npm - @superblocksteam/telemetry - Versions diffs - 2.0.123-next.0 → 2.0.124-next.0 - Mend

@superblocksteam/telemetry 2.0.123-next.0 → 2.0.124-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/README.md +113 -0
package/dist/common/contracts/tier2-traces.d.ts +3 -3
package/dist/common/contracts/tier2-traces.d.ts.map +1 -1
package/dist/common/contracts/tier2-traces.js +33 -6
package/dist/common/contracts/tier2-traces.js.map +1 -1
package/dist/common/index.d.ts +2 -0
package/dist/common/index.d.ts.map +1 -1
package/dist/common/index.js +2 -0
package/dist/common/index.js.map +1 -1
package/dist/common/npm-install-metrics.d.ts +88 -0
package/dist/common/npm-install-metrics.d.ts.map +1 -0
package/dist/common/npm-install-metrics.js +140 -0
package/dist/common/npm-install-metrics.js.map +1 -0
package/dist/common/sanitize-npm-attributes.d.ts +156 -0
package/dist/common/sanitize-npm-attributes.d.ts.map +1 -0
package/dist/common/sanitize-npm-attributes.js +268 -0
package/dist/common/sanitize-npm-attributes.js.map +1 -0
package/dist/node/init.d.ts.map +1 -1
package/dist/node/init.js +7 -0
package/dist/node/init.js.map +1 -1
package/dist-esm/common/contracts/tier2-traces.d.ts +3 -3
package/dist-esm/common/contracts/tier2-traces.d.ts.map +1 -1
package/dist-esm/common/contracts/tier2-traces.js +33 -6
package/dist-esm/common/contracts/tier2-traces.js.map +1 -1
package/dist-esm/common/index.d.ts +2 -0
package/dist-esm/common/index.d.ts.map +1 -1
package/dist-esm/common/index.js +2 -0
package/dist-esm/common/index.js.map +1 -1
package/dist-esm/common/npm-install-metrics.d.ts +88 -0
package/dist-esm/common/npm-install-metrics.d.ts.map +1 -0
package/dist-esm/common/npm-install-metrics.js +135 -0
package/dist-esm/common/npm-install-metrics.js.map +1 -0
package/dist-esm/common/sanitize-npm-attributes.d.ts +156 -0
package/dist-esm/common/sanitize-npm-attributes.d.ts.map +1 -0
package/dist-esm/common/sanitize-npm-attributes.js +258 -0
package/dist-esm/common/sanitize-npm-attributes.js.map +1 -0
package/dist-esm/node/init.d.ts.map +1 -1
package/dist-esm/node/init.js +7 -0
package/dist-esm/node/init.js.map +1 -1
package/package.json +11 -11

package/dist/common/sanitize-npm-attributes.d.ts ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * NPM Registry Attribute Sanitization (APPS-4190)
+ *
+ * Sanitization helpers for the telemetry attributes that P6.2 (APPS-4189
+ * metrics) and P6.3 (APPS-4191 audit events) emit from every npm install
+ * path. Every emitter MUST pass values through these helpers before
+ * attaching them to a span, metric, log, or audit event so that cloud-prem
+ * telemetry never carries customer infra hostnames or registry tokens.
+ *
+ * Policy split — package_name is destination-dependent (decision-point
+ * captured in PR / README "NPM Registry Sanitization"):
+ *
+ *   - For metric destinations (Datadog tags, OTel metric attributes,
+ *     anything where cardinality is a billing/scale concern OR the
+ *     destination is shared across orgs): emit a low-cardinality bucket
+ *     instead of the raw name. Use `npmAttributesForMetric` →
+ *     `package_name_bucket` ∈ { public | private | unknown | invalid }.
+ *
+ *   - For audit / log destinations (per-org event streams, forensic
+ *     value, internally retained): emit the lowercased name verbatim,
+ *     gated against known-secret value shapes. Use `npmAttributesForAudit`
+ *     → `package_name` ∈ { <verbatim> | unknown | invalid }.
+ *
+ * Other attributes (the same across destinations):
+ *   - registry_host → bounded enum: public_npm | private | unknown
+ *   - npm.outcome   → closed allowlist; unknown values → `other`
+ *   - tokens        → never appear in any attribute (regression-tested)
+ */
+export declare const NPM_REGISTRY_BUCKETS: readonly ["public_npm", "private", "unknown"];
+export type NpmRegistryBucket = (typeof NPM_REGISTRY_BUCKETS)[number];
+/**
+ * Map a registry URL or bare hostname to a bounded bucket. Raw hostnames
+ * are never emitted; downstream emitters always pass values through here.
+ *
+ * Rules:
+ *   - null/undefined/blank → `unknown`
+ *   - parse failure        → `unknown`
+ *   - hostname exact-matches PUBLIC_NPM_HOSTS (case-insensitive) → `public_npm`
+ *   - anything else        → `private`
+ *
+ * `npm.pkg.github.com` is conservatively bucketed as `private`: customers
+ * deploy it as their private registry, and bucketing it as private avoids
+ * the false-negative of suppressing private-registry behavior in telemetry.
+ */
+export declare function bucketNpmRegistryHost(input: string | null | undefined): NpmRegistryBucket;
+/**
+ * Audit/log-destination form of the `package_name` attribute. Returns the
+ * lowercased input verbatim when it parses as an npm name AND does not
+ * match a known-secret value shape. Use only for destinations that can
+ * tolerate per-package cardinality and per-org name sensitivity (audit
+ * event streams, internal logs). For metric destinations, use
+ * `bucketNpmPackageName` instead — emitting raw names as metric tags is
+ * unbounded cardinality and leaks customer-internal package names across
+ * orgs sharing a metric destination.
+ *
+ *   - null/undefined/blank        → `unknown`
+ *   - matches a known-secret value pattern (token, JWT, AWS key, etc.)
+ *                                 → `invalid` (defense for developer error
+ *                                    that stuffs a secret into a name arg)
+ *   - input fails npm name spec   → `invalid`
+ *   - otherwise                   → lowercased input verbatim
+ *
+ * The known-secret check uses `containsForbiddenPattern` from the tier-2
+ * traces contract, so this helper stays in sync with the existing
+ * runtime/lint guardrails as new secret shapes are added there.
+ */
+export declare function sanitizeNpmPackageName(input: string | null | undefined): string;
+/**
+ * Metric-destination bucket for the package name. Low-cardinality and
+ * agnostic of the specific name — dashboards split installs by registry
+ * source without ever seeing customer-internal package names.
+ *
+ *   - public_npm registry + valid name → `public`
+ *   - private registry   + valid name  → `private`
+ *   - unknown registry   + valid name  → `unknown`
+ *   - name fails npm spec OR matches a known-secret value pattern → `invalid`
+ *   - name is null/empty                                          → `unknown`
+ *
+ * The registry bucket is taken as input rather than recomputed so callers
+ * never accidentally bucket a name without also bucketing its registry.
+ */
+export declare const NPM_PACKAGE_NAME_BUCKETS: readonly ["public", "private", "unknown", "invalid"];
+export type NpmPackageNameBucket = (typeof NPM_PACKAGE_NAME_BUCKETS)[number];
+export declare function bucketNpmPackageName(input: string | null | undefined, registryBucket: NpmRegistryBucket): NpmPackageNameBucket;
+/**
+ * Closed outcome enum. First five values match the structured error from
+ * APPS-4179 (P1.2) and APPS-4195 (P1.5); `tls_failed` was added in
+ * APPS-4381 to give TLS handshake failures their own dashboard facet
+ * (previously routed to `other` and lost the actionable CA-bundle signal);
+ * `other` is the catch-all so dashboards never see free-form strings.
+ */
+export declare const NPM_OUTCOMES: readonly ["success", "not_in_registry", "registry_unreachable", "registry_auth_failed", "tls_failed", "lockfile_url_mismatch", "other"];
+export type NpmOutcome = (typeof NPM_OUTCOMES)[number];
+/** Coerce an outcome to the closed enum at the emit boundary. */
+export declare function normalizeNpmOutcome(input: string | null | undefined): NpmOutcome;
+export interface NpmAttributesInput {
+    registry_host?: string | null;
+    package_name?: string | null;
+    outcome?: string | null;
+}
+/** Metric-destination output shape. Low-cardinality across all fields. */
+export interface NpmMetricAttributes {
+    registry_host: NpmRegistryBucket;
+    package_name_bucket: NpmPackageNameBucket;
+    outcome: NpmOutcome;
+}
+/**
+ * Audit/log-destination output shape. `package_name` is verbatim
+ * (lowercased) — use only for destinations that can tolerate per-package
+ * cardinality and per-org name sensitivity.
+ */
+export interface NpmAuditAttributes {
+    registry_host: NpmRegistryBucket;
+    package_name: string;
+    outcome: NpmOutcome;
+}
+/**
+ * Metric-safe attributes. Emitters of OTel metrics, Datadog metric tags,
+ * Tempo span attributes that flow to shared metric destinations, etc.
+ * MUST use this wrapper. The output never contains a raw package name.
+ */
+export declare function npmAttributesForMetric(input: NpmAttributesInput): NpmMetricAttributes;
+/**
+ * Audit/log-safe attributes. Emitters of audit events and internal logs
+ * that retain per-org context (and that operators rely on for forensic
+ * value, e.g. "which package failed for org X?") use this wrapper. The
+ * verbatim name is gated by the known-secret value pattern set.
+ */
+export declare function npmAttributesForAudit(input: NpmAttributesInput): NpmAuditAttributes;
+/**
+ * Redact registry URLs and bare hostnames from a free-text npm/pnpm error
+ * blob before it lands in a shared operational log line (auto-upgrade
+ * `[npm-install-blocked]` and any future caller). The destination is shared
+ * across orgs, so even an incidental hostname in the npm-emitted phrasing —
+ * `"401 Unauthorized - GET https://customer.jfrog.io/..."`,
+ * `"request to https://npm.private/... failed, reason: ENOTFOUND npm.private"`,
+ * `"connect ECONNREFUSED 10.0.0.5:4873"` — is a customer-infra leak that
+ * `bucketNpmRegistryHost` already prevents for the structured `registry_host`
+ * facet. This helper extends the same rule to free-text fields:
+ *
+ *   - Every `http(s)://...` URL is replaced with its registry bucket token
+ *     (`<public_npm>` or `<private>`), preserving the diagnostic shape of
+ *     the line while erasing the host.
+ *   - Bare `ENOTFOUND <host>` / `EAI_AGAIN <host>` payloads — npm emits the
+ *     host as the next whitespace-delimited token after these DNS error
+ *     codes — get the host replaced with `<host>`.
+ *   - `connect E* <ip>[:port]` payloads (ECONNREFUSED, ETIMEDOUT, …) — the
+ *     IP literal carries the same private-infra signal as a hostname — get
+ *     the address replaced with `<host>`.
+ *
+ * The replacement is intentionally lossy: the npm phrasing ("Unauthorized",
+ * "self-signed certificate in chain", "ENOTFOUND") is what operators need
+ * for triage; the host identity is what we must drop.
+ */
+export declare function redactNpmRegistryHostsFromText(input: string): string;
+//# sourceMappingURL=sanitize-npm-attributes.d.ts.map

package/dist/common/sanitize-npm-attributes.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sanitize-npm-attributes.d.ts","sourceRoot":"","sources":["../../src/common/sanitize-npm-attributes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAIH,eAAO,MAAM,oBAAoB,+CAIvB,CAAC;AACX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAC;AAKtE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC/B,iBAAiB,CAkBnB;AAeD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC/B,MAAM,CAWR;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,wBAAwB,sDAK3B,CAAC;AACX,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE7E,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,cAAc,EAAE,iBAAiB,GAChC,oBAAoB,CAetB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,yIAQf,CAAC;AACX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC;AAIvD,iEAAiE;AACjE,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC/B,UAAU,CAGZ;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,0EAA0E;AAC1E,MAAM,WAAW,mBAAmB;IAClC,aAAa,EAAE,iBAAiB,CAAC;IACjC,mBAAmB,EAAE,oBAAoB,CAAC;IAC1C,OAAO,EAAE,UAAU,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,iBAAiB,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,UAAU,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,kBAAkB,GACxB,mBAAmB,CAUrB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,kBAAkB,GACxB,kBAAkB,CAMpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CA0BpE"}

package/dist/common/sanitize-npm-attributes.js ADDED Viewed

@@ -0,0 +1,268 @@
+"use strict";
+/**
+ * NPM Registry Attribute Sanitization (APPS-4190)
+ *
+ * Sanitization helpers for the telemetry attributes that P6.2 (APPS-4189
+ * metrics) and P6.3 (APPS-4191 audit events) emit from every npm install
+ * path. Every emitter MUST pass values through these helpers before
+ * attaching them to a span, metric, log, or audit event so that cloud-prem
+ * telemetry never carries customer infra hostnames or registry tokens.
+ *
+ * Policy split — package_name is destination-dependent (decision-point
+ * captured in PR / README "NPM Registry Sanitization"):
+ *
+ *   - For metric destinations (Datadog tags, OTel metric attributes,
+ *     anything where cardinality is a billing/scale concern OR the
+ *     destination is shared across orgs): emit a low-cardinality bucket
+ *     instead of the raw name. Use `npmAttributesForMetric` →
+ *     `package_name_bucket` ∈ { public | private | unknown | invalid }.
+ *
+ *   - For audit / log destinations (per-org event streams, forensic
+ *     value, internally retained): emit the lowercased name verbatim,
+ *     gated against known-secret value shapes. Use `npmAttributesForAudit`
+ *     → `package_name` ∈ { <verbatim> | unknown | invalid }.
+ *
+ * Other attributes (the same across destinations):
+ *   - registry_host → bounded enum: public_npm | private | unknown
+ *   - npm.outcome   → closed allowlist; unknown values → `other`
+ *   - tokens        → never appear in any attribute (regression-tested)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NPM_OUTCOMES = exports.NPM_PACKAGE_NAME_BUCKETS = exports.NPM_REGISTRY_BUCKETS = void 0;
+exports.bucketNpmRegistryHost = bucketNpmRegistryHost;
+exports.sanitizeNpmPackageName = sanitizeNpmPackageName;
+exports.bucketNpmPackageName = bucketNpmPackageName;
+exports.normalizeNpmOutcome = normalizeNpmOutcome;
+exports.npmAttributesForMetric = npmAttributesForMetric;
+exports.npmAttributesForAudit = npmAttributesForAudit;
+exports.redactNpmRegistryHostsFromText = redactNpmRegistryHostsFromText;
+const tier2_traces_js_1 = require("./contracts/tier2-traces.js");
+exports.NPM_REGISTRY_BUCKETS = [
+    "public_npm",
+    "private",
+    "unknown",
+];
+/** Exact-match allowlist for the `public_npm` bucket. */
+const PUBLIC_NPM_HOSTS = new Set(["registry.npmjs.org"]);
+/**
+ * Map a registry URL or bare hostname to a bounded bucket. Raw hostnames
+ * are never emitted; downstream emitters always pass values through here.
+ *
+ * Rules:
+ *   - null/undefined/blank → `unknown`
+ *   - parse failure        → `unknown`
+ *   - hostname exact-matches PUBLIC_NPM_HOSTS (case-insensitive) → `public_npm`
+ *   - anything else        → `private`
+ *
+ * `npm.pkg.github.com` is conservatively bucketed as `private`: customers
+ * deploy it as their private registry, and bucketing it as private avoids
+ * the false-negative of suppressing private-registry behavior in telemetry.
+ */
+function bucketNpmRegistryHost(input) {
+    if (input == null)
+        return "unknown";
+    const trimmed = input.trim();
+    if (trimmed === "")
+        return "unknown";
+    let host;
+    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed)) {
+        try {
+            host = new URL(trimmed).hostname.toLowerCase();
+        }
+        catch {
+            return "unknown";
+        }
+    }
+    else {
+        host = trimmed.split(/[/:]/, 1)[0].toLowerCase();
+    }
+    if (host === "")
+        return "unknown";
+    return PUBLIC_NPM_HOSTS.has(host) ? "public_npm" : "private";
+}
+/** npm package name spec (lowercased): optional `@scope/` prefix + name body. */
+const VALID_PACKAGE_NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
+/**
+ * npm name length cap from the package-name spec. The character-set regex
+ * alone admits arbitrarily long strings of `[a-z0-9._-]`; without this cap
+ * a hostile or buggy caller can flow a 10k-char payload through the
+ * verbatim audit/log path. Enforced on both the audit and metric helpers
+ * so an oversize input is `invalid` in either destination.
+ */
+const NPM_PACKAGE_NAME_MAX_LENGTH = 214;
+/**
+ * Audit/log-destination form of the `package_name` attribute. Returns the
+ * lowercased input verbatim when it parses as an npm name AND does not
+ * match a known-secret value shape. Use only for destinations that can
+ * tolerate per-package cardinality and per-org name sensitivity (audit
+ * event streams, internal logs). For metric destinations, use
+ * `bucketNpmPackageName` instead — emitting raw names as metric tags is
+ * unbounded cardinality and leaks customer-internal package names across
+ * orgs sharing a metric destination.
+ *
+ *   - null/undefined/blank        → `unknown`
+ *   - matches a known-secret value pattern (token, JWT, AWS key, etc.)
+ *                                 → `invalid` (defense for developer error
+ *                                    that stuffs a secret into a name arg)
+ *   - input fails npm name spec   → `invalid`
+ *   - otherwise                   → lowercased input verbatim
+ *
+ * The known-secret check uses `containsForbiddenPattern` from the tier-2
+ * traces contract, so this helper stays in sync with the existing
+ * runtime/lint guardrails as new secret shapes are added there.
+ */
+function sanitizeNpmPackageName(input) {
+    if (input == null)
+        return "unknown";
+    const trimmed = input.trim();
+    if (trimmed === "")
+        return "unknown";
+    if (trimmed.length > NPM_PACKAGE_NAME_MAX_LENGTH)
+        return "invalid";
+    // Check against secret patterns BEFORE lowercasing: AKIA/JWT/PEM patterns
+    // are case-sensitive and would otherwise slip through after toLowerCase().
+    if ((0, tier2_traces_js_1.containsForbiddenPattern)(trimmed))
+        return "invalid";
+    const normalized = trimmed.toLowerCase();
+    if (!VALID_PACKAGE_NAME_RE.test(normalized))
+        return "invalid";
+    return normalized;
+}
+/**
+ * Metric-destination bucket for the package name. Low-cardinality and
+ * agnostic of the specific name — dashboards split installs by registry
+ * source without ever seeing customer-internal package names.
+ *
+ *   - public_npm registry + valid name → `public`
+ *   - private registry   + valid name  → `private`
+ *   - unknown registry   + valid name  → `unknown`
+ *   - name fails npm spec OR matches a known-secret value pattern → `invalid`
+ *   - name is null/empty                                          → `unknown`
+ *
+ * The registry bucket is taken as input rather than recomputed so callers
+ * never accidentally bucket a name without also bucketing its registry.
+ */
+exports.NPM_PACKAGE_NAME_BUCKETS = [
+    "public",
+    "private",
+    "unknown",
+    "invalid",
+];
+function bucketNpmPackageName(input, registryBucket) {
+    if (input == null)
+        return "unknown";
+    const trimmed = input.trim();
+    if (trimmed === "")
+        return "unknown";
+    if (trimmed.length > NPM_PACKAGE_NAME_MAX_LENGTH)
+        return "invalid";
+    if ((0, tier2_traces_js_1.containsForbiddenPattern)(trimmed))
+        return "invalid";
+    if (!VALID_PACKAGE_NAME_RE.test(trimmed.toLowerCase()))
+        return "invalid";
+    switch (registryBucket) {
+        case "public_npm":
+            return "public";
+        case "private":
+            return "private";
+        case "unknown":
+            return "unknown";
+    }
+}
+/**
+ * Closed outcome enum. First five values match the structured error from
+ * APPS-4179 (P1.2) and APPS-4195 (P1.5); `tls_failed` was added in
+ * APPS-4381 to give TLS handshake failures their own dashboard facet
+ * (previously routed to `other` and lost the actionable CA-bundle signal);
+ * `other` is the catch-all so dashboards never see free-form strings.
+ */
+exports.NPM_OUTCOMES = [
+    "success",
+    "not_in_registry",
+    "registry_unreachable",
+    "registry_auth_failed",
+    "tls_failed",
+    "lockfile_url_mismatch",
+    "other",
+];
+const NPM_OUTCOME_SET = new Set(exports.NPM_OUTCOMES);
+/** Coerce an outcome to the closed enum at the emit boundary. */
+function normalizeNpmOutcome(input) {
+    if (typeof input !== "string")
+        return "other";
+    return NPM_OUTCOME_SET.has(input) ? input : "other";
+}
+/**
+ * Metric-safe attributes. Emitters of OTel metrics, Datadog metric tags,
+ * Tempo span attributes that flow to shared metric destinations, etc.
+ * MUST use this wrapper. The output never contains a raw package name.
+ */
+function npmAttributesForMetric(input) {
+    const registry_host = bucketNpmRegistryHost(input.registry_host);
+    return {
+        registry_host,
+        package_name_bucket: bucketNpmPackageName(input.package_name, registry_host),
+        outcome: normalizeNpmOutcome(input.outcome),
+    };
+}
+/**
+ * Audit/log-safe attributes. Emitters of audit events and internal logs
+ * that retain per-org context (and that operators rely on for forensic
+ * value, e.g. "which package failed for org X?") use this wrapper. The
+ * verbatim name is gated by the known-secret value pattern set.
+ */
+function npmAttributesForAudit(input) {
+    return {
+        registry_host: bucketNpmRegistryHost(input.registry_host),
+        package_name: sanitizeNpmPackageName(input.package_name),
+        outcome: normalizeNpmOutcome(input.outcome),
+    };
+}
+/**
+ * Redact registry URLs and bare hostnames from a free-text npm/pnpm error
+ * blob before it lands in a shared operational log line (auto-upgrade
+ * `[npm-install-blocked]` and any future caller). The destination is shared
+ * across orgs, so even an incidental hostname in the npm-emitted phrasing —
+ * `"401 Unauthorized - GET https://customer.jfrog.io/..."`,
+ * `"request to https://npm.private/... failed, reason: ENOTFOUND npm.private"`,
+ * `"connect ECONNREFUSED 10.0.0.5:4873"` — is a customer-infra leak that
+ * `bucketNpmRegistryHost` already prevents for the structured `registry_host`
+ * facet. This helper extends the same rule to free-text fields:
+ *
+ *   - Every `http(s)://...` URL is replaced with its registry bucket token
+ *     (`<public_npm>` or `<private>`), preserving the diagnostic shape of
+ *     the line while erasing the host.
+ *   - Bare `ENOTFOUND <host>` / `EAI_AGAIN <host>` payloads — npm emits the
+ *     host as the next whitespace-delimited token after these DNS error
+ *     codes — get the host replaced with `<host>`.
+ *   - `connect E* <ip>[:port]` payloads (ECONNREFUSED, ETIMEDOUT, …) — the
+ *     IP literal carries the same private-infra signal as a hostname — get
+ *     the address replaced with `<host>`.
+ *
+ * The replacement is intentionally lossy: the npm phrasing ("Unauthorized",
+ * "self-signed certificate in chain", "ENOTFOUND") is what operators need
+ * for triage; the host identity is what we must drop.
+ */
+function redactNpmRegistryHostsFromText(input) {
+    if (input === "")
+        return input;
+    // URLs first. The match is greedy on non-whitespace/closing-paren chars to
+    // capture query strings and paths along with the host so the whole URL is
+    // replaced as a unit (a trailing `/path?token=...` containing a leaked
+    // host substring would otherwise survive a host-only replacement).
+    let out = input.replace(/https?:\/\/[^\s)]+/gi, (match) => {
+        const bucket = bucketNpmRegistryHost(match);
+        return bucket === "public_npm" ? "<public_npm>" : "<private>";
+    });
+    // DNS error codes name the host on the same line. Match the code as a
+    // word boundary so substrings inside other tokens don't trigger. The
+    // captured host token is whatever sits between the code and the next
+    // whitespace / punctuation that npm uses as a separator.
+    out = out.replace(/\b(ENOTFOUND|EAI_AGAIN)\s+([^\s,;:'")\]]+)/gi, (_m, code) => `${code} <host>`);
+    // `connect E<CODE> <ip>[:port]` — npm phrasing for low-level socket
+    // errors. The IP literal is the host facet to redact; the port is dropped
+    // alongside because port + private-IP together is the same infra signal.
+    out = out.replace(/\bconnect\s+(E[A-Z]+)\s+([0-9a-fA-F.:]+)(?::\d+)?/g, (_m, code) => `connect ${code} <host>`);
+    return out;
+}
+//# sourceMappingURL=sanitize-npm-attributes.js.map

package/dist/common/sanitize-npm-attributes.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sanitize-npm-attributes.js","sourceRoot":"","sources":["../../src/common/sanitize-npm-attributes.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;;AA4BH,sDAoBC;AAoCD,wDAaC;AAwBD,oDAkBC;AAuBD,kDAKC;AA+BD,wDAYC;AAQD,sDAQC;AA2BD,wEA0BC;AArRD,iEAAuE;AAE1D,QAAA,oBAAoB,GAAG;IAClC,YAAY;IACZ,SAAS;IACT,SAAS;CACD,CAAC;AAGX,yDAAyD;AACzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAEjE;;;;;;;;;;;;;GAaG;AACH,SAAgB,qBAAqB,CACnC,KAAgC;IAEhC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAErC,IAAI,IAAY,CAAC;IACjB,IAAI,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,IAAI,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAClC,OAAO,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/D,CAAC;AAED,iFAAiF;AACjF,MAAM,qBAAqB,GACzB,oDAAoD,CAAC;AAEvD;;;;;;GAMG;AACH,MAAM,2BAA2B,GAAG,GAAG,CAAC;AAExC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,sBAAsB,CACpC,KAAgC;IAEhC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,GAAG,2BAA2B;QAAE,OAAO,SAAS,CAAC;IACnE,0EAA0E;IAC1E,2EAA2E;IAC3E,IAAI,IAAA,0CAAwB,EAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IACxD,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9D,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACU,QAAA,wBAAwB,GAAG;IACtC,QAAQ;IACR,SAAS;IACT,SAAS;IACT,SAAS;CACD,CAAC;AAGX,SAAgB,oBAAoB,CAClC,KAAgC,EAChC,cAAiC;IAEjC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,GAAG,2BAA2B;QAAE,OAAO,SAAS,CAAC;IACnE,IAAI,IAAA,0CAAwB,EAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IACxD,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,SAAS,CAAC;IACzE,QAAQ,cAAc,EAAE,CAAC;QACvB,KAAK,YAAY;YACf,OAAO,QAAQ,CAAC;QAClB,KAAK,SAAS;YACZ,OAAO,SAAS,CAAC;QACnB,KAAK,SAAS;YACZ,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACU,QAAA,YAAY,GAAG;IAC1B,SAAS;IACT,iBAAiB;IACjB,sBAAsB;IACtB,sBAAsB;IACtB,YAAY;IACZ,uBAAuB;IACvB,OAAO;CACC,CAAC;AAGX,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,oBAAY,CAAC,CAAC;AAEtD,iEAAiE;AACjE,SAAgB,mBAAmB,CACjC,KAAgC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAC9C,OAAO,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,KAAoB,CAAC,CAAC,CAAC,OAAO,CAAC;AACtE,CAAC;AA0BD;;;;GAIG;AACH,SAAgB,sBAAsB,CACpC,KAAyB;IAEzB,MAAM,aAAa,GAAG,qBAAqB,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACjE,OAAO;QACL,aAAa;QACb,mBAAmB,EAAE,oBAAoB,CACvC,KAAK,CAAC,YAAY,EAClB,aAAa,CACd;QACD,OAAO,EAAE,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CACnC,KAAyB;IAEzB,OAAO;QACL,aAAa,EAAE,qBAAqB,CAAC,KAAK,CAAC,aAAa,CAAC;QACzD,YAAY,EAAE,sBAAsB,CAAC,KAAK,CAAC,YAAY,CAAC;QACxD,OAAO,EAAE,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAgB,8BAA8B,CAAC,KAAa;IAC1D,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC/B,2EAA2E;IAC3E,0EAA0E;IAC1E,uEAAuE;IACvE,mEAAmE;IACnE,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,KAAK,EAAE,EAAE;QACxD,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAC5C,OAAO,MAAM,KAAK,YAAY,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,WAAW,CAAC;IAChE,CAAC,CAAC,CAAC;IACH,sEAAsE;IACtE,qEAAqE;IACrE,qEAAqE;IACrE,yDAAyD;IACzD,GAAG,GAAG,GAAG,CAAC,OAAO,CACf,8CAA8C,EAC9C,CAAC,EAAE,EAAE,IAAY,EAAE,EAAE,CAAC,GAAG,IAAI,SAAS,CACvC,CAAC;IACF,oEAAoE;IACpE,0EAA0E;IAC1E,yEAAyE;IACzE,GAAG,GAAG,GAAG,CAAC,OAAO,CACf,oDAAoD,EACpD,CAAC,EAAE,EAAE,IAAY,EAAE,EAAE,CAAC,WAAW,IAAI,SAAS,CAC/C,CAAC;IACF,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/node/init.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/node/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAS,MAAM,EAAW,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAQ,MAAM,EAAE,MAAM,yBAAyB,CAAC;AAWvD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;~~AAIlD~~,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAGzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAiB,MAAM,oBAAoB,CAAC;AAOpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAMpD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mEAAmE;IACnE,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,6CAA6C;IAC7C,eAAe,EAAE,wBAAwB,CAAC;IAC1C,mCAAmC;IACnC,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IACrC,kCAAkC;IAClC,QAAQ,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC;IACnC,mCAAmC;IACnC,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IACrC,oEAAoE;IACpE,aAAa,EAAE,aAAa,CAAC;IAC7B,wBAAwB;IACxB,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/B;AAmGD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,mBAAmB,EAC3B,MAAM,EAAE,eAAe,GACtB,qBAAqB,~~CAiLvB~~;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,qBAAqB,CAO5D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC"}
1	+ {"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/node/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAS,MAAM,EAAW,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAQ,MAAM,EAAE,MAAM,yBAAyB,CAAC;AAWvD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAOlD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAGzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAiB,MAAM,oBAAoB,CAAC;AAOpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAMpD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mEAAmE;IACnE,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,6CAA6C;IAC7C,eAAe,EAAE,wBAAwB,CAAC;IAC1C,mCAAmC;IACnC,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IACrC,kCAAkC;IAClC,QAAQ,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC;IACnC,mCAAmC;IACnC,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IACrC,oEAAoE;IACpE,aAAa,EAAE,aAAa,CAAC;IAC7B,wBAAwB;IACxB,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/B;AAmGD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,mBAAmB,EAC3B,MAAM,EAAE,eAAe,GACtB,qBAAqB,CAuLvB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,qBAAqB,CAO5D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC"}

package/dist/node/init.js CHANGED Viewed

@@ -20,6 +20,7 @@ const exporter_trace_otlp_http_1 = require("@opentelemetry/exporter-trace-otlp-h
 const sdk_logs_1 = require("@opentelemetry/sdk-logs");
 const sdk_metrics_1 = require("@opentelemetry/sdk-metrics");
 const sdk_node_1 = require("@opentelemetry/sdk-node");
+const sdk_trace_base_1 = require("@opentelemetry/sdk-trace-base");
 const tier2_traces_js_1 = require("../common/contracts/tier2-traces.js");
 const policy_evaluator_js_1 = require("../common/policy-evaluator.js");
 const resource_js_1 = require("../common/resource.js");
@@ -187,6 +188,12 @@ function initNodeTelemetry(config, policy) {
         });
         const spanProcessorLogger = config.logger ?? createConsoleFallbackLogger();
         spanProcessor = new sanitizing_processor_js_1.SanitizingSpanProcessor(policyEvaluator, sanitizing_processor_js_1.noopSpanProcessor, tier2Exporter, traceSanitizer, spanProcessorLogger);
+        // Local-obs override: bypass the sanitizer so the local LGTM stack sees
+        // every span (service graph, raw attrs). Same exporter as cloud — only the
+        // processor changes.
+        if (process.env.SUPERBLOCKS_LOCAL_OBS === "true") {
+            spanProcessor = new sdk_trace_base_1.BatchSpanProcessor(tier2Exporter);
+        }
     }
     // Create metric exporter if enabled
     // Use isExportEnabled (not canExport) - sampling applies at runtime, not initialization

package/dist/node/init.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/node/init.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;~~AAkLH~~,~~8CAoLC~~;AAOD,oDAOC;AAKD,wDAEC;AAMD,wCAEC;~~AAjYD~~,4CAAmE;AACnE,sDAAuD;AACvD,4EAAqF;AACrF,8CAAgE;AAChE,oFAAyE;AACzE,0FAA+E;AAC/E,sFAA4E;AAC5E,sDAAkE;AAClE,4DAGoC;AACpC,sDAAkD;~~AAGlD~~,yEAAqF;AACrF,uEAAyE;AACzE,uDAAwE;AACxE,qEAA8D;AAE9D,kDAAoE;AACpE,6EAAsE;AACtE,yDAI4B;AAC5B,2DAAoD;AACpD,uEAGmC;AAsBnC,qBAAqB;AACrB,IAAI,QAA2C,CAAC;AAEhD;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CACzB,MAA2B,EAC3B,MAAuB;IAEvB,MAAM,eAAe,GAAG,IAAI,8CAAwB,CAAC,MAAM,CAAC,CAAC;IAE7D,2CAA2C;IAC3C,MAAM,YAAY,GAAG,aAAO,CAAC,QAAQ,CACnC,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,cAAc,CACtB,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,SAAS;QACd,eAAe;QACf,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,WAAK,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACpE,QAAQ,EAAE,CAAC,IAAa,EAAE,EAAE,CAC1B,aAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACrE,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,eAAI,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnE,aAAa,EAAE,IAAI,iCAAa,CAAC,YAAY,CAAC;QAC9C,QAAQ,EAAE,KAAK,IAAI,EAAE;YACnB,uCAAuC;QACzC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,2BAA2B;IAIlC,MAAM,GAAG,GACP,CAAC,KAAuB,EAAE,EAAE,CAC5B,CAAC,CAAkB,EAAE,CAAU,EAAQ,EAAE;QACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,KAAK,KAAK,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;gBACjC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,IAAI,KAAK,KAAK,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;;gBAC1C,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;IACJ,OAAO;QACL,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC;QACnB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC;KAClB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,2BAA2B,CAAC,MAA2B;IAC9D,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,CAAC,OAAO,KAAM,KAAe,CAAC,OAAO,GAAG,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAgB,iBAAiB,CAC/B,MAA2B,EAC3B,MAAuB;IAEvB,qBAAqB;IACrB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,kBAAkB;IAClB,2BAA2B,CAAC,MAAM,CAAC,CAAC;IAEpC,kDAAkD;IAClD,IAAI,QAAQ,EAAE,CAAC;QACb,uCAAuC;QACvC,MAAM,cAAc,GAAG,QAAQ,CAAC,eAAe,CAAC,SAAS,EAAE,CAAC;QAC5D,IAAI,cAAc,CAAC,cAAc,KAAK,MAAM,CAAC,cAAc,EAAE,CAAC;YAC5D,OAAO,CAAC,IAAI,CACV,iEAAiE;gBAC/D,cAAc,cAAc,CAAC,cAAc,gBAAgB,MAAM,CAAC,cAAc,KAAK;gBACrF,8BAA8B,CACjC,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,iDAAiD;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAC5E,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,8CAAwB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAA,2BAAa,EAAC,MAAM,CAAC,CAAC;IAEvC,4CAA4C;IAC5C,IAAA,8BAAgB,EAAC,QAAQ,CAAC,CAAC;IAE3B,wCAAwC;IACxC,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,MAAM,MAAM,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,EAAE;QAC/C,YAAY,IAAI,KAAK,CAAC;QACtB,OAAO,CAAC,IAAI,CACV,uBAAuB,KAAK,WAAW,MAAM,qBAAqB,YAAY,EAAE,CACjF,CAAC;IACJ,CAAC,CAAC;IAEF,sEAAsE;IACtE,yFAAyF;IACzF,yFAAyF;IACzF,IAAI,aAAwC,CAAC;IAC7C,IACE,MAAM,CAAC,OAAO;QACd,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC,EACjE,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,yCAAiB,CAAC;YAC1C,QAAQ,EAAE,IAAI,4CAAiB,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,YAAY,EAAE,CAAC;YACvE,MAAM;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,IAAI,IAAI,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAA,gDAA8B,EAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,IAAI,mCAAc,CAAC;YACxC,UAAU;YACV,GAAG,aAAa;SACjB,CAAC,CAAC;QACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,IAAI,2BAA2B,EAAE,CAAC;QAC3E,aAAa,GAAG,IAAI,iDAAuB,CACzC,eAAe,EACf,2CAAiB,EACjB,aAAa,EACb,cAAc,EACd,mBAAmB,CACpB,CAAC;~~IACJ~~,CAAC;IAED,oCAAoC;IACpC,wFAAwF;IACxF,IAAI,YAAuD,CAAC;IAC5D,IACE,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,cAAc,KAAK,KAAK;QAC/B,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC,EACjE,CAAC;QACD,YAAY,GAAG,IAAI,2CAA6B,CAAC;YAC/C,QAAQ,EAAE,IAAI,+CAAkB,CAAC;gBAC/B,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,aAAa;gBACnC,qBAAqB,EAAE,oCAAsB,CAAC,KAAK;aACpD,CAAC;YACF,oBAAoB,EAAE,KAAK,EAAE,mBAAmB;SACjD,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,4DAA4D;IAC5D,kGAAkG;IAClG,gFAAgF;IAChF,2DAA2D;IAC3D,IAAI,YAAiD,CAAC;IACtD,MAAM,aAAa,GAAG,IAAA,mCAAgB,EAAC,MAAM,CAAC,CAAC;IAE/C,IACE,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,WAAW,KAAK,KAAK;QAC5B,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC;QACjE,aAAa,CAAC,UAAU,KAAK,gCAAa,CAAC,UAAU,EACrD,CAAC;QACD,MAAM,cAAc,GAAG,IAAI,kCAAuB,CAChD,IAAI,yCAAe,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,UAAU,EAAE,CAAC,CAC1D,CAAC;QACF,YAAY,GAAG,IAAI,0CAAuB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAC5E,CAAC;IAED,iBAAiB;IACjB,uGAAuG;IACvG,MAAM,GAAG,GAAG,IAAI,kBAAO,CAAC;QACtB,QAAQ;QACR,aAAa;QACb,YAAY;QACZ,kBAAkB,EAAE,YAAY;QAChC,cAAc,EAAE,IAAI,qDAA+B,EAAE;QACrD,iBAAiB,EAAE,IAAI,gCAAyB,EAAE;QAClD,iGAAiG;QACjG,gBAAgB,EAAE,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAQ;KACzD,CAAC,CAAC;IAEH,GAAG,CAAC,KAAK,EAAE,CAAC;IAEZ,MAAM,aAAa,GAAG,aAAa;QACjC,CAAC,CAAC,4BAA4B;QAC9B,CAAC,CAAC,UAAU,CAAC;IACf,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7D,MAAM,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;IAC1D,IAAI,OAAO,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB;YACE,SAAS,EAAE,WAAW;YACtB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,cAAc;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,aAAa;SACtB,EACD,uBAAuB,CACxB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CACV,+BAA+B,MAAM,CAAC,WAAW,KAAK,MAAM,CAAC,cAAc,GAAG;YAC5E,cAAc,aAAa,eAAe,cAAc,YAAY,WAAW,EAAE,CACpF,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,aAAO,CAAC,QAAQ,CACnC,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,cAAc,CACtB,CAAC;IAEF,QAAQ,GAAG;QACT,GAAG;QACH,eAAe;QACf,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,WAAK,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACpE,QAAQ,EAAE,CAAC,IAAa,EAAE,EAAE,CAC1B,aAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACrE,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,eAAI,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnE,aAAa,EAAE,IAAI,iCAAa,CAAC,YAAY,CAAC;QAC9C,QAAQ,EAAE,KAAK,IAAI,EAAE;YACnB,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC;YACvB,CAAC;oBAAS,CAAC;gBACT,QAAQ,GAAG,SAAS,CAAC;YACvB,CAAC;QACH,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB;IACpC,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc;IAC5B,QAAQ,GAAG,SAAS,CAAC;AACvB,CAAC"}
1	+ {"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/node/init.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAqLH,8CA0LC;AAOD,oDAOC;AAKD,wDAEC;AAMD,wCAEC;AA1YD,4CAAmE;AACnE,sDAAuD;AACvD,4EAAqF;AACrF,8CAAgE;AAChE,oFAAyE;AACzE,0FAA+E;AAC/E,sFAA4E;AAC5E,sDAAkE;AAClE,4DAGoC;AACpC,sDAAkD;AAClD,kEAGuC;AAEvC,yEAAqF;AACrF,uEAAyE;AACzE,uDAAwE;AACxE,qEAA8D;AAE9D,kDAAoE;AACpE,6EAAsE;AACtE,yDAI4B;AAC5B,2DAAoD;AACpD,uEAGmC;AAsBnC,qBAAqB;AACrB,IAAI,QAA2C,CAAC;AAEhD;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CACzB,MAA2B,EAC3B,MAAuB;IAEvB,MAAM,eAAe,GAAG,IAAI,8CAAwB,CAAC,MAAM,CAAC,CAAC;IAE7D,2CAA2C;IAC3C,MAAM,YAAY,GAAG,aAAO,CAAC,QAAQ,CACnC,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,cAAc,CACtB,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,SAAS;QACd,eAAe;QACf,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,WAAK,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACpE,QAAQ,EAAE,CAAC,IAAa,EAAE,EAAE,CAC1B,aAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACrE,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,eAAI,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnE,aAAa,EAAE,IAAI,iCAAa,CAAC,YAAY,CAAC;QAC9C,QAAQ,EAAE,KAAK,IAAI,EAAE;YACnB,uCAAuC;QACzC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,2BAA2B;IAIlC,MAAM,GAAG,GACP,CAAC,KAAuB,EAAE,EAAE,CAC5B,CAAC,CAAkB,EAAE,CAAU,EAAQ,EAAE;QACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,KAAK,KAAK,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;gBACjC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,IAAI,KAAK,KAAK,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;;gBAC1C,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;IACJ,OAAO;QACL,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC;QACnB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC;KAClB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,2BAA2B,CAAC,MAA2B;IAC9D,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,CAAC,OAAO,KAAM,KAAe,CAAC,OAAO,GAAG,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAgB,iBAAiB,CAC/B,MAA2B,EAC3B,MAAuB;IAEvB,qBAAqB;IACrB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,kBAAkB;IAClB,2BAA2B,CAAC,MAAM,CAAC,CAAC;IAEpC,kDAAkD;IAClD,IAAI,QAAQ,EAAE,CAAC;QACb,uCAAuC;QACvC,MAAM,cAAc,GAAG,QAAQ,CAAC,eAAe,CAAC,SAAS,EAAE,CAAC;QAC5D,IAAI,cAAc,CAAC,cAAc,KAAK,MAAM,CAAC,cAAc,EAAE,CAAC;YAC5D,OAAO,CAAC,IAAI,CACV,iEAAiE;gBAC/D,cAAc,cAAc,CAAC,cAAc,gBAAgB,MAAM,CAAC,cAAc,KAAK;gBACrF,8BAA8B,CACjC,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,iDAAiD;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAC5E,QAAQ,GAAG,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,8CAAwB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAA,2BAAa,EAAC,MAAM,CAAC,CAAC;IAEvC,4CAA4C;IAC5C,IAAA,8BAAgB,EAAC,QAAQ,CAAC,CAAC;IAE3B,wCAAwC;IACxC,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,MAAM,MAAM,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,EAAE;QAC/C,YAAY,IAAI,KAAK,CAAC;QACtB,OAAO,CAAC,IAAI,CACV,uBAAuB,KAAK,WAAW,MAAM,qBAAqB,YAAY,EAAE,CACjF,CAAC;IACJ,CAAC,CAAC;IAEF,sEAAsE;IACtE,yFAAyF;IACzF,yFAAyF;IACzF,IAAI,aAAwC,CAAC;IAC7C,IACE,MAAM,CAAC,OAAO;QACd,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC,EACjE,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,yCAAiB,CAAC;YAC1C,QAAQ,EAAE,IAAI,4CAAiB,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,YAAY,EAAE,CAAC;YACvE,MAAM;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,IAAI,IAAI,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAA,gDAA8B,EAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,IAAI,mCAAc,CAAC;YACxC,UAAU;YACV,GAAG,aAAa;SACjB,CAAC,CAAC;QACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,IAAI,2BAA2B,EAAE,CAAC;QAC3E,aAAa,GAAG,IAAI,iDAAuB,CACzC,eAAe,EACf,2CAAiB,EACjB,aAAa,EACb,cAAc,EACd,mBAAmB,CACpB,CAAC;QACF,wEAAwE;QACxE,2EAA2E;QAC3E,qBAAqB;QACrB,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YACjD,aAAa,GAAG,IAAI,mCAAkB,CAAC,aAAa,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,wFAAwF;IACxF,IAAI,YAAuD,CAAC;IAC5D,IACE,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,cAAc,KAAK,KAAK;QAC/B,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC,EACjE,CAAC;QACD,YAAY,GAAG,IAAI,2CAA6B,CAAC;YAC/C,QAAQ,EAAE,IAAI,+CAAkB,CAAC;gBAC/B,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,aAAa;gBACnC,qBAAqB,EAAE,oCAAsB,CAAC,KAAK;aACpD,CAAC;YACF,oBAAoB,EAAE,KAAK,EAAE,mBAAmB;SACjD,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,4DAA4D;IAC5D,kGAAkG;IAClG,gFAAgF;IAChF,2DAA2D;IAC3D,IAAI,YAAiD,CAAC;IACtD,MAAM,aAAa,GAAG,IAAA,mCAAgB,EAAC,MAAM,CAAC,CAAC;IAE/C,IACE,MAAM,CAAC,OAAO;QACd,MAAM,CAAC,WAAW,KAAK,KAAK;QAC5B,eAAe,CAAC,eAAe,CAAC,yBAAa,CAAC,kBAAkB,CAAC;QACjE,aAAa,CAAC,UAAU,KAAK,gCAAa,CAAC,UAAU,EACrD,CAAC;QACD,MAAM,cAAc,GAAG,IAAI,kCAAuB,CAChD,IAAI,yCAAe,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,UAAU,EAAE,CAAC,CAC1D,CAAC;QACF,YAAY,GAAG,IAAI,0CAAuB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAC5E,CAAC;IAED,iBAAiB;IACjB,uGAAuG;IACvG,MAAM,GAAG,GAAG,IAAI,kBAAO,CAAC;QACtB,QAAQ;QACR,aAAa;QACb,YAAY;QACZ,kBAAkB,EAAE,YAAY;QAChC,cAAc,EAAE,IAAI,qDAA+B,EAAE;QACrD,iBAAiB,EAAE,IAAI,gCAAyB,EAAE;QAClD,iGAAiG;QACjG,gBAAgB,EAAE,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAQ;KACzD,CAAC,CAAC;IAEH,GAAG,CAAC,KAAK,EAAE,CAAC;IAEZ,MAAM,aAAa,GAAG,aAAa;QACjC,CAAC,CAAC,4BAA4B;QAC9B,CAAC,CAAC,UAAU,CAAC;IACf,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7D,MAAM,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;IAC1D,IAAI,OAAO,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB;YACE,SAAS,EAAE,WAAW;YACtB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,cAAc;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,aAAa;SACtB,EACD,uBAAuB,CACxB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CACV,+BAA+B,MAAM,CAAC,WAAW,KAAK,MAAM,CAAC,cAAc,GAAG;YAC5E,cAAc,aAAa,eAAe,cAAc,YAAY,WAAW,EAAE,CACpF,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,aAAO,CAAC,QAAQ,CACnC,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,cAAc,CACtB,CAAC;IAEF,QAAQ,GAAG;QACT,GAAG;QACH,eAAe;QACf,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,WAAK,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACpE,QAAQ,EAAE,CAAC,IAAa,EAAE,EAAE,CAC1B,aAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACrE,SAAS,EAAE,CAAC,IAAa,EAAE,EAAE,CAC3B,eAAI,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnE,aAAa,EAAE,IAAI,iCAAa,CAAC,YAAY,CAAC;QAC9C,QAAQ,EAAE,KAAK,IAAI,EAAE;YACnB,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC;YACvB,CAAC;oBAAS,CAAC;gBACT,QAAQ,GAAG,SAAS,CAAC;YACvB,CAAC;QACH,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB;IACpC,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc;IAC5B,QAAQ,GAAG,SAAS,CAAC;AACvB,CAAC"}

package/dist-esm/common/contracts/tier2-traces.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
- * Tier 2 Traces Contract (v0.3.0)
+ * Tier 2 Traces Contract (v0.4.0)
  *
  * Single source of truth for Tier 2 sanitized trace telemetry.
- * Mirrors: engineering/projects/o11y-refactor/contracts/tier2-traces.v0.3.0.json
+ * Mirrors: engineering/projects/o11y-refactor/contracts/tier2-traces.v0.4.0.json
  *
  * Used by:
  * - trace-sanitizer (SDK: which spans/attributes to export)
@@ -28,7 +28,7 @@ export interface SpanDefinition {
 }
 export declare function getAttributeName(attr: AllowedAttribute): string;
 /**
- * Span patterns from tier2-traces.v0.3.0.json.
+ * Span patterns from tier2-traces.v0.4.0.json.
  * Suffix wildcard only: "HTTP POST *" matches "HTTP POST /api/..." or "POST /api/...".
  */
 export declare const TIER_2_TRACE_CONTRACT: SpanDefinition[];

package/dist-esm/common/contracts/tier2-traces.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tier2-traces.d.ts","sourceRoot":"","sources":["../../../src/common/contracts/tier2-traces.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAM7D,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;CACxC;AAED,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,mBAAmB,CAAC;AAE5D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,gBAAgB,GAAG,MAAM,CAE/D;AA0KD;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,~~EAkTjD~~,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,cAAc,EAEhD,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,cAAc,EAAE,kBAAkB,GACjC,cAAc,EAAE,CAQlB;AAMD,8FAA8F;AAC9F,eAAO,MAAM,gCAAgC,EAAE,MAAM,~~EAqCpD~~,CAAC;AAEF,qEAAqE;AACrE,eAAO,MAAM,6BAA6B,EAAE,MAAM,EAAO,CAAC;AAE1D,iFAAiF;AACjF,eAAO,MAAM,mCAAmC,EAAE,MAAM,EAAqB,CAAC;AAM9E,eAAO,MAAM,0BAA0B,aAEtC,CAAC;AACF,eAAO,MAAM,uBAAuB,aAAyC,CAAC;AAC9E,eAAO,MAAM,wBAAwB,aAEpC,CAAC;AASF;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/B,gBAAgB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9B,sEAAsE;IACtE,eAAe,EAAE,cAAc,EAAE,CAAC;IAClC,uFAAuF;IACvF,6BAA6B,EAAE,OAAO,CAAC;CACxC;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,cAAc,EAAE,kBAAkB,GACjC,2BAA2B,CAwB7B;AAMD,0FAA0F;AAC1F,eAAO,MAAM,mBAAmB,aAA2B,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,~~UAQpC~~,CAAC;AAMF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAExD;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAGhE;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE5D"}
1	+ {"version":3,"file":"tier2-traces.d.ts","sourceRoot":"","sources":["../../../src/common/contracts/tier2-traces.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAM7D,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;CACxC;AAED,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,mBAAmB,CAAC;AAE5D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,gBAAgB,GAAG,MAAM,CAE/D;AA0KD;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EA+TjD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,cAAc,EAEhD,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,cAAc,EAAE,kBAAkB,GACjC,cAAc,EAAE,CAQlB;AAMD,8FAA8F;AAC9F,eAAO,MAAM,gCAAgC,EAAE,MAAM,EAgDpD,CAAC;AAEF,qEAAqE;AACrE,eAAO,MAAM,6BAA6B,EAAE,MAAM,EAAO,CAAC;AAE1D,iFAAiF;AACjF,eAAO,MAAM,mCAAmC,EAAE,MAAM,EAAqB,CAAC;AAM9E,eAAO,MAAM,0BAA0B,aAEtC,CAAC;AACF,eAAO,MAAM,uBAAuB,aAAyC,CAAC;AAC9E,eAAO,MAAM,wBAAwB,aAEpC,CAAC;AASF;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/B,gBAAgB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9B,sEAAsE;IACtE,eAAe,EAAE,cAAc,EAAE,CAAC;IAClC,uFAAuF;IACvF,6BAA6B,EAAE,OAAO,CAAC;CACxC;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,cAAc,EAAE,kBAAkB,GACjC,2BAA2B,CAwB7B;AAMD,0FAA0F;AAC1F,eAAO,MAAM,mBAAmB,aAA2B,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,UAYpC,CAAC;AAMF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAExD;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAGhE;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE5D"}

package/dist-esm/common/contracts/tier2-traces.js CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
- * Tier 2 Traces Contract (v0.3.0)
+ * Tier 2 Traces Contract (v0.4.0)
  *
  * Single source of truth for Tier 2 sanitized trace telemetry.
- * Mirrors: engineering/projects/o11y-refactor/contracts/tier2-traces.v0.3.0.json
+ * Mirrors: engineering/projects/o11y-refactor/contracts/tier2-traces.v0.4.0.json
  *
  * Used by:
  * - trace-sanitizer (SDK: which spans/attributes to export)
@@ -182,7 +182,7 @@ const GEN_AI_STREAM_STEP_ATTRIBUTES = [
     },
 ];
 /**
- * Span patterns from tier2-traces.v0.3.0.json.
+ * Span patterns from tier2-traces.v0.4.0.json.
  * Suffix wildcard only: "HTTP POST *" matches "HTTP POST /api/..." or "POST /api/...".
  */
 export const TIER_2_TRACE_CONTRACT = [
@@ -466,7 +466,7 @@ export const TIER_2_TRACE_CONTRACT = [
             },
         ],
     },
-    // SABS app-builder spans (sabs-bundle-builder service)
+    // SABS app-builder spans (v0.3.0) + bundle download span (v0.4.0)
     {
         name: "sabs.build",
         allowedAttributes: [
@@ -487,6 +487,18 @@ export const TIER_2_TRACE_CONTRACT = [
             "otel.status_description",
         ],
     },
+    // AGENT-2723: aggregate download span replacing ~511 per-file RPC spans
+    {
+        name: "sabs.bundle.download",
+        description: "Aggregate span for the full SABS bundle download. Replaces per-file spans; per-file metrics emitted as sabs.bundle.files_downloaded, sabs.bundle.bytes_downloaded, sabs.bundle.file_fetch_ms.",
+        allowedAttributes: [
+            { name: "files.count", type: "number" },
+            { name: "bytes.sum", type: "number" },
+            { name: "slowest.ms", type: "number" },
+            "otel.status_code",
+            "otel.status_description",
+        ],
+    },
 ];
 /**
  * Cloud trace contract: match-all span name ("*") so no spans are dropped by name.
@@ -510,7 +522,7 @@ export function getTraceContract(deploymentType) {
     }
 }
 // ---------------------------------------------------------------------------
-// Forbidden / hashed / dropped attribute names (v0.3.0 JSON)
+// Forbidden / hashed / dropped attribute names (v0.4.0 JSON)
 // ---------------------------------------------------------------------------
 /** Forbidden in Tier 2 (forbiddenAttributes in contract). Collector strips these entirely. */
 export const FORBIDDEN_TIER_2_SPAN_ATTRIBUTES = [
@@ -523,7 +535,6 @@ export const FORBIDDEN_TIER_2_SPAN_ATTRIBUTES = [
     "file_path",
     "file_content",
     "db.statement",
-    "db.query_text",
     "db.query.text",
     "http.request.body",
     "http.response.body",
@@ -534,7 +545,12 @@ export const FORBIDDEN_TIER_2_SPAN_ATTRIBUTES = [
     "user-email",
     "user.email",
     "user_email",
+    "user.id",
     "enduser.email",
+    // NOTE: api-id/api_id, resource-id/resource_id, integration-id/integration_id,
+    // commit-id/commit_id, profile-id/profile_id are in the v0.4.0 JSON contract's
+    // forbiddenAttributes but intentionally omitted here. See ENG-3459 to resolve.
+    // https://linear.app/superblocks/issue/ENG-3459
     "api-name",
     "api_name",
     "application-id",
@@ -550,6 +566,13 @@ export const FORBIDDEN_TIER_2_SPAN_ATTRIBUTES = [
     "authorization",
     "cookie",
     "x-api-key",
+    // APPS-4190: npm registry tokens. Bucketing in sanitize-npm-attributes.ts
+    // is the primary defense; this list is the lint/runtime backstop so a
+    // future emitter that names an attribute after the token is stripped.
+    "npm.token",
+    "npm_token",
+    "npm.registry_token",
+    "registry_token",
 ];
 /** Hashed (keyed HMAC) for Tier 2 (hashedAttributes in contract). */
 export const HASHED_TIER_2_SPAN_ATTRIBUTES = [];
@@ -613,6 +636,10 @@ export const FORBIDDEN_VALUE_PATTERNS = [
     /-----BEGIN\s+(RSA\s+)?(PRIVATE|PUBLIC)\s+KEY-----/,
     /\bAKIA[A-Z0-9]{16}\b/,
     /\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b/,
+    // npm registry tokens (`npm_<36+ alphanumerics>`). The npm-name spec allows
+    // underscores, so without this pattern a token shaped like `npm_AAAA...`
+    // would slip through `sanitizeNpmPackageName` as a "valid" package name.
+    /\bnpm_[A-Za-z0-9]{36,}\b/,
     /\b(api[_-]?key|apikey|secret[_-]?key|access[_-]?token)[=:]\s*[A-Za-z0-9_-]{20,}\b/i,
 ];
 // ---------------------------------------------------------------------------