npm - @sanctuary-framework/mcp-server - Versions diffs - 0.10.0 → 0.10.1 - Mend

@sanctuary-framework/mcp-server 0.10.0 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -159,11 +159,29 @@ declare class AuditLog {
     private readonly maxTotalSizeBytes;
     private readonly maxEntries;
     private rotationInFlight;
+    private readonly pendingWrites;
     constructor(storage: StorageBackend, masterKey: Uint8Array, config?: AuditLogConfig);
     /**
      * Append an audit entry.
+     *
+     * The on-disk persist is async and tracked via `pendingWrites`. Long-lived
+     * callers (the main MCP server) can ignore that tracking and let writes
+     * drain naturally. Short-lived callers — the `sanctuary secrets` CLI which
+     * `process.exit()`s immediately after returning from a broker mutation —
+     * MUST await `flush()` before exiting, or in-flight writes get killed
+     * with the event loop and the entry is silently lost. That was the
+     * v0.10.0-rc.2 soak failure mode where `secrets audit` returned empty
+     * after a clean 7-verb lifecycle.
      */
     append(layer: AuditEntry["layer"], operation: string, identityId: string, details?: Record<string, unknown>, result?: "success" | "failure"): void;
+    /**
+     * Wait for every in-flight `append()` persist (and its rotation pass) to
+     * settle. Safe to call multiple times — newly-appended entries during a
+     * flush are also awaited. Re-entrant only at the granularity of "drain
+     * everything queued so far". Short-lived CLIs MUST call this before
+     * `process.exit()` to keep audit writes durable.
+     */
+    flush(): Promise<void>;
     private persistEntry;
     /**
      * Prune oldest audit entries when storage exceeds configured limits.

package/dist/index.d.ts CHANGED Viewed

@@ -159,11 +159,29 @@ declare class AuditLog {
     private readonly maxTotalSizeBytes;
     private readonly maxEntries;
     private rotationInFlight;
+    private readonly pendingWrites;
     constructor(storage: StorageBackend, masterKey: Uint8Array, config?: AuditLogConfig);
     /**
      * Append an audit entry.
+     *
+     * The on-disk persist is async and tracked via `pendingWrites`. Long-lived
+     * callers (the main MCP server) can ignore that tracking and let writes
+     * drain naturally. Short-lived callers — the `sanctuary secrets` CLI which
+     * `process.exit()`s immediately after returning from a broker mutation —
+     * MUST await `flush()` before exiting, or in-flight writes get killed
+     * with the event loop and the entry is silently lost. That was the
+     * v0.10.0-rc.2 soak failure mode where `secrets audit` returned empty
+     * after a clean 7-verb lifecycle.
      */
     append(layer: AuditEntry["layer"], operation: string, identityId: string, details?: Record<string, unknown>, result?: "success" | "failure"): void;
+    /**
+     * Wait for every in-flight `append()` persist (and its rotation pass) to
+     * settle. Safe to call multiple times — newly-appended entries during a
+     * flush are also awaited. Re-entrant only at the granularity of "drain
+     * everything queued so far". Short-lived CLIs MUST call this before
+     * `process.exit()` to keep audit writes durable.
+     */
+    flush(): Promise<void>;
     private persistEntry;
     /**
      * Prune oldest audit entries when storage exceeds configured limits.

package/dist/index.js CHANGED Viewed

@@ -1978,6 +1978,7 @@ var AuditLog = class {
   maxTotalSizeBytes;
   maxEntries;
   rotationInFlight = false;
+  pendingWrites = /* @__PURE__ */ new Set();
   constructor(storage, masterKey, config) {
     this.storage = storage;
     this.encryptionKey = derivePurposeKey(masterKey, "audit-log");
@@ -1986,6 +1987,15 @@ var AuditLog = class {
   }
   /**
    * Append an audit entry.
+   *
+   * The on-disk persist is async and tracked via `pendingWrites`. Long-lived
+   * callers (the main MCP server) can ignore that tracking and let writes
+   * drain naturally. Short-lived callers — the `sanctuary secrets` CLI which
+   * `process.exit()`s immediately after returning from a broker mutation —
+   * MUST await `flush()` before exiting, or in-flight writes get killed
+   * with the event loop and the entry is silently lost. That was the
+   * v0.10.0-rc.2 soak failure mode where `secrets audit` returned empty
+   * after a clean 7-verb lifecycle.
    */
   append(layer, operation, identityId, details, result = "success") {
     const entry = {
@@ -1997,8 +2007,22 @@ var AuditLog = class {
       details
     };
     this.entries.push(entry);
-    this.persistEntry(entry).catch(() => {
+    const writePromise = this.persistEntry(entry).catch(() => {
     });
+    this.pendingWrites.add(writePromise);
+    void writePromise.finally(() => this.pendingWrites.delete(writePromise));
+  }
+  /**
+   * Wait for every in-flight `append()` persist (and its rotation pass) to
+   * settle. Safe to call multiple times — newly-appended entries during a
+   * flush are also awaited. Re-entrant only at the granularity of "drain
+   * everything queued so far". Short-lived CLIs MUST call this before
+   * `process.exit()` to keep audit writes durable.
+   */
+  async flush() {
+    while (this.pendingWrites.size > 0) {
+      await Promise.allSettled([...this.pendingWrites]);
+    }
   }
   async persistEntry(entry) {
     const key = `${Date.now()}-${this.counter++}`;
@@ -2009,7 +2033,7 @@ var AuditLog = class {
       key,
       stringToBytes(JSON.stringify(encrypted))
     );
-    this.maybeRotate().catch(() => {
+    await this.maybeRotate().catch(() => {
     });
   }
   /**