npm - @rawdash/connector-aws-cloudwatch - Versions diffs - 0.15.0 - Mend

@rawdash/connector-aws-cloudwatch 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,141 @@
+# @rawdash/connector-aws-cloudwatch
+Rawdash connector for [AWS CloudWatch](https://docs.aws.amazon.com/cloudwatch/) — pulls the specific metric queries you declare into the `metric` storage shape via the [`GetMetricData`](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html) API.
+CloudWatch is far too broad to mirror wholesale, so this connector takes a list of explicit **metric queries** (namespace + metric + statistic + period + dimensions) and emits one metric sample per returned data point. Requests are signed with AWS Signature V4 using the Web Crypto API — the package carries **no AWS SDK dependency**.
+## Auth setup
+Two mutually exclusive modes, selected by which fields you supply:
+- **Static credentials** — `accessKeyId` + `secretAccessKey` for an IAM principal with the `cloudwatch:GetMetricData` permission. Create an access key under AWS Console → **IAM → Users → Security credentials**.
+- **Role assumption** — `roleArn` (plus optional `externalId`). The connector calls STS `AssumeRole` to obtain temporary credentials, then signs CloudWatch with them. The _base_ credentials used for the `AssumeRole` call come from `accessKeyId`/`secretAccessKey` if provided, otherwise from the ambient AWS environment (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`) — the path rawdash cloud uses with its task role.
+The role's trust policy must allow your base principal to `sts:AssumeRole`, and (if you set `externalId`) must require that external ID.
+## Configuration
+```ts
+import { secret } from '@rawdash/core';
+const cloudwatch = {
+  name: 'cloudwatch',
+  connectorId: 'aws-cloudwatch',
+  config: {
+    region: 'us-east-1',
+    accessKeyId: secret('AWS_ACCESS_KEY_ID'),
+    secretAccessKey: secret('AWS_SECRET_ACCESS_KEY'),
+    // roleArn: 'arn:aws:iam::123456789012:role/rawdash-cloudwatch', // instead of static keys
+    // externalId: 'rawdash',                                       // optional, with roleArn
+    metricQueries: [
+      {
+        id: 'ec2_cpu',
+        namespace: 'AWS/EC2',
+        metric: 'CPUUtilization',
+        stat: 'Average',
+        periodSeconds: 300,
+        dimensions: { InstanceId: 'i-0123456789abcdef0' },
+      },
+      {
+        id: 'alb_5xx',
+        namespace: 'AWS/ApplicationELB',
+        metric: 'HTTPCode_Target_5XX_Count',
+        stat: 'Sum',
+        periodSeconds: 300,
+      },
+    ],
+    // lookbackMinutes: 180, // optional — full-sync window when no `since` is supplied (default 180)
+  },
+};
+```
+Register the connector class when mounting the engine:
+```ts
+import { CloudWatchConnector } from '@rawdash/connector-aws-cloudwatch';
+import { mountEngine } from '@rawdash/hono';
+mountEngine(config, {
+  connectorRegistry: { 'aws-cloudwatch': CloudWatchConnector },
+});
+```
+### Metric queries
+Each entry of `metricQueries` becomes one [`MetricDataQuery`](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDataQuery.html):
+| Field           | Notes                                                                               |
+| --------------- | ----------------------------------------------------------------------------------- |
+| `id`            | Must match `^[a-z][a-zA-Z0-9_]*$` (CloudWatch's query-id rule).                     |
+| `namespace`     | e.g. `AWS/EC2`, `AWS/Lambda`, or a custom namespace.                                |
+| `metric`        | The metric name within that namespace.                                              |
+| `stat`          | Any CloudWatch statistic — `Average`, `Sum`, `Minimum`, `Maximum`, `p99`, etc.      |
+| `periodSeconds` | Aggregation period, in seconds. Must be a multiple of 60 (minimum 1 minute).        |
+| `dimensions`    | Optional `{ Name: Value }` map narrowing the metric (e.g. `{ InstanceId: 'i-…' }`). |
+Queries are batched at most 500 per `GetMetricData` call, and `NextToken` pagination is followed automatically.
+### Example dashboard
+```ts
+import { defineConfig, defineDashboard, defineMetric } from '@rawdash/core';
+export default defineConfig({
+  connectors: [cloudwatch],
+  dashboards: {
+    infra: defineDashboard({
+      widgets: {
+        cpu: {
+          kind: 'timeseries',
+          title: 'EC2 CPU %',
+          window: '24h',
+          metric: defineMetric({
+            connector: cloudwatch,
+            shape: 'metric',
+            name: 'AWS/EC2/CPUUtilization',
+            fn: 'avg',
+            window: '24h',
+            groupBy: { field: 'ts', granularity: 'hour' },
+          }),
+        },
+      },
+    }),
+  },
+});
+```
+## Data model
+| Storage shape | Metric name              | Value / attributes                                                                                                                      |
+| ------------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
+| metric        | `${namespace}/${metric}` | `value` = the data point for that period; attributes = the query's `dimensions` plus `stat`, `period`, `queryId`, `label`, `statusCode` |
+Timestamps are stored as Unix epoch milliseconds. Data points with a non-finite value or unparseable timestamp are skipped.
+## Schemas
+`CloudWatchConnector.schemas.metric_data` is the Zod schema for the logical `GetMetricData` response (the connector parses the AWS Query-protocol XML into this shape). It powers the cloud shape-drift pipeline and the package's property tests.
+## Sync behaviour
+- **Window**: when the host supplies `since`, the connector fetches `[since, now]`. Otherwise a full sync uses `lookbackMinutes` (default 180) and a `latest` sync uses a short window covering the last few periods.
+- **Idempotent**: every sync replaces the full set of samples for the metric names it owns (`storage.metrics(samples, { names })`), so re-syncing the same window converges.
+- **Batched + paginated**: up to 500 queries per `GetMetricData` request, with `NextToken` followed until exhausted.
+- **Single-call**: the windowed pull fits in one invocation, so `sync()` returns `{ done: true }` without a resume cursor.
+## Errors
+CloudWatch and STS return AWS error codes inside the response body even on a `400`, so the connector inspects the body and maps:
+- `Throttling` / `RequestLimitExceeded` / `TooManyRequests` → `RateLimitError` — host backs off and reschedules.
+- `AccessDenied` / `InvalidClientTokenId` / `SignatureDoesNotMatch` / `AuthFailure` → `AuthError` — host pauses until credentials are fixed.
+- `5xx` → `TransientError` — host retries on the next tick.
+## Out of scope
+- **AWS Cost Explorer** — tracked separately.
+- **CloudWatch Logs / Logs Insights** — a different API surface; deferred.
+## Property tests
+`src/property.test.ts` generates synthetic `GetMetricData` responses from the Zod schema, serializes them to the Query-protocol XML the connector parses, pipes them through `connector.sync()` against `InMemoryStorage`, and asserts universal invariants (finite metric values/timestamps, no `undefined` reaching storage, no throws) plus one metric sample per paired timestamp/value.

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,94 @@
+import { BaseConnector, ConnectorContext, SyncOptions, StorageHandle, SyncResult } from '@rawdash/core';
+import { z } from 'zod';
+declare const configFields: z.ZodObject<{
+    region: z.ZodString;
+    accessKeyId: z.ZodOptional<z.ZodObject<{
+        $secret: z.ZodString;
+    }, z.core.$strip>>;
+    secretAccessKey: z.ZodOptional<z.ZodObject<{
+        $secret: z.ZodString;
+    }, z.core.$strip>>;
+    roleArn: z.ZodOptional<z.ZodString>;
+    externalId: z.ZodOptional<z.ZodString>;
+    metricQueries: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        namespace: z.ZodString;
+        metric: z.ZodString;
+        stat: z.ZodString;
+        periodSeconds: z.ZodNumber;
+        dimensions: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, z.core.$strip>>;
+    lookbackMinutes: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+interface CloudWatchMetricQuery {
+    id: string;
+    namespace: string;
+    metric: string;
+    stat: string;
+    periodSeconds: number;
+    dimensions?: Record<string, string>;
+}
+interface CloudWatchSettings {
+    region: string;
+    roleArn?: string;
+    externalId?: string;
+    metricQueries: CloudWatchMetricQuery[];
+    lookbackMinutes?: number;
+}
+declare const cloudWatchCredentials: {
+    accessKeyId: {
+        description: string;
+        auth: "optional";
+    };
+    secretAccessKey: {
+        description: string;
+        auth: "optional";
+    };
+};
+type CloudWatchCredentials = typeof cloudWatchCredentials;
+declare class CloudWatchConnector extends BaseConnector<CloudWatchSettings, CloudWatchCredentials> {
+    static readonly id = "aws-cloudwatch";
+    static readonly schemas: {
+        readonly metric_data: z.ZodObject<{
+            MetricDataResults: z.ZodArray<z.ZodObject<{
+                Id: z.ZodString;
+                Label: z.ZodString;
+                Timestamps: z.ZodArray<z.ZodISODateTime>;
+                Values: z.ZodArray<z.ZodNumber>;
+                StatusCode: z.ZodEnum<{
+                    Complete: "Complete";
+                    InternalError: "InternalError";
+                    PartialData: "PartialData";
+                    Forbidden: "Forbidden";
+                }>;
+            }, z.core.$strip>>;
+            NextToken: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+    };
+    static create(input: unknown, ctx?: ConnectorContext): CloudWatchConnector;
+    readonly id = "aws-cloudwatch";
+    readonly credentials: {
+        accessKeyId: {
+            description: string;
+            auth: "optional";
+        };
+        secretAccessKey: {
+            description: string;
+            auth: "optional";
+        };
+    };
+    private assumedCreds;
+    private baseCredentials;
+    private resolveSigningCredentials;
+    private assumeRole;
+    private cacheAssumedCredentials;
+    private signedPost;
+    private classifyAwsError;
+    private computeWindow;
+    private buildGetMetricDataBody;
+    sync(options: SyncOptions, storage: StorageHandle, signal?: AbortSignal): Promise<SyncResult>;
+    private collectSamples;
+}
+export { CloudWatchConnector, type CloudWatchMetricQuery, type CloudWatchSettings, configFields, CloudWatchConnector as default };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,639 @@
+// ../../connector-shared/dist/index.js
+var HttpClientError = class extends Error {
+  response;
+  constructor(message, response) {
+    super(message);
+    this.name = new.target.name;
+    this.response = response;
+  }
+};
+var TransientError = class extends HttpClientError {
+  kind = "transient";
+};
+var RateLimitError = class extends HttpClientError {
+  kind = "rate_limit";
+  retryAfter;
+  constructor(message, response, retryAfter) {
+    super(message, response);
+    this.retryAfter = retryAfter;
+  }
+};
+var AuthError = class extends HttpClientError {
+  kind = "auth";
+};
+var HTTP_CLIENT_VERSION = "0.0.0";
+var DEFAULT_USER_AGENT = `rawdash-connector/${HTTP_CLIENT_VERSION} (+https://rawdash.dev)`;
+function connectorUserAgent(connectorId) {
+  return `rawdash-connector-${connectorId}/${HTTP_CLIENT_VERSION} (+https://rawdash.dev)`;
+}
+function parseEpoch(value, unit) {
+  if (value === null || value === void 0) {
+    return null;
+  }
+  if (unit === "iso") {
+    if (typeof value !== "string") {
+      return null;
+    }
+    const ms = new Date(value).getTime();
+    return Number.isFinite(ms) ? ms : null;
+  }
+  if (typeof value === "string" && value.trim() === "") {
+    return null;
+  }
+  const n = typeof value === "number" ? value : Number(value);
+  if (!Number.isFinite(n)) {
+    return null;
+  }
+  const result = unit === "s" ? n * 1e3 : n;
+  return Number.isFinite(result) ? result : null;
+}
+// src/aws-cloudwatch.ts
+import {
+  BaseConnector,
+  defineConfigFields
+} from "@rawdash/core";
+import { z } from "zod";
+// src/sigv4.ts
+var encoder = new TextEncoder();
+var ALGORITHM = "AWS4-HMAC-SHA256";
+function u8(data) {
+  return new Uint8Array(encoder.encode(data));
+}
+function toHex(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+async function sha256Hex(data) {
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", u8(data));
+  return toHex(digest);
+}
+async function hmac(key, data) {
+  const cryptoKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    key,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  return globalThis.crypto.subtle.sign("HMAC", cryptoKey, u8(data));
+}
+async function deriveSigningKey(secretAccessKey, dateStamp, region, service) {
+  const kDate = await hmac(u8(`AWS4${secretAccessKey}`), dateStamp);
+  const kRegion = await hmac(kDate, region);
+  const kService = await hmac(kRegion, service);
+  return hmac(kService, "aws4_request");
+}
+function formatAmzDate(date) {
+  const amzDate = date.toISOString().replace(/[:-]|\.\d{3}/g, "");
+  return { amzDate, dateStamp: amzDate.slice(0, 8) };
+}
+async function createAuthorizationHeader(params) {
+  const lowerHeaders = {};
+  for (const [key, value] of Object.entries(params.headers)) {
+    lowerHeaders[key.toLowerCase()] = value.trim().replace(/\s+/g, " ");
+  }
+  const sortedNames = Object.keys(lowerHeaders).sort();
+  const canonicalHeaders = sortedNames.map((name) => `${name}:${lowerHeaders[name]}
+`).join("");
+  const signedHeaders = sortedNames.join(";");
+  const canonicalRequest = [
+    params.method,
+    params.path,
+    params.query,
+    canonicalHeaders,
+    signedHeaders,
+    params.payloadHash
+  ].join("\n");
+  const credentialScope = `${params.dateStamp}/${params.region}/${params.service}/aws4_request`;
+  const stringToSign = [
+    ALGORITHM,
+    params.amzDate,
+    credentialScope,
+    await sha256Hex(canonicalRequest)
+  ].join("\n");
+  const signingKey = await deriveSigningKey(
+    params.secretAccessKey,
+    params.dateStamp,
+    params.region,
+    params.service
+  );
+  const signature = toHex(await hmac(signingKey, stringToSign));
+  return `${ALGORITHM} Credential=${params.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+}
+// src/xml.ts
+function decodeEntities(value) {
+  return value.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&apos;/g, "'").replace(/&amp;/g, "&");
+}
+function firstInner(xml, tag) {
+  const escapedTag = tag.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const open = new RegExp(`<${escapedTag}(?:\\s[^>]*)?>`).exec(xml);
+  if (!open) {
+    return new RegExp(`<${escapedTag}\\s*/>`).test(xml) ? "" : null;
+  }
+  const start = open.index + open[0].length;
+  const closeIdx = xml.indexOf(`</${tag}>`, start);
+  if (closeIdx === -1) {
+    return null;
+  }
+  return xml.slice(start, closeIdx);
+}
+function firstText(xml, tag) {
+  const inner = firstInner(xml, tag);
+  return inner === null ? null : decodeEntities(inner).trim();
+}
+function topLevelMembers(xml) {
+  const results = [];
+  const re = /<member(?:\s[^>]*)?>|<\/member>/g;
+  let depth = 0;
+  let contentStart = -1;
+  let match;
+  while ((match = re.exec(xml)) !== null) {
+    if (match[0].startsWith("</")) {
+      depth--;
+      if (depth === 0 && contentStart !== -1) {
+        results.push(xml.slice(contentStart, match.index));
+        contentStart = -1;
+      }
+    } else {
+      if (depth === 0) {
+        contentStart = match.index + match[0].length;
+      }
+      depth++;
+    }
+  }
+  return results;
+}
+function parseGetMetricData(xml) {
+  const resultsBlock = firstInner(xml, "MetricDataResults") ?? "";
+  const results = topLevelMembers(resultsBlock).map((member) => {
+    const tsBlock = firstInner(member, "Timestamps") ?? "";
+    const valBlock = firstInner(member, "Values") ?? "";
+    return {
+      id: firstText(member, "Id") ?? "",
+      label: firstText(member, "Label") ?? "",
+      statusCode: firstText(member, "StatusCode") ?? "",
+      timestamps: topLevelMembers(tsBlock).map((t) => decodeEntities(t).trim()),
+      values: topLevelMembers(valBlock).map(
+        (v) => Number(decodeEntities(v).trim())
+      )
+    };
+  });
+  const nextToken = firstText(xml, "NextToken");
+  return { results, nextToken: nextToken === "" ? null : nextToken };
+}
+function parseAssumeRole(xml) {
+  const credBlock = firstInner(xml, "Credentials");
+  if (credBlock === null) {
+    return null;
+  }
+  const accessKeyId = firstText(credBlock, "AccessKeyId") ?? "";
+  const secretAccessKey = firstText(credBlock, "SecretAccessKey") ?? "";
+  if (accessKeyId === "" || secretAccessKey === "") {
+    return null;
+  }
+  return {
+    accessKeyId,
+    secretAccessKey,
+    sessionToken: firstText(credBlock, "SessionToken") ?? "",
+    expiration: firstText(credBlock, "Expiration") ?? ""
+  };
+}
+function parseErrorCode(xml) {
+  return firstText(xml, "Code");
+}
+// src/aws-cloudwatch.ts
+function readEnv(name) {
+  const env = globalThis.process?.env;
+  return env?.[name];
+}
+var metricQuerySchema = z.object({
+  id: z.string().regex(
+    /^[a-z][a-zA-Z0-9_]*$/,
+    "CloudWatch query id must start with a lowercase letter and contain only letters, digits, and underscores"
+  ),
+  namespace: z.string().min(1),
+  metric: z.string().min(1),
+  stat: z.string().min(1),
+  periodSeconds: z.number().int().min(60).refine((n) => n % 60 === 0, {
+    message: "periodSeconds must be a multiple of 60 (1 minute)"
+  }),
+  dimensions: z.record(z.string(), z.string()).optional()
+});
+var configFields = defineConfigFields(
+  z.object({
+    region: z.string().regex(
+      /^[a-z0-9-]+$/,
+      "region must look like an AWS region, e.g. us-east-1"
+    ).meta({
+      label: "AWS Region",
+      description: "The AWS region whose CloudWatch metrics you want to read, e.g. us-east-1.",
+      placeholder: "us-east-1"
+    }),
+    accessKeyId: z.object({ $secret: z.string() }).optional().meta({
+      label: "Access Key ID",
+      description: "AWS access key ID for an IAM principal with cloudwatch:GetMetricData. Use this together with the secret access key for static-credential auth.",
+      secret: true
+    }),
+    secretAccessKey: z.object({ $secret: z.string() }).optional().meta({
+      label: "Secret Access Key",
+      description: "AWS secret access key paired with the access key ID above.",
+      secret: true
+    }),
+    roleArn: z.string().regex(
+      /^arn:aws:iam::\d{12}:role\/.+/,
+      "roleArn must be a full IAM role ARN, e.g. arn:aws:iam::123456789012:role/rawdash"
+    ).optional().meta({
+      label: "Role ARN",
+      description: "IAM role to assume via STS instead of using static keys. The base credentials (the access key above, or the ambient AWS environment) must be allowed to sts:AssumeRole this role.",
+      placeholder: "arn:aws:iam::123456789012:role/rawdash-cloudwatch"
+    }),
+    externalId: z.string().min(1).optional().meta({
+      label: "External ID",
+      description: "External ID required by the trust policy of the role being assumed. Only used with Role ARN."
+    }),
+    metricQueries: z.array(metricQuerySchema).nonempty().meta({
+      label: "Metric queries",
+      description: "CloudWatch is too broad to mirror wholesale \u2014 declare the specific metrics to pull. Each query needs an id, namespace, metric name, statistic, and period (seconds, multiple of 60), with optional dimensions."
+    }),
+    lookbackMinutes: z.number().int().positive().max(40320).optional().meta({
+      label: "Lookback (minutes)",
+      description: "How far back to pull data points on a full sync when the host does not supply a since bound. Defaults to 180.",
+      placeholder: "180"
+    })
+  }).refine(
+    (val) => val.roleArn !== void 0 || val.accessKeyId !== void 0 && val.secretAccessKey !== void 0,
+    {
+      message: "Provide either accessKeyId + secretAccessKey (static credentials) or roleArn (role assumption)"
+    }
+  )
+);
+var cloudWatchCredentials = {
+  accessKeyId: {
+    description: "AWS access key ID",
+    auth: "optional"
+  },
+  secretAccessKey: {
+    description: "AWS secret access key",
+    auth: "optional"
+  }
+};
+var metricDataResponseSchema = z.object({
+  MetricDataResults: z.array(
+    z.object({
+      Id: z.string(),
+      Label: z.string(),
+      Timestamps: z.array(z.iso.datetime()),
+      Values: z.array(z.number()),
+      StatusCode: z.enum([
+        "Complete",
+        "InternalError",
+        "PartialData",
+        "Forbidden"
+      ])
+    })
+  ),
+  NextToken: z.string().optional()
+});
+var CLOUDWATCH_SERVICE = "monitoring";
+var CLOUDWATCH_API_VERSION = "2010-08-01";
+var STS_SERVICE = "sts";
+var STS_API_VERSION = "2011-06-15";
+var MAX_QUERIES_PER_CALL = 500;
+var DEFAULT_LOOKBACK_MINUTES = 180;
+var ASSUMED_ROLE_TTL_BUFFER_MS = 6e4;
+var ASSUME_ROLE_DURATION_SECONDS = 3600;
+var MS_PER_MINUTE = 6e4;
+var FORM_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8";
+var CloudWatchConnector = class _CloudWatchConnector extends BaseConnector {
+  static id = "aws-cloudwatch";
+  static schemas = {
+    metric_data: metricDataResponseSchema
+  };
+  static create(input, ctx) {
+    const parsed = configFields.parse(input);
+    return new _CloudWatchConnector(
+      {
+        region: parsed.region,
+        roleArn: parsed.roleArn,
+        externalId: parsed.externalId,
+        metricQueries: parsed.metricQueries,
+        lookbackMinutes: parsed.lookbackMinutes
+      },
+      {
+        accessKeyId: parsed.accessKeyId,
+        secretAccessKey: parsed.secretAccessKey
+      },
+      ctx
+    );
+  }
+  id = "aws-cloudwatch";
+  credentials = cloudWatchCredentials;
+  assumedCreds = null;
+  // -------------------------------------------------------------------------
+  // Credential resolution
+  // -------------------------------------------------------------------------
+  baseCredentials() {
+    const { accessKeyId, secretAccessKey } = this.creds;
+    if (accessKeyId && secretAccessKey) {
+      return { accessKeyId, secretAccessKey };
+    }
+    const envAccessKeyId = readEnv("AWS_ACCESS_KEY_ID");
+    const envSecretAccessKey = readEnv("AWS_SECRET_ACCESS_KEY");
+    if (envAccessKeyId && envSecretAccessKey) {
+      return {
+        accessKeyId: envAccessKeyId,
+        secretAccessKey: envSecretAccessKey,
+        sessionToken: readEnv("AWS_SESSION_TOKEN") || void 0
+      };
+    }
+    throw new AuthError(
+      "aws-cloudwatch: no AWS credentials available \u2014 provide accessKeyId + secretAccessKey, or set them in the environment for role assumption"
+    );
+  }
+  async resolveSigningCredentials(signal) {
+    if (this.settings.roleArn === void 0) {
+      const { accessKeyId, secretAccessKey } = this.creds;
+      if (!accessKeyId || !secretAccessKey) {
+        throw new AuthError(
+          "aws-cloudwatch: static-credential auth requires both accessKeyId and secretAccessKey"
+        );
+      }
+      return { accessKeyId, secretAccessKey };
+    }
+    if (this.assumedCreds && Date.now() < this.assumedCreds.expiresAt) {
+      return this.assumedCreds.value;
+    }
+    const assumed = await this.assumeRole(this.settings.roleArn, signal);
+    return assumed;
+  }
+  async assumeRole(roleArn, signal) {
+    const params = new URLSearchParams();
+    params.set("Action", "AssumeRole");
+    params.set("Version", STS_API_VERSION);
+    params.set("RoleArn", roleArn);
+    params.set("RoleSessionName", "rawdash-aws-cloudwatch");
+    params.set("DurationSeconds", String(ASSUME_ROLE_DURATION_SECONDS));
+    if (this.settings.externalId !== void 0) {
+      params.set("ExternalId", this.settings.externalId);
+    }
+    const host = `sts.${this.settings.region}.amazonaws.com`;
+    const xml = await this.signedPost({
+      host,
+      service: STS_SERVICE,
+      body: params.toString(),
+      signingCredentials: this.baseCredentials(),
+      resource: "assume_role",
+      signal
+    });
+    const parsed = parseAssumeRole(xml);
+    if (parsed === null) {
+      throw new AuthError(
+        "aws-cloudwatch: STS AssumeRole returned no usable credentials"
+      );
+    }
+    this.cacheAssumedCredentials(parsed);
+    return {
+      accessKeyId: parsed.accessKeyId,
+      secretAccessKey: parsed.secretAccessKey,
+      sessionToken: parsed.sessionToken || void 0
+    };
+  }
+  cacheAssumedCredentials(parsed) {
+    const expirationMs = parseEpoch(parsed.expiration, "iso");
+    const expiresAt = expirationMs !== null ? expirationMs - ASSUMED_ROLE_TTL_BUFFER_MS : Date.now() + (ASSUME_ROLE_DURATION_SECONDS - 60) * 1e3;
+    this.assumedCreds = {
+      value: {
+        accessKeyId: parsed.accessKeyId,
+        secretAccessKey: parsed.secretAccessKey,
+        sessionToken: parsed.sessionToken || void 0
+      },
+      expiresAt
+    };
+  }
+  // -------------------------------------------------------------------------
+  // Signed transport
+  // -------------------------------------------------------------------------
+  async signedPost(args) {
+    const { amzDate, dateStamp } = formatAmzDate(/* @__PURE__ */ new Date());
+    const payloadHash = await sha256Hex(args.body);
+    const signedHeaders = {
+      host: args.host,
+      "content-type": FORM_CONTENT_TYPE,
+      "x-amz-content-sha256": payloadHash,
+      "x-amz-date": amzDate
+    };
+    if (args.signingCredentials.sessionToken !== void 0) {
+      signedHeaders["x-amz-security-token"] = args.signingCredentials.sessionToken;
+    }
+    const authorization = await createAuthorizationHeader({
+      method: "POST",
+      host: args.host,
+      path: "/",
+      query: "",
+      headers: signedHeaders,
+      payloadHash,
+      accessKeyId: args.signingCredentials.accessKeyId,
+      secretAccessKey: args.signingCredentials.secretAccessKey,
+      region: this.settings.region,
+      service: args.service,
+      amzDate,
+      dateStamp
+    });
+    const sendHeaders = {
+      "content-type": FORM_CONTENT_TYPE,
+      "x-amz-content-sha256": payloadHash,
+      "x-amz-date": amzDate,
+      "user-agent": connectorUserAgent("aws-cloudwatch"),
+      Authorization: authorization
+    };
+    if (args.signingCredentials.sessionToken !== void 0) {
+      sendHeaders["x-amz-security-token"] = args.signingCredentials.sessionToken;
+    }
+    try {
+      const res = await this.request(
+        {
+          url: `https://${args.host}/`,
+          method: "POST",
+          headers: sendHeaders,
+          body: args.body,
+          parseJson: false,
+          signal: args.signal
+        },
+        { resource: args.resource }
+      );
+      return res.body;
+    } catch (err) {
+      throw this.classifyAwsError(err);
+    }
+  }
+  // CloudWatch and STS return AWS error codes inside the (XML) body even on a
+  // 400 — map the documented ones to the shared error taxonomy so the host
+  // backs off / pauses / retries correctly.
+  classifyAwsError(err) {
+    if (!(err instanceof Error) || !("kind" in err)) {
+      return err;
+    }
+    const httpErr = err;
+    const body = typeof httpErr.response?.body === "string" ? httpErr.response.body : "";
+    const code = parseErrorCode(body) ?? "";
+    const status = httpErr.response?.status ?? 0;
+    if (/throttl|RequestLimitExceeded|TooManyRequests|LimitExceeded/i.test(code)) {
+      return new RateLimitError(httpErr.message, httpErr.response);
+    }
+    if (/AccessDenied|UnrecognizedClient|InvalidClientTokenId|SignatureDoesNotMatch|AuthFailure|InvalidAccessKeyId|Forbidden/i.test(
+      code
+    )) {
+      return new AuthError(httpErr.message, httpErr.response);
+    }
+    if (status >= 500) {
+      return new TransientError(httpErr.message, httpErr.response);
+    }
+    return err;
+  }
+  // -------------------------------------------------------------------------
+  // GetMetricData request building
+  // -------------------------------------------------------------------------
+  computeWindow(options) {
+    const endMs = Date.now();
+    if (options.since) {
+      const sinceMs = parseEpoch(options.since, "iso");
+      if (sinceMs !== null) {
+        return { startMs: Math.min(sinceMs, endMs), endMs };
+      }
+    }
+    if (options.mode === "latest") {
+      const maxPeriod = Math.max(
+        ...this.settings.metricQueries.map((q) => q.periodSeconds),
+        60
+      );
+      return { startMs: endMs - maxPeriod * 3 * 1e3, endMs };
+    }
+    const lookback = this.settings.lookbackMinutes ?? DEFAULT_LOOKBACK_MINUTES;
+    return { startMs: endMs - lookback * MS_PER_MINUTE, endMs };
+  }
+  buildGetMetricDataBody(queries, startMs, endMs, nextToken) {
+    const params = new URLSearchParams();
+    params.set("Action", "GetMetricData");
+    params.set("Version", CLOUDWATCH_API_VERSION);
+    params.set("StartTime", new Date(startMs).toISOString());
+    params.set("EndTime", new Date(endMs).toISOString());
+    params.set("ScanBy", "TimestampAscending");
+    if (nextToken !== void 0) {
+      params.set("NextToken", nextToken);
+    }
+    queries.forEach((query, index) => {
+      const prefix = `MetricDataQueries.member.${index + 1}`;
+      params.set(`${prefix}.Id`, query.id);
+      params.set(`${prefix}.ReturnData`, "true");
+      params.set(`${prefix}.MetricStat.Metric.Namespace`, query.namespace);
+      params.set(`${prefix}.MetricStat.Metric.MetricName`, query.metric);
+      params.set(`${prefix}.MetricStat.Period`, String(query.periodSeconds));
+      params.set(`${prefix}.MetricStat.Stat`, query.stat);
+      const dimensions = Object.entries(query.dimensions ?? {});
+      dimensions.forEach(([name, value], dimIndex) => {
+        const dimPrefix = `${prefix}.MetricStat.Metric.Dimensions.member.${dimIndex + 1}`;
+        params.set(`${dimPrefix}.Name`, name);
+        params.set(`${dimPrefix}.Value`, value);
+      });
+    });
+    return params.toString();
+  }
+  // -------------------------------------------------------------------------
+  // sync
+  // -------------------------------------------------------------------------
+  async sync(options, storage, signal) {
+    const queries = this.settings.metricQueries;
+    const names = new Set(queries.map((q) => `${q.namespace}/${q.metric}`));
+    if (queries.length === 0) {
+      return { done: true };
+    }
+    const queriesById = new Map(queries.map((q) => [q.id, q]));
+    const { startMs, endMs } = this.computeWindow(options);
+    const signingCredentials = await this.resolveSigningCredentials(signal);
+    const samples = [];
+    const host = `${CLOUDWATCH_SERVICE}.${this.settings.region}.amazonaws.com`;
+    for (let i = 0; i < queries.length; i += MAX_QUERIES_PER_CALL) {
+      const chunk = queries.slice(i, i + MAX_QUERIES_PER_CALL);
+      let nextToken;
+      let page = 0;
+      do {
+        if (signal?.aborted) {
+          return { done: false };
+        }
+        const body = this.buildGetMetricDataBody(
+          chunk,
+          startMs,
+          endMs,
+          nextToken
+        );
+        const xml = await this.signedPost({
+          host,
+          service: CLOUDWATCH_SERVICE,
+          body,
+          signingCredentials,
+          resource: "metric_data",
+          signal
+        });
+        const parsed = parseGetMetricData(xml);
+        for (const result of parsed.results) {
+          const query = queriesById.get(result.id);
+          if (query === void 0) {
+            continue;
+          }
+          this.collectSamples(samples, query, result);
+        }
+        nextToken = parsed.nextToken ?? void 0;
+        page += 1;
+        this.logger.info("fetched page", {
+          resource: "metric_data",
+          page,
+          items: parsed.results.length,
+          next: nextToken ?? null
+        });
+      } while (nextToken !== void 0);
+    }
+    await storage.metrics(samples, { names: [...names] });
+    this.logger.info("resource done", {
+      resource: "metric_data",
+      items: samples.length
+    });
+    return { done: true };
+  }
+  collectSamples(samples, query, result) {
+    const name = `${query.namespace}/${query.metric}`;
+    const baseAttributes = {
+      ...query.dimensions ?? {},
+      stat: query.stat,
+      period: query.periodSeconds,
+      queryId: query.id,
+      statusCode: result.statusCode,
+      label: result.label
+    };
+    const count = Math.min(result.timestamps.length, result.values.length);
+    for (let i = 0; i < count; i++) {
+      const ts = parseEpoch(result.timestamps[i], "iso");
+      const value = result.values[i];
+      if (ts === null || !Number.isFinite(value)) {
+        continue;
+      }
+      samples.push({ name, ts, value, attributes: { ...baseAttributes } });
+    }
+  }
+};
+// src/index.ts
+var index_default = CloudWatchConnector;
+export {
+  CloudWatchConnector,
+  configFields,
+  index_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../connector-shared/src/errors.ts","../../../connector-shared/src/retry.ts","../../../connector-shared/src/version.ts","../../../connector-shared/src/request.ts","../../../connector-shared/src/rate-limit.ts","../../../connector-shared/src/sanitize.ts","../../../connector-shared/src/epoch.ts","../../../connector-shared/src/pagination.ts","../../../connector-shared/src/logger.ts","../src/aws-cloudwatch.ts","../src/sigv4.ts","../src/xml.ts","../src/index.ts"],"sourcesContent":["import type { HttpResponse } from './types';\n\nexport type HttpErrorKind =\n | 'transient'\n | 'rate_limit'\n | 'auth'\n | 'upstream_bug'\n | 'client_bug';\n\nexport abstract class HttpClientError extends Error {\n abstract readonly kind: HttpErrorKind;\n readonly response?: HttpResponse;\n\n constructor(message: string, response?: HttpResponse) {\n super(message);\n this.name = new.target.name;\n this.response = response;\n }\n}\n\nexport class TransientError extends HttpClientError {\n readonly kind = 'transient' as const;\n}\n\nexport class RateLimitError extends HttpClientError {\n readonly kind = 'rate_limit' as const;\n readonly retryAfter?: Date;\n\n constructor(message: string, response?: HttpResponse, retryAfter?: Date) {\n super(message, response);\n this.retryAfter = retryAfter;\n }\n}\n\nexport class AuthError extends HttpClientError {\n readonly kind = 'auth' as const;\n}\n\nexport class UpstreamBugError extends HttpClientError {\n readonly kind = 'upstream_bug' as const;\n}\n\nexport class ClientBugError extends HttpClientError {\n readonly kind = 'client_bug' as const;\n}\n\nexport function classifyStatus(status: number): HttpErrorKind {\n if (status === 429) {\n return 'rate_limit';\n }\n if (status === 401 || status === 403) {\n return 'auth';\n }\n if (status === 408) {\n return 'transient';\n }\n if (status >= 500) {\n return 'upstream_bug';\n }\n if (status >= 400) {\n return 'client_bug';\n }\n return 'client_bug';\n}\n\nexport function errorForStatus(\n message: string,\n response: HttpResponse,\n retryAfter?: Date,\n): HttpClientError {\n const kind = classifyStatus(response.status);\n switch (kind) {\n case 'rate_limit':\n return new RateLimitError(message, response, retryAfter);\n case 'auth':\n return new AuthError(message, response);\n case 'transient':\n return new TransientError(message, response);\n case 'upstream_bug':\n return new UpstreamBugError(message, response);\n case 'client_bug':\n return new ClientBugError(message, response);\n }\n}\n","import { HttpClientError, RateLimitError, TransientError } from './errors';\n\nexport interface RetryPolicy {\n maxAttempts?: number;\n initialDelayMs?: number;\n maxDelayMs?: number;\n retryOn?: (status: number | null, err?: Error) => boolean;\n}\n\nexport const defaultRetryOn = (status: number | null, err?: Error): boolean => {\n if (err instanceof RateLimitError) {\n return true;\n }\n if (err instanceof TransientError) {\n return true;\n }\n if (status === null) {\n return err instanceof Error && !(err instanceof HttpClientError);\n }\n if (status === 408 || status === 429) {\n return true;\n }\n if (status >= 500) {\n return true;\n }\n return false;\n};\n\nexport function backoffDelayMs(\n attempt: number,\n policy: Required<Pick<RetryPolicy, 'initialDelayMs' | 'maxDelayMs'>>,\n): number {\n const base = policy.initialDelayMs * 2 ** attempt;\n const jitter = base * 0.25 * Math.random();\n return Math.min(base + jitter, policy.maxDelayMs);\n}\n\nexport function parseRetryAfter(\n headerValue: string | null,\n now: Date = new Date(),\n): Date | undefined {\n if (!headerValue) {\n return undefined;\n }\n const trimmed = headerValue.trim();\n if (/^\\d+$/.test(trimmed)) {\n return new Date(now.getTime() + Number(trimmed) * 1000);\n }\n const parsed = Date.parse(trimmed);\n if (Number.isNaN(parsed)) {\n return undefined;\n }\n return new Date(parsed);\n}\n\nexport function sleep(ms: number, signal?: AbortSignal): Promise<void> {\n if (signal?.aborted) {\n return Promise.reject(signal.reason ?? new Error('Aborted'));\n }\n return new Promise<void>((resolve, reject) => {\n const onAbort = () => {\n clearTimeout(timer);\n reject(signal!.reason ?? new Error('Aborted'));\n };\n const timer = setTimeout(() => {\n signal?.removeEventListener('abort', onAbort);\n resolve();\n }, ms);\n signal?.addEventListener('abort', onAbort, { once: true });\n });\n}\n","export const HTTP_CLIENT_VERSION = '0.0.0';\n\nexport const DEFAULT_USER_AGENT = `rawdash-connector/${HTTP_CLIENT_VERSION} (+https://rawdash.dev)`;\n\nexport function connectorUserAgent(connectorId: string): string {\n return `rawdash-connector-${connectorId}/${HTTP_CLIENT_VERSION} (+https://rawdash.dev)`;\n}\n","import {\n AuthError,\n ClientBugError,\n HttpClientError,\n RateLimitError,\n TransientError,\n UpstreamBugError,\n errorForStatus,\n} from './errors';\nimport { defaultRetryOn, parseRetryAfter, sleep } from './retry';\nimport type { FetchLike, HttpMethod, HttpRequest, HttpResponse } from './types';\nimport { DEFAULT_USER_AGENT } from './version';\n\nconst DEFAULT_TIMEOUT_MS = 10_000;\nconst DEFAULT_MAX_ATTEMPTS = 3;\nconst DEFAULT_INITIAL_DELAY_MS = 1000;\nconst DEFAULT_MAX_DELAY_MS = 60_000;\nconst OBSERVER_TIMEOUT_MS = 250;\n\nexport interface RequestObservation {\n url: string;\n method: HttpMethod;\n status: number;\n resource: string;\n requestId: string;\n body: unknown;\n}\n\nexport type RequestObserver = (\n event: RequestObservation,\n) => void | Promise<void>;\n\nexport interface RequestOptions {\n fetch?: FetchLike;\n observer?: RequestObserver;\n resource: string;\n requestId?: string;\n}\n\nasync function notifyObserver(\n observer: RequestObserver,\n event: RequestObservation,\n): Promise<void> {\n let result: void | Promise<void>;\n try {\n result = observer(event);\n } catch (err) {\n console.warn('[connector-shared] request observer threw:', err);\n return;\n }\n if (!(result instanceof Promise)) {\n return;\n }\n const guarded = result.catch((err) => {\n console.warn('[connector-shared] request observer rejected:', err);\n });\n let timer: ReturnType<typeof setTimeout> | undefined;\n const timeout = new Promise<void>((resolve) => {\n timer = setTimeout(resolve, OBSERVER_TIMEOUT_MS);\n });\n try {\n await Promise.race([guarded, timeout]);\n } finally {\n if (timer) {\n clearTimeout(timer);\n }\n }\n}\n\nfunction newRequestId(): string {\n const c = (globalThis as { crypto?: { randomUUID?: () => string } }).crypto;\n if (c?.randomUUID) {\n return c.randomUUID();\n }\n return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;\n}\n\nfunction mergeHeaders(\n defaults: Record<string, string>,\n overrides: Record<string, string> | undefined,\n): Record<string, string> {\n const merged: Record<string, string> = {};\n for (const [k, v] of Object.entries(defaults)) {\n merged[k.toLowerCase()] = v;\n }\n if (overrides) {\n for (const [k, v] of Object.entries(overrides)) {\n merged[k.toLowerCase()] = v;\n }\n }\n return merged;\n}\n\nfunction linkTimeoutSignal(\n parent: AbortSignal | undefined,\n timeoutMs: number,\n): { signal: AbortSignal; cancel: () => void } {\n const controller = new AbortController();\n const onParentAbort = () => {\n controller.abort(parent?.reason);\n };\n if (parent) {\n if (parent.aborted) {\n controller.abort(parent.reason);\n } else {\n parent.addEventListener('abort', onParentAbort, { once: true });\n }\n }\n const timer = setTimeout(() => {\n controller.abort(new Error(`Request timed out after ${timeoutMs}ms`));\n }, timeoutMs);\n return {\n signal: controller.signal,\n cancel: () => {\n clearTimeout(timer);\n if (parent) {\n parent.removeEventListener('abort', onParentAbort);\n }\n },\n };\n}\n\nasync function readBody(res: Response, parseJson: boolean): Promise<unknown> {\n if (res.status === 204 || res.status === 205) {\n return null;\n }\n const contentType = res.headers.get('content-type') ?? '';\n if (parseJson && contentType.includes('application/json')) {\n const text = await res.text();\n if (text.length === 0) {\n return null;\n }\n return JSON.parse(text);\n }\n return res.text();\n}\n\nexport async function request<T = unknown>(\n req: HttpRequest,\n options: RequestOptions,\n): Promise<HttpResponse<T>> {\n const fetchImpl: FetchLike = options.fetch ?? (globalThis.fetch as FetchLike);\n const retry = req.retry ?? {};\n const maxAttempts = retry.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;\n const initialDelayMs = retry.initialDelayMs ?? DEFAULT_INITIAL_DELAY_MS;\n const maxDelayMs = retry.maxDelayMs ?? DEFAULT_MAX_DELAY_MS;\n const retryOn = retry.retryOn ?? defaultRetryOn;\n const timeoutMs = req.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n const parseJson = req.parseJson ?? true;\n\n const headers = mergeHeaders(\n {\n 'User-Agent': DEFAULT_USER_AGENT,\n Accept: 'application/json',\n },\n req.headers,\n );\n\n let lastErr: Error | undefined;\n\n for (let attempt = 0; attempt < maxAttempts; attempt++) {\n req.signal?.throwIfAborted();\n\n const { signal, cancel } = linkTimeoutSignal(req.signal, timeoutMs);\n let res: Response;\n try {\n res = await fetchImpl(req.url, {\n method: req.method ?? 'GET',\n headers,\n body: req.body as RequestInit['body'],\n signal,\n });\n } catch (err) {\n cancel();\n if (req.signal?.aborted) {\n throw req.signal.reason ?? err;\n }\n const error = err instanceof Error ? err : new Error(String(err));\n lastErr = error;\n if (attempt < maxAttempts - 1 && retryOn(null, error)) {\n const delay = computeDelay(attempt, initialDelayMs, maxDelayMs);\n await sleep(delay, req.signal);\n continue;\n }\n throw new TransientError(error.message);\n }\n cancel();\n\n const body = await readBody(res, parseJson);\n const httpResponse: HttpResponse<T> = {\n status: res.status,\n headers: res.headers,\n body: body as T,\n };\n if (req.rateLimit) {\n const state = req.rateLimit.parse(res.headers);\n if (state) {\n httpResponse.rateLimitState = state;\n }\n }\n\n if (options.observer) {\n await notifyObserver(options.observer, {\n url: req.url,\n method: req.method ?? 'GET',\n status: res.status,\n resource: options.resource,\n requestId: options.requestId ?? newRequestId(),\n body,\n });\n }\n\n if (res.ok) {\n return httpResponse;\n }\n\n const retryAfter = parseRetryAfter(res.headers.get('retry-after'));\n const message = `HTTP ${res.status} ${res.statusText} for ${req.method ?? 'GET'} ${req.url}`;\n const err = errorForStatus(message, httpResponse, retryAfter);\n\n if (\n attempt < maxAttempts - 1 &&\n retryOn(res.status, err) &&\n !(err instanceof AuthError) &&\n !(err instanceof ClientBugError)\n ) {\n lastErr = err;\n let delay = computeDelay(attempt, initialDelayMs, maxDelayMs);\n if (err instanceof RateLimitError && retryAfter) {\n const wait = retryAfter.getTime() - Date.now();\n if (wait > 0) {\n delay = Math.min(wait, maxDelayMs);\n }\n }\n await sleep(delay, req.signal);\n continue;\n }\n\n throw err;\n }\n\n throw lastErr ?? new UpstreamBugError('Exhausted retry attempts');\n}\n\nfunction computeDelay(\n attempt: number,\n initialDelayMs: number,\n maxDelayMs: number,\n): number {\n const base = initialDelayMs * 2 ** attempt;\n const jitter = base * 0.25 * Math.random();\n return Math.min(base + jitter, maxDelayMs);\n}\n\nexport { HttpClientError };\n","export interface RateLimitState {\n remaining: number;\n resetAt: Date;\n}\n\nexport interface RateLimitPolicy {\n parse(headers: Headers): RateLimitState | null;\n}\n\nexport interface StandardRateLimitPolicyConfig {\n remainingHeader: string;\n resetHeader: string;\n resetUnit: 's' | 'ms';\n resetFallbackMs?: number;\n}\n\nexport function standardRateLimitPolicy(\n config: StandardRateLimitPolicyConfig,\n): RateLimitPolicy {\n const { remainingHeader, resetHeader, resetUnit, resetFallbackMs } = config;\n const multiplier = resetUnit === 's' ? 1000 : 1;\n return {\n parse(h) {\n const remainingRaw = h.get(remainingHeader);\n if (remainingRaw === null || remainingRaw.trim() === '') {\n return null;\n }\n const remaining = Number(remainingRaw);\n if (!Number.isFinite(remaining)) {\n return null;\n }\n const resetRaw = h.get(resetHeader);\n if (resetRaw === null) {\n if (resetFallbackMs === undefined) {\n return null;\n }\n return {\n remaining,\n resetAt: new Date(Date.now() + resetFallbackMs),\n };\n }\n if (resetRaw.trim() === '') {\n return null;\n }\n const reset = Number(resetRaw);\n if (!Number.isFinite(reset) || reset < 0) {\n return null;\n }\n const resetMs = reset * multiplier;\n if (!Number.isFinite(resetMs)) {\n return null;\n }\n return { remaining, resetAt: new Date(resetMs) };\n },\n };\n}\n","export interface SanitizeAllowedUrlOptions {\n url: string | null;\n host: string;\n pathname: string;\n protocol?: 'https:' | 'http:';\n}\n\nexport function sanitizeAllowedUrl(\n options: SanitizeAllowedUrlOptions,\n): string | null {\n const { url, host, pathname, protocol = 'https:' } = options;\n if (url === null) {\n return null;\n }\n try {\n const u = new URL(url);\n if (u.protocol !== protocol || u.host !== host || u.pathname !== pathname) {\n return null;\n }\n return u.toString();\n } catch {\n return null;\n }\n}\n","export type EpochUnit = 'ms' | 's' | 'iso';\n\nexport function parseEpoch(\n value: number | string | null | undefined,\n unit: EpochUnit,\n): number | null {\n if (value === null || value === undefined) {\n return null;\n }\n if (unit === 'iso') {\n if (typeof value !== 'string') {\n return null;\n }\n const ms = new Date(value).getTime();\n return Number.isFinite(ms) ? ms : null;\n }\n if (typeof value === 'string' && value.trim() === '') {\n return null;\n }\n const n = typeof value === 'number' ? value : Number(value);\n if (!Number.isFinite(n)) {\n return null;\n }\n const result = unit === 's' ? n * 1000 : n;\n return Number.isFinite(result) ? result : null;\n}\n","import { request } from './request';\nimport type { HttpRequest } from './types';\n\nexport function parseLinkHeader(header: string | null): Record<string, string> {\n if (!header) {\n return {};\n }\n const result: Record<string, string> = {};\n for (const part of header.split(',')) {\n const match = part.match(/<([^>]+)>\\s*;\\s*rel=\"([^\"]+)\"/);\n if (match) {\n result[match[2]!] = match[1]!;\n }\n }\n return result;\n}\n\nexport async function* paginateLink<T>(\n initial: HttpRequest,\n parse: (body: unknown) => T[],\n options: { resource: string },\n): AsyncIterable<T> {\n let next: string | null = initial.url;\n while (next) {\n const res: Awaited<ReturnType<typeof request>> = await request(\n {\n ...initial,\n url: next,\n },\n { resource: options.resource },\n );\n for (const item of parse(res.body)) {\n yield item;\n }\n const links = parseLinkHeader(res.headers.get('link'));\n next = links['next'] ?? null;\n }\n}\n\nexport async function* paginateCursor<T>(\n initial: HttpRequest,\n parse: (body: unknown) => { items: T[]; nextCursor: string | null },\n buildNext: (req: HttpRequest, cursor: string) => HttpRequest,\n options: { resource: string },\n): AsyncIterable<T> {\n let req: HttpRequest = initial;\n while (true) {\n const res = await request(req, { resource: options.resource });\n const { items, nextCursor } = parse(res.body);\n for (const item of items) {\n yield item;\n }\n if (!nextCursor) {\n return;\n }\n req = buildNext(req, nextCursor);\n }\n}\n\nexport async function* paginatePage<T>(\n initial: HttpRequest,\n parse: (body: unknown) => { items: T[]; hasMore: boolean },\n buildPage: (req: HttpRequest, page: number) => HttpRequest,\n options: { resource: string },\n): AsyncIterable<T> {\n let page = 1;\n while (true) {\n const req = page === 1 ? initial : buildPage(initial, page);\n const res = await request(req, { resource: options.resource });\n const { items, hasMore } = parse(res.body);\n for (const item of items) {\n yield item;\n }\n if (!hasMore || items.length === 0) {\n return;\n }\n page++;\n }\n}\n","export type LogFields = Record<string, unknown>;\n\nexport interface ConnectorLogger {\n info(event: string, fields?: LogFields): void;\n warn(event: string, fields?: LogFields): void;\n}\n\nexport interface ConnectorLoggerOptions {\n scope: string;\n}\n\nconst MAX_VALUE_LEN = 120;\n\nfunction truncate(s: string, max = MAX_VALUE_LEN): string {\n if (s.length <= max) {\n return s;\n }\n return `${s.slice(0, max - 1)}…`;\n}\n\nfunction formatValue(value: unknown): string {\n if (value === null) {\n return 'null';\n }\n if (value === undefined) {\n return '';\n }\n if (typeof value === 'number' || typeof value === 'boolean') {\n return String(value);\n }\n if (typeof value === 'string') {\n const t = truncate(value);\n if (/[\\s\"=]/.test(t)) {\n return JSON.stringify(t);\n }\n return t;\n }\n if (typeof value === 'bigint') {\n return value.toString();\n }\n let json: string | undefined;\n try {\n json = JSON.stringify(value);\n } catch {\n json = undefined;\n }\n return truncate(json ?? String(value));\n}\n\nexport function formatLogFields(fields?: LogFields): string {\n if (!fields) {\n return '';\n }\n const parts: string[] = [];\n for (const [k, v] of Object.entries(fields)) {\n if (v === undefined) {\n continue;\n }\n parts.push(`${k}=${formatValue(v)}`);\n }\n return parts.length > 0 ? ` ${parts.join(' ')}` : '';\n}\n\nexport function formatLogLine(\n scope: string,\n event: string,\n fields?: LogFields,\n): string {\n return `[${scope}] ${event}${formatLogFields(fields)}`;\n}\n\nexport function createDefaultConnectorLogger(\n opts: ConnectorLoggerOptions,\n): ConnectorLogger {\n return {\n info(event, fields) {\n console.info(formatLogLine(opts.scope, event, fields));\n },\n warn(event, fields) {\n console.warn(formatLogLine(opts.scope, event, fields));\n },\n };\n}\n\nconst NOOP_LOGGER: ConnectorLogger = {\n info() {},\n warn() {},\n};\n\nexport function noopConnectorLogger(): ConnectorLogger {\n return NOOP_LOGGER;\n}\n","import {\n AuthError,\n type HttpClientError,\n type HttpResponse,\n RateLimitError,\n TransientError,\n connectorUserAgent,\n parseEpoch,\n} from '@rawdash/connector-shared';\nimport {\n BaseConnector,\n type ConnectorContext,\n type CredentialsSchema,\n type JSONValue,\n type MetricSample,\n type StorageHandle,\n type SyncOptions,\n type SyncResult,\n defineConfigFields,\n} from '@rawdash/core';\nimport { z } from 'zod';\n\nimport { createAuthorizationHeader, formatAmzDate, sha256Hex } from './sigv4';\nimport {\n type StsCredentials,\n parseAssumeRole,\n parseErrorCode,\n parseGetMetricData,\n} from './xml';\n\n// Read an environment variable without depending on @types/node — the role\n// path falls back to the ambient AWS credentials when no static keys are given.\nfunction readEnv(name: string): string | undefined {\n const env = (\n globalThis as {\n process?: { env?: Record<string, string | undefined> };\n }\n ).process?.env;\n return env?.[name];\n}\n\n// ---------------------------------------------------------------------------\n// configFields\n// ---------------------------------------------------------------------------\n\nconst metricQuerySchema = z.object({\n id: z\n .string()\n .regex(\n /^[a-z][a-zA-Z0-9_]*$/,\n 'CloudWatch query id must start with a lowercase letter and contain only letters, digits, and underscores',\n ),\n namespace: z.string().min(1),\n metric: z.string().min(1),\n stat: z.string().min(1),\n periodSeconds: z\n .number()\n .int()\n .min(60)\n .refine((n) => n % 60 === 0, {\n message: 'periodSeconds must be a multiple of 60 (1 minute)',\n }),\n dimensions: z.record(z.string(), z.string()).optional(),\n});\n\nexport const configFields = defineConfigFields(\n z\n .object({\n region: z\n .string()\n .regex(\n /^[a-z0-9-]+$/,\n 'region must look like an AWS region, e.g. us-east-1',\n )\n .meta({\n label: 'AWS Region',\n description:\n 'The AWS region whose CloudWatch metrics you want to read, e.g. us-east-1.',\n placeholder: 'us-east-1',\n }),\n accessKeyId: z.object({ $secret: z.string() }).optional().meta({\n label: 'Access Key ID',\n description:\n 'AWS access key ID for an IAM principal with cloudwatch:GetMetricData. Use this together with the secret access key for static-credential auth.',\n secret: true,\n }),\n secretAccessKey: z.object({ $secret: z.string() }).optional().meta({\n label: 'Secret Access Key',\n description:\n 'AWS secret access key paired with the access key ID above.',\n secret: true,\n }),\n roleArn: z\n .string()\n .regex(\n /^arn:aws:iam::\\d{12}:role\\/.+/,\n 'roleArn must be a full IAM role ARN, e.g. arn:aws:iam::123456789012:role/rawdash',\n )\n .optional()\n .meta({\n label: 'Role ARN',\n description:\n 'IAM role to assume via STS instead of using static keys. The base credentials (the access key above, or the ambient AWS environment) must be allowed to sts:AssumeRole this role.',\n placeholder: 'arn:aws:iam::123456789012:role/rawdash-cloudwatch',\n }),\n externalId: z.string().min(1).optional().meta({\n label: 'External ID',\n description:\n 'External ID required by the trust policy of the role being assumed. Only used with Role ARN.',\n }),\n metricQueries: z.array(metricQuerySchema).nonempty().meta({\n label: 'Metric queries',\n description:\n 'CloudWatch is too broad to mirror wholesale — declare the specific metrics to pull. Each query needs an id, namespace, metric name, statistic, and period (seconds, multiple of 60), with optional dimensions.',\n }),\n lookbackMinutes: z.number().int().positive().max(40_320).optional().meta({\n label: 'Lookback (minutes)',\n description:\n 'How far back to pull data points on a full sync when the host does not supply a since bound. Defaults to 180.',\n placeholder: '180',\n }),\n })\n .refine(\n (val) =>\n val.roleArn !== undefined ||\n (val.accessKeyId !== undefined && val.secretAccessKey !== undefined),\n {\n message:\n 'Provide either accessKeyId + secretAccessKey (static credentials) or roleArn (role assumption)',\n },\n ),\n);\n\n// ---------------------------------------------------------------------------\n// Settings / credentials\n// ---------------------------------------------------------------------------\n\nexport interface CloudWatchMetricQuery {\n id: string;\n namespace: string;\n metric: string;\n stat: string;\n periodSeconds: number;\n dimensions?: Record<string, string>;\n}\n\nexport interface CloudWatchSettings {\n region: string;\n roleArn?: string;\n externalId?: string;\n metricQueries: CloudWatchMetricQuery[];\n lookbackMinutes?: number;\n}\n\nconst cloudWatchCredentials = {\n accessKeyId: {\n description: 'AWS access key ID',\n auth: 'optional' as const,\n },\n secretAccessKey: {\n description: 'AWS secret access key',\n auth: 'optional' as const,\n },\n} satisfies CredentialsSchema;\n\ntype CloudWatchCredentials = typeof cloudWatchCredentials;\n\ninterface SigningCredentials {\n accessKeyId: string;\n secretAccessKey: string;\n sessionToken?: string;\n}\n\n// ---------------------------------------------------------------------------\n// Schemas — describe the logical GetMetricData response consumed by request()\n// ---------------------------------------------------------------------------\n\nconst metricDataResponseSchema = z.object({\n MetricDataResults: z.array(\n z.object({\n Id: z.string(),\n Label: z.string(),\n Timestamps: z.array(z.iso.datetime()),\n Values: z.array(z.number()),\n StatusCode: z.enum([\n 'Complete',\n 'InternalError',\n 'PartialData',\n 'Forbidden',\n ]),\n }),\n ),\n NextToken: z.string().optional(),\n});\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\nconst CLOUDWATCH_SERVICE = 'monitoring';\nconst CLOUDWATCH_API_VERSION = '2010-08-01';\nconst STS_SERVICE = 'sts';\nconst STS_API_VERSION = '2011-06-15';\nconst MAX_QUERIES_PER_CALL = 500;\nconst DEFAULT_LOOKBACK_MINUTES = 180;\nconst ASSUMED_ROLE_TTL_BUFFER_MS = 60_000;\nconst ASSUME_ROLE_DURATION_SECONDS = 3600;\nconst MS_PER_MINUTE = 60_000;\nconst FORM_CONTENT_TYPE = 'application/x-www-form-urlencoded; charset=utf-8';\n\n// ---------------------------------------------------------------------------\n// CloudWatchConnector\n// ---------------------------------------------------------------------------\n\nexport class CloudWatchConnector extends BaseConnector<\n CloudWatchSettings,\n CloudWatchCredentials\n> {\n static readonly id = 'aws-cloudwatch';\n\n static readonly schemas = {\n metric_data: metricDataResponseSchema,\n } as const;\n\n static create(input: unknown, ctx?: ConnectorContext): CloudWatchConnector {\n const parsed = configFields.parse(input);\n return new CloudWatchConnector(\n {\n region: parsed.region,\n roleArn: parsed.roleArn,\n externalId: parsed.externalId,\n metricQueries: parsed.metricQueries,\n lookbackMinutes: parsed.lookbackMinutes,\n },\n {\n accessKeyId: parsed.accessKeyId,\n secretAccessKey: parsed.secretAccessKey,\n },\n ctx,\n );\n }\n\n readonly id = 'aws-cloudwatch';\n override readonly credentials = cloudWatchCredentials;\n\n private assumedCreds: {\n value: SigningCredentials;\n expiresAt: number;\n } | null = null;\n\n // -------------------------------------------------------------------------\n // Credential resolution\n // -------------------------------------------------------------------------\n\n private baseCredentials(): SigningCredentials {\n const { accessKeyId, secretAccessKey } = this.creds;\n if (accessKeyId && secretAccessKey) {\n return { accessKeyId, secretAccessKey };\n }\n const envAccessKeyId = readEnv('AWS_ACCESS_KEY_ID');\n const envSecretAccessKey = readEnv('AWS_SECRET_ACCESS_KEY');\n if (envAccessKeyId && envSecretAccessKey) {\n return {\n accessKeyId: envAccessKeyId,\n secretAccessKey: envSecretAccessKey,\n sessionToken: readEnv('AWS_SESSION_TOKEN') || undefined,\n };\n }\n throw new AuthError(\n 'aws-cloudwatch: no AWS credentials available — provide accessKeyId + secretAccessKey, or set them in the environment for role assumption',\n );\n }\n\n private async resolveSigningCredentials(\n signal?: AbortSignal,\n ): Promise<SigningCredentials> {\n if (this.settings.roleArn === undefined) {\n const { accessKeyId, secretAccessKey } = this.creds;\n if (!accessKeyId || !secretAccessKey) {\n throw new AuthError(\n 'aws-cloudwatch: static-credential auth requires both accessKeyId and secretAccessKey',\n );\n }\n return { accessKeyId, secretAccessKey };\n }\n\n if (this.assumedCreds && Date.now() < this.assumedCreds.expiresAt) {\n return this.assumedCreds.value;\n }\n const assumed = await this.assumeRole(this.settings.roleArn, signal);\n return assumed;\n }\n\n private async assumeRole(\n roleArn: string,\n signal?: AbortSignal,\n ): Promise<SigningCredentials> {\n const params = new URLSearchParams();\n params.set('Action', 'AssumeRole');\n params.set('Version', STS_API_VERSION);\n params.set('RoleArn', roleArn);\n params.set('RoleSessionName', 'rawdash-aws-cloudwatch');\n params.set('DurationSeconds', String(ASSUME_ROLE_DURATION_SECONDS));\n if (this.settings.externalId !== undefined) {\n params.set('ExternalId', this.settings.externalId);\n }\n\n const host = `sts.${this.settings.region}.amazonaws.com`;\n const xml = await this.signedPost({\n host,\n service: STS_SERVICE,\n body: params.toString(),\n signingCredentials: this.baseCredentials(),\n resource: 'assume_role',\n signal,\n });\n\n const parsed = parseAssumeRole(xml);\n if (parsed === null) {\n throw new AuthError(\n 'aws-cloudwatch: STS AssumeRole returned no usable credentials',\n );\n }\n this.cacheAssumedCredentials(parsed);\n return {\n accessKeyId: parsed.accessKeyId,\n secretAccessKey: parsed.secretAccessKey,\n sessionToken: parsed.sessionToken || undefined,\n };\n }\n\n private cacheAssumedCredentials(parsed: StsCredentials): void {\n const expirationMs = parseEpoch(parsed.expiration, 'iso');\n const expiresAt =\n expirationMs !== null\n ? expirationMs - ASSUMED_ROLE_TTL_BUFFER_MS\n : Date.now() + (ASSUME_ROLE_DURATION_SECONDS - 60) * 1000;\n this.assumedCreds = {\n value: {\n accessKeyId: parsed.accessKeyId,\n secretAccessKey: parsed.secretAccessKey,\n sessionToken: parsed.sessionToken || undefined,\n },\n expiresAt,\n };\n }\n\n // -------------------------------------------------------------------------\n // Signed transport\n // -------------------------------------------------------------------------\n\n private async signedPost(args: {\n host: string;\n service: string;\n body: string;\n signingCredentials: SigningCredentials;\n resource: string;\n signal?: AbortSignal;\n }): Promise<string> {\n const { amzDate, dateStamp } = formatAmzDate(new Date());\n const payloadHash = await sha256Hex(args.body);\n\n const signedHeaders: Record<string, string> = {\n host: args.host,\n 'content-type': FORM_CONTENT_TYPE,\n 'x-amz-content-sha256': payloadHash,\n 'x-amz-date': amzDate,\n };\n if (args.signingCredentials.sessionToken !== undefined) {\n signedHeaders['x-amz-security-token'] =\n args.signingCredentials.sessionToken;\n }\n\n const authorization = await createAuthorizationHeader({\n method: 'POST',\n host: args.host,\n path: '/',\n query: '',\n headers: signedHeaders,\n payloadHash,\n accessKeyId: args.signingCredentials.accessKeyId,\n secretAccessKey: args.signingCredentials.secretAccessKey,\n region: this.settings.region,\n service: args.service,\n amzDate,\n dateStamp,\n });\n\n // `host` is set by the runtime from the URL; everything else is sent\n // verbatim. Extra unsigned headers added by the shared client are ignored\n // by AWS because they are not listed in SignedHeaders.\n const sendHeaders: Record<string, string> = {\n 'content-type': FORM_CONTENT_TYPE,\n 'x-amz-content-sha256': payloadHash,\n 'x-amz-date': amzDate,\n 'user-agent': connectorUserAgent('aws-cloudwatch'),\n Authorization: authorization,\n };\n if (args.signingCredentials.sessionToken !== undefined) {\n sendHeaders['x-amz-security-token'] =\n args.signingCredentials.sessionToken;\n }\n\n try {\n const res: HttpResponse<string> = await this.request<string>(\n {\n url: `https://${args.host}/`,\n method: 'POST',\n headers: sendHeaders,\n body: args.body,\n parseJson: false,\n signal: args.signal,\n },\n { resource: args.resource },\n );\n return res.body;\n } catch (err) {\n throw this.classifyAwsError(err);\n }\n }\n\n // CloudWatch and STS return AWS error codes inside the (XML) body even on a\n // 400 — map the documented ones to the shared error taxonomy so the host\n // backs off / pauses / retries correctly.\n private classifyAwsError(err: unknown): unknown {\n if (!(err instanceof Error) || !('kind' in err)) {\n return err;\n }\n const httpErr = err as HttpClientError;\n const body =\n typeof httpErr.response?.body === 'string' ? httpErr.response.body : '';\n const code = parseErrorCode(body) ?? '';\n const status = httpErr.response?.status ?? 0;\n\n if (\n /throttl|RequestLimitExceeded|TooManyRequests|LimitExceeded/i.test(code)\n ) {\n return new RateLimitError(httpErr.message, httpErr.response);\n }\n if (\n /AccessDenied|UnrecognizedClient|InvalidClientTokenId|SignatureDoesNotMatch|AuthFailure|InvalidAccessKeyId|Forbidden/i.test(\n code,\n )\n ) {\n return new AuthError(httpErr.message, httpErr.response);\n }\n if (status >= 500) {\n return new TransientError(httpErr.message, httpErr.response);\n }\n return err;\n }\n\n // -------------------------------------------------------------------------\n // GetMetricData request building\n // -------------------------------------------------------------------------\n\n private computeWindow(options: SyncOptions): {\n startMs: number;\n endMs: number;\n } {\n const endMs = Date.now();\n if (options.since) {\n const sinceMs = parseEpoch(options.since, 'iso');\n if (sinceMs !== null) {\n return { startMs: Math.min(sinceMs, endMs), endMs };\n }\n }\n if (options.mode === 'latest') {\n const maxPeriod = Math.max(\n ...this.settings.metricQueries.map((q) => q.periodSeconds),\n 60,\n );\n return { startMs: endMs - maxPeriod * 3 * 1000, endMs };\n }\n const lookback = this.settings.lookbackMinutes ?? DEFAULT_LOOKBACK_MINUTES;\n return { startMs: endMs - lookback * MS_PER_MINUTE, endMs };\n }\n\n private buildGetMetricDataBody(\n queries: CloudWatchMetricQuery[],\n startMs: number,\n endMs: number,\n nextToken: string | undefined,\n ): string {\n const params = new URLSearchParams();\n params.set('Action', 'GetMetricData');\n params.set('Version', CLOUDWATCH_API_VERSION);\n params.set('StartTime', new Date(startMs).toISOString());\n params.set('EndTime', new Date(endMs).toISOString());\n params.set('ScanBy', 'TimestampAscending');\n if (nextToken !== undefined) {\n params.set('NextToken', nextToken);\n }\n\n queries.forEach((query, index) => {\n const prefix = `MetricDataQueries.member.${index + 1}`;\n params.set(`${prefix}.Id`, query.id);\n params.set(`${prefix}.ReturnData`, 'true');\n params.set(`${prefix}.MetricStat.Metric.Namespace`, query.namespace);\n params.set(`${prefix}.MetricStat.Metric.MetricName`, query.metric);\n params.set(`${prefix}.MetricStat.Period`, String(query.periodSeconds));\n params.set(`${prefix}.MetricStat.Stat`, query.stat);\n const dimensions = Object.entries(query.dimensions ?? {});\n dimensions.forEach(([name, value], dimIndex) => {\n const dimPrefix = `${prefix}.MetricStat.Metric.Dimensions.member.${dimIndex + 1}`;\n params.set(`${dimPrefix}.Name`, name);\n params.set(`${dimPrefix}.Value`, value);\n });\n });\n\n return params.toString();\n }\n\n // -------------------------------------------------------------------------\n // sync\n // -------------------------------------------------------------------------\n\n async sync(\n options: SyncOptions,\n storage: StorageHandle,\n signal?: AbortSignal,\n ): Promise<SyncResult> {\n const queries = this.settings.metricQueries;\n const names = new Set(queries.map((q) => `${q.namespace}/${q.metric}`));\n\n if (queries.length === 0) {\n return { done: true };\n }\n\n const queriesById = new Map(queries.map((q) => [q.id, q]));\n const { startMs, endMs } = this.computeWindow(options);\n const signingCredentials = await this.resolveSigningCredentials(signal);\n\n const samples: MetricSample[] = [];\n const host = `${CLOUDWATCH_SERVICE}.${this.settings.region}.amazonaws.com`;\n\n for (let i = 0; i < queries.length; i += MAX_QUERIES_PER_CALL) {\n const chunk = queries.slice(i, i + MAX_QUERIES_PER_CALL);\n let nextToken: string | undefined;\n let page = 0;\n do {\n if (signal?.aborted) {\n return { done: false };\n }\n const body = this.buildGetMetricDataBody(\n chunk,\n startMs,\n endMs,\n nextToken,\n );\n const xml = await this.signedPost({\n host,\n service: CLOUDWATCH_SERVICE,\n body,\n signingCredentials,\n resource: 'metric_data',\n signal,\n });\n const parsed = parseGetMetricData(xml);\n for (const result of parsed.results) {\n const query = queriesById.get(result.id);\n if (query === undefined) {\n continue;\n }\n this.collectSamples(samples, query, result);\n }\n nextToken = parsed.nextToken ?? undefined;\n page += 1;\n this.logger.info('fetched page', {\n resource: 'metric_data',\n page,\n items: parsed.results.length,\n next: nextToken ?? null,\n });\n } while (nextToken !== undefined);\n }\n\n await storage.metrics(samples, { names: [...names] });\n this.logger.info('resource done', {\n resource: 'metric_data',\n items: samples.length,\n });\n return { done: true };\n }\n\n private collectSamples(\n samples: MetricSample[],\n query: CloudWatchMetricQuery,\n result: {\n timestamps: string[];\n values: number[];\n statusCode: string;\n label: string;\n },\n ): void {\n const name = `${query.namespace}/${query.metric}`;\n const baseAttributes: Record<string, JSONValue> = {\n ...(query.dimensions ?? {}),\n stat: query.stat,\n period: query.periodSeconds,\n queryId: query.id,\n statusCode: result.statusCode,\n label: result.label,\n };\n const count = Math.min(result.timestamps.length, result.values.length);\n for (let i = 0; i < count; i++) {\n const ts = parseEpoch(result.timestamps[i]!, 'iso');\n const value = result.values[i]!;\n if (ts === null || !Number.isFinite(value)) {\n continue;\n }\n samples.push({ name, ts, value, attributes: { ...baseAttributes } });\n }\n }\n}\n","// AWS Signature Version 4 signing, implemented against the Web Crypto API so\n// the connector carries no AWS SDK dependency. See\n// https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html.\n\nconst encoder = new TextEncoder();\n\nconst ALGORITHM = 'AWS4-HMAC-SHA256';\n\n// Encode to a fresh ArrayBuffer-backed view so the result is a valid\n// `BufferSource` for the Web Crypto APIs under TypeScript's generic typing.\nfunction u8(data: string): Uint8Array<ArrayBuffer> {\n return new Uint8Array(encoder.encode(data));\n}\n\nfunction toHex(buffer: ArrayBuffer): string {\n const bytes = new Uint8Array(buffer);\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += bytes[i]!.toString(16).padStart(2, '0');\n }\n return hex;\n}\n\nexport async function sha256Hex(data: string): Promise<string> {\n const digest = await globalThis.crypto.subtle.digest('SHA-256', u8(data));\n return toHex(digest);\n}\n\nasync function hmac(key: BufferSource, data: string): Promise<ArrayBuffer> {\n const cryptoKey = await globalThis.crypto.subtle.importKey(\n 'raw',\n key,\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n );\n return globalThis.crypto.subtle.sign('HMAC', cryptoKey, u8(data));\n}\n\nasync function deriveSigningKey(\n secretAccessKey: string,\n dateStamp: string,\n region: string,\n service: string,\n): Promise<ArrayBuffer> {\n const kDate = await hmac(u8(`AWS4${secretAccessKey}`), dateStamp);\n const kRegion = await hmac(kDate, region);\n const kService = await hmac(kRegion, service);\n return hmac(kService, 'aws4_request');\n}\n\nexport interface AmzDate {\n amzDate: string;\n dateStamp: string;\n}\n\n// \"2015-08-30T12:36:00.000Z\" -> { amzDate: \"20150830T123600Z\", dateStamp: \"20150830\" }\nexport function formatAmzDate(date: Date): AmzDate {\n const amzDate = date.toISOString().replace(/[:-]|\\.\\d{3}/g, '');\n return { amzDate, dateStamp: amzDate.slice(0, 8) };\n}\n\nexport interface SignParams {\n method: string;\n host: string;\n path: string;\n query: string;\n headers: Record<string, string>;\n payloadHash: string;\n accessKeyId: string;\n secretAccessKey: string;\n region: string;\n service: string;\n amzDate: string;\n dateStamp: string;\n}\n\n// Returns the value for the `Authorization` header. The `headers` map must\n// contain every header that is part of the signature (at minimum `host` and\n// `x-amz-date`); extra unsigned headers sent on the wire are allowed.\nexport async function createAuthorizationHeader(\n params: SignParams,\n): Promise<string> {\n const lowerHeaders: Record<string, string> = {};\n for (const [key, value] of Object.entries(params.headers)) {\n lowerHeaders[key.toLowerCase()] = value.trim().replace(/\\s+/g, ' ');\n }\n const sortedNames = Object.keys(lowerHeaders).sort();\n\n const canonicalHeaders = sortedNames\n .map((name) => `${name}:${lowerHeaders[name]}\\n`)\n .join('');\n const signedHeaders = sortedNames.join(';');\n\n const canonicalRequest = [\n params.method,\n params.path,\n params.query,\n canonicalHeaders,\n signedHeaders,\n params.payloadHash,\n ].join('\\n');\n\n const credentialScope = `${params.dateStamp}/${params.region}/${params.service}/aws4_request`;\n const stringToSign = [\n ALGORITHM,\n params.amzDate,\n credentialScope,\n await sha256Hex(canonicalRequest),\n ].join('\\n');\n\n const signingKey = await deriveSigningKey(\n params.secretAccessKey,\n params.dateStamp,\n params.region,\n params.service,\n );\n const signature = toHex(await hmac(signingKey, stringToSign));\n\n return (\n `${ALGORITHM} Credential=${params.accessKeyId}/${credentialScope}, ` +\n `SignedHeaders=${signedHeaders}, Signature=${signature}`\n );\n}\n","// Minimal parser for the handful of AWS Query-protocol (XML) responses this\n// connector consumes: GetMetricData, STS AssumeRole, and error envelopes. It\n// is deliberately narrow — it understands the specific element nesting these\n// responses use rather than being a general-purpose XML parser.\n\nfunction decodeEntities(value: string): string {\n return value\n .replace(/</g, '<')\n .replace(/>/g, '>')\n .replace(/"/g, '\"')\n .replace(/'/g, \"'\")\n .replace(/'/g, \"'\")\n .replace(/&/g, '&');\n}\n\n// Inner text of the first `<tag>...</tag>` in `xml`. Returns '' for a\n// self-closing `<tag/>`, and null when the tag is absent. Tags that contain\n// repeated `<member>` children (Timestamps, Values, MetricDataResults) do not\n// nest within themselves, so the first matching close tag is the correct one.\nexport function firstInner(xml: string, tag: string): string | null {\n const escapedTag = tag.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n const open = new RegExp(`<${escapedTag}(?:\\\\s[^>]*)?>`).exec(xml);\n if (!open) {\n return new RegExp(`<${escapedTag}\\\\s*/>`).test(xml) ? '' : null;\n }\n const start = open.index + open[0].length;\n const closeIdx = xml.indexOf(`</${tag}>`, start);\n if (closeIdx === -1) {\n return null;\n }\n return xml.slice(start, closeIdx);\n}\n\nexport function firstText(xml: string, tag: string): string | null {\n const inner = firstInner(xml, tag);\n return inner === null ? null : decodeEntities(inner).trim();\n}\n\n// Inner content of each top-level `<member>...</member>`, tracking nesting so\n// that a result member's nested Timestamps/Values members are not mistaken for\n// top-level entries.\nexport function topLevelMembers(xml: string): string[] {\n const results: string[] = [];\n const re = /<member(?:\\s[^>]*)?>|<\\/member>/g;\n let depth = 0;\n let contentStart = -1;\n let match: RegExpExecArray | null;\n while ((match = re.exec(xml)) !== null) {\n if (match[0].startsWith('</')) {\n depth--;\n if (depth === 0 && contentStart !== -1) {\n results.push(xml.slice(contentStart, match.index));\n contentStart = -1;\n }\n } else {\n if (depth === 0) {\n contentStart = match.index + match[0].length;\n }\n depth++;\n }\n }\n return results;\n}\n\nexport interface MetricDataResult {\n id: string;\n label: string;\n statusCode: string;\n timestamps: string[];\n values: number[];\n}\n\nexport interface GetMetricDataParsed {\n results: MetricDataResult[];\n nextToken: string | null;\n}\n\nexport function parseGetMetricData(xml: string): GetMetricDataParsed {\n const resultsBlock = firstInner(xml, 'MetricDataResults') ?? '';\n const results = topLevelMembers(resultsBlock).map((member) => {\n const tsBlock = firstInner(member, 'Timestamps') ?? '';\n const valBlock = firstInner(member, 'Values') ?? '';\n return {\n id: firstText(member, 'Id') ?? '',\n label: firstText(member, 'Label') ?? '',\n statusCode: firstText(member, 'StatusCode') ?? '',\n timestamps: topLevelMembers(tsBlock).map((t) => decodeEntities(t).trim()),\n values: topLevelMembers(valBlock).map((v) =>\n Number(decodeEntities(v).trim()),\n ),\n };\n });\n const nextToken = firstText(xml, 'NextToken');\n return { results, nextToken: nextToken === '' ? null : nextToken };\n}\n\nexport interface StsCredentials {\n accessKeyId: string;\n secretAccessKey: string;\n sessionToken: string;\n expiration: string;\n}\n\nexport function parseAssumeRole(xml: string): StsCredentials | null {\n const credBlock = firstInner(xml, 'Credentials');\n if (credBlock === null) {\n return null;\n }\n const accessKeyId = firstText(credBlock, 'AccessKeyId') ?? '';\n const secretAccessKey = firstText(credBlock, 'SecretAccessKey') ?? '';\n if (accessKeyId === '' || secretAccessKey === '') {\n return null;\n }\n return {\n accessKeyId,\n secretAccessKey,\n sessionToken: firstText(credBlock, 'SessionToken') ?? '',\n expiration: firstText(credBlock, 'Expiration') ?? '',\n };\n}\n\n// AWS Query-protocol error envelopes carry the machine-readable error code in\n// an `<Error><Code>...</Code></Error>` element.\nexport function parseErrorCode(xml: string): string | null {\n return firstText(xml, 'Code');\n}\n","import { CloudWatchConnector } from './aws-cloudwatch';\n\nexport { CloudWatchConnector, configFields } from './aws-cloudwatch';\nexport type {\n CloudWatchMetricQuery,\n CloudWatchSettings,\n} from './aws-cloudwatch';\nexport default CloudWatchConnector;\n"],"mappings":";AASO,IAAe,kBAAf,cAAuC,MAAM;EAEzC;EAET,YAAY,SAAiB,UAAyB;AACpD,UAAM,OAAO;AACb,SAAK,OAAO,WAAW;AACvB,SAAK,WAAW;EAClB;AACF;AAEO,IAAM,iBAAN,cAA6B,gBAAgB;EACzC,OAAO;AAClB;AAEO,IAAM,iBAAN,cAA6B,gBAAgB;EACzC,OAAO;EACP;EAET,YAAY,SAAiB,UAAyB,YAAmB;AACvE,UAAM,SAAS,QAAQ;AACvB,SAAK,aAAa;EACpB;AACF;AAEO,IAAM,YAAN,cAAwB,gBAAgB;EACpC,OAAO;AAClB;AEpCO,IAAM,sBAAsB;AAE5B,IAAM,qBAAqB,qBAAqB,mBAAmB;AAEnE,SAAS,mBAAmB,aAA6B;AAC9D,SAAO,qBAAqB,WAAW,IAAI,mBAAmB;AAChE;AIJO,SAAS,WACd,OACA,MACe;AACf,MAAI,UAAU,QAAQ,UAAU,QAAW;AACzC,WAAO;EACT;AACA,MAAI,SAAS,OAAO;AAClB,QAAI,OAAO,UAAU,UAAU;AAC7B,aAAO;IACT;AACA,UAAM,KAAK,IAAI,KAAK,KAAK,EAAE,QAAQ;AACnC,WAAO,OAAO,SAAS,EAAE,IAAI,KAAK;EACpC;AACA,MAAI,OAAO,UAAU,YAAY,MAAM,KAAK,MAAM,IAAI;AACpD,WAAO;EACT;AACA,QAAM,IAAI,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAK;AAC1D,MAAI,CAAC,OAAO,SAAS,CAAC,GAAG;AACvB,WAAO;EACT;AACA,QAAM,SAAS,SAAS,MAAM,IAAI,MAAO;AACzC,SAAO,OAAO,SAAS,MAAM,IAAI,SAAS;AAC5C;;;AGhBA;AAAA,EACE;AAAA,EAQA;AAAA,OACK;AACP,SAAS,SAAS;;;AChBlB,IAAM,UAAU,IAAI,YAAY;AAEhC,IAAM,YAAY;AAIlB,SAAS,GAAG,MAAuC;AACjD,SAAO,IAAI,WAAW,QAAQ,OAAO,IAAI,CAAC;AAC5C;AAEA,SAAS,MAAM,QAA6B;AAC1C,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,WAAO,MAAM,CAAC,EAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC/C;AACA,SAAO;AACT;AAEA,eAAsB,UAAU,MAA+B;AAC7D,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,GAAG,IAAI,CAAC;AACxE,SAAO,MAAM,MAAM;AACrB;AAEA,eAAe,KAAK,KAAmB,MAAoC;AACzE,QAAM,YAAY,MAAM,WAAW,OAAO,OAAO;AAAA,IAC/C;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,SAAO,WAAW,OAAO,OAAO,KAAK,QAAQ,WAAW,GAAG,IAAI,CAAC;AAClE;AAEA,eAAe,iBACb,iBACA,WACA,QACA,SACsB;AACtB,QAAM,QAAQ,MAAM,KAAK,GAAG,OAAO,eAAe,EAAE,GAAG,SAAS;AAChE,QAAM,UAAU,MAAM,KAAK,OAAO,MAAM;AACxC,QAAM,WAAW,MAAM,KAAK,SAAS,OAAO;AAC5C,SAAO,KAAK,UAAU,cAAc;AACtC;AAQO,SAAS,cAAc,MAAqB;AACjD,QAAM,UAAU,KAAK,YAAY,EAAE,QAAQ,iBAAiB,EAAE;AAC9D,SAAO,EAAE,SAAS,WAAW,QAAQ,MAAM,GAAG,CAAC,EAAE;AACnD;AAoBA,eAAsB,0BACpB,QACiB;AACjB,QAAM,eAAuC,CAAC;AAC9C,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,iBAAa,IAAI,YAAY,CAAC,IAAI,MAAM,KAAK,EAAE,QAAQ,QAAQ,GAAG;AAAA,EACpE;AACA,QAAM,cAAc,OAAO,KAAK,YAAY,EAAE,KAAK;AAEnD,QAAM,mBAAmB,YACtB,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,aAAa,IAAI,CAAC;AAAA,CAAI,EAC/C,KAAK,EAAE;AACV,QAAM,gBAAgB,YAAY,KAAK,GAAG;AAE1C,QAAM,mBAAmB;AAAA,IACvB,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA,OAAO;AAAA,EACT,EAAE,KAAK,IAAI;AAEX,QAAM,kBAAkB,GAAG,OAAO,SAAS,IAAI,OAAO,MAAM,IAAI,OAAO,OAAO;AAC9E,QAAM,eAAe;AAAA,IACnB;AAAA,IACA,OAAO;AAAA,IACP;AAAA,IACA,MAAM,UAAU,gBAAgB;AAAA,EAClC,EAAE,KAAK,IAAI;AAEX,QAAM,aAAa,MAAM;AAAA,IACvB,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,EACT;AACA,QAAM,YAAY,MAAM,MAAM,KAAK,YAAY,YAAY,CAAC;AAE5D,SACE,GAAG,SAAS,eAAe,OAAO,WAAW,IAAI,eAAe,mBAC/C,aAAa,eAAe,SAAS;AAE1D;;;ACtHA,SAAS,eAAe,OAAuB;AAC7C,SAAO,MACJ,QAAQ,SAAS,GAAG,EACpB,QAAQ,SAAS,GAAG,EACpB,QAAQ,WAAW,GAAG,EACtB,QAAQ,UAAU,GAAG,EACrB,QAAQ,WAAW,GAAG,EACtB,QAAQ,UAAU,GAAG;AAC1B;AAMO,SAAS,WAAW,KAAa,KAA4B;AAClE,QAAM,aAAa,IAAI,QAAQ,uBAAuB,MAAM;AAC5D,QAAM,OAAO,IAAI,OAAO,IAAI,UAAU,gBAAgB,EAAE,KAAK,GAAG;AAChE,MAAI,CAAC,MAAM;AACT,WAAO,IAAI,OAAO,IAAI,UAAU,QAAQ,EAAE,KAAK,GAAG,IAAI,KAAK;AAAA,EAC7D;AACA,QAAM,QAAQ,KAAK,QAAQ,KAAK,CAAC,EAAE;AACnC,QAAM,WAAW,IAAI,QAAQ,KAAK,GAAG,KAAK,KAAK;AAC/C,MAAI,aAAa,IAAI;AACnB,WAAO;AAAA,EACT;AACA,SAAO,IAAI,MAAM,OAAO,QAAQ;AAClC;AAEO,SAAS,UAAU,KAAa,KAA4B;AACjE,QAAM,QAAQ,WAAW,KAAK,GAAG;AACjC,SAAO,UAAU,OAAO,OAAO,eAAe,KAAK,EAAE,KAAK;AAC5D;AAKO,SAAS,gBAAgB,KAAuB;AACrD,QAAM,UAAoB,CAAC;AAC3B,QAAM,KAAK;AACX,MAAI,QAAQ;AACZ,MAAI,eAAe;AACnB,MAAI;AACJ,UAAQ,QAAQ,GAAG,KAAK,GAAG,OAAO,MAAM;AACtC,QAAI,MAAM,CAAC,EAAE,WAAW,IAAI,GAAG;AAC7B;AACA,UAAI,UAAU,KAAK,iBAAiB,IAAI;AACtC,gBAAQ,KAAK,IAAI,MAAM,cAAc,MAAM,KAAK,CAAC;AACjD,uBAAe;AAAA,MACjB;AAAA,IACF,OAAO;AACL,UAAI,UAAU,GAAG;AACf,uBAAe,MAAM,QAAQ,MAAM,CAAC,EAAE;AAAA,MACxC;AACA;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAeO,SAAS,mBAAmB,KAAkC;AACnE,QAAM,eAAe,WAAW,KAAK,mBAAmB,KAAK;AAC7D,QAAM,UAAU,gBAAgB,YAAY,EAAE,IAAI,CAAC,WAAW;AAC5D,UAAM,UAAU,WAAW,QAAQ,YAAY,KAAK;AACpD,UAAM,WAAW,WAAW,QAAQ,QAAQ,KAAK;AACjD,WAAO;AAAA,MACL,IAAI,UAAU,QAAQ,IAAI,KAAK;AAAA,MAC/B,OAAO,UAAU,QAAQ,OAAO,KAAK;AAAA,MACrC,YAAY,UAAU,QAAQ,YAAY,KAAK;AAAA,MAC/C,YAAY,gBAAgB,OAAO,EAAE,IAAI,CAAC,MAAM,eAAe,CAAC,EAAE,KAAK,CAAC;AAAA,MACxE,QAAQ,gBAAgB,QAAQ,EAAE;AAAA,QAAI,CAAC,MACrC,OAAO,eAAe,CAAC,EAAE,KAAK,CAAC;AAAA,MACjC;AAAA,IACF;AAAA,EACF,CAAC;AACD,QAAM,YAAY,UAAU,KAAK,WAAW;AAC5C,SAAO,EAAE,SAAS,WAAW,cAAc,KAAK,OAAO,UAAU;AACnE;AASO,SAAS,gBAAgB,KAAoC;AAClE,QAAM,YAAY,WAAW,KAAK,aAAa;AAC/C,MAAI,cAAc,MAAM;AACtB,WAAO;AAAA,EACT;AACA,QAAM,cAAc,UAAU,WAAW,aAAa,KAAK;AAC3D,QAAM,kBAAkB,UAAU,WAAW,iBAAiB,KAAK;AACnE,MAAI,gBAAgB,MAAM,oBAAoB,IAAI;AAChD,WAAO;AAAA,EACT;AACA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,cAAc,UAAU,WAAW,cAAc,KAAK;AAAA,IACtD,YAAY,UAAU,WAAW,YAAY,KAAK;AAAA,EACpD;AACF;AAIO,SAAS,eAAe,KAA4B;AACzD,SAAO,UAAU,KAAK,MAAM;AAC9B;;;AF7FA,SAAS,QAAQ,MAAkC;AACjD,QAAM,MACJ,WAGA,SAAS;AACX,SAAO,MAAM,IAAI;AACnB;AAMA,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACjC,IAAI,EACD,OAAO,EACP;AAAA,IACC;AAAA,IACA;AAAA,EACF;AAAA,EACF,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC3B,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACxB,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,eAAe,EACZ,OAAO,EACP,IAAI,EACJ,IAAI,EAAE,EACN,OAAO,CAAC,MAAM,IAAI,OAAO,GAAG;AAAA,IAC3B,SAAS;AAAA,EACX,CAAC;AAAA,EACH,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS;AACxD,CAAC;AAEM,IAAM,eAAe;AAAA,EAC1B,EACG,OAAO;AAAA,IACN,QAAQ,EACL,OAAO,EACP;AAAA,MACC;AAAA,MACA;AAAA,IACF,EACC,KAAK;AAAA,MACJ,OAAO;AAAA,MACP,aACE;AAAA,MACF,aAAa;AAAA,IACf,CAAC;AAAA,IACH,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK;AAAA,MAC7D,OAAO;AAAA,MACP,aACE;AAAA,MACF,QAAQ;AAAA,IACV,CAAC;AAAA,IACD,iBAAiB,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK;AAAA,MACjE,OAAO;AAAA,MACP,aACE;AAAA,MACF,QAAQ;AAAA,IACV,CAAC;AAAA,IACD,SAAS,EACN,OAAO,EACP;AAAA,MACC;AAAA,MACA;AAAA,IACF,EACC,SAAS,EACT,KAAK;AAAA,MACJ,OAAO;AAAA,MACP,aACE;AAAA,MACF,aAAa;AAAA,IACf,CAAC;AAAA,IACH,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK;AAAA,MAC5C,OAAO;AAAA,MACP,aACE;AAAA,IACJ,CAAC;AAAA,IACD,eAAe,EAAE,MAAM,iBAAiB,EAAE,SAAS,EAAE,KAAK;AAAA,MACxD,OAAO;AAAA,MACP,aACE;AAAA,IACJ,CAAC;AAAA,IACD,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,KAAM,EAAE,SAAS,EAAE,KAAK;AAAA,MACvE,OAAO;AAAA,MACP,aACE;AAAA,MACF,aAAa;AAAA,IACf,CAAC;AAAA,EACH,CAAC,EACA;AAAA,IACC,CAAC,QACC,IAAI,YAAY,UACf,IAAI,gBAAgB,UAAa,IAAI,oBAAoB;AAAA,IAC5D;AAAA,MACE,SACE;AAAA,IACJ;AAAA,EACF;AACJ;AAuBA,IAAM,wBAAwB;AAAA,EAC5B,aAAa;AAAA,IACX,aAAa;AAAA,IACb,MAAM;AAAA,EACR;AAAA,EACA,iBAAiB;AAAA,IACf,aAAa;AAAA,IACb,MAAM;AAAA,EACR;AACF;AAcA,IAAM,2BAA2B,EAAE,OAAO;AAAA,EACxC,mBAAmB,EAAE;AAAA,IACnB,EAAE,OAAO;AAAA,MACP,IAAI,EAAE,OAAO;AAAA,MACb,OAAO,EAAE,OAAO;AAAA,MAChB,YAAY,EAAE,MAAM,EAAE,IAAI,SAAS,CAAC;AAAA,MACpC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,MAC1B,YAAY,EAAE,KAAK;AAAA,QACjB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA,EACA,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAMD,IAAM,qBAAqB;AAC3B,IAAM,yBAAyB;AAC/B,IAAM,cAAc;AACpB,IAAM,kBAAkB;AACxB,IAAM,uBAAuB;AAC7B,IAAM,2BAA2B;AACjC,IAAM,6BAA6B;AACnC,IAAM,+BAA+B;AACrC,IAAM,gBAAgB;AACtB,IAAM,oBAAoB;AAMnB,IAAM,sBAAN,MAAM,6BAA4B,cAGvC;AAAA,EACA,OAAgB,KAAK;AAAA,EAErB,OAAgB,UAAU;AAAA,IACxB,aAAa;AAAA,EACf;AAAA,EAEA,OAAO,OAAO,OAAgB,KAA6C;AACzE,UAAM,SAAS,aAAa,MAAM,KAAK;AACvC,WAAO,IAAI;AAAA,MACT;AAAA,QACE,QAAQ,OAAO;AAAA,QACf,SAAS,OAAO;AAAA,QAChB,YAAY,OAAO;AAAA,QACnB,eAAe,OAAO;AAAA,QACtB,iBAAiB,OAAO;AAAA,MAC1B;AAAA,MACA;AAAA,QACE,aAAa,OAAO;AAAA,QACpB,iBAAiB,OAAO;AAAA,MAC1B;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAES,KAAK;AAAA,EACI,cAAc;AAAA,EAExB,eAGG;AAAA;AAAA;AAAA;AAAA,EAMH,kBAAsC;AAC5C,UAAM,EAAE,aAAa,gBAAgB,IAAI,KAAK;AAC9C,QAAI,eAAe,iBAAiB;AAClC,aAAO,EAAE,aAAa,gBAAgB;AAAA,IACxC;AACA,UAAM,iBAAiB,QAAQ,mBAAmB;AAClD,UAAM,qBAAqB,QAAQ,uBAAuB;AAC1D,QAAI,kBAAkB,oBAAoB;AACxC,aAAO;AAAA,QACL,aAAa;AAAA,QACb,iBAAiB;AAAA,QACjB,cAAc,QAAQ,mBAAmB,KAAK;AAAA,MAChD;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,0BACZ,QAC6B;AAC7B,QAAI,KAAK,SAAS,YAAY,QAAW;AACvC,YAAM,EAAE,aAAa,gBAAgB,IAAI,KAAK;AAC9C,UAAI,CAAC,eAAe,CAAC,iBAAiB;AACpC,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AACA,aAAO,EAAE,aAAa,gBAAgB;AAAA,IACxC;AAEA,QAAI,KAAK,gBAAgB,KAAK,IAAI,IAAI,KAAK,aAAa,WAAW;AACjE,aAAO,KAAK,aAAa;AAAA,IAC3B;AACA,UAAM,UAAU,MAAM,KAAK,WAAW,KAAK,SAAS,SAAS,MAAM;AACnE,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,WACZ,SACA,QAC6B;AAC7B,UAAM,SAAS,IAAI,gBAAgB;AACnC,WAAO,IAAI,UAAU,YAAY;AACjC,WAAO,IAAI,WAAW,eAAe;AACrC,WAAO,IAAI,WAAW,OAAO;AAC7B,WAAO,IAAI,mBAAmB,wBAAwB;AACtD,WAAO,IAAI,mBAAmB,OAAO,4BAA4B,CAAC;AAClE,QAAI,KAAK,SAAS,eAAe,QAAW;AAC1C,aAAO,IAAI,cAAc,KAAK,SAAS,UAAU;AAAA,IACnD;AAEA,UAAM,OAAO,OAAO,KAAK,SAAS,MAAM;AACxC,UAAM,MAAM,MAAM,KAAK,WAAW;AAAA,MAChC;AAAA,MACA,SAAS;AAAA,MACT,MAAM,OAAO,SAAS;AAAA,MACtB,oBAAoB,KAAK,gBAAgB;AAAA,MACzC,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AAED,UAAM,SAAS,gBAAgB,GAAG;AAClC,QAAI,WAAW,MAAM;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,wBAAwB,MAAM;AACnC,WAAO;AAAA,MACL,aAAa,OAAO;AAAA,MACpB,iBAAiB,OAAO;AAAA,MACxB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA,EAEQ,wBAAwB,QAA8B;AAC5D,UAAM,eAAe,WAAW,OAAO,YAAY,KAAK;AACxD,UAAM,YACJ,iBAAiB,OACb,eAAe,6BACf,KAAK,IAAI,KAAK,+BAA+B,MAAM;AACzD,SAAK,eAAe;AAAA,MAClB,OAAO;AAAA,QACL,aAAa,OAAO;AAAA,QACpB,iBAAiB,OAAO;AAAA,QACxB,cAAc,OAAO,gBAAgB;AAAA,MACvC;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,WAAW,MAOL;AAClB,UAAM,EAAE,SAAS,UAAU,IAAI,cAAc,oBAAI,KAAK,CAAC;AACvD,UAAM,cAAc,MAAM,UAAU,KAAK,IAAI;AAE7C,UAAM,gBAAwC;AAAA,MAC5C,MAAM,KAAK;AAAA,MACX,gBAAgB;AAAA,MAChB,wBAAwB;AAAA,MACxB,cAAc;AAAA,IAChB;AACA,QAAI,KAAK,mBAAmB,iBAAiB,QAAW;AACtD,oBAAc,sBAAsB,IAClC,KAAK,mBAAmB;AAAA,IAC5B;AAEA,UAAM,gBAAgB,MAAM,0BAA0B;AAAA,MACpD,QAAQ;AAAA,MACR,MAAM,KAAK;AAAA,MACX,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS;AAAA,MACT;AAAA,MACA,aAAa,KAAK,mBAAmB;AAAA,MACrC,iBAAiB,KAAK,mBAAmB;AAAA,MACzC,QAAQ,KAAK,SAAS;AAAA,MACtB,SAAS,KAAK;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAKD,UAAM,cAAsC;AAAA,MAC1C,gBAAgB;AAAA,MAChB,wBAAwB;AAAA,MACxB,cAAc;AAAA,MACd,cAAc,mBAAmB,gBAAgB;AAAA,MACjD,eAAe;AAAA,IACjB;AACA,QAAI,KAAK,mBAAmB,iBAAiB,QAAW;AACtD,kBAAY,sBAAsB,IAChC,KAAK,mBAAmB;AAAA,IAC5B;AAEA,QAAI;AACF,YAAM,MAA4B,MAAM,KAAK;AAAA,QAC3C;AAAA,UACE,KAAK,WAAW,KAAK,IAAI;AAAA,UACzB,QAAQ;AAAA,UACR,SAAS;AAAA,UACT,MAAM,KAAK;AAAA,UACX,WAAW;AAAA,UACX,QAAQ,KAAK;AAAA,QACf;AAAA,QACA,EAAE,UAAU,KAAK,SAAS;AAAA,MAC5B;AACA,aAAO,IAAI;AAAA,IACb,SAAS,KAAK;AACZ,YAAM,KAAK,iBAAiB,GAAG;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,KAAuB;AAC9C,QAAI,EAAE,eAAe,UAAU,EAAE,UAAU,MAAM;AAC/C,aAAO;AAAA,IACT;AACA,UAAM,UAAU;AAChB,UAAM,OACJ,OAAO,QAAQ,UAAU,SAAS,WAAW,QAAQ,SAAS,OAAO;AACvE,UAAM,OAAO,eAAe,IAAI,KAAK;AACrC,UAAM,SAAS,QAAQ,UAAU,UAAU;AAE3C,QACE,8DAA8D,KAAK,IAAI,GACvE;AACA,aAAO,IAAI,eAAe,QAAQ,SAAS,QAAQ,QAAQ;AAAA,IAC7D;AACA,QACE,uHAAuH;AAAA,MACrH;AAAA,IACF,GACA;AACA,aAAO,IAAI,UAAU,QAAQ,SAAS,QAAQ,QAAQ;AAAA,IACxD;AACA,QAAI,UAAU,KAAK;AACjB,aAAO,IAAI,eAAe,QAAQ,SAAS,QAAQ,QAAQ;AAAA,IAC7D;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,SAGpB;AACA,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI,QAAQ,OAAO;AACjB,YAAM,UAAU,WAAW,QAAQ,OAAO,KAAK;AAC/C,UAAI,YAAY,MAAM;AACpB,eAAO,EAAE,SAAS,KAAK,IAAI,SAAS,KAAK,GAAG,MAAM;AAAA,MACpD;AAAA,IACF;AACA,QAAI,QAAQ,SAAS,UAAU;AAC7B,YAAM,YAAY,KAAK;AAAA,QACrB,GAAG,KAAK,SAAS,cAAc,IAAI,CAAC,MAAM,EAAE,aAAa;AAAA,QACzD;AAAA,MACF;AACA,aAAO,EAAE,SAAS,QAAQ,YAAY,IAAI,KAAM,MAAM;AAAA,IACxD;AACA,UAAM,WAAW,KAAK,SAAS,mBAAmB;AAClD,WAAO,EAAE,SAAS,QAAQ,WAAW,eAAe,MAAM;AAAA,EAC5D;AAAA,EAEQ,uBACN,SACA,SACA,OACA,WACQ;AACR,UAAM,SAAS,IAAI,gBAAgB;AACnC,WAAO,IAAI,UAAU,eAAe;AACpC,WAAO,IAAI,WAAW,sBAAsB;AAC5C,WAAO,IAAI,aAAa,IAAI,KAAK,OAAO,EAAE,YAAY,CAAC;AACvD,WAAO,IAAI,WAAW,IAAI,KAAK,KAAK,EAAE,YAAY,CAAC;AACnD,WAAO,IAAI,UAAU,oBAAoB;AACzC,QAAI,cAAc,QAAW;AAC3B,aAAO,IAAI,aAAa,SAAS;AAAA,IACnC;AAEA,YAAQ,QAAQ,CAAC,OAAO,UAAU;AAChC,YAAM,SAAS,4BAA4B,QAAQ,CAAC;AACpD,aAAO,IAAI,GAAG,MAAM,OAAO,MAAM,EAAE;AACnC,aAAO,IAAI,GAAG,MAAM,eAAe,MAAM;AACzC,aAAO,IAAI,GAAG,MAAM,gCAAgC,MAAM,SAAS;AACnE,aAAO,IAAI,GAAG,MAAM,iCAAiC,MAAM,MAAM;AACjE,aAAO,IAAI,GAAG,MAAM,sBAAsB,OAAO,MAAM,aAAa,CAAC;AACrE,aAAO,IAAI,GAAG,MAAM,oBAAoB,MAAM,IAAI;AAClD,YAAM,aAAa,OAAO,QAAQ,MAAM,cAAc,CAAC,CAAC;AACxD,iBAAW,QAAQ,CAAC,CAAC,MAAM,KAAK,GAAG,aAAa;AAC9C,cAAM,YAAY,GAAG,MAAM,wCAAwC,WAAW,CAAC;AAC/E,eAAO,IAAI,GAAG,SAAS,SAAS,IAAI;AACpC,eAAO,IAAI,GAAG,SAAS,UAAU,KAAK;AAAA,MACxC,CAAC;AAAA,IACH,CAAC;AAED,WAAO,OAAO,SAAS;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KACJ,SACA,SACA,QACqB;AACrB,UAAM,UAAU,KAAK,SAAS;AAC9B,UAAM,QAAQ,IAAI,IAAI,QAAQ,IAAI,CAAC,MAAM,GAAG,EAAE,SAAS,IAAI,EAAE,MAAM,EAAE,CAAC;AAEtE,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO,EAAE,MAAM,KAAK;AAAA,IACtB;AAEA,UAAM,cAAc,IAAI,IAAI,QAAQ,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AACzD,UAAM,EAAE,SAAS,MAAM,IAAI,KAAK,cAAc,OAAO;AACrD,UAAM,qBAAqB,MAAM,KAAK,0BAA0B,MAAM;AAEtE,UAAM,UAA0B,CAAC;AACjC,UAAM,OAAO,GAAG,kBAAkB,IAAI,KAAK,SAAS,MAAM;AAE1D,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK,sBAAsB;AAC7D,YAAM,QAAQ,QAAQ,MAAM,GAAG,IAAI,oBAAoB;AACvD,UAAI;AACJ,UAAI,OAAO;AACX,SAAG;AACD,YAAI,QAAQ,SAAS;AACnB,iBAAO,EAAE,MAAM,MAAM;AAAA,QACvB;AACA,cAAM,OAAO,KAAK;AAAA,UAChB;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,cAAM,MAAM,MAAM,KAAK,WAAW;AAAA,UAChC;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA;AAAA,UACA,UAAU;AAAA,UACV;AAAA,QACF,CAAC;AACD,cAAM,SAAS,mBAAmB,GAAG;AACrC,mBAAW,UAAU,OAAO,SAAS;AACnC,gBAAM,QAAQ,YAAY,IAAI,OAAO,EAAE;AACvC,cAAI,UAAU,QAAW;AACvB;AAAA,UACF;AACA,eAAK,eAAe,SAAS,OAAO,MAAM;AAAA,QAC5C;AACA,oBAAY,OAAO,aAAa;AAChC,gBAAQ;AACR,aAAK,OAAO,KAAK,gBAAgB;AAAA,UAC/B,UAAU;AAAA,UACV;AAAA,UACA,OAAO,OAAO,QAAQ;AAAA,UACtB,MAAM,aAAa;AAAA,QACrB,CAAC;AAAA,MACH,SAAS,cAAc;AAAA,IACzB;AAEA,UAAM,QAAQ,QAAQ,SAAS,EAAE,OAAO,CAAC,GAAG,KAAK,EAAE,CAAC;AACpD,SAAK,OAAO,KAAK,iBAAiB;AAAA,MAChC,UAAU;AAAA,MACV,OAAO,QAAQ;AAAA,IACjB,CAAC;AACD,WAAO,EAAE,MAAM,KAAK;AAAA,EACtB;AAAA,EAEQ,eACN,SACA,OACA,QAMM;AACN,UAAM,OAAO,GAAG,MAAM,SAAS,IAAI,MAAM,MAAM;AAC/C,UAAM,iBAA4C;AAAA,MAChD,GAAI,MAAM,cAAc,CAAC;AAAA,MACzB,MAAM,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,SAAS,MAAM;AAAA,MACf,YAAY,OAAO;AAAA,MACnB,OAAO,OAAO;AAAA,IAChB;AACA,UAAM,QAAQ,KAAK,IAAI,OAAO,WAAW,QAAQ,OAAO,OAAO,MAAM;AACrE,aAAS,IAAI,GAAG,IAAI,OAAO,KAAK;AAC9B,YAAM,KAAK,WAAW,OAAO,WAAW,CAAC,GAAI,KAAK;AAClD,YAAM,QAAQ,OAAO,OAAO,CAAC;AAC7B,UAAI,OAAO,QAAQ,CAAC,OAAO,SAAS,KAAK,GAAG;AAC1C;AAAA,MACF;AACA,cAAQ,KAAK,EAAE,MAAM,IAAI,OAAO,YAAY,EAAE,GAAG,eAAe,EAAE,CAAC;AAAA,IACrE;AAAA,EACF;AACF;;;AG/lBA,IAAO,gBAAQ;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,42 @@
+{
+  "name": "@rawdash/connector-aws-cloudwatch",
+  "version": "0.15.0",
+  "description": "Rawdash connector for AWS CloudWatch — pulls declared metric queries into the six-shape storage model via GetMetricData",
+  "license": "Apache-2.0",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rawdash/rawdash.git",
+    "directory": "packages/connectors/aws-cloudwatch"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "exports": {
+    ".": {
+      "@rawdash/source": "./src/index.ts",
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@rawdash/core": "workspace:*",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@rawdash/connector-shared": "workspace:*",
+    "@rawdash/connector-test-utils": "workspace:*",
+    "fast-check": "^4.8.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.4"
+  }
+}