   (UUID-like)
+ *   /api/users/me          → /api/users/me    (unchanged - not ID-like)
+ */
+/**
+ * Replace ID-like path segments with `:id`.
+ *
+ * Only the path (no query string) should be passed in.
+ */
+export declare function normalizePath(path: string): string;
+//# sourceMappingURL=route-normalizer.d.ts.map

package/dist/api-discovery/route-normalizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-normalizer.d.ts","sourceRoot":"","sources":["../../src/api-discovery/route-normalizer.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAmBH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQlD"}

package/dist/api-discovery/route-normalizer.js

@@ -0,0 +1,34 @@
+/**
+ * Normalises raw request paths into stable route patterns.
+ *
+ * Examples:
+ *   /api/users/42          → /api/users/:id
+ *   /api/users/abc-123-def → /api/users/:id   (UUID-like)
+ *   /api/users/me          → /api/users/me    (unchanged - not ID-like)
+ */
+/** Matches plain numeric IDs up to 12 digits (e.g. 42, 100000000000). */
+const NUMERIC_ID_RE = /^\d{1,12}$/;
+/**
+ * Matches UUID v4 variants (with or without hyphens, case-insensitive).
+ * Also catches CUID-style strings (cjld2cy...) and NanoID-like 20–26 char IDs.
+ */
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/** Matches CUID / NanoID style: starts with a letter, 20–32 alphanum chars. */
+const CUID_RE = /^[a-z][a-z0-9]{19,31}$/i;
+function isIdSegment(segment) {
+    return NUMERIC_ID_RE.test(segment) || UUID_RE.test(segment) || CUID_RE.test(segment);
+}
+/**
+ * Replace ID-like path segments with `:id`.
+ *
+ * Only the path (no query string) should be passed in.
+ */
+export function normalizePath(path) {
+    // Strip query string if accidentally included
+    const bare = path.split("?")[0] ?? path;
+    return bare
+        .split("/")
+        .map((segment) => (isIdSegment(segment) ? ":id" : segment))
+        .join("/");
+}
+//# sourceMappingURL=route-normalizer.js.map

package/dist/api-discovery/route-normalizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-normalizer.js","sourceRoot":"","sources":["../../src/api-discovery/route-normalizer.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,yEAAyE;AACzE,MAAM,aAAa,GAAG,YAAY,CAAC;AAEnC;;;GAGG;AACH,MAAM,OAAO,GACX,iEAAiE,CAAC;AAEpE,+EAA+E;AAC/E,MAAM,OAAO,GAAG,yBAAyB,CAAC;AAE1C,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,8CAA8C;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAExC,OAAO,IAAI;SACR,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC1D,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,100 @@
+/**
+ * Runtime configuration validation for the RASP agent.
+ *
+ * Wraps user-supplied {@link RaspConfig} in a Zod schema that:
+ *  - enforces required fields (`apiKey`, `projectId`, `agentId`),
+ *  - applies safe defaults for everything else,
+ *  - rejects degenerate values (e.g. 0 ms intervals).
+ *
+ * {@link validateConfig} is the only sanctioned way to produce a
+ * {@link ValidatedRaspConfig} - every other module relies on the post-parse
+ * defaults being present.
+ */
+import { z } from "zod";
+import type { RaspConfig } from "./types.js";
+/**
+ * Collector base URL.
+ *
+ * Per `AGENTS.md` "Security Rules", the agent must not perform arbitrary
+ * outbound network calls - only this endpoint is allowed.
+ *
+ * `RASP_COLLECTOR_URL` is intentionally only read here so that example apps
+ * and local test environments can point the agent at a local collector without
+ * modifying source code. In production the env var is not set and the
+ * hard-coded default is used.
+ */
+export declare const COLLECTOR_URL: string;
+/**
+ * Default pinned policy-signing public key (the trust anchor for signed policy
+ * distribution - Addendum E.4.1).
+ *
+ * This is the DEVELOPMENT key shipped so the signed-policy flow works
+ * end-to-end out of the box. The matching private key is documented in the
+ * README ("Policy signing bootstrap") for local use ONLY.
+ *
+ * In production this constant is replaced at release time with the real public
+ * key, and/or overridden per-deployment via `RaspConfig.policyPublicKey` or the
+ * `RASP_POLICY_PUBLIC_KEY` env var. The private key never ships.
+ */
+export declare const DEFAULT_POLICY_PUBLIC_KEY: string;
+/**
+ * Zod schema mirroring {@link RaspConfig}.
+ *
+ * Each default here matches the documented behaviour in `types.ts` and the
+ * lower bounds protect against pathological values (e.g. a 100 ms heartbeat
+ * that would DOS the collector).
+ */
+declare const RaspConfigSchema: z.ZodObject<{
+    apiKey: z.ZodString;
+    projectId: z.ZodString;
+    agentId: z.ZodString;
+    agentVersion: z.ZodOptional<z.ZodString>;
+    mode: z.ZodDefault<z.ZodEnum<{
+        monitor: "monitor";
+        block: "block";
+    }>>;
+    channel: z.ZodDefault<z.ZodEnum<{
+        stable: "stable";
+        early: "early";
+        edge: "edge";
+    }>>;
+    heartbeatIntervalMs: z.ZodDefault<z.ZodNumber>;
+    flushIntervalMs: z.ZodDefault<z.ZodNumber>;
+    bufferMaxSize: z.ZodDefault<z.ZodNumber>;
+    transportTimeoutMs: z.ZodDefault<z.ZodNumber>;
+    auditLog: z.ZodDefault<z.ZodBoolean>;
+    auditLogPath: z.ZodDefault<z.ZodString>;
+    auditLogMaxBytes: z.ZodDefault<z.ZodNumber>;
+    framework: z.ZodOptional<z.ZodString>;
+    runtime: z.ZodDefault<z.ZodString>;
+    discoveryFlushIntervalMs: z.ZodDefault<z.ZodNumber>;
+    policyPublicKey: z.ZodDefault<z.ZodString>;
+    hmacSecret: z.ZodOptional<z.ZodString>;
+    instrumentDb: z.ZodDefault<z.ZodBoolean>;
+    selfProtect: z.ZodDefault<z.ZodBoolean>;
+    tls: z.ZodOptional<z.ZodObject<{
+        caCert: z.ZodOptional<z.ZodString>;
+        clientCert: z.ZodOptional<z.ZodString>;
+        clientKey: z.ZodOptional<z.ZodString>;
+        collectorFingerprints: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        rejectUnauthorized: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * Fully resolved configuration with all defaults applied.
+ *
+ * Internal modules (`agent.ts`, `transport/*`, `redaction/*`) accept this
+ * stricter type rather than the user-facing optional-heavy {@link RaspConfig}.
+ */
+export type ValidatedRaspConfig = z.infer<typeof RaspConfigSchema>;
+/**
+ * Validate a raw user config and return a fully resolved one.
+ *
+ * @param raw - The configuration object passed to `new RaspAgent(...)`.
+ * @returns The same configuration with all defaults applied.
+ * @throws {Error} If validation fails. The error message has the form
+ *   `[rasp-agent] Invalid configuration - field1: msg1; field2: msg2`.
+ */
+export declare function validateConfig(raw: RaspConfig): ValidatedRaspConfig;
+export {};
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;;;;;;;;;GAUG;AACH,eAAO,MAAM,aAAa,QACsC,CAAC;AAEjE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,QAMxB,CAAC;AAEf;;;;;;GAMG;AACH,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA8BpB,CAAC;AAEH;;;;;GAKG;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEnE;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,mBAAmB,CAUnE"}

package/dist/config.js

@@ -0,0 +1,101 @@
+/**
+ * Runtime configuration validation for the RASP agent.
+ *
+ * Wraps user-supplied {@link RaspConfig} in a Zod schema that:
+ *  - enforces required fields (`apiKey`, `projectId`, `agentId`),
+ *  - applies safe defaults for everything else,
+ *  - rejects degenerate values (e.g. 0 ms intervals).
+ *
+ * {@link validateConfig} is the only sanctioned way to produce a
+ * {@link ValidatedRaspConfig} - every other module relies on the post-parse
+ * defaults being present.
+ */
+import { z } from "zod";
+/**
+ * Collector base URL.
+ *
+ * Per `AGENTS.md` "Security Rules", the agent must not perform arbitrary
+ * outbound network calls - only this endpoint is allowed.
+ *
+ * `RASP_COLLECTOR_URL` is intentionally only read here so that example apps
+ * and local test environments can point the agent at a local collector without
+ * modifying source code. In production the env var is not set and the
+ * hard-coded default is used.
+ */
+export const COLLECTOR_URL = process.env.RASP_COLLECTOR_URL ?? "https://collector.rasp.dev";
+/**
+ * Default pinned policy-signing public key (the trust anchor for signed policy
+ * distribution - Addendum E.4.1).
+ *
+ * This is the DEVELOPMENT key shipped so the signed-policy flow works
+ * end-to-end out of the box. The matching private key is documented in the
+ * README ("Policy signing bootstrap") for local use ONLY.
+ *
+ * In production this constant is replaced at release time with the real public
+ * key, and/or overridden per-deployment via `RaspConfig.policyPublicKey` or the
+ * `RASP_POLICY_PUBLIC_KEY` env var. The private key never ships.
+ */
+export const DEFAULT_POLICY_PUBLIC_KEY = process.env.RASP_POLICY_PUBLIC_KEY ??
+    [
+        "-----BEGIN PUBLIC KEY-----",
+        "MCowBQYDK2VwAyEAI/7DX+UlM7pdHvIPZXGBtr7WvYKi3ZnRY7QtOhiFufM=",
+        "-----END PUBLIC KEY-----",
+    ].join("\n");
+/**
+ * Zod schema mirroring {@link RaspConfig}.
+ *
+ * Each default here matches the documented behaviour in `types.ts` and the
+ * lower bounds protect against pathological values (e.g. a 100 ms heartbeat
+ * that would DOS the collector).
+ */
+const RaspConfigSchema = z.object({
+    apiKey: z.string().min(1, "apiKey is required"),
+    projectId: z.string().min(1, "projectId is required"),
+    agentId: z.string().min(1, "agentId is required"),
+    agentVersion: z.string().optional(),
+    mode: z.enum(["monitor", "block"]).default("monitor"),
+    channel: z.enum(["stable", "early", "edge"]).default("stable"),
+    heartbeatIntervalMs: z.number().int().min(5_000).default(30_000),
+    flushIntervalMs: z.number().int().min(1_000).default(5_000),
+    bufferMaxSize: z.number().int().min(1).default(50),
+    transportTimeoutMs: z.number().int().min(500).default(5_000),
+    auditLog: z.boolean().default(true),
+    auditLogPath: z.string().default("./rasp-audit.log"),
+    auditLogMaxBytes: z.number().int().min(1).default(10 * 1024 * 1024),
+    framework: z.string().optional(),
+    runtime: z.string().default("node"),
+    discoveryFlushIntervalMs: z.number().int().min(5_000).default(60_000),
+    policyPublicKey: z.string().default(DEFAULT_POLICY_PUBLIC_KEY),
+    hmacSecret: z.string().optional(),
+    instrumentDb: z.boolean().default(false),
+    selfProtect: z.boolean().default(false),
+    tls: z
+        .object({
+        caCert: z.string().optional(),
+        clientCert: z.string().optional(),
+        clientKey: z.string().optional(),
+        collectorFingerprints: z.array(z.string()).optional(),
+        rejectUnauthorized: z.boolean().optional(),
+    })
+        .optional(),
+});
+/**
+ * Validate a raw user config and return a fully resolved one.
+ *
+ * @param raw - The configuration object passed to `new RaspAgent(...)`.
+ * @returns The same configuration with all defaults applied.
+ * @throws {Error} If validation fails. The error message has the form
+ *   `[rasp-agent] Invalid configuration - field1: msg1; field2: msg2`.
+ */
+export function validateConfig(raw) {
+    const result = RaspConfigSchema.safeParse(raw);
+    if (!result.success) {
+        const fields = result.error.flatten().fieldErrors;
+        const msg = Object.entries(fields)
+            .map(([k, v]) => `${k}: ${v?.join(", ")}`)
+            .join("; ");
+        throw new Error(`[rasp-agent] Invalid configuration - ${msg}`);
+    }
+    return result.data;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,aAAa,GACxB,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;AAEjE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,yBAAyB,GACpC,OAAO,CAAC,GAAG,CAAC,sBAAsB;IAClC;QACE,4BAA4B;QAC5B,8DAA8D;QAC9D,0BAA0B;KAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEf;;;;;;GAMG;AACH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,oBAAoB,CAAC;IAC/C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,uBAAuB,CAAC;IACrD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,qBAAqB,CAAC;IACjD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACrD,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC9D,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAChE,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC3D,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAClD,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC5D,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACnC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC;IACpD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IACnE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IACnC,wBAAwB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACrE,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,yBAAyB,CAAC;IAC9D,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACxC,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,qBAAqB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACrD,kBAAkB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC3C,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAUH;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,GAAe;IAC5C,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;aAC/B,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aACzC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC"}

package/dist/db-hooks/correlate.d.ts

@@ -0,0 +1,19 @@
+/**
+ * BOLA-via-DB correlation (Addendum A.4 / OWASP API #1).
+ *
+ * Runs at response time. Correlates the request (authenticated user, resource
+ * id in the URL) with the DB queries that actually executed while handling it.
+ *
+ * Heuristics (each is monitor-grade - flagged, not blocked):
+ *  1. **Cross-object access**: an authenticated request whose DB queries
+ *     reference id literals that match neither the URL resource id nor the
+ *     user id, on an endpoint that did NOT have authorization enforced. This is
+ *     the classic IDOR shape: the handler fetched an object the request was not
+ *     scoped to and no authz gate ran.
+ *  2. **Fan-out enumeration**: a single request issuing queries that touch an
+ *     unusually large number of distinct object ids (possible mass-extraction).
+ */
+import type { DetectionResult } from "../types.js";
+import type { RequestContext } from "../runtime-context.js";
+export declare function correlateBola(ctx: RequestContext): DetectionResult | null;
+//# sourceMappingURL=correlate.d.ts.map

package/dist/db-hooks/correlate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlate.d.ts","sourceRoot":"","sources":["../../src/db-hooks/correlate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAK5D,wBAAgB,aAAa,CAAC,GAAG,EAAE,cAAc,GAAG,eAAe,GAAG,IAAI,CA2CzE"}

package/dist/db-hooks/correlate.js

@@ -0,0 +1,45 @@
+/** Distinct DB object ids in one request above which we flag fan-out. */
+const FANOUT_ID_THRESHOLD = 25;
+export function correlateBola(ctx) {
+    if (ctx.dbQueries.length === 0)
+        return null;
+    const distinctIds = new Set();
+    for (const q of ctx.dbQueries) {
+        for (const id of q.ids)
+            distinctIds.add(id);
+    }
+    // Heuristic 2: fan-out enumeration in a single request.
+    if (distinctIds.size > FANOUT_ID_THRESHOLD) {
+        return {
+            detectorName: "bola-db",
+            eventType: "bola",
+            severity: "high",
+            description: `Single request touched ${distinctIds.size} distinct object ids in the database (possible mass extraction)`,
+            location: "db",
+        };
+    }
+    // Heuristic 1: cross-object access without authorization.
+    if (ctx.userId && !ctx.authEnforced) {
+        const allowed = new Set();
+        if (ctx.userId)
+            allowed.add(ctx.userId);
+        if (ctx.pathId)
+            allowed.add(ctx.pathId);
+        for (const q of ctx.dbQueries) {
+            for (const id of q.ids) {
+                if (!allowed.has(id)) {
+                    return {
+                        detectorName: "bola-db",
+                        eventType: "bola",
+                        severity: "medium",
+                        description: "Authenticated request accessed a database object id not scoped to the URL/user, with no authorization enforced",
+                        matchedValue: id,
+                        location: "db",
+                    };
+                }
+            }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=correlate.js.map

package/dist/db-hooks/correlate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlate.js","sourceRoot":"","sources":["../../src/db-hooks/correlate.ts"],"names":[],"mappings":"AAkBA,yEAAyE;AACzE,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,MAAM,UAAU,aAAa,CAAC,GAAmB;IAC/C,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAC9B,KAAK,MAAM,EAAE,IAAI,CAAC,CAAC,GAAG;YAAE,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,wDAAwD;IACxD,IAAI,WAAW,CAAC,IAAI,GAAG,mBAAmB,EAAE,CAAC;QAC3C,OAAO;YACL,YAAY,EAAE,SAAS;YACvB,SAAS,EAAE,MAAM;YACjB,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,0BAA0B,WAAW,CAAC,IAAI,iEAAiE;YACxH,QAAQ,EAAE,IAAI;SACf,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAClC,IAAI,GAAG,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,GAAG,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAExC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAC9B,KAAK,MAAM,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;gBACvB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;oBACrB,OAAO;wBACL,YAAY,EAAE,SAAS;wBACvB,SAAS,EAAE,MAAM;wBACjB,QAAQ,EAAE,QAAQ;wBAClB,WAAW,EACT,gHAAgH;wBAClH,YAAY,EAAE,EAAE;wBAChB,QAAQ,EAAE,IAAI;qBACf,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/db-hooks/instrument.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Verify every installed DB hook is still in place (same wrapper reference and
+ * carrying the PATCHED marker). Returns the list of tampered hooks; empty when
+ * integrity is intact.
+ */
+export declare function verifyHookIntegrity(): {
+    driver: string;
+    method: string;
+}[];
+/** Number of hooks currently registered (diagnostics / tests). */
+export declare function installedHookCount(): number;
+/**
+ * Instrument all detectable database drivers. Safe to call multiple times.
+ *
+ * @param requireFn - Optional resolver (used in tests). Defaults to the
+ *   ambient CommonJS `require` when available.
+ */
+export declare function instrumentDatabaseDrivers(requireFn?: (name: string) => unknown): void;
+/**
+ * Instrument a Prisma Client instance. Prisma cannot be patched at the module
+ * level, so the integrator passes the client (created with
+ * `new PrismaClient({ log: [{ emit: 'event', level: 'query' }] })`).
+ */
+export declare function instrumentPrismaClient(client: unknown): void;
+/** Reset the one-shot guard (tests only). */
+export declare function __resetInstrumentationForTests(): void;
+//# sourceMappingURL=instrument.d.ts.map

package/dist/db-hooks/instrument.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instrument.d.ts","sourceRoot":"","sources":["../../src/db-hooks/instrument.ts"],"names":[],"mappings":"AAgDA;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,CAS1E;AAED,kEAAkE;AAClE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAqDD;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,SAAS,GAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAoB,GAAG,IAAI,CAiEjG;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAS5D;AAED,6CAA6C;AAC7C,wBAAgB,8BAA8B,IAAI,IAAI,CAGrD"}