@queno/agent-node 0.1.2

package/dist/transport/buffer.js

@@ -0,0 +1,57 @@
+export class EventBuffer {
+    queue = [];
+    client;
+    maxSize;
+    timer = null;
+    constructor(client, cfg) {
+        this.client = client;
+        this.maxSize = cfg.maxSize;
+        this.timer = setInterval(() => {
+            this.flush().catch(() => {
+                // Fail-open - transport errors must not propagate.
+            });
+        }, cfg.flushIntervalMs);
+        if (this.timer.unref) {
+            this.timer.unref();
+        }
+    }
+    /**
+     * Append an event. Triggers an immediate flush once the queue reaches
+     * `maxSize`.
+     *
+     * The event is expected to have already passed through the redaction
+     * engine - the buffer does not sanitise.
+     */
+    enqueue(event) {
+        this.queue.push(event);
+        if (this.queue.length >= this.maxSize) {
+            this.flush().catch(() => { });
+        }
+    }
+    /**
+     * Atomically drain the queue and fire all sends in parallel.
+     *
+     * Uses `Promise.allSettled` so a single failed send cannot block the
+     * others. Per-event errors are caught and ignored (the event is lost).
+     */
+    async flush() {
+        if (this.queue.length === 0)
+            return;
+        const batch = this.queue.splice(0, this.queue.length);
+        await Promise.allSettled(batch.map((event) => this.client.sendEvent(event).catch(() => {
+            // Per-event failure - the event is dropped.
+        })));
+    }
+    /**
+     * Cancel the timer and perform a final drain. Awaited during agent
+     * shutdown.
+     */
+    async stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        await this.flush();
+    }
+}
+//# sourceMappingURL=buffer.js.map

package/dist/transport/buffer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer.js","sourceRoot":"","sources":["../../src/transport/buffer.ts"],"names":[],"mappings":"AA0BA,MAAM,OAAO,WAAW;IACL,KAAK,GAAmB,EAAE,CAAC;IAC3B,MAAM,CAAkB;IACxB,OAAO,CAAS;IACzB,KAAK,GAA0C,IAAI,CAAC;IAE5D,YAAY,MAAuB,EAAE,GAAiB;QACpD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;QAE3B,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;gBACtB,mDAAmD;YACrD,CAAC,CAAC,CAAC;QACL,CAAC,EAAE,GAAG,CAAC,eAAe,CAAC,CAAC;QAExB,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,OAAO,CAAC,KAAmB;QACzB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEvB,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEtD,MAAM,OAAO,CAAC,UAAU,CACtB,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAClB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,4CAA4C;QAC9C,CAAC,CAAC,CACH,CACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF"}

package/dist/transport/client.d.ts

@@ -0,0 +1,77 @@
+import type { EventPayload, HeartbeatPayload, HeartbeatResponse, DiscoveryPayload } from "../types.js";
+import type { DistributedPolicy } from "../policy/types.js";
+import { type TlsOptions } from "./secure-request.js";
+export interface TransportConfig {
+    /** Base URL of the collector (no trailing slash required). */
+    collectorUrl: string;
+    /** Bearer API key sent with every request. */
+    apiKey: string;
+    /** Per-request timeout in ms (also enforced via `AbortController`). */
+    timeoutMs: number;
+    /**
+     * Optional per-agent HMAC secret. When set, every request body is signed and
+     * the digest is sent as `X-RASP-Signature: sha256=<hex>` (Addendum E.5).
+     */
+    hmacSecret?: string;
+    /**
+     * Optional TLS options enabling certificate pinning + mutual TLS. When set,
+     * requests use a pinned HTTPS transport instead of `fetch` (Addendum E.4.2).
+     */
+    tls?: TlsOptions;
+}
+export declare class TransportClient {
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly tls?;
+    /**
+     * Secrets (API key, HMAC secret) are held encrypted in memory rather than as
+     * plaintext fields, so a heap dump or accidental log of the client does not
+     * leak them (Addendum E.7).
+     */
+    private readonly secrets;
+    private readonly hasHmac;
+    constructor(cfg: TransportConfig);
+    /** Build request headers, decrypting the API key on demand. */
+    private buildHeaders;
+    /** Compute the `X-RASP-Signature` value for a serialised body, if signing. */
+    private signBody;
+    /**
+     * POST a sanitised event to `/v1/events`.
+     *
+     * @throws On non-2xx responses or network errors. The buffer treats this
+     *   as a per-event failure and drops the event (fail-open).
+     */
+    sendEvent(payload: EventPayload): Promise<void>;
+    sendDiscovery(payload: DiscoveryPayload): Promise<void>;
+    /**
+     * Fetch the latest signed policy from `GET /v1/policy`.
+     *
+     * Returns the parsed {@link DistributedPolicy} or `null` on any failure
+     * (network, 404 when no policy is published, etc.). Errors are swallowed so a
+     * policy fetch can never crash the host application.
+     *
+     * @param agentId - Used by the collector to resolve the agent's channel.
+     * @param channel - Optional explicit channel override.
+     */
+    fetchPolicy(agentId: string, channel?: string): Promise<DistributedPolicy | null>;
+    /**
+     * POST a heartbeat to `/v1/heartbeat`.
+     *
+     * @returns The parsed {@link HeartbeatResponse}, or `null` if the request
+     *   failed for any reason. Errors are intentionally suppressed - the
+     *   heartbeat must never crash the host.
+     */
+    sendHeartbeat(payload: HeartbeatPayload): Promise<HeartbeatResponse | null>;
+    /**
+     * Shared POST helper.
+     *
+     * Sets up an `AbortController` that fires after `timeoutMs`, sends the
+     * JSON body and rejects on a non-2xx status.
+     */
+    private post;
+    /**
+     * Shared GET helper. Same timeout budget and non-2xx handling as POST.
+     */
+    private get;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/transport/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/transport/client.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACvG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGrE,MAAM,WAAW,eAAe;IAC9B,8DAA8D;IAC9D,YAAY,EAAE,MAAM,CAAC;IACrB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,uEAAuE;IACvE,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,GAAG,CAAC,EAAE,UAAU,CAAC;CAClB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAa;IAClC;;;;OAIG;IACH,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqB;IAC7C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;gBAEtB,GAAG,EAAE,eAAe;IAShC,+DAA+D;IAC/D,OAAO,CAAC,YAAY;IAQpB,8EAA8E;IAC9E,OAAO,CAAC,QAAQ;IAQhB;;;;;OAKG;IACG,SAAS,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/C,aAAa,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI7D;;;;;;;;;OASG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAWvF;;;;;;OAMG;IACG,aAAa,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IASjF;;;;;OAKG;YACW,IAAI;IAyClB;;OAEG;YACW,GAAG;CAgClB"}

package/dist/transport/client.js

@@ -0,0 +1,178 @@
+/**
+ * Thin HTTP client used to talk to the collector.
+ *
+ * The agent only ever calls two endpoints - `POST /v1/events` and
+ * `POST /v1/heartbeat`. Both use `Authorization: Bearer <apiKey>` and a JSON
+ * body. A per-call `AbortController` enforces the `timeoutMs` budget.
+ *
+ * Failure semantics differ between the two methods:
+ *  - {@link sendEvent} **throws** on transport / non-2xx errors so the
+ *    buffer layer can decide whether to retry or drop.
+ *  - {@link sendHeartbeat} **swallows** errors and returns `null` so the
+ *    heartbeat loop never crashes the host application.
+ */
+import { createHmac } from "node:crypto";
+import { secureRequest } from "./secure-request.js";
+import { SecureStore } from "../self-protect.js";
+export class TransportClient {
+    baseUrl;
+    timeoutMs;
+    tls;
+    /**
+     * Secrets (API key, HMAC secret) are held encrypted in memory rather than as
+     * plaintext fields, so a heap dump or accidental log of the client does not
+     * leak them (Addendum E.7).
+     */
+    secrets = new SecureStore();
+    hasHmac;
+    constructor(cfg) {
+        this.baseUrl = cfg.collectorUrl.replace(/\/$/, "");
+        this.timeoutMs = cfg.timeoutMs;
+        this.tls = cfg.tls;
+        this.secrets.set("apiKey", cfg.apiKey);
+        this.hasHmac = Boolean(cfg.hmacSecret);
+        if (cfg.hmacSecret)
+            this.secrets.set("hmacSecret", cfg.hmacSecret);
+    }
+    /** Build request headers, decrypting the API key on demand. */
+    buildHeaders(extra) {
+        return {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.secrets.get("apiKey") ?? ""}`,
+            ...extra,
+        };
+    }
+    /** Compute the `X-RASP-Signature` value for a serialised body, if signing. */
+    signBody(body) {
+        if (!this.hasHmac)
+            return null;
+        const secret = this.secrets.get("hmacSecret");
+        if (!secret)
+            return null;
+        const digest = createHmac("sha256", secret).update(body).digest("hex");
+        return `sha256=${digest}`;
+    }
+    /**
+     * POST a sanitised event to `/v1/events`.
+     *
+     * @throws On non-2xx responses or network errors. The buffer treats this
+     *   as a per-event failure and drops the event (fail-open).
+     */
+    async sendEvent(payload) {
+        await this.post("/v1/events", payload);
+    }
+    async sendDiscovery(payload) {
+        await this.post("/v1/discovery", payload);
+    }
+    /**
+     * Fetch the latest signed policy from `GET /v1/policy`.
+     *
+     * Returns the parsed {@link DistributedPolicy} or `null` on any failure
+     * (network, 404 when no policy is published, etc.). Errors are swallowed so a
+     * policy fetch can never crash the host application.
+     *
+     * @param agentId - Used by the collector to resolve the agent's channel.
+     * @param channel - Optional explicit channel override.
+     */
+    async fetchPolicy(agentId, channel) {
+        try {
+            const qs = new URLSearchParams({ agentId });
+            if (channel)
+                qs.set("channel", channel);
+            const res = await this.get(`/v1/policy?${qs.toString()}`);
+            return res;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * POST a heartbeat to `/v1/heartbeat`.
+     *
+     * @returns The parsed {@link HeartbeatResponse}, or `null` if the request
+     *   failed for any reason. Errors are intentionally suppressed - the
+     *   heartbeat must never crash the host.
+     */
+    async sendHeartbeat(payload) {
+        try {
+            const res = await this.post("/v1/heartbeat", payload);
+            return res;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Shared POST helper.
+     *
+     * Sets up an `AbortController` that fires after `timeoutMs`, sends the
+     * JSON body and rejects on a non-2xx status.
+     */
+    async post(path, body) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const serialized = JSON.stringify(body);
+            const signature = this.signBody(serialized);
+            const headers = this.buildHeaders(signature ? { "X-RASP-Signature": signature } : undefined);
+            // Pinned HTTPS / mutual-TLS path.
+            if (this.tls) {
+                return await secureRequest({
+                    method: "POST",
+                    url: `${this.baseUrl}${path}`,
+                    headers,
+                    body: serialized,
+                    timeoutMs: this.timeoutMs,
+                    tls: this.tls,
+                });
+            }
+            const res = await fetch(`${this.baseUrl}${path}`, {
+                method: "POST",
+                headers,
+                body: serialized,
+                signal: controller.signal,
+            });
+            if (!res.ok) {
+                const text = await res.text().catch(() => "");
+                throw new Error(`[rasp-transport] ${path} → HTTP ${res.status}: ${text}`);
+            }
+            return res.json();
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    /**
+     * Shared GET helper. Same timeout budget and non-2xx handling as POST.
+     */
+    async get(path) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const headers = this.buildHeaders();
+            if (this.tls) {
+                return await secureRequest({
+                    method: "GET",
+                    url: `${this.baseUrl}${path}`,
+                    headers,
+                    timeoutMs: this.timeoutMs,
+                    tls: this.tls,
+                });
+            }
+            const res = await fetch(`${this.baseUrl}${path}`, {
+                method: "GET",
+                headers,
+                signal: controller.signal,
+            });
+            if (!res.ok) {
+                const text = await res.text().catch(() => "");
+                throw new Error(`[rasp-transport] ${path} → HTTP ${res.status}: ${text}`);
+            }
+            return res.json();
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/transport/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/transport/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,OAAO,EAAE,aAAa,EAAmB,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAqBjD,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,GAAG,CAAc;IAClC;;;;OAIG;IACc,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAC5B,OAAO,CAAU;IAElC,YAAY,GAAoB;QAC9B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC;QAC/B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACnB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACvC,IAAI,GAAG,CAAC,UAAU;YAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;IACrE,CAAC;IAED,+DAA+D;IACvD,YAAY,CAAC,KAA8B;QACjD,OAAO;YACL,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE;YAC3D,GAAG,KAAK;SACT,CAAC;IACJ,CAAC;IAED,8EAA8E;IACtE,QAAQ,CAAC,IAAY;QAC3B,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO,UAAU,MAAM,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,OAAqB;QACnC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAyB;QAC3C,MAAM,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,OAAgB;QACjD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,IAAI,OAAO;gBAAE,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC1D,OAAO,GAAwB,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,aAAa,CAAC,OAAyB;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,GAAwB,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,IAAI,CAAC,IAAY,EAAE,IAAa;QAC5C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEnE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAC/B,SAAS,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS,CAC1D,CAAC;YAEF,kCAAkC;YAClC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,OAAO,MAAM,aAAa,CAAC;oBACzB,MAAM,EAAE,MAAM;oBACd,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE;oBAC7B,OAAO;oBACP,IAAI,EAAE,UAAU;oBAChB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,GAAG,EAAE,IAAI,CAAC,GAAG;iBACd,CAAC,CAAC;YACL,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;gBAChD,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC9C,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,WAAW,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;YAC5E,CAAC;YAED,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,GAAG,CAAC,IAAY;QAC5B,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEnE,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,OAAO,MAAM,aAAa,CAAC;oBACzB,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE;oBAC7B,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,GAAG,EAAE,IAAI,CAAC,GAAG;iBACd,CAAC,CAAC;YACL,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;gBAChD,MAAM,EAAE,KAAK;gBACb,OAAO;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC9C,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,WAAW,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;YAC5E,CAAC;YAED,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CACF"}

package/dist/transport/heartbeat.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Heartbeat scheduler.
+ *
+ * Periodically sends an {@link HeartbeatPayload} to the collector. The
+ * heartbeat is the bidirectional control channel: the agent reports its
+ * health and mode, and the collector replies with the kill-switch flag and
+ * the current policy version.
+ *
+ * Behaviour:
+ *  - {@link start} immediately fires one heartbeat, then arms an interval
+ *    of `cfg.heartbeatIntervalMs`. The timer is `unref`'d so it doesn't
+ *    keep the process alive.
+ *  - On a `killSwitch: true` response, the scheduler stops itself and
+ *    invokes `onKillSwitch` so the agent can drain its buffer and disable
+ *    inspection.
+ *  - On a `policyVersion` change, `onPolicyChange` is invoked once
+ *    (reserved for future dynamic rule refresh).
+ *  - All heartbeat failures are swallowed by {@link TransportClient.sendHeartbeat}
+ *    so the loop never crashes.
+ */
+import type { AgentStatus, AgentMode } from "../types.js";
+import type { TransportClient } from "./client.js";
+import type { ValidatedRaspConfig } from "../config.js";
+export type KillSwitchHandler = () => void;
+export type RecoverHandler = () => void;
+export type PolicyChangeHandler = (version: string) => void;
+export type ModeChangeHandler = (mode: AgentMode) => void;
+export interface TargetVersionInfo {
+    targetVersion: string | null;
+    upgradeAvailable: boolean;
+    changelog: string | null;
+    impact: string | null;
+}
+export type TargetVersionHandler = (info: TargetVersionInfo) => void;
+export declare class HeartbeatScheduler {
+    private readonly client;
+    private readonly cfg;
+    private timer;
+    private status;
+    private readonly onKillSwitch;
+    private readonly onRecover?;
+    private readonly onPolicyChange;
+    private readonly onModeChange;
+    private readonly onTargetVersion?;
+    private readonly getMode;
+    private lastPolicyVersion;
+    private lastMode;
+    private lastTargetVersion;
+    /** Tracks whether the kill switch was active on the last heartbeat response. */
+    private killSwitchActive;
+    /**
+     * @param client - Transport used to deliver heartbeats.
+     * @param cfg - Validated config. Provides identity, mode and interval.
+     * @param handlers - Callbacks fired when the backend signals a kill
+     *   switch, a policy change, or a mode change.
+     */
+    constructor(client: TransportClient, cfg: ValidatedRaspConfig, handlers: {
+        onKillSwitch: KillSwitchHandler;
+        /** Called once when the kill switch transitions from active back to inactive. */
+        onRecover?: RecoverHandler;
+        onPolicyChange: PolicyChangeHandler;
+        onModeChange: ModeChangeHandler;
+        onTargetVersion?: TargetVersionHandler;
+        /** Returns the agent's current enforcement mode so the heartbeat payload stays accurate. */
+        getMode: () => AgentMode;
+    });
+    /**
+     * Send an immediate heartbeat and arm the periodic loop. Idempotent -
+     * calling `start` twice has no extra effect.
+     */
+    start(): void;
+    /** Cancel the periodic loop. Safe to call multiple times. */
+    stop(): void;
+    /**
+     * Override the self-reported status sent on the next beat. Used by the
+     * agent when subsystems degrade.
+     */
+    setStatus(status: AgentStatus): void;
+    /**
+     * Send one heartbeat, then react to the response:
+     *  - `killSwitch` → stop the loop and fire {@link onKillSwitch}.
+     *  - `policyVersion` change → cache it and fire {@link onPolicyChange}.
+     */
+    private beat;
+}
+//# sourceMappingURL=heartbeat.d.ts.map

package/dist/transport/heartbeat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"heartbeat.d.ts","sourceRoot":"","sources":["../../src/transport/heartbeat.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,KAAK,EAAoB,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAExD,MAAM,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC;AAC3C,MAAM,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC;AACxC,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;AAC5D,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,CAAC;AAC1D,MAAM,WAAW,iBAAiB;IAChC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AACD,MAAM,MAAM,oBAAoB,GAAG,CAAC,IAAI,EAAE,iBAAiB,KAAK,IAAI,CAAC;AAErE,qBAAa,kBAAkB;IAsB3B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG;IAtBtB,OAAO,CAAC,KAAK,CAA+C;IAC5D,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAiB;IAC5C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAuB;IACxD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkB;IAC1C,OAAO,CAAC,iBAAiB,CAAM;IAC/B,OAAO,CAAC,QAAQ,CAAsB;IACtC,OAAO,CAAC,iBAAiB,CAAwC;IACjE,gFAAgF;IAChF,OAAO,CAAC,gBAAgB,CAAS;IAEjC;;;;;OAKG;gBAEgB,MAAM,EAAE,eAAe,EACvB,GAAG,EAAE,mBAAmB,EACzC,QAAQ,EAAE;QACR,YAAY,EAAE,iBAAiB,CAAC;QAChC,iFAAiF;QACjF,SAAS,CAAC,EAAE,cAAc,CAAC;QAC3B,cAAc,EAAE,mBAAmB,CAAC;QACpC,YAAY,EAAE,iBAAiB,CAAC;QAChC,eAAe,CAAC,EAAE,oBAAoB,CAAC;QACvC,4FAA4F;QAC5F,OAAO,EAAE,MAAM,SAAS,CAAC;KAC1B;IAUH;;;OAGG;IACH,KAAK,IAAI,IAAI;IAcb,6DAA6D;IAC7D,IAAI,IAAI,IAAI;IAOZ;;;OAGG;IACH,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAIpC;;;;OAIG;YACW,IAAI;CA6CnB"}

package/dist/transport/heartbeat.js

@@ -0,0 +1,110 @@
+export class HeartbeatScheduler {
+    client;
+    cfg;
+    timer = null;
+    status = "healthy";
+    onKillSwitch;
+    onRecover;
+    onPolicyChange;
+    onModeChange;
+    onTargetVersion;
+    getMode;
+    lastPolicyVersion = "";
+    lastMode = "";
+    lastTargetVersion = undefined;
+    /** Tracks whether the kill switch was active on the last heartbeat response. */
+    killSwitchActive = false;
+    /**
+     * @param client - Transport used to deliver heartbeats.
+     * @param cfg - Validated config. Provides identity, mode and interval.
+     * @param handlers - Callbacks fired when the backend signals a kill
+     *   switch, a policy change, or a mode change.
+     */
+    constructor(client, cfg, handlers) {
+        this.client = client;
+        this.cfg = cfg;
+        this.onKillSwitch = handlers.onKillSwitch;
+        this.onRecover = handlers.onRecover;
+        this.onPolicyChange = handlers.onPolicyChange;
+        this.onModeChange = handlers.onModeChange;
+        this.onTargetVersion = handlers.onTargetVersion;
+        this.getMode = handlers.getMode;
+    }
+    /**
+     * Send an immediate heartbeat and arm the periodic loop. Idempotent -
+     * calling `start` twice has no extra effect.
+     */
+    start() {
+        if (this.timer)
+            return;
+        this.beat().catch(() => { });
+        this.timer = setInterval(() => {
+            this.beat().catch(() => { });
+        }, this.cfg.heartbeatIntervalMs);
+        if (this.timer.unref) {
+            this.timer.unref();
+        }
+    }
+    /** Cancel the periodic loop. Safe to call multiple times. */
+    stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+    }
+    /**
+     * Override the self-reported status sent on the next beat. Used by the
+     * agent when subsystems degrade.
+     */
+    setStatus(status) {
+        this.status = status;
+    }
+    /**
+     * Send one heartbeat, then react to the response:
+     *  - `killSwitch` → stop the loop and fire {@link onKillSwitch}.
+     *  - `policyVersion` change → cache it and fire {@link onPolicyChange}.
+     */
+    async beat() {
+        const payload = {
+            projectId: this.cfg.projectId,
+            agentId: this.cfg.agentId,
+            agentVersion: this.cfg.agentVersion,
+            runtime: this.cfg.runtime,
+            framework: this.cfg.framework,
+            status: this.status,
+            mode: this.getMode(),
+            timestamp: new Date().toISOString(),
+        };
+        const res = await this.client.sendHeartbeat(payload);
+        if (!res)
+            return;
+        if (res.killSwitch && !this.killSwitchActive) {
+            this.killSwitchActive = true;
+            this.onKillSwitch();
+        }
+        else if (!res.killSwitch && this.killSwitchActive) {
+            this.killSwitchActive = false;
+            this.onRecover?.();
+        }
+        if (res.policyVersion && res.policyVersion !== this.lastPolicyVersion) {
+            this.lastPolicyVersion = res.policyVersion;
+            if (this.lastPolicyVersion) {
+                this.onPolicyChange(res.policyVersion);
+            }
+        }
+        if (res.mode && res.mode !== this.lastMode) {
+            this.lastMode = res.mode;
+            this.onModeChange(res.mode);
+        }
+        if (this.onTargetVersion && res.targetVersion !== this.lastTargetVersion) {
+            this.lastTargetVersion = res.targetVersion ?? null;
+            this.onTargetVersion({
+                targetVersion: res.targetVersion ?? null,
+                upgradeAvailable: res.upgradeAvailable ?? false,
+                changelog: res.changelog ?? null,
+                impact: res.impact ?? null,
+            });
+        }
+    }
+}
+//# sourceMappingURL=heartbeat.js.map

package/dist/transport/heartbeat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"heartbeat.js","sourceRoot":"","sources":["../../src/transport/heartbeat.ts"],"names":[],"mappings":"AAoCA,MAAM,OAAO,kBAAkB;IAsBV;IACA;IAtBX,KAAK,GAA0C,IAAI,CAAC;IACpD,MAAM,GAAgB,SAAS,CAAC;IACvB,YAAY,CAAoB;IAChC,SAAS,CAAkB;IAC3B,cAAc,CAAsB;IACpC,YAAY,CAAoB;IAChC,eAAe,CAAwB;IACvC,OAAO,CAAkB;IAClC,iBAAiB,GAAG,EAAE,CAAC;IACvB,QAAQ,GAAmB,EAAE,CAAC;IAC9B,iBAAiB,GAA8B,SAAS,CAAC;IACjE,gFAAgF;IACxE,gBAAgB,GAAG,KAAK,CAAC;IAEjC;;;;;OAKG;IACH,YACmB,MAAuB,EACvB,GAAwB,EACzC,QASC;QAXgB,WAAM,GAAN,MAAM,CAAiB;QACvB,QAAG,GAAH,GAAG,CAAqB;QAYzC,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;QAC1C,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;QACpC,IAAI,CAAC,cAAc,GAAG,QAAQ,CAAC,cAAc,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC,eAAe,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QAEvB,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAE5B,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC9B,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QAEjC,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,MAAmB;QAC3B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,IAAI;QAChB,MAAM,OAAO,GAAqB;YAChC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,YAAY;YACnC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;YAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;YACpB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC7C,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC7B,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACpD,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC;YAC9B,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;QACrB,CAAC;QAED,IAAI,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,aAAa,KAAK,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACtE,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,aAAa,CAAC;YAC3C,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC3B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC3C,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC;YACzB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,IAAI,GAAG,CAAC,aAAa,KAAK,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzE,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,aAAa,IAAI,IAAI,CAAC;YACnD,IAAI,CAAC,eAAe,CAAC;gBACnB,aAAa,EAAE,GAAG,CAAC,aAAa,IAAI,IAAI;gBACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB,IAAI,KAAK;gBAC/C,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI;gBAChC,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,IAAI;aAC3B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}

package/dist/transport/secure-request.d.ts

@@ -0,0 +1,30 @@
+export interface TlsOptions {
+    /** PEM trust anchor (private CA) added to the default roots. */
+    caCert?: string;
+    /** Client certificate (PEM) presented for mutual TLS. */
+    clientCert?: string;
+    /** Client private key (PEM) for mutual TLS. */
+    clientKey?: string;
+    /**
+     * Pinned server certificate SHA-256 fingerprints (hex, with or without
+     * colons, case-insensitive). When set, the server cert must match one.
+     */
+    collectorFingerprints?: string[];
+    /** Reject self-signed/untrusted certs. Default true. */
+    rejectUnauthorized?: boolean;
+}
+export interface SecureRequestInput {
+    method: "GET" | "POST";
+    url: string;
+    headers: Record<string, string>;
+    body?: string;
+    timeoutMs: number;
+    tls: TlsOptions;
+}
+/**
+ * Perform a pinned HTTPS (or plain HTTP for non-https URLs) JSON request.
+ * Resolves with the parsed JSON body, rejects on transport / non-2xx / pinning
+ * failures.
+ */
+export declare function secureRequest(input: SecureRequestInput): Promise<unknown>;
+//# sourceMappingURL=secure-request.d.ts.map

package/dist/transport/secure-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-request.d.ts","sourceRoot":"","sources":["../../src/transport/secure-request.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,UAAU;IACzB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,wDAAwD;IACxD,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAWD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,KAAK,GAAG,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;CACjB;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmEzE"}

package/dist/transport/secure-request.js

@@ -0,0 +1,95 @@
+/**
+ * Pinned HTTPS transport (the codeable slice of mTLS - Addendum E.4.2).
+ *
+ * Used in place of `fetch` when the agent is configured with {@link TlsOptions}.
+ * It provides two guarantees that global `fetch` cannot easily express:
+ *
+ *  1. **Server certificate pinning**: the collector's certificate must match
+ *     one of the pinned SHA-256 fingerprints. This defeats a rogue CA or a
+ *     TLS-terminating proxy injected between the agent and the collector.
+ *  2. **Mutual TLS**: the agent presents a client certificate/key so the
+ *     collector can authenticate the agent at the transport layer.
+ *
+ * A private CA can be trusted via `caCert`. Everything is fail-closed: a
+ * fingerprint mismatch or TLS error rejects the request.
+ */
+import https from "node:https";
+import http from "node:http";
+import { createHash } from "node:crypto";
+function normalizeFp(fp) {
+    return fp.replace(/:/g, "").toLowerCase();
+}
+function certFingerprint(cert) {
+    // cert.raw is the DER-encoded certificate.
+    return createHash("sha256").update(cert.raw).digest("hex");
+}
+/**
+ * Perform a pinned HTTPS (or plain HTTP for non-https URLs) JSON request.
+ * Resolves with the parsed JSON body, rejects on transport / non-2xx / pinning
+ * failures.
+ */
+export function secureRequest(input) {
+    const { method, url, headers, body, timeoutMs, tls } = input;
+    const u = new URL(url);
+    const isHttps = u.protocol === "https:";
+    return new Promise((resolve, reject) => {
+        const pinned = (tls.collectorFingerprints ?? []).map(normalizeFp);
+        const options = {
+            method,
+            hostname: u.hostname,
+            port: u.port || (isHttps ? 443 : 80),
+            path: u.pathname + u.search,
+            headers,
+            ...(isHttps
+                ? {
+                    ca: tls.caCert,
+                    cert: tls.clientCert,
+                    key: tls.clientKey,
+                    rejectUnauthorized: tls.rejectUnauthorized ?? true,
+                    // Pin the server certificate fingerprint.
+                    checkServerIdentity: (host, cert) => {
+                        if (pinned.length === 0)
+                            return undefined;
+                        const fp = certFingerprint(cert);
+                        if (!pinned.includes(fp)) {
+                            return new Error(`[rasp-transport] collector certificate fingerprint not pinned (host ${host})`);
+                        }
+                        return undefined;
+                    },
+                }
+                : {}),
+        };
+        const transport = isHttps ? https : http;
+        const req = transport.request(options, (res) => {
+            const chunks = [];
+            res.on("data", (c) => chunks.push(c));
+            res.on("end", () => {
+                const text = Buffer.concat(chunks).toString("utf8");
+                const status = res.statusCode ?? 0;
+                if (status < 200 || status >= 300) {
+                    reject(new Error(`[rasp-transport] ${u.pathname} → HTTP ${status}: ${text}`));
+                    return;
+                }
+                try {
+                    resolve(text ? JSON.parse(text) : {});
+                }
+                catch (err) {
+                    reject(err);
+                }
+            });
+        });
+        req.setTimeout(timeoutMs, () => req.destroy(new Error("[rasp-transport] request timeout")));
+        req.on("error", reject);
+        // For mutual TLS, surface a clear error if the handshake is rejected.
+        req.on("secureConnect", () => {
+            const socket = req.socket;
+            if (socket && isHttps && (tls.rejectUnauthorized ?? true) && !socket.authorized) {
+                req.destroy(new Error(`[rasp-transport] TLS not authorized: ${socket.authorizationError}`));
+            }
+        });
+        if (body)
+            req.write(body);
+        req.end();
+    });
+}
+//# sourceMappingURL=secure-request.js.map