@superblocksteam/telemetry 2.0.93 → 2.0.94-next.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +59 -44
- package/dist/browser/index.d.ts +2 -2
- package/dist/browser/resilient-exporter.d.ts.map +1 -1
- package/dist/browser/resilient-exporter.js.map +1 -1
- package/dist/common/contracts/tier2-traces.d.ts +62 -50
- package/dist/common/contracts/tier2-traces.d.ts.map +1 -1
- package/dist/common/contracts/tier2-traces.js +484 -138
- package/dist/common/contracts/tier2-traces.js.map +1 -1
- package/dist/common/guardrails.d.ts +2 -2
- package/dist/common/guardrails.d.ts.map +1 -1
- package/dist/common/guardrails.js +7 -7
- package/dist/common/guardrails.js.map +1 -1
- package/dist/common/log-sanitizer.d.ts +88 -0
- package/dist/common/log-sanitizer.d.ts.map +1 -1
- package/dist/common/log-sanitizer.js +304 -6
- package/dist/common/log-sanitizer.js.map +1 -1
- package/dist/common/resource.d.ts +4 -1
- package/dist/common/resource.d.ts.map +1 -1
- package/dist/common/resource.js +4 -2
- package/dist/common/resource.js.map +1 -1
- package/dist/common/trace-sanitizer.d.ts +82 -0
- package/dist/common/trace-sanitizer.d.ts.map +1 -0
- package/dist/common/trace-sanitizer.js +230 -0
- package/dist/common/trace-sanitizer.js.map +1 -0
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +16 -8
- package/dist/index.js.map +1 -1
- package/dist/lint/forbidden-attributes.d.ts +2 -2
- package/dist/lint/forbidden-attributes.d.ts.map +1 -1
- package/dist/lint/forbidden-attributes.js +41 -40
- package/dist/lint/forbidden-attributes.js.map +1 -1
- package/dist/lint/index.d.ts +1 -1
- package/dist/llmobs/index.d.ts +2 -2
- package/dist/llmobs/tier1-exporter.d.ts +2 -2
- package/dist/llmobs/tier1-exporter.d.ts.map +1 -1
- package/dist/llmobs/tier1-exporter.js +17 -14
- package/dist/llmobs/tier1-exporter.js.map +1 -1
- package/dist/llmobs/tier2-summarizer.d.ts.map +1 -1
- package/dist/llmobs/tier2-summarizer.js +10 -4
- package/dist/llmobs/tier2-summarizer.js.map +1 -1
- package/dist/node/exporters/resilient-exporter.d.ts +14 -0
- package/dist/node/exporters/resilient-exporter.d.ts.map +1 -1
- package/dist/node/exporters/resilient-exporter.js +8 -1
- package/dist/node/exporters/resilient-exporter.js.map +1 -1
- package/dist/node/index.d.ts +2 -1
- package/dist/node/index.d.ts.map +1 -1
- package/dist/node/index.js +7 -2
- package/dist/node/index.js.map +1 -1
- package/dist/node/init.d.ts.map +1 -1
- package/dist/node/init.js +61 -12
- package/dist/node/init.js.map +1 -1
- package/dist/node/log-processor.d.ts +41 -6
- package/dist/node/log-processor.d.ts.map +1 -1
- package/dist/node/log-processor.js +152 -61
- package/dist/node/log-processor.js.map +1 -1
- package/dist/node/metrics-client.d.ts.map +1 -1
- package/dist/node/metrics-client.js.map +1 -1
- package/dist/node/safe-logger.d.ts +55 -0
- package/dist/node/safe-logger.d.ts.map +1 -0
- package/dist/node/safe-logger.js +158 -0
- package/dist/node/safe-logger.js.map +1 -0
- package/dist/node/sanitizing-processor.d.ts +56 -0
- package/dist/node/sanitizing-processor.d.ts.map +1 -0
- package/dist/node/sanitizing-processor.js +124 -0
- package/dist/node/sanitizing-processor.js.map +1 -0
- package/dist/node/traced-socket.d.ts +47 -3
- package/dist/node/traced-socket.d.ts.map +1 -1
- package/dist/node/traced-socket.js +96 -19
- package/dist/node/traced-socket.js.map +1 -1
- package/dist/testing/in-memory-exporter.d.ts +3 -3
- package/dist/testing/in-memory-exporter.d.ts.map +1 -1
- package/dist/testing/in-memory-exporter.js +3 -1
- package/dist/testing/in-memory-exporter.js.map +1 -1
- package/dist/testing/index.d.ts +2 -2
- package/dist/types/index.d.ts +28 -1
- package/dist/types/index.d.ts.map +1 -1
- package/dist-esm/browser/index.d.ts +2 -2
- package/dist-esm/browser/index.js +2 -2
- package/dist-esm/browser/resilient-exporter.d.ts.map +1 -1
- package/dist-esm/browser/resilient-exporter.js.map +1 -1
- package/dist-esm/common/contracts/tier2-traces.d.ts +62 -50
- package/dist-esm/common/contracts/tier2-traces.d.ts.map +1 -1
- package/dist-esm/common/contracts/tier2-traces.js +480 -137
- package/dist-esm/common/contracts/tier2-traces.js.map +1 -1
- package/dist-esm/common/guardrails.d.ts +2 -2
- package/dist-esm/common/guardrails.d.ts.map +1 -1
- package/dist-esm/common/guardrails.js +9 -9
- package/dist-esm/common/guardrails.js.map +1 -1
- package/dist-esm/common/log-sanitizer.d.ts +88 -0
- package/dist-esm/common/log-sanitizer.d.ts.map +1 -1
- package/dist-esm/common/log-sanitizer.js +294 -5
- package/dist-esm/common/log-sanitizer.js.map +1 -1
- package/dist-esm/common/resource.d.ts +4 -1
- package/dist-esm/common/resource.d.ts.map +1 -1
- package/dist-esm/common/resource.js +3 -1
- package/dist-esm/common/resource.js.map +1 -1
- package/dist-esm/common/trace-sanitizer.d.ts +82 -0
- package/dist-esm/common/trace-sanitizer.d.ts.map +1 -0
- package/dist-esm/common/trace-sanitizer.js +226 -0
- package/dist-esm/common/trace-sanitizer.js.map +1 -0
- package/dist-esm/index.d.ts +2 -1
- package/dist-esm/index.d.ts.map +1 -1
- package/dist-esm/index.js +2 -1
- package/dist-esm/index.js.map +1 -1
- package/dist-esm/lint/forbidden-attributes.d.ts +2 -2
- package/dist-esm/lint/forbidden-attributes.d.ts.map +1 -1
- package/dist-esm/lint/forbidden-attributes.js +43 -42
- package/dist-esm/lint/forbidden-attributes.js.map +1 -1
- package/dist-esm/lint/index.d.ts +1 -1
- package/dist-esm/lint/index.js +1 -1
- package/dist-esm/llmobs/index.d.ts +2 -2
- package/dist-esm/llmobs/index.js +2 -2
- package/dist-esm/llmobs/tier1-exporter.d.ts +2 -2
- package/dist-esm/llmobs/tier1-exporter.d.ts.map +1 -1
- package/dist-esm/llmobs/tier1-exporter.js +18 -15
- package/dist-esm/llmobs/tier1-exporter.js.map +1 -1
- package/dist-esm/llmobs/tier2-summarizer.d.ts.map +1 -1
- package/dist-esm/llmobs/tier2-summarizer.js +10 -4
- package/dist-esm/llmobs/tier2-summarizer.js.map +1 -1
- package/dist-esm/node/exporters/resilient-exporter.d.ts +14 -0
- package/dist-esm/node/exporters/resilient-exporter.d.ts.map +1 -1
- package/dist-esm/node/exporters/resilient-exporter.js +8 -1
- package/dist-esm/node/exporters/resilient-exporter.js.map +1 -1
- package/dist-esm/node/index.d.ts +2 -1
- package/dist-esm/node/index.d.ts.map +1 -1
- package/dist-esm/node/index.js +2 -1
- package/dist-esm/node/index.js.map +1 -1
- package/dist-esm/node/init.d.ts.map +1 -1
- package/dist-esm/node/init.js +61 -12
- package/dist-esm/node/init.js.map +1 -1
- package/dist-esm/node/log-processor.d.ts +41 -6
- package/dist-esm/node/log-processor.d.ts.map +1 -1
- package/dist-esm/node/log-processor.js +151 -62
- package/dist-esm/node/log-processor.js.map +1 -1
- package/dist-esm/node/metrics-client.d.ts.map +1 -1
- package/dist-esm/node/metrics-client.js.map +1 -1
- package/dist-esm/node/safe-logger.d.ts +55 -0
- package/dist-esm/node/safe-logger.d.ts.map +1 -0
- package/dist-esm/node/safe-logger.js +154 -0
- package/dist-esm/node/safe-logger.js.map +1 -0
- package/dist-esm/node/sanitizing-processor.d.ts +56 -0
- package/dist-esm/node/sanitizing-processor.d.ts.map +1 -0
- package/dist-esm/node/sanitizing-processor.js +120 -0
- package/dist-esm/node/sanitizing-processor.js.map +1 -0
- package/dist-esm/node/traced-socket.d.ts +47 -3
- package/dist-esm/node/traced-socket.d.ts.map +1 -1
- package/dist-esm/node/traced-socket.js +96 -19
- package/dist-esm/node/traced-socket.js.map +1 -1
- package/dist-esm/testing/in-memory-exporter.d.ts +3 -3
- package/dist-esm/testing/in-memory-exporter.d.ts.map +1 -1
- package/dist-esm/testing/in-memory-exporter.js +4 -2
- package/dist-esm/testing/in-memory-exporter.js.map +1 -1
- package/dist-esm/testing/index.d.ts +2 -2
- package/dist-esm/testing/index.js +2 -2
- package/dist-esm/types/index.d.ts +28 -1
- package/dist-esm/types/index.d.ts.map +1 -1
- package/dist-esm/types/index.js +1 -1
- package/package.json +17 -18
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tier2-traces.js","sourceRoot":"","sources":["../../../src/common/contracts/tier2-traces.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"tier2-traces.js","sourceRoot":"","sources":["../../../src/common/contracts/tier2-traces.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAwBH,4CAEC;AAuXD,4CAUC;AAwFD,wEAwBC;AA4BD,oDAEC;AAED,8CAEC;AAED,gDAEC;AAED,4DAGC;AAED,gDAEC;AAxjBD,oDAA6D;AAsB7D,SAAgB,gBAAgB,CAAC,IAAsB;IACrD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;AACrD,CAAC;AAED;;;GAGG;AACU,QAAA,qBAAqB,GAAqB;IACrD;QACE,IAAI,EAAE,YAAY;QAClB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;YAC9B,EAAE,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE;SACrE;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;YAC9B,6BAA6B;YAC7B,EAAE,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE;SACrE;KACF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;YAC9B,6BAA6B;SAC9B;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;SAC/B;KACF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;YAC9B,6BAA6B;SAC9B;KACF;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,iBAAiB,EAAE;YACjB,aAAa;YACb,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,kBAAkB;YAClB,8BAA8B;YAC9B,6BAA6B;YAC7B,EAAE,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE;YACpE,eAAe;SAChB;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,aAAa,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE;YAChE,EAAE,IAAI,EAAE,4BAA4B,EAAE,aAAa,EAAE,CAAC,WAAW,CAAC,EAAE;YACpE,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,EAAE;SAC3C;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,aAAa,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE;SACjE;KACF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,aAAa,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE;YAChE,EAAE,IAAI,EAAE,4BAA4B,EAAE,aAAa,EAAE,CAAC,WAAW,CAAC,EAAE;SACrE;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,YAAY,EAAE,IAAI;QAClB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,EAAE;YACrE;gBACE,IAAI,EAAE,YAAY;gBAClB,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;aAC5D;YACD,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,eAAe,CAAC,EAAE;YACzE,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC1C,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC3C,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;YACpD,kBAAkB;YAClB,yBAAyB;SAC1B;KACF;IACD;QACE,IAAI,EAAE,UAAU;QAChB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,EAAE,EAAE;YACzC,EAAE,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE;YAC5D,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5C,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5C,kBAAkB;SACnB;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1C,EAAE,IAAI,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE;SAC9D;KACF;IACD;QACE,IAAI,EAAE,UAAU;QAChB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,aAAa,EAAE,cAAc,EAAE,EAAE,EAAE;YAC3C;gBACE,IAAI,EAAE,cAAc;gBACpB,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,CAAC;aAC7D;YACD,EAAE,IAAI,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC,EAAE;YACjE,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC9C,kBAAkB;SACnB;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,WAAW;gBACjB,aAAa,EAAE;oBACb,YAAY;oBACZ,OAAO;oBACP,OAAO;oBACP,SAAS;oBACT,OAAO;oBACP,WAAW;oBACX,UAAU;oBACV,YAAY;oBACZ,UAAU;oBACV,QAAQ;iBACT;aACF;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,aAAa,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;aACjE;YACD,EAAE,IAAI,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE;YACvC,kBAAkB;SACnB;KACF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,uBAAuB;gBAC7B,aAAa,EAAE;oBACb,MAAM;oBACN,iBAAiB;oBACjB,YAAY;oBACZ,cAAc;oBACd,cAAc;oBACd,kBAAkB;iBACnB;aACF;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,aAAa,EAAE;oBACb,QAAQ;oBACR,WAAW;oBACX,aAAa;oBACb,iBAAiB;oBACjB,oBAAoB;oBACpB,YAAY;oBACZ,eAAe;oBACf,QAAQ;oBACR,YAAY;oBACZ,UAAU;oBACV,MAAM;iBACP;aACF;YACD;gBACE,IAAI,EAAE,sBAAsB;gBAC5B,aAAa,EAAE;oBACb,QAAQ;oBACR,WAAW;oBACX,aAAa;oBACb,iBAAiB;oBACjB,oBAAoB;oBACpB,YAAY;oBACZ,eAAe;oBACf,QAAQ;oBACR,YAAY;oBACZ,UAAU;oBACV,MAAM;iBACP;aACF;YACD,EAAE,IAAI,EAAE,sBAAsB,EAAE,cAAc,EAAE,EAAE,EAAE;YACpD,EAAE,IAAI,EAAE,uBAAuB,EAAE,cAAc,EAAE,EAAE,EAAE;YACrD,cAAc;YACd,WAAW;YACX,YAAY;YACZ;gBACE,IAAI,EAAE,oBAAoB;gBAC1B,aAAa,EAAE;oBACb,MAAM;oBACN,YAAY;oBACZ,gBAAgB;oBAChB,gBAAgB;oBAChB,OAAO;oBACP,SAAS;oBACT,SAAS;oBACT,YAAY;oBACZ,WAAW;oBACX,kBAAkB;oBAClB,SAAS;oBACT,SAAS;iBACV;aACF;YACD,iBAAiB;YACjB,2BAA2B;YAC3B,4BAA4B;YAC5B,kBAAkB;YAClB,mBAAmB;YACnB,kBAAkB;YAClB,sBAAsB;YACtB,mBAAmB;YACnB,cAAc;YACd,EAAE,IAAI,EAAE,mCAAmC,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC7D,EAAE,IAAI,EAAE,4BAA4B,EAAE,IAAI,EAAE,QAAQ,EAAE;YACtD,gCAAgC;YAChC,mBAAmB;YACnB,kBAAkB;SACnB;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,EAAE,EAAE;YACzC,EAAE,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE;YAC5D;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,aAAa,EAAE;oBACb,MAAM;oBACN,SAAS;oBACT,iBAAiB;oBACjB,kBAAkB;oBAClB,mBAAmB;oBACnB,WAAW;oBACX,SAAS;iBACV;aACF;YACD,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5C,kBAAkB;SACnB;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,iBAAiB,EAAE;YACjB,cAAc;YACd,WAAW;YACX,kBAAkB;YAClB,gBAAgB;SACjB;KACF;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE;YACvC;gBACE,IAAI,EAAE,WAAW;gBACjB,aAAa,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC;aAC9D;SACF;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,iBAAiB,EAAE;YACjB,qBAAqB;YACrB,oBAAoB;YACpB,wBAAwB;YACxB,yBAAyB;YACzB,sBAAsB;YACtB;gBACE,IAAI,EAAE,iBAAiB;gBACvB,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC;aAC/C;SACF;KACF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC1C;gBACE,IAAI,EAAE,aAAa;gBACnB,aAAa,EAAE,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,OAAO,CAAC;aACjE;YACD,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,QAAQ,EAAE;SAC7C;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,MAAM,CAAC,EAAE;YAC/C,EAAE,IAAI,EAAE,aAAa,EAAE,cAAc,EAAE,EAAE,EAAE;YAC3C,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,EAAE;YAC3C,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,QAAQ,EAAE;SACjD;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,aAAa,EAAE,CAAC,OAAO,CAAC,EAAE;YACtD,EAAE,IAAI,EAAE,uBAAuB,EAAE,cAAc,EAAE,EAAE,EAAE;YACrD;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,aAAa,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;aACjD;SACF;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,iBAAiB,EAAE;YACjB,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,OAAO,CAAC,EAAE;YAC/C,EAAE,IAAI,EAAE,cAAc,EAAE,cAAc,EAAE,EAAE,EAAE;SAC7C;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,iBAAiB,EAAE;YACjB,aAAa;YACb,kBAAkB;YAClB,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,GAAG,EAAE;SAC3C;KACF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,eAAe;gBACrB,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC;aAChD;YACD;gBACE,IAAI,EAAE,iBAAiB;gBACvB,aAAa,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC;aAC/C;SACF;KACF;CACF,CAAC;AAEF;;;GAGG;AACU,QAAA,oBAAoB,GAAqB;IACpD,EAAE,IAAI,EAAE,GAAG,EAAE,iBAAiB,EAAE,EAAE,EAAE;CACrC,CAAC;AAEF;;;;GAIG;AACH,SAAgB,gBAAgB,CAC9B,cAAkC;IAElC,QAAQ,cAAc,EAAE,CAAC;QACvB,KAAK,2BAAkB,CAAC,KAAK;YAC3B,OAAO,4BAAoB,CAAC;QAC9B,KAAK,2BAAkB,CAAC,UAAU,CAAC;QACnC;YACE,OAAO,6BAAqB,CAAC;IACjC,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E,8FAA8F;AACjF,QAAA,gCAAgC,GAAa;IACxD,cAAc;IACd,eAAe;IACf,QAAQ;IACR,MAAM;IACN,YAAY;IACZ,aAAa;IACb,WAAW;IACX,cAAc;IACd,cAAc;IACd,eAAe;IACf,eAAe;IACf,mBAAmB;IACnB,oBAAoB;IACpB,UAAU;IACV,WAAW;IACX,UAAU;IACV,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,YAAY;IACZ,eAAe;IACf,UAAU;IACV,UAAU;IACV,eAAe;IACf,eAAe;IACf,aAAa;IACb,QAAQ;IACR,aAAa;IACb,sBAAsB;IACtB,YAAY;IACZ,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;CACZ,CAAC;AAEF,qEAAqE;AACxD,QAAA,6BAA6B,GAAa,EAAE,CAAC;AAE1D,iFAAiF;AACpE,QAAA,mCAAmC,GAAa,CAAC,cAAc,CAAC,CAAC;AAE9E,8EAA8E;AAC9E,uDAAuD;AACvD,8EAA8E;AAEjE,QAAA,0BAA0B,GAAG,IAAI,GAAG,CAC/C,wCAAgC,CACjC,CAAC;AACW,QAAA,uBAAuB,GAAG,IAAI,GAAG,CAAC,qCAA6B,CAAC,CAAC;AACjE,QAAA,wBAAwB,GAAG,IAAI,GAAG,CAC7C,2CAAmC,CACpC,CAAC;AAEF,8EAA8E;AAC9E,sDAAsD;AACtD,8EAA8E;AAE9E,iFAAiF;AACjF,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAU,CAAC;AAgB9C;;;;GAIG;AACH,SAAgB,8BAA8B,CAC5C,cAAkC;IAElC,MAAM,eAAe,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,6BAA6B,GAAG,IAAI,CAAC;IAC3C,QAAQ,cAAc,EAAE,CAAC;QACvB,KAAK,2BAAkB,CAAC,KAAK;YAC3B,OAAO;gBACL,mBAAmB,EAAE,mBAAmB;gBACxC,iBAAiB,EAAE,mBAAmB;gBACtC,gBAAgB,EAAE,mBAAmB;gBACrC,eAAe;gBACf,6BAA6B;aAC9B,CAAC;QACJ,KAAK,2BAAkB,CAAC,UAAU,CAAC;QACnC;YACE,OAAO;gBACL,mBAAmB,EAAE,kCAA0B;gBAC/C,iBAAiB,EAAE,gCAAwB;gBAC3C,gBAAgB,EAAE,+BAAuB;gBACzC,eAAe;gBACf,6BAA6B;aAC9B,CAAC;IACN,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAE9E,0FAA0F;AAC7E,QAAA,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;AAE5D;;;;GAIG;AACU,QAAA,wBAAwB,GAAG;IACtC,8DAA8D;IAC9D,8BAA8B;IAC9B,8BAA8B;IAC9B,mDAAmD;IACnD,sBAAsB;IACtB,4CAA4C;IAC5C,oFAAoF;CACrF,CAAC;AAEF,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,SAAgB,oBAAoB,CAAC,IAAY;IAC/C,OAAO,kCAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAgB,iBAAiB,CAAC,IAAY;IAC5C,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,SAAgB,kBAAkB,CAAC,IAAY;IAC7C,OAAO,gCAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,SAAgB,wBAAwB,CAAC,KAAc;IACrD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,gCAAwB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,SAAgB,kBAAkB,CAAC,QAAgB;IACjD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC"}
|
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
*
|
|
12
12
|
* See obs/otel-collector/config-tiered.yaml for runtime enforcement.
|
|
13
13
|
*/
|
|
14
|
-
import type { Attributes } from
|
|
14
|
+
import type { Attributes } from "@opentelemetry/api";
|
|
15
15
|
/**
|
|
16
16
|
* Guardrail violation types.
|
|
17
17
|
*/
|
|
@@ -36,7 +36,7 @@ export interface GuardrailViolation {
|
|
|
36
36
|
/** Human-readable message */
|
|
37
37
|
message: string;
|
|
38
38
|
/** Severity level */
|
|
39
|
-
severity:
|
|
39
|
+
severity: "error" | "warning";
|
|
40
40
|
}
|
|
41
41
|
/**
|
|
42
42
|
* Mode for guardrail reporting.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guardrails.d.ts","sourceRoot":"","sources":["../../src/common/guardrails.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AASrD;;GAEG;AACH,oBAAY,aAAa;IACvB,uCAAuC;IACvC,mBAAmB,wBAAwB;IAC3C,mEAAmE;IACnE,aAAa,kBAAkB;IAC/B,4DAA4D;IAC5D,eAAe,oBAAoB;IACnC,+CAA+C;IAC/C,gBAAgB,qBAAqB;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wBAAwB;IACxB,IAAI,EAAE,aAAa,CAAC;IACpB,kCAAkC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,EAAE,OAAO,GAAG,SAAS,CAAC;CAC/B;AAED;;;;;GAKG;AACH,oBAAY,aAAa;IACvB,+CAA+C;IAC/C,IAAI,SAAS;IACb,2CAA2C;IAC3C,MAAM,WAAW;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qBAAqB;IACrB,IAAI,EAAE,aAAa,CAAC;IACpB,mDAAmD;IACnD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oDAAoD;IACpD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAQD;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,UAAU,EACtB,OAAO,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACtC,kBAAkB,EAAE,
|
|
1
|
+
{"version":3,"file":"guardrails.d.ts","sourceRoot":"","sources":["../../src/common/guardrails.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AASrD;;GAEG;AACH,oBAAY,aAAa;IACvB,uCAAuC;IACvC,mBAAmB,wBAAwB;IAC3C,mEAAmE;IACnE,aAAa,kBAAkB;IAC/B,4DAA4D;IAC5D,eAAe,oBAAoB;IACnC,+CAA+C;IAC/C,gBAAgB,qBAAqB;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wBAAwB;IACxB,IAAI,EAAE,aAAa,CAAC;IACpB,kCAAkC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,EAAE,OAAO,GAAG,SAAS,CAAC;CAC/B;AAED;;;;;GAKG;AACH,oBAAY,aAAa;IACvB,+CAA+C;IAC/C,IAAI,SAAS;IACb,2CAA2C;IAC3C,MAAM,WAAW;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qBAAqB;IACrB,IAAI,EAAE,aAAa,CAAC;IACpB,mDAAmD;IACnD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oDAAoD;IACpD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAQD;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,UAAU,EACtB,OAAO,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACtC,kBAAkB,EAAE,CAyDtB;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,EACjD,OAAO,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACtC,kBAAkB,EAAE,CAGtB;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,UAAU,EACtB,OAAO,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACtC,IAAI,CAuBN;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAMnD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAEjD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAE9C"}
|
|
@@ -75,7 +75,7 @@ function validateSpanAttributes(attributes, options = {}) {
|
|
|
75
75
|
attributeKey: key,
|
|
76
76
|
message: `Attribute '${key}' is forbidden in Tier 2 telemetry. ` +
|
|
77
77
|
`Collector will filter this at runtime.`,
|
|
78
|
-
severity:
|
|
78
|
+
severity: "warning",
|
|
79
79
|
});
|
|
80
80
|
}
|
|
81
81
|
// Check for resource-only attributes
|
|
@@ -85,7 +85,7 @@ function validateSpanAttributes(attributes, options = {}) {
|
|
|
85
85
|
attributeKey: key,
|
|
86
86
|
message: `Attribute '${key}' should be a RESOURCE attribute, not a span attribute. ` +
|
|
87
87
|
`Set it in initNodeTelemetry() config, not per-span.`,
|
|
88
|
-
severity:
|
|
88
|
+
severity: "warning",
|
|
89
89
|
});
|
|
90
90
|
}
|
|
91
91
|
// Check for forbidden value patterns
|
|
@@ -95,18 +95,18 @@ function validateSpanAttributes(attributes, options = {}) {
|
|
|
95
95
|
attributeKey: key,
|
|
96
96
|
message: `Attribute '${key}' contains a forbidden pattern (JWT, API key, etc.). ` +
|
|
97
97
|
`Collector will filter this at runtime.`,
|
|
98
|
-
severity:
|
|
98
|
+
severity: "warning",
|
|
99
99
|
});
|
|
100
100
|
}
|
|
101
101
|
// Check for high cardinality
|
|
102
|
-
if (opts.checkCardinality && typeof value ===
|
|
102
|
+
if (opts.checkCardinality && typeof value === "string") {
|
|
103
103
|
if (value.length > opts.maxCardinalityLength) {
|
|
104
104
|
violations.push({
|
|
105
105
|
type: ViolationType.HIGH_CARDINALITY,
|
|
106
106
|
attributeKey: key,
|
|
107
107
|
message: `Attribute '${key}' has a very long value (${value.length} chars). ` +
|
|
108
108
|
`This may cause high cardinality. Consider using a shorter, normalized value.`,
|
|
109
|
-
severity:
|
|
109
|
+
severity: "warning",
|
|
110
110
|
});
|
|
111
111
|
}
|
|
112
112
|
}
|
|
@@ -143,10 +143,10 @@ function reportViolations(attributes, options = {}) {
|
|
|
143
143
|
switch (opts.mode) {
|
|
144
144
|
case GuardrailMode.STRICT: {
|
|
145
145
|
throw new Error(`Guardrail violations found:\n` +
|
|
146
|
-
violations.map(v => ` - ${v.message}`).join(
|
|
146
|
+
violations.map((v) => ` - ${v.message}`).join("\n"));
|
|
147
147
|
}
|
|
148
148
|
case GuardrailMode.WARN: {
|
|
149
|
-
violations.forEach(v => {
|
|
149
|
+
violations.forEach((v) => {
|
|
150
150
|
console.warn(`[Guardrail] ${v.message}`);
|
|
151
151
|
});
|
|
152
152
|
break;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guardrails.js","sourceRoot":"","sources":["../../src/common/guardrails.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AA+EH,
|
|
1
|
+
{"version":3,"file":"guardrails.js","sourceRoot":"","sources":["../../src/common/guardrails.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AA+EH,wDA4DC;AASD,oDAMC;AAYD,4CA0BC;AASD,wCAMC;AAQD,gCAEC;AAKD,wDAEC;AAKD,kDAEC;AApOD,iEAKqC;AACrC,+CAAyD;AAEzD;;GAEG;AACH,IAAY,aASX;AATD,WAAY,aAAa;IACvB,uCAAuC;IACvC,4DAA2C,CAAA;IAC3C,mEAAmE;IACnE,gDAA+B,CAAA;IAC/B,4DAA4D;IAC5D,oDAAmC,CAAA;IACnC,+CAA+C;IAC/C,sDAAqC,CAAA;AACvC,CAAC,EATW,aAAa,6BAAb,aAAa,QASxB;AAgBD;;;;;GAKG;AACH,IAAY,aAKX;AALD,WAAY,aAAa;IACvB,+CAA+C;IAC/C,8BAAa,CAAA;IACb,2CAA2C;IAC3C,kCAAiB,CAAA;AACnB,CAAC,EALW,aAAa,6BAAb,aAAa,QAKxB;AAcD,MAAM,eAAe,GAAqB;IACxC,IAAI,EAAE,aAAa,CAAC,IAAI;IACxB,gBAAgB,EAAE,IAAI;IACtB,oBAAoB,EAAE,GAAG;CAC1B,CAAC;AAEF;;;;;;;;GAQG;AACH,SAAgB,sBAAsB,CACpC,UAAsB,EACtB,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAChD,MAAM,UAAU,GAAyB,EAAE,CAAC;IAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACtD,iCAAiC;QACjC,IAAI,4CAA0B,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,aAAa,CAAC,mBAAmB;gBACvC,YAAY,EAAE,GAAG;gBACjB,OAAO,EACL,cAAc,GAAG,sCAAsC;oBACvD,wCAAwC;gBAC1C,QAAQ,EAAE,SAAS;aACpB,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,IAAI,sCAAwB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,aAAa,CAAC,aAAa;gBACjC,YAAY,EAAE,GAAG;gBACjB,OAAO,EACL,cAAc,GAAG,0DAA0D;oBAC3E,qDAAqD;gBACvD,QAAQ,EAAE,SAAS;aACpB,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAA,0CAAwB,EAAC,KAAK,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,aAAa,CAAC,eAAe;gBACnC,YAAY,EAAE,GAAG;gBACjB,OAAO,EACL,cAAc,GAAG,uDAAuD;oBACxE,wCAAwC;gBAC1C,QAAQ,EAAE,SAAS;aACpB,CAAC,CAAC;QACL,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,gBAAgB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvD,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,oBAAqB,EAAE,CAAC;gBAC9C,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,aAAa,CAAC,gBAAgB;oBACpC,YAAY,EAAE,GAAG;oBACjB,OAAO,EACL,cAAc,GAAG,4BAA4B,KAAK,CAAC,MAAM,WAAW;wBACpE,8EAA8E;oBAChF,QAAQ,EAAE,SAAS;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAClC,MAAiD,EACjD,UAAqC,EAAE;IAEvC,sDAAsD;IACtD,OAAO,sBAAsB,CAAC,MAAoB,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,gBAAgB,CAC9B,UAAsB,EACtB,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAChD,MAAM,UAAU,GAAG,sBAAsB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAE5D,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO;IACT,CAAC;IAED,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,+BAA+B;gBAC7B,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACvD,CAAC;QACJ,CAAC;QAED,KAAK,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;YACxB,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;gBACvB,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;YACH,MAAM;QACR,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,GAAW;IACxC,OAAO,CACL,CAAC,4CAA0B,CAAC,GAAG,CAAC,GAAG,CAAC;QACpC,CAAC,0CAAwB,CAAC,GAAG,CAAC,GAAG,CAAC;QAClC,CAAC,sCAAwB,CAAC,GAAG,CAAC,GAAG,CAAC,CACnC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,GAAW;IACpC,OAAO,yCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB;IACpC,OAAO,CAAC,GAAG,4CAA0B,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,OAAO,CAAC,GAAG,yCAAuB,CAAC,CAAC;AACtC,CAAC"}
|
|
@@ -14,6 +14,12 @@
|
|
|
14
14
|
*
|
|
15
15
|
* @see https://github.com/superblocksteam/engineering/blob/main/projects/o11y-refactor/epics/epic-c4-logging-strategy.md
|
|
16
16
|
*/
|
|
17
|
+
/**
|
|
18
|
+
* Patterns that indicate tokens, keys, and secrets in log messages.
|
|
19
|
+
* These use capture groups to preserve prefixes while redacting values.
|
|
20
|
+
* Exported as DEFAULT_SECRET_PATTERNS for use in LoggingPolicyConfig (e.g. cloud-prem).
|
|
21
|
+
*/
|
|
22
|
+
export declare const DEFAULT_SECRET_PATTERNS: SensitivePattern[];
|
|
17
23
|
/**
|
|
18
24
|
* Fields that contain secrets and should be stripped from log objects.
|
|
19
25
|
* Only includes actual secret field names - NOT debugging info.
|
|
@@ -22,10 +28,81 @@
|
|
|
22
28
|
* Those are handled by the OTel Collector for tier-based export filtering.
|
|
23
29
|
*/
|
|
24
30
|
export declare const SECRET_FIELDS: Set<string>;
|
|
31
|
+
/**
|
|
32
|
+
* Patterns for compound field names that contain secrets.
|
|
33
|
+
* Uses word boundary matching to avoid false positives.
|
|
34
|
+
* Exported for use in LoggingPolicyConfig (e.g. cloud-prem).
|
|
35
|
+
*/
|
|
36
|
+
export declare const SECRET_FIELD_PATTERNS: RegExp[];
|
|
25
37
|
/**
|
|
26
38
|
* Check if a field name contains secrets using word boundary matching.
|
|
27
39
|
*/
|
|
28
40
|
export declare function isSecretField(fieldName: string): boolean;
|
|
41
|
+
/**
|
|
42
|
+
* Policy-driven secret field check. When names and patterns are empty, returns false.
|
|
43
|
+
* Used by PolicyAwareLogProcessor so cloud can pass empty set/array for no redaction.
|
|
44
|
+
*/
|
|
45
|
+
export declare function isSecretFieldFromPolicy(fieldName: string, secretFieldNames: Set<string>, secretFieldPatterns: RegExp[]): boolean;
|
|
46
|
+
/**
|
|
47
|
+
* Placeholder string used when redacting forbidden or secret fields in logs.
|
|
48
|
+
* Use this constant so all packages (server, telemetry) share one value.
|
|
49
|
+
*/
|
|
50
|
+
export declare const REDACTED_PLACEHOLDER = "[REDACTED]";
|
|
51
|
+
/**
|
|
52
|
+
* Field names that must never be included in exported logs (stack, prompt, code, etc.).
|
|
53
|
+
* Used as the base for both cloud and cloud-prem.
|
|
54
|
+
*/
|
|
55
|
+
export declare const BASE_EXPORT_FORBIDDEN_FIELDS: Set<string>;
|
|
56
|
+
/** Export-forbidden fields for cloud (base only; email keys allowed). */
|
|
57
|
+
export declare const EXPORT_FORBIDDEN_FIELDS_CLOUD: Set<string>;
|
|
58
|
+
/** Export-forbidden fields for cloud-prem (base + email keys). */
|
|
59
|
+
export declare const EXPORT_FORBIDDEN_FIELDS_CLOUD_PREM: Set<string>;
|
|
60
|
+
export declare function isStackAttributeKey(key: string): boolean;
|
|
61
|
+
/**
|
|
62
|
+
* Check if a string contains a stack trace (for export redaction).
|
|
63
|
+
*/
|
|
64
|
+
export declare function containsStackTrace(text: string): boolean;
|
|
65
|
+
/** Placeholder for stack trace redaction in exported logs. Exported for use in log-processor. */
|
|
66
|
+
export declare const STACK_TRACE_REDACTED_PLACEHOLDER = "[STACK TRACE REDACTED - Tier 1 only]";
|
|
67
|
+
/**
|
|
68
|
+
* Apply redact patterns to a string with a single replacement (resets lastIndex on each pattern).
|
|
69
|
+
*/
|
|
70
|
+
export declare function applyRedactPatterns(str: string, patterns: RegExp[], replacement?: string): string;
|
|
71
|
+
/**
|
|
72
|
+
* A pattern and its replacement for sensitive value redaction (e.g. path, email).
|
|
73
|
+
* Configured in logging policy alongside forbiddenFields and redactPatterns.
|
|
74
|
+
*/
|
|
75
|
+
export interface SensitivePattern {
|
|
76
|
+
pattern: RegExp;
|
|
77
|
+
replacement: string;
|
|
78
|
+
}
|
|
79
|
+
/** Sensitive patterns for cloud: path only (emails are not redacted in cloud). */
|
|
80
|
+
export declare const SENSITIVE_PATTERNS_CLOUD: SensitivePattern[];
|
|
81
|
+
/** Default sensitive patterns (path, email) for cloud-prem and when export is strict. */
|
|
82
|
+
export declare const DEFAULT_SENSITIVE_PATTERNS: SensitivePattern[];
|
|
83
|
+
/**
|
|
84
|
+
* Regex patterns for cloud-prem log export: matched content is replaced with [REDACTED].
|
|
85
|
+
* Used as redactPatterns in LoggingPolicyConfig when deploymentType is CLOUD_PREM.
|
|
86
|
+
*/
|
|
87
|
+
export declare const CLOUD_PREM_REDACT_PATTERNS: RegExp[];
|
|
88
|
+
/**
|
|
89
|
+
* Apply sensitive patterns (pattern + replacement) to text.
|
|
90
|
+
* Used with policy.sensitivePatterns whenever redacting values for export.
|
|
91
|
+
*/
|
|
92
|
+
export declare function redactSensitivePatterns(text: string, patterns: SensitivePattern[]): string;
|
|
93
|
+
/**
|
|
94
|
+
* Redact stack trace for export: keep first line (error message) after sanitizing
|
|
95
|
+
* it with sensitive patterns, replace the rest with a placeholder.
|
|
96
|
+
* Use when exporting logs so stack traces never leave the environment.
|
|
97
|
+
*
|
|
98
|
+
* @param messageSecretPatterns - When non-empty, applied to first line before sensitivePatterns (policy-driven). When empty, uses sanitizeLogMessage for first line.
|
|
99
|
+
*/
|
|
100
|
+
export declare function redactStackTraceForExport(text: string, sensitivePatterns?: SensitivePattern[], messageSecretPatterns?: SensitivePattern[]): string;
|
|
101
|
+
/**
|
|
102
|
+
* Sanitize a log message string for export: sensitive patterns, then policy redact patterns, then
|
|
103
|
+
* stack trace redaction. Use for the message argument in log calls (e.g. safe logger stdout path).
|
|
104
|
+
*/
|
|
105
|
+
export declare function sanitizeLogMessageForExport(message: string, redactPatterns: RegExp[], sensitivePatterns: SensitivePattern[]): string;
|
|
29
106
|
/**
|
|
30
107
|
* @deprecated Use SECRET_FIELDS instead. This export is kept for backward
|
|
31
108
|
* compatibility but now only contains secret fields, not Tier 1 content fields.
|
|
@@ -57,6 +134,17 @@ export declare function redactStackTrace(stack: string): string;
|
|
|
57
134
|
* @returns Object with secrets removed
|
|
58
135
|
*/
|
|
59
136
|
export declare function sanitizeLogObject<T>(obj: T, depth?: number): T;
|
|
137
|
+
/**
|
|
138
|
+
* Sanitize an object for export: exclude forbidden keys (omitted), redact secret keys (key kept, value [REDACTED]),
|
|
139
|
+
* and apply sensitive patterns to string values. Used by PolicyAwareLogProcessor when exporting log body objects.
|
|
140
|
+
*/
|
|
141
|
+
export declare function sanitizeLogObjectForExport(obj: unknown, forbiddenFields: Set<string>, depth?: number, sensitivePatterns?: SensitivePattern[]): unknown;
|
|
142
|
+
/**
|
|
143
|
+
* Sanitize a log record for export with both key-based and value-based redaction.
|
|
144
|
+
* Applies sensitivePatterns and redactPatterns to every string value.
|
|
145
|
+
* Use for the server stdout path (safe logger and RemoteLogger redactRecord) so exported logs match OTLP behavior.
|
|
146
|
+
*/
|
|
147
|
+
export declare function sanitizeLogRecordForExport(obj: unknown, forbiddenFields: Set<string>, redactPatterns: RegExp[], sensitivePatterns: SensitivePattern[], depth?: number): unknown;
|
|
60
148
|
/**
|
|
61
149
|
* Sanitizes secrets from an error object.
|
|
62
150
|
* Preserves full stack traces for debugging.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"log-sanitizer.d.ts","sourceRoot":"","sources":["../../src/common/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;
|
|
1
|
+
{"version":3,"file":"log-sanitizer.d.ts","sourceRoot":"","sources":["../../src/common/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH;;;;GAIG;AACH,eAAO,MAAM,uBAAuB,EAAE,gBAAgB,EAmErD,CAAC;AAMF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,aAqBxB,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,EAuBzC,CAAC;AAEF;;GAEG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAMxD;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,GAAG,CAAC,MAAM,CAAC,EAC7B,mBAAmB,EAAE,MAAM,EAAE,GAC5B,OAAO,CAST;AAMD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,eAAe,CAAC;AAEjD;;;GAGG;AACH,eAAO,MAAM,4BAA4B,aAQvC,CAAC;AAQH,yEAAyE;AACzE,eAAO,MAAM,6BAA6B,aAEzC,CAAC;AAEF,kEAAkE;AAClE,eAAO,MAAM,kCAAkC,aAG7C,CAAC;AAYH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOxD;AAED,iGAAiG;AACjG,eAAO,MAAM,gCAAgC,yCACL,CAAC;AAEzC;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAAE,EAClB,WAAW,GAAE,MAA6B,GACzC,MAAM,CAQR;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,kFAAkF;AAClF,eAAO,MAAM,wBAAwB,EAAE,gBAAgB,EAKtD,CAAC;AAEF,yFAAyF;AACzF,eAAO,MAAM,0BAA0B,EAAE,gBAAgB,EAIxD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,MAAM,EAO9C,CAAC;AAEF;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,gBAAgB,EAAE,GAC3B,MAAM,CAQR;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,iBAAiB,GAAE,gBAAgB,EAAO,EAC1C,qBAAqB,GAAE,gBAAgB,EAAO,GAC7C,MAAM,CAWR;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,EAAE,EACxB,iBAAiB,EAAE,gBAAgB,EAAE,GACpC,MAAM,CAcR;AAmCD;;;GAGG;AACH,eAAO,MAAM,0BAA0B,aAAgB,CAAC;AAMxD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAc1D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,SAAI,GAAG,CAAC,CAyCzD;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,EAC5B,KAAK,SAAI,EACT,iBAAiB,GAAE,gBAAgB,EAAO,GACzC,OAAO,CAoET;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,EAC5B,cAAc,EAAE,MAAM,EAAE,EACxB,iBAAiB,EAAE,gBAAgB,EAAE,EACrC,KAAK,SAAI,GACR,OAAO,CA2ET;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAsCxD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GACtB,MAAM,CA6DR"}
|
|
@@ -16,11 +16,20 @@
|
|
|
16
16
|
* @see https://github.com/superblocksteam/engineering/blob/main/projects/o11y-refactor/epics/epic-c4-logging-strategy.md
|
|
17
17
|
*/
|
|
18
18
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
19
|
-
exports.TIER1_FORBIDDEN_LOG_FIELDS = exports.SECRET_FIELDS = void 0;
|
|
19
|
+
exports.TIER1_FORBIDDEN_LOG_FIELDS = exports.CLOUD_PREM_REDACT_PATTERNS = exports.DEFAULT_SENSITIVE_PATTERNS = exports.SENSITIVE_PATTERNS_CLOUD = exports.STACK_TRACE_REDACTED_PLACEHOLDER = exports.EXPORT_FORBIDDEN_FIELDS_CLOUD_PREM = exports.EXPORT_FORBIDDEN_FIELDS_CLOUD = exports.BASE_EXPORT_FORBIDDEN_FIELDS = exports.REDACTED_PLACEHOLDER = exports.SECRET_FIELD_PATTERNS = exports.SECRET_FIELDS = exports.DEFAULT_SECRET_PATTERNS = void 0;
|
|
20
20
|
exports.isSecretField = isSecretField;
|
|
21
|
+
exports.isSecretFieldFromPolicy = isSecretFieldFromPolicy;
|
|
22
|
+
exports.isStackAttributeKey = isStackAttributeKey;
|
|
23
|
+
exports.containsStackTrace = containsStackTrace;
|
|
24
|
+
exports.applyRedactPatterns = applyRedactPatterns;
|
|
25
|
+
exports.redactSensitivePatterns = redactSensitivePatterns;
|
|
26
|
+
exports.redactStackTraceForExport = redactStackTraceForExport;
|
|
27
|
+
exports.sanitizeLogMessageForExport = sanitizeLogMessageForExport;
|
|
21
28
|
exports.sanitizeLogMessage = sanitizeLogMessage;
|
|
22
29
|
exports.redactStackTrace = redactStackTrace;
|
|
23
30
|
exports.sanitizeLogObject = sanitizeLogObject;
|
|
31
|
+
exports.sanitizeLogObjectForExport = sanitizeLogObjectForExport;
|
|
32
|
+
exports.sanitizeLogRecordForExport = sanitizeLogRecordForExport;
|
|
24
33
|
exports.sanitizeLogError = sanitizeLogError;
|
|
25
34
|
exports.safeJsonStringify = safeJsonStringify;
|
|
26
35
|
// ============================================================================
|
|
@@ -29,8 +38,9 @@ exports.safeJsonStringify = safeJsonStringify;
|
|
|
29
38
|
/**
|
|
30
39
|
* Patterns that indicate tokens, keys, and secrets in log messages.
|
|
31
40
|
* These use capture groups to preserve prefixes while redacting values.
|
|
41
|
+
* Exported as DEFAULT_SECRET_PATTERNS for use in LoggingPolicyConfig (e.g. cloud-prem).
|
|
32
42
|
*/
|
|
33
|
-
|
|
43
|
+
exports.DEFAULT_SECRET_PATTERNS = [
|
|
34
44
|
// Tokens and keys with prefixes
|
|
35
45
|
{
|
|
36
46
|
pattern: /(\bbearer\s+)[a-zA-Z0-9\-._~+/]+=*/gi,
|
|
@@ -124,8 +134,9 @@ exports.SECRET_FIELDS = new Set([
|
|
|
124
134
|
/**
|
|
125
135
|
* Patterns for compound field names that contain secrets.
|
|
126
136
|
* Uses word boundary matching to avoid false positives.
|
|
137
|
+
* Exported for use in LoggingPolicyConfig (e.g. cloud-prem).
|
|
127
138
|
*/
|
|
128
|
-
|
|
139
|
+
exports.SECRET_FIELD_PATTERNS = [
|
|
129
140
|
// Password patterns
|
|
130
141
|
/(?:^|[._-])password(?:[._-]|$)/i,
|
|
131
142
|
/(?:^|[._-])passwd(?:[._-]|$)/i,
|
|
@@ -148,11 +159,188 @@ const SECRET_FIELD_PATTERNS = [
|
|
|
148
159
|
* Check if a field name contains secrets using word boundary matching.
|
|
149
160
|
*/
|
|
150
161
|
function isSecretField(fieldName) {
|
|
162
|
+
return isSecretFieldFromPolicy(fieldName, exports.SECRET_FIELDS, exports.SECRET_FIELD_PATTERNS);
|
|
163
|
+
}
|
|
164
|
+
/**
|
|
165
|
+
* Policy-driven secret field check. When names and patterns are empty, returns false.
|
|
166
|
+
* Used by PolicyAwareLogProcessor so cloud can pass empty set/array for no redaction.
|
|
167
|
+
*/
|
|
168
|
+
function isSecretFieldFromPolicy(fieldName, secretFieldNames, secretFieldPatterns) {
|
|
169
|
+
if (secretFieldNames.size === 0 && secretFieldPatterns.length === 0) {
|
|
170
|
+
return false;
|
|
171
|
+
}
|
|
151
172
|
const lowerKey = fieldName.toLowerCase();
|
|
152
|
-
if (
|
|
173
|
+
if (secretFieldNames.has(lowerKey)) {
|
|
174
|
+
return true;
|
|
175
|
+
}
|
|
176
|
+
return secretFieldPatterns.some((pattern) => pattern.test(lowerKey));
|
|
177
|
+
}
|
|
178
|
+
// ============================================================================
|
|
179
|
+
// Export-forbidden fields (Tier 1 content - must not appear in exported logs)
|
|
180
|
+
// ============================================================================
|
|
181
|
+
/**
|
|
182
|
+
* Placeholder string used when redacting forbidden or secret fields in logs.
|
|
183
|
+
* Use this constant so all packages (server, telemetry) share one value.
|
|
184
|
+
*/
|
|
185
|
+
exports.REDACTED_PLACEHOLDER = "[REDACTED]";
|
|
186
|
+
/**
|
|
187
|
+
* Field names that must never be included in exported logs (stack, prompt, code, etc.).
|
|
188
|
+
* Used as the base for both cloud and cloud-prem.
|
|
189
|
+
*/
|
|
190
|
+
exports.BASE_EXPORT_FORBIDDEN_FIELDS = new Set([
|
|
191
|
+
"code",
|
|
192
|
+
"error.stack",
|
|
193
|
+
"exception.stacktrace",
|
|
194
|
+
"filecontent",
|
|
195
|
+
"filepath",
|
|
196
|
+
"prompt",
|
|
197
|
+
"stack",
|
|
198
|
+
]);
|
|
199
|
+
/** Email-related keys forbidden in cloud-prem export only (allowed in cloud). */
|
|
200
|
+
const EXPORT_FORBIDDEN_EMAIL_KEYS = new Set([
|
|
201
|
+
"user.email",
|
|
202
|
+
"user-email", // server req.logTags key (OBS_TAG_USER_EMAIL) for child logger bindings
|
|
203
|
+
]);
|
|
204
|
+
/** Export-forbidden fields for cloud (base only; email keys allowed). */
|
|
205
|
+
exports.EXPORT_FORBIDDEN_FIELDS_CLOUD = new Set(exports.BASE_EXPORT_FORBIDDEN_FIELDS);
|
|
206
|
+
/** Export-forbidden fields for cloud-prem (base + email keys). */
|
|
207
|
+
exports.EXPORT_FORBIDDEN_FIELDS_CLOUD_PREM = new Set([
|
|
208
|
+
...exports.BASE_EXPORT_FORBIDDEN_FIELDS,
|
|
209
|
+
...EXPORT_FORBIDDEN_EMAIL_KEYS,
|
|
210
|
+
]);
|
|
211
|
+
/**
|
|
212
|
+
* Attribute keys that conventionally hold stack traces (epic C4). Value-based
|
|
213
|
+
* sanitization (containsStackTrace) redacts stack content in any key.
|
|
214
|
+
*/
|
|
215
|
+
const STACK_ATTRIBUTE_KEYS = new Set([
|
|
216
|
+
"error.stack",
|
|
217
|
+
"exception.stacktrace",
|
|
218
|
+
"stack",
|
|
219
|
+
]);
|
|
220
|
+
function isStackAttributeKey(key) {
|
|
221
|
+
return STACK_ATTRIBUTE_KEYS.has(key.toLowerCase());
|
|
222
|
+
}
|
|
223
|
+
/**
|
|
224
|
+
* Check if a string contains a stack trace (for export redaction).
|
|
225
|
+
*/
|
|
226
|
+
function containsStackTrace(text) {
|
|
227
|
+
if (!text || typeof text !== "string")
|
|
228
|
+
return false;
|
|
229
|
+
if (/at .+\(.+:\d+:\d+\)/.test(text))
|
|
230
|
+
return true;
|
|
231
|
+
if (/goroutine \d+ \[.+\]:/.test(text))
|
|
153
232
|
return true;
|
|
233
|
+
if (/File ".+", line \d+/.test(text))
|
|
234
|
+
return true;
|
|
235
|
+
if (/at \w+\.\w+\(.+\.java:\d+\)/.test(text))
|
|
236
|
+
return true;
|
|
237
|
+
return false;
|
|
238
|
+
}
|
|
239
|
+
/** Placeholder for stack trace redaction in exported logs. Exported for use in log-processor. */
|
|
240
|
+
exports.STACK_TRACE_REDACTED_PLACEHOLDER = "[STACK TRACE REDACTED - Tier 1 only]";
|
|
241
|
+
/**
|
|
242
|
+
* Apply redact patterns to a string with a single replacement (resets lastIndex on each pattern).
|
|
243
|
+
*/
|
|
244
|
+
function applyRedactPatterns(str, patterns, replacement = exports.REDACTED_PLACEHOLDER) {
|
|
245
|
+
if (!str || typeof str !== "string")
|
|
246
|
+
return str;
|
|
247
|
+
let out = str;
|
|
248
|
+
for (const pattern of patterns) {
|
|
249
|
+
pattern.lastIndex = 0;
|
|
250
|
+
out = out.replace(pattern, replacement);
|
|
251
|
+
}
|
|
252
|
+
return out;
|
|
253
|
+
}
|
|
254
|
+
/** Sensitive patterns for cloud: path only (emails are not redacted in cloud). */
|
|
255
|
+
exports.SENSITIVE_PATTERNS_CLOUD = [
|
|
256
|
+
{
|
|
257
|
+
pattern: /\/[\w\-./]+\.(ts|js|go|py|java|sql)/gi,
|
|
258
|
+
replacement: "[PATH REDACTED]",
|
|
259
|
+
},
|
|
260
|
+
];
|
|
261
|
+
/** Default sensitive patterns (path, email) for cloud-prem and when export is strict. */
|
|
262
|
+
exports.DEFAULT_SENSITIVE_PATTERNS = [
|
|
263
|
+
...exports.SENSITIVE_PATTERNS_CLOUD,
|
|
264
|
+
// Match email-like strings with or without TLD (e.g. user@domain.com and fake_user@fake_email)
|
|
265
|
+
{ pattern: /[\w.+-]+@[\w.-]+(\.\w+)?/g, replacement: "[EMAIL REDACTED]" },
|
|
266
|
+
];
|
|
267
|
+
/**
|
|
268
|
+
* Regex patterns for cloud-prem log export: matched content is replaced with [REDACTED].
|
|
269
|
+
* Used as redactPatterns in LoggingPolicyConfig when deploymentType is CLOUD_PREM.
|
|
270
|
+
*/
|
|
271
|
+
exports.CLOUD_PREM_REDACT_PATTERNS = [
|
|
272
|
+
// JWT pattern (base64.base64.base64) - standalone tokens
|
|
273
|
+
/\b[A-Za-z0-9-_]{20,}\.[A-Za-z0-9-_]{20,}\.[A-Za-z0-9-_]{20,}\b/g,
|
|
274
|
+
// Bearer tokens
|
|
275
|
+
/\bbearer\s+[a-zA-Z0-9\-._~+/]+=*/gi,
|
|
276
|
+
// API keys
|
|
277
|
+
/\bapi[_\s]?key[:\s=]+[a-zA-Z0-9\-._~+/]+=*/gi,
|
|
278
|
+
];
|
|
279
|
+
/**
|
|
280
|
+
* Apply sensitive patterns (pattern + replacement) to text.
|
|
281
|
+
* Used with policy.sensitivePatterns whenever redacting values for export.
|
|
282
|
+
*/
|
|
283
|
+
function redactSensitivePatterns(text, patterns) {
|
|
284
|
+
if (!text || typeof text !== "string")
|
|
285
|
+
return text;
|
|
286
|
+
let out = text;
|
|
287
|
+
for (const { pattern, replacement } of patterns) {
|
|
288
|
+
pattern.lastIndex = 0;
|
|
289
|
+
out = out.replace(pattern, replacement);
|
|
290
|
+
}
|
|
291
|
+
return out;
|
|
292
|
+
}
|
|
293
|
+
/**
|
|
294
|
+
* Redact stack trace for export: keep first line (error message) after sanitizing
|
|
295
|
+
* it with sensitive patterns, replace the rest with a placeholder.
|
|
296
|
+
* Use when exporting logs so stack traces never leave the environment.
|
|
297
|
+
*
|
|
298
|
+
* @param messageSecretPatterns - When non-empty, applied to first line before sensitivePatterns (policy-driven). When empty, uses sanitizeLogMessage for first line.
|
|
299
|
+
*/
|
|
300
|
+
function redactStackTraceForExport(text, sensitivePatterns = [], messageSecretPatterns = []) {
|
|
301
|
+
if (!text || typeof text !== "string")
|
|
302
|
+
return text;
|
|
303
|
+
if (!containsStackTrace(text))
|
|
304
|
+
return text;
|
|
305
|
+
const lines = text.split("\n");
|
|
306
|
+
if (lines.length <= 1)
|
|
307
|
+
return text;
|
|
308
|
+
const firstLineRaw = messageSecretPatterns.length > 0
|
|
309
|
+
? redactSensitivePatterns(lines[0], messageSecretPatterns)
|
|
310
|
+
: sanitizeLogMessage(lines[0]);
|
|
311
|
+
const firstLine = redactSensitivePatterns(firstLineRaw, sensitivePatterns);
|
|
312
|
+
return firstLine + "\n" + exports.STACK_TRACE_REDACTED_PLACEHOLDER;
|
|
313
|
+
}
|
|
314
|
+
/**
|
|
315
|
+
* Sanitize a log message string for export: sensitive patterns, then policy redact patterns, then
|
|
316
|
+
* stack trace redaction. Use for the message argument in log calls (e.g. safe logger stdout path).
|
|
317
|
+
*/
|
|
318
|
+
function sanitizeLogMessageForExport(message, redactPatterns, sensitivePatterns) {
|
|
319
|
+
if (!message || typeof message !== "string")
|
|
320
|
+
return message;
|
|
321
|
+
let out = redactSensitivePatterns(sanitizeLogMessage(message), sensitivePatterns);
|
|
322
|
+
out = applyRedactPatterns(out, redactPatterns);
|
|
323
|
+
if (containsStackTrace(out)) {
|
|
324
|
+
return redactStackTraceForExport(sanitizeLogMessage(out), sensitivePatterns);
|
|
154
325
|
}
|
|
155
|
-
return
|
|
326
|
+
return out;
|
|
327
|
+
}
|
|
328
|
+
/**
|
|
329
|
+
* Apply value-based sanitization to a string (sensitive patterns, policy redact patterns, then stack).
|
|
330
|
+
* Used by sanitizeLogRecordForExport for string values.
|
|
331
|
+
*/
|
|
332
|
+
function sanitizeStringValueForExport(value, key, redactPatterns, sensitivePatterns) {
|
|
333
|
+
let out = redactSensitivePatterns(sanitizeLogMessage(value), sensitivePatterns);
|
|
334
|
+
out = applyRedactPatterns(out, redactPatterns);
|
|
335
|
+
if (isStackAttributeKey(key)) {
|
|
336
|
+
return containsStackTrace(out)
|
|
337
|
+
? redactStackTraceForExport(sanitizeLogMessage(out), sensitivePatterns)
|
|
338
|
+
: exports.STACK_TRACE_REDACTED_PLACEHOLDER;
|
|
339
|
+
}
|
|
340
|
+
if (containsStackTrace(out)) {
|
|
341
|
+
return redactStackTraceForExport(sanitizeLogMessage(out), sensitivePatterns);
|
|
342
|
+
}
|
|
343
|
+
return out;
|
|
156
344
|
}
|
|
157
345
|
// ============================================================================
|
|
158
346
|
// Legacy exports for backward compatibility
|
|
@@ -178,7 +366,7 @@ function sanitizeLogMessage(message) {
|
|
|
178
366
|
}
|
|
179
367
|
let sanitized = message;
|
|
180
368
|
// Only apply secret patterns - preserve debugging info
|
|
181
|
-
for (const { pattern, replacement } of
|
|
369
|
+
for (const { pattern, replacement } of exports.DEFAULT_SECRET_PATTERNS) {
|
|
182
370
|
pattern.lastIndex = 0; // Reset regex state for global patterns
|
|
183
371
|
sanitized = sanitized.replace(pattern, replacement);
|
|
184
372
|
}
|
|
@@ -238,6 +426,116 @@ function sanitizeLogObject(obj, depth = 0) {
|
|
|
238
426
|
}
|
|
239
427
|
return sanitized;
|
|
240
428
|
}
|
|
429
|
+
/**
|
|
430
|
+
* Sanitize an object for export: exclude forbidden keys (omitted), redact secret keys (key kept, value [REDACTED]),
|
|
431
|
+
* and apply sensitive patterns to string values. Used by PolicyAwareLogProcessor when exporting log body objects.
|
|
432
|
+
*/
|
|
433
|
+
function sanitizeLogObjectForExport(obj, forbiddenFields, depth = 0, sensitivePatterns = []) {
|
|
434
|
+
if (depth > 10) {
|
|
435
|
+
return "[MAX_DEPTH_REACHED]";
|
|
436
|
+
}
|
|
437
|
+
if (obj === null || obj === undefined) {
|
|
438
|
+
return obj;
|
|
439
|
+
}
|
|
440
|
+
if (typeof obj === "string") {
|
|
441
|
+
return redactSensitivePatterns(sanitizeLogMessage(obj), sensitivePatterns);
|
|
442
|
+
}
|
|
443
|
+
if (typeof obj === "number" || typeof obj === "boolean") {
|
|
444
|
+
return obj;
|
|
445
|
+
}
|
|
446
|
+
if (typeof obj !== "object") {
|
|
447
|
+
return obj;
|
|
448
|
+
}
|
|
449
|
+
if (Array.isArray(obj)) {
|
|
450
|
+
return obj.map((item) => sanitizeLogObjectForExport(item, forbiddenFields, depth + 1, sensitivePatterns));
|
|
451
|
+
}
|
|
452
|
+
const result = {};
|
|
453
|
+
for (const [key, value] of Object.entries(obj)) {
|
|
454
|
+
const lowerKey = key.toLowerCase();
|
|
455
|
+
// Secret fields: keep key, redact value (consistent with sanitizeAttributes)
|
|
456
|
+
if (isSecretField(key)) {
|
|
457
|
+
result[key] = exports.REDACTED_PLACEHOLDER;
|
|
458
|
+
continue;
|
|
459
|
+
}
|
|
460
|
+
// Forbidden fields (e.g. prompt, code, stack): exclude from export (omit key and value).
|
|
461
|
+
if (forbiddenFields.has(lowerKey)) {
|
|
462
|
+
continue;
|
|
463
|
+
}
|
|
464
|
+
// String values: redact stack traces by key or content, then sensitive patterns
|
|
465
|
+
if (typeof value === "string") {
|
|
466
|
+
if (isStackAttributeKey(key)) {
|
|
467
|
+
result[key] = containsStackTrace(value)
|
|
468
|
+
? redactStackTraceForExport(sanitizeLogMessage(value), sensitivePatterns)
|
|
469
|
+
: exports.STACK_TRACE_REDACTED_PLACEHOLDER;
|
|
470
|
+
}
|
|
471
|
+
else if (containsStackTrace(value)) {
|
|
472
|
+
result[key] = redactStackTraceForExport(sanitizeLogMessage(value), sensitivePatterns);
|
|
473
|
+
}
|
|
474
|
+
else {
|
|
475
|
+
result[key] = redactSensitivePatterns(sanitizeLogMessage(value), sensitivePatterns);
|
|
476
|
+
}
|
|
477
|
+
continue;
|
|
478
|
+
}
|
|
479
|
+
result[key] = sanitizeLogObjectForExport(value, forbiddenFields, depth + 1, sensitivePatterns);
|
|
480
|
+
}
|
|
481
|
+
return result;
|
|
482
|
+
}
|
|
483
|
+
/**
|
|
484
|
+
* Sanitize a log record for export with both key-based and value-based redaction.
|
|
485
|
+
* Applies sensitivePatterns and redactPatterns to every string value.
|
|
486
|
+
* Use for the server stdout path (safe logger and RemoteLogger redactRecord) so exported logs match OTLP behavior.
|
|
487
|
+
*/
|
|
488
|
+
function sanitizeLogRecordForExport(obj, forbiddenFields, redactPatterns, sensitivePatterns, depth = 0) {
|
|
489
|
+
if (depth > 10) {
|
|
490
|
+
return "[MAX_DEPTH_REACHED]";
|
|
491
|
+
}
|
|
492
|
+
if (obj === null || obj === undefined) {
|
|
493
|
+
return obj;
|
|
494
|
+
}
|
|
495
|
+
if (typeof obj === "string") {
|
|
496
|
+
return sanitizeLogMessageForExport(obj, redactPatterns, sensitivePatterns);
|
|
497
|
+
}
|
|
498
|
+
if (typeof obj === "number" || typeof obj === "boolean") {
|
|
499
|
+
return obj;
|
|
500
|
+
}
|
|
501
|
+
if (typeof obj !== "object") {
|
|
502
|
+
return obj;
|
|
503
|
+
}
|
|
504
|
+
// Error instances have non-enumerable message/name/stack; convert so we can redact them.
|
|
505
|
+
if (obj instanceof Error) {
|
|
506
|
+
const plain = {
|
|
507
|
+
message: obj.message,
|
|
508
|
+
name: obj.name,
|
|
509
|
+
stack: obj.stack,
|
|
510
|
+
};
|
|
511
|
+
for (const key of Object.keys(obj)) {
|
|
512
|
+
if (!Object.prototype.hasOwnProperty.call(plain, key)) {
|
|
513
|
+
plain[key] = obj[key];
|
|
514
|
+
}
|
|
515
|
+
}
|
|
516
|
+
return sanitizeLogRecordForExport(plain, forbiddenFields, redactPatterns, sensitivePatterns, depth);
|
|
517
|
+
}
|
|
518
|
+
if (Array.isArray(obj)) {
|
|
519
|
+
return obj.map((item) => sanitizeLogRecordForExport(item, forbiddenFields, redactPatterns, sensitivePatterns, depth + 1));
|
|
520
|
+
}
|
|
521
|
+
const result = {};
|
|
522
|
+
for (const [key, value] of Object.entries(obj)) {
|
|
523
|
+
const lowerKey = key.toLowerCase();
|
|
524
|
+
if (isSecretField(key)) {
|
|
525
|
+
result[key] = exports.REDACTED_PLACEHOLDER;
|
|
526
|
+
continue;
|
|
527
|
+
}
|
|
528
|
+
if (forbiddenFields.has(lowerKey)) {
|
|
529
|
+
continue;
|
|
530
|
+
}
|
|
531
|
+
if (typeof value === "string") {
|
|
532
|
+
result[key] = sanitizeStringValueForExport(value, key, redactPatterns, sensitivePatterns);
|
|
533
|
+
continue;
|
|
534
|
+
}
|
|
535
|
+
result[key] = sanitizeLogRecordForExport(value, forbiddenFields, redactPatterns, sensitivePatterns, depth + 1);
|
|
536
|
+
}
|
|
537
|
+
return result;
|
|
538
|
+
}
|
|
241
539
|
/**
|
|
242
540
|
* Sanitizes secrets from an error object.
|
|
243
541
|
* Preserves full stack traces for debugging.
|