@reproapp/node-sdk 0.0.3 → 0.0.4

package/test/kafka-runtime-privacy-policy.test.js

@@ -0,0 +1,285 @@
+const assert = require('assert');
+const { normalizeRuntimePrivacyPolicy } = require('../dist/privacy');
+const { flushIngestQueue } = require('../dist/ingest/client');
+const { initReproTracing, __reproTestHooks } = require('../dist');
+
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+async function waitFor(predicate, timeoutMs = 3000) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        if (predicate()) return;
+        await sleep(25);
+    }
+    assert(predicate(), 'timed out waiting for expected ingest payload');
+}
+
+async function testKafkaIntegrationConfigUsesStartupLoadedPrivacyPolicy() {
+    const mainConfig = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+    };
+    const kafkaConfig = {
+        ...mainConfig,
+        resolveContext: () => ({ sid: 'S_test', aid: 'A_test' }),
+    };
+
+    __reproTestHooks.shareRuntimePrivacyStateForTest(mainConfig, kafkaConfig);
+
+    const policy = normalizeRuntimePrivacyPolicy({
+        environment: 'dev',
+        rawTextHints: [
+            {
+                name: 'Raw message opaque detector',
+                scope: 'RAW_TEXT_ONLY',
+                action: 'TOKENIZE',
+                regex: '\\bZXQ[0-9A-Z]{8,32}(?:-[A-Z0-9]{2,32})*\\b',
+                tokenLabel: 'rawMessage',
+            },
+            {
+                name: 'Unbound same-regex detector',
+                scope: 'RAW_TEXT_ONLY',
+                action: 'TOKENIZE',
+                regex: '\\bZXQ[0-9A-Z]{8,32}(?:-[A-Z0-9]{2,32})*\\b',
+                tokenLabel: 'wrongLabel',
+            },
+        ],
+        groups: [
+            {
+                gid: 'raw-message',
+                scope: 'FIELD',
+                selector: 'rawMessage',
+                statements: [
+                    {
+                        sid: 'raw-message',
+                        when: {
+                            scope: 'FIELD',
+                            selector: 'rawMessage',
+                            target: 'trace.args[2]',
+                        },
+                        apply: {
+                            action: 'SUMMARIZE',
+                            rawTextMode: 'REGEX_ASSISTED_EXACT',
+                        },
+                        meta: {
+                            priority: 25,
+                            review: {
+                                rawTextHintNames: ['Raw message opaque detector'],
+                            },
+                        },
+                    },
+                    {
+                        sid: 'function-param-fallback',
+                        when: {
+                            scope: 'FUNCTION',
+                            selector: 'fn:PrivacyLabDrillsService.recordConsumedEvent',
+                            target: 'trace.args[2]',
+                        },
+                        apply: { action: 'SUMMARIZE' },
+                        meta: { priority: 113 },
+                    },
+                ],
+            },
+        ],
+    });
+
+    __reproTestHooks.setRuntimePrivacyPolicyForTest(mainConfig, policy);
+    assert.strictEqual(
+        __reproTestHooks.getRuntimePrivacyPolicyForTest(kafkaConfig),
+        policy,
+        'Kafka integration config should share the startup-loaded runtime privacy state',
+    );
+
+    const opaque = 'ZXQ44B02BD9032D78A19KLM-TRACE-44B02B';
+    const sink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'enter',
+            fn: 'PrivacyLabDrillsService.recordConsumedEvent',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 76,
+            args: [
+                { eventId: 'evt-1' },
+                'privacy-lab-case',
+                `raw kafka message has ${opaque}`,
+            ],
+        },
+        sink,
+        kafkaConfig,
+        {
+            method: 'KAFKA_CONSUME',
+            path: 'kafka://privacy-lab.events',
+            key: 'KAFKA_CONSUME privacy-lab.events',
+        },
+    );
+
+    assert.strictEqual(sink.length, 1);
+    const text = JSON.stringify(sink[0]);
+    assert(!text.includes(opaque), text);
+    assert.match(sink[0].args[2], /^raw kafka message has rawMessage_tok_[a-f0-9]{12}$/);
+    assert(!text.includes('wrongLabel_tok_'), text);
+}
+
+async function testKafkaConsumerTraceUsesConsumeTraceId() {
+    const tracer = initReproTracing({ instrument: false, functionLogs: false });
+    const capturedBodies = [];
+    const originalFetch = global.fetch;
+    global.fetch = async (_url, init) => {
+        capturedBodies.push(JSON.parse(String(init?.body ?? '{}')));
+        return { ok: true };
+    };
+
+    try {
+        const cfg = {
+            tenantId: 'TENANT_test',
+            appId: 'APP_test',
+            appSecret: 'secret',
+            captureHeaders: false,
+            privacy: { environment: 'dev' },
+            ingestBase: 'http://127.0.0.1:65535',
+        };
+        const wrapped = __reproTestHooks.wrapKafkaEachMessageHandlerForTest(
+            async () => {
+                tracer.tracer.enter('consumerWork', { file: '/app/consumer.ts', line: 10 }, { args: ['ok'] });
+                tracer.tracer.exit({ fn: 'consumerWork', file: '/app/consumer.ts', line: 10 }, { returnValue: 'done' });
+
+                tracer.withTrace('parent-http-trace', () => {
+                    tracer.tracer.enter('parentWork', { file: '/app/controller.ts', line: 20 }, { args: ['wrong'] });
+                    tracer.tracer.exit({ fn: 'parentWork', file: '/app/controller.ts', line: 20 }, { returnValue: 'wrong' });
+                });
+            },
+            cfg,
+            { __repro_group_id: 'group-a' },
+        );
+
+        await wrapped({
+            topic: 'privacy-lab.events',
+            partition: 0,
+            message: {
+                offset: '42',
+                timestamp: '1778965503962',
+                key: Buffer.from('case-1'),
+                value: Buffer.from('hello'),
+                headers: {
+                    'x-bug-session-id': Buffer.from('S_kafka_trace'),
+                    'x-bug-action-id': Buffer.from('A_kafka_trace'),
+                    'x-repro-trace-id': Buffer.from('parent-http-trace'),
+                    'x-repro-request-rid': Buffer.from('parent-request-rid'),
+                    'x-repro-span-id': Buffer.from('217'),
+                },
+            },
+        });
+
+        await waitFor(() => capturedBodies.some((body) => {
+            return Array.isArray(body.events) && body.events.some((event) => event.event_type === 'trace_batch');
+        }));
+        await flushIngestQueue();
+
+        const events = capturedBodies.flatMap((body) => Array.isArray(body.events) ? body.events : []);
+        const consumeRequest = events.find((event) => event.event_type === 'backend_request');
+        assert(consumeRequest, 'expected Kafka consume request event');
+        assert.strictEqual(consumeRequest.payload.request.body.parentTraceId, 'parent-http-trace');
+        assert.strictEqual(consumeRequest.payload.request.body.parentRequestRid, 'parent-request-rid');
+
+        const traceFns = events
+            .filter((event) => event.event_type === 'trace_batch')
+            .flatMap((event) => Array.isArray(event.payload.trace) ? event.payload.trace : [])
+            .map((traceEvent) => traceEvent.fn);
+        assert(traceFns.includes('consumerWork'), traceFns.join(','));
+        assert(!traceFns.includes('parentWork'), traceFns.join(','));
+    } finally {
+        global.fetch = originalFetch;
+    }
+}
+
+async function testOversizedKafkaTraceArgsKeepBoundedPreview() {
+    const secret = 'sk_live_privacy_large_preview_secret';
+    const largeJson = JSON.stringify({
+        eventId: 'evt-large',
+        eventType: 'privacy-lab.case.observed',
+        providerResponse: {
+            credentials: {
+                apiKey: secret,
+                webhookSecret: 'whsec_large_preview_secret',
+            },
+            rawNarrative: `large narrative ${'x'.repeat(9000)}`,
+        },
+        structuredSnapshot: {
+            subject: {
+                email: 'avery.debugson@example.com',
+            },
+        },
+    });
+    const envelope = JSON.parse(largeJson);
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+    };
+    const maskReq = {
+        method: 'KAFKA_CONSUME',
+        path: 'kafka://privacy-lab.events',
+        key: 'KAFKA_CONSUME privacy-lab.events',
+    };
+
+    const parseSink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'enter',
+            fn: 'JSON.parse',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 77,
+            args: [largeJson],
+        },
+        parseSink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(parseSink.length, 1);
+    assert(parseSink[0].args, 'expected oversized JSON.parse args to keep a bounded preview');
+    assert.strictEqual(parseSink[0].args[0].__type, 'json-string');
+    assert(parseSink[0].args[0].parsed.providerResponse, JSON.stringify(parseSink[0].args[0]));
+    assert.strictEqual(parseSink[0].argsMaterialization.reason, 'inline_value_too_large');
+    assert.strictEqual(parseSink[0].argsMaterialization.preview, 'bounded');
+    assert(!JSON.stringify(parseSink[0]).includes(secret), JSON.stringify(parseSink[0]));
+
+    const consumedSink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'enter',
+            fn: 'recordConsumedEvent',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 78,
+            args: [envelope, 'privacy-lab-case', largeJson],
+        },
+        consumedSink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(consumedSink.length, 1);
+    assert(consumedSink[0].args, 'expected oversized recordConsumedEvent args to keep a bounded preview');
+    assert.strictEqual(consumedSink[0].args[1], 'privacy-lab-case');
+    assert(consumedSink[0].args[0].providerResponse, JSON.stringify(consumedSink[0].args[0]));
+    assert.strictEqual(consumedSink[0].args[2].__type, 'json-string');
+    assert.strictEqual(consumedSink[0].argsMaterialization.reason, 'inline_value_too_large');
+    assert(!JSON.stringify(consumedSink[0]).includes(secret), JSON.stringify(consumedSink[0]));
+}
+
+async function main() {
+    await testKafkaIntegrationConfigUsesStartupLoadedPrivacyPolicy();
+    await testKafkaConsumerTraceUsesConsumeTraceId();
+    await testOversizedKafkaTraceArgsKeepBoundedPreview();
+    console.log('kafka runtime privacy policy wiring OK');
+}
+
+main().catch((err) => {
+    console.error(err);
+    process.exitCode = 1;
+});