@systima/aiact-audit-log 0.1.0

package/dist/ai-sdk/middleware/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/ai-sdk/middleware/index.ts","../../../src/context.ts","../../../src/utils/uuid.ts"],"sourcesContent":["/**\n * AI SDK middleware — automatic capture for Vercel AI SDK models.\n *\n * Wraps a LanguageModelV1 and automatically logs every inference call.\n * This is the primary mechanism for satisfying Article 12(1)'s\n * \"automatic recording\" requirement for inference events.\n *\n * Usage:\n *   const model = auditMiddleware(anthropic('claude-sonnet-4-5-20250929'), { logger })\n *   const result = await generateText({ model, prompt })\n *   // ^ Inference is automatically logged\n */\n\nimport {\n  wrapLanguageModel,\n  type LanguageModelV1,\n  type LanguageModelV1Middleware,\n} from 'ai'\nimport type { AuditLogger } from '../../logger.js'\nimport { getAuditContext } from '../../context.js'\nimport { generateUUIDv7 } from '../../utils/uuid.js'\n\nexport interface AuditMiddlewareOptions {\n  logger: AuditLogger\n  captureInputs?: boolean\n  captureOutputs?: boolean\n  captureToolCalls?: boolean\n  captureParameters?: boolean\n}\n\nexport function auditMiddleware(\n  model: LanguageModelV1,\n  options: AuditMiddlewareOptions,\n): LanguageModelV1 {\n  const {\n    logger,\n    captureInputs = true,\n    captureOutputs = true,\n  } = options\n\n  const middleware: LanguageModelV1Middleware = {\n    middlewareVersion: 'v1',\n\n    wrapGenerate: async ({ doGenerate, params }) => {\n      const startTime = Date.now()\n      const context = getAuditContext()\n      const decisionId = context?.decisionId ?? generateUUIDv7()\n\n      try {\n        const result = await doGenerate()\n        const latencyMs = Date.now() - startTime\n\n        const responseModelId = extractModelId(result)\n        const text = extractText(result)\n        const usage = extractUsage(result)\n        const finishReason = extractFinishReason(result)\n\n        await logger.log({\n          decisionId,\n          eventType: 'inference',\n          modelId: responseModelId ?? model.modelId ?? null,\n          providerId: responseModelId?.split('/')[0] ?? model.provider ?? null,\n          input: captureInputs\n            ? { value: serialisePrompt(params.prompt) }\n            : { value: '', type: 'hash' },\n          output: captureOutputs\n            ? { value: text, finishReason }\n            : text\n              ? { value: '', type: 'hash', finishReason }\n              : null,\n          latencyMs,\n          usage,\n          parameters: options.captureParameters !== false\n            ? extractParams(params)\n            : null,\n          error: null,\n          captureMethod: 'middleware',\n          metadata: context?.metadata,\n        })\n\n        if (options.captureToolCalls !== false) {\n          const toolCalls = extractToolCalls(result)\n          for (const tc of toolCalls) {\n            await logger.log({\n              decisionId,\n              eventType: 'tool_call',\n              modelId: responseModelId ?? model.modelId ?? null,\n              providerId: null,\n              input: { value: JSON.stringify(tc.args) },\n              output: null,\n              latencyMs: null,\n              usage: null,\n              parameters: null,\n              error: null,\n              toolCall: {\n                toolName: tc.toolName,\n                toolArgs: tc.args,\n              },\n              captureMethod: 'middleware',\n              metadata: context?.metadata,\n            })\n          }\n        }\n\n        return result\n      } catch (error) {\n        const latencyMs = Date.now() - startTime\n\n        await logger.log({\n          decisionId,\n          eventType: 'inference',\n          modelId: model.modelId ?? null,\n          providerId: model.provider ?? null,\n          input: captureInputs\n            ? { value: serialisePrompt(params.prompt) }\n            : { value: '', type: 'hash' },\n          output: null,\n          latencyMs,\n          usage: null,\n          parameters: options.captureParameters !== false\n            ? extractParams(params)\n            : null,\n          error: {\n            code: (error as Error).name ?? 'UNKNOWN',\n            message: (error as Error).message ?? String(error),\n          },\n          captureMethod: 'middleware',\n          metadata: context?.metadata,\n        })\n\n        throw error\n      }\n    },\n\n    wrapStream: async ({ doStream, params }) => {\n      const startTime = Date.now()\n      const context = getAuditContext()\n      const decisionId = context?.decisionId ?? generateUUIDv7()\n\n      try {\n        const result = await doStream()\n        const { stream, ...rest } = result\n\n        const chunks: string[] = []\n        let streamUsage: { promptTokens: number; completionTokens: number; totalTokens: number } | null = null\n        let streamFinishReason: string | undefined\n        let streamModelId: string | null = null\n\n        const loggingStream = stream.pipeThrough(\n          new TransformStream({\n            transform(chunk, controller) {\n              if (chunk.type === 'text-delta') {\n                chunks.push(chunk.textDelta)\n              }\n              if (chunk.type === 'finish') {\n                const finishChunk = chunk as Record<string, unknown>\n                streamUsage = finishChunk.usage as typeof streamUsage ?? null\n                streamFinishReason = finishChunk.finishReason as string | undefined\n                const response = finishChunk.response as Record<string, unknown> | undefined\n                streamModelId = response?.modelId as string ?? null\n              }\n              controller.enqueue(chunk)\n            },\n            async flush() {\n              const latencyMs = Date.now() - startTime\n              const fullText = chunks.join('')\n\n              await logger.log({\n                decisionId,\n                eventType: 'inference',\n                modelId: streamModelId ?? model.modelId ?? null,\n                providerId: streamModelId?.split('/')[0] ?? model.provider ?? null,\n                input: captureInputs\n                  ? { value: serialisePrompt(params.prompt) }\n                  : { value: '', type: 'hash' },\n                output: captureOutputs\n                  ? { value: fullText, finishReason: streamFinishReason }\n                  : fullText\n                    ? { value: '', type: 'hash', finishReason: streamFinishReason }\n                    : null,\n                latencyMs,\n                usage: streamUsage,\n                parameters: options.captureParameters !== false\n                  ? extractParams(params)\n                  : null,\n                error: null,\n                captureMethod: 'middleware',\n                metadata: context?.metadata,\n              })\n            },\n          }),\n        )\n\n        return { stream: loggingStream, ...rest }\n      } catch (error) {\n        const latencyMs = Date.now() - startTime\n\n        await logger.log({\n          decisionId,\n          eventType: 'inference',\n          modelId: model.modelId ?? null,\n          providerId: model.provider ?? null,\n          input: captureInputs\n            ? { value: serialisePrompt(params.prompt) }\n            : { value: '', type: 'hash' },\n          output: null,\n          latencyMs,\n          usage: null,\n          parameters: options.captureParameters !== false\n            ? extractParams(params)\n            : null,\n          error: {\n            code: (error as Error).name ?? 'UNKNOWN',\n            message: (error as Error).message ?? String(error),\n          },\n          captureMethod: 'middleware',\n          metadata: context?.metadata,\n        })\n\n        throw error\n      }\n    },\n  }\n\n  return wrapLanguageModel({ model, middleware })\n}\n\n// ── Extraction helpers ──────────────────────────────────────\n\nfunction serialisePrompt(prompt: unknown): string {\n  if (typeof prompt === 'string') return prompt\n  try {\n    return JSON.stringify(prompt)\n  } catch {\n    return String(prompt)\n  }\n}\n\nfunction extractModelId(result: Record<string, unknown>): string | null {\n  const response = result.response as Record<string, unknown> | undefined\n  return (response?.modelId as string) ?? null\n}\n\nfunction extractText(result: Record<string, unknown>): string {\n  return (result.text as string) ?? ''\n}\n\nfunction extractFinishReason(result: Record<string, unknown>): string | undefined {\n  return result.finishReason as string | undefined\n}\n\nfunction extractUsage(result: Record<string, unknown>): {\n  promptTokens: number\n  completionTokens: number\n  totalTokens: number\n} | null {\n  const usage = result.usage as Record<string, unknown> | undefined\n  if (!usage) return null\n  return {\n    promptTokens: (usage.promptTokens as number) ?? 0,\n    completionTokens: (usage.completionTokens as number) ?? 0,\n    totalTokens: (usage.totalTokens as number) ?? 0,\n  }\n}\n\nfunction extractToolCalls(result: Record<string, unknown>): Array<{\n  toolName: string\n  args: Record<string, unknown>\n}> {\n  const toolCalls = result.toolCalls as Array<Record<string, unknown>> | undefined\n  if (!toolCalls || !Array.isArray(toolCalls)) return []\n\n  return toolCalls.map((tc) => ({\n    toolName: (tc.toolName as string) ?? 'unknown',\n    args: (tc.args as Record<string, unknown>) ?? {},\n  }))\n}\n\nfunction extractParams(params: Record<string, unknown>): Record<string, unknown> {\n  const extracted: Record<string, unknown> = {}\n  if (params.temperature !== undefined) extracted['temperature'] = params.temperature\n  if (params.maxTokens !== undefined) extracted['maxTokens'] = params.maxTokens\n  if (params.topP !== undefined) extracted['topP'] = params.topP\n  if (params.topK !== undefined) extracted['topK'] = params.topK\n  if (params.frequencyPenalty !== undefined) extracted['frequencyPenalty'] = params.frequencyPenalty\n  if (params.presencePenalty !== undefined) extracted['presencePenalty'] = params.presencePenalty\n  if (params.seed !== undefined) extracted['seed'] = params.seed\n  return Object.keys(extracted).length > 0 ? extracted : {}\n}\n","/**\n * AsyncLocalStorage-based context propagation for audit logging.\n *\n * Allows decision IDs and metadata to flow through async call chains\n * without manual threading. This reduces the integration burden that\n * leads to coverage gaps.\n */\n\nimport { AsyncLocalStorage } from 'node:async_hooks'\n\nexport interface AuditContext {\n  decisionId: string\n  parentDecisionId?: string\n  metadata?: Record<string, string | number | boolean>\n}\n\nconst auditStorage = new AsyncLocalStorage<AuditContext>()\n\nexport function withAuditContext<T>(\n  context: AuditContext,\n  callback: () => T | Promise<T>,\n): T | Promise<T> {\n  return auditStorage.run(context, callback)\n}\n\nexport function getAuditContext(): AuditContext | undefined {\n  return auditStorage.getStore()\n}\n\nexport class MissingDecisionIdError extends Error {\n  constructor() {\n    super(\n      'decisionId is required. Either provide it explicitly in the log entry, ' +\n      'or wrap the call in withAuditContext({ decisionId: \"...\" }, callback).',\n    )\n    this.name = 'MissingDecisionIdError'\n  }\n}\n","import { randomBytes } from 'node:crypto'\n\n/**\n * Generate a UUIDv7 (time-ordered, RFC 9562).\n *\n * UUIDv7 embeds a Unix timestamp in the most significant 48 bits,\n * making IDs naturally time-ordered and sortable without parsing\n * timestamps. The remaining bits are random for uniqueness.\n *\n * Format: tttttttt-tttt-7rrr-Rrrr-rrrrrrrrrrrr\n *   t = timestamp bits (48-bit ms since epoch)\n *   7 = version nibble\n *   R = variant bits (10xx)\n *   r = random bits\n */\nexport function generateUUIDv7(): string {\n  const now = Date.now()\n  const bytes = new Uint8Array(16)\n\n  const randomPart = randomBytes(10)\n  bytes.set(randomPart, 6)\n\n  bytes[0] = (now / 2 ** 40) & 0xff\n  bytes[1] = (now / 2 ** 32) & 0xff\n  bytes[2] = (now / 2 ** 24) & 0xff\n  bytes[3] = (now / 2 ** 16) & 0xff\n  bytes[4] = (now / 2 ** 8) & 0xff\n  bytes[5] = now & 0xff\n\n  bytes[6] = (bytes[6] & 0x0f) | 0x70\n  bytes[8] = (bytes[8] & 0x3f) | 0x80\n\n  return formatUUID(bytes)\n}\n\nfunction formatUUID(bytes: Uint8Array): string {\n  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')\n  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`\n}\n\nconst UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/\n\nexport function isValidUUIDv7(id: string): boolean {\n  return UUID_PATTERN.test(id)\n}\n\nexport function extractTimestampFromUUIDv7(id: string): number {\n  const hex = id.replace(/-/g, '').slice(0, 12)\n  return parseInt(hex, 16)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAaA,gBAIO;;;ACTP,8BAAkC;AAQlC,IAAM,eAAe,IAAI,0CAAgC;AASlD,SAAS,kBAA4C;AAC1D,SAAO,aAAa,SAAS;AAC/B;;;AC3BA,yBAA4B;AAerB,SAAS,iBAAyB;AACvC,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,QAAQ,IAAI,WAAW,EAAE;AAE/B,QAAM,iBAAa,gCAAY,EAAE;AACjC,QAAM,IAAI,YAAY,CAAC;AAEvB,QAAM,CAAC,IAAK,MAAM,KAAK,KAAM;AAC7B,QAAM,CAAC,IAAK,MAAM,KAAK,KAAM;AAC7B,QAAM,CAAC,IAAK,MAAM,KAAK,KAAM;AAC7B,QAAM,CAAC,IAAK,MAAM,KAAK,KAAM;AAC7B,QAAM,CAAC,IAAK,MAAM,KAAK,IAAK;AAC5B,QAAM,CAAC,IAAI,MAAM;AAEjB,QAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAC/B,QAAM,CAAC,IAAK,MAAM,CAAC,IAAI,KAAQ;AAE/B,SAAO,WAAW,KAAK;AACzB;AAEA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AAC7E,SAAO,GAAG,IAAI,MAAM,GAAG,CAAC,CAAC,IAAI,IAAI,MAAM,GAAG,EAAE,CAAC,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC;AAC9G;;;AFRO,SAAS,gBACd,OACA,SACiB;AACjB,QAAM;AAAA,IACJ;AAAA,IACA,gBAAgB;AAAA,IAChB,iBAAiB;AAAA,EACnB,IAAI;AAEJ,QAAM,aAAwC;AAAA,IAC5C,mBAAmB;AAAA,IAEnB,cAAc,OAAO,EAAE,YAAY,OAAO,MAAM;AAC9C,YAAM,YAAY,KAAK,IAAI;AAC3B,YAAM,UAAU,gBAAgB;AAChC,YAAM,aAAa,SAAS,cAAc,eAAe;AAEzD,UAAI;AACF,cAAM,SAAS,MAAM,WAAW;AAChC,cAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,cAAM,kBAAkB,eAAe,MAAM;AAC7C,cAAM,OAAO,YAAY,MAAM;AAC/B,cAAM,QAAQ,aAAa,MAAM;AACjC,cAAM,eAAe,oBAAoB,MAAM;AAE/C,cAAM,OAAO,IAAI;AAAA,UACf;AAAA,UACA,WAAW;AAAA,UACX,SAAS,mBAAmB,MAAM,WAAW;AAAA,UAC7C,YAAY,iBAAiB,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM,YAAY;AAAA,UAChE,OAAO,gBACH,EAAE,OAAO,gBAAgB,OAAO,MAAM,EAAE,IACxC,EAAE,OAAO,IAAI,MAAM,OAAO;AAAA,UAC9B,QAAQ,iBACJ,EAAE,OAAO,MAAM,aAAa,IAC5B,OACE,EAAE,OAAO,IAAI,MAAM,QAAQ,aAAa,IACxC;AAAA,UACN;AAAA,UACA;AAAA,UACA,YAAY,QAAQ,sBAAsB,QACtC,cAAc,MAAM,IACpB;AAAA,UACJ,OAAO;AAAA,UACP,eAAe;AAAA,UACf,UAAU,SAAS;AAAA,QACrB,CAAC;AAED,YAAI,QAAQ,qBAAqB,OAAO;AACtC,gBAAM,YAAY,iBAAiB,MAAM;AACzC,qBAAW,MAAM,WAAW;AAC1B,kBAAM,OAAO,IAAI;AAAA,cACf;AAAA,cACA,WAAW;AAAA,cACX,SAAS,mBAAmB,MAAM,WAAW;AAAA,cAC7C,YAAY;AAAA,cACZ,OAAO,EAAE,OAAO,KAAK,UAAU,GAAG,IAAI,EAAE;AAAA,cACxC,QAAQ;AAAA,cACR,WAAW;AAAA,cACX,OAAO;AAAA,cACP,YAAY;AAAA,cACZ,OAAO;AAAA,cACP,UAAU;AAAA,gBACR,UAAU,GAAG;AAAA,gBACb,UAAU,GAAG;AAAA,cACf;AAAA,cACA,eAAe;AAAA,cACf,UAAU,SAAS;AAAA,YACrB,CAAC;AAAA,UACH;AAAA,QACF;AAEA,eAAO;AAAA,MACT,SAAS,OAAO;AACd,cAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,cAAM,OAAO,IAAI;AAAA,UACf;AAAA,UACA,WAAW;AAAA,UACX,SAAS,MAAM,WAAW;AAAA,UAC1B,YAAY,MAAM,YAAY;AAAA,UAC9B,OAAO,gBACH,EAAE,OAAO,gBAAgB,OAAO,MAAM,EAAE,IACxC,EAAE,OAAO,IAAI,MAAM,OAAO;AAAA,UAC9B,QAAQ;AAAA,UACR;AAAA,UACA,OAAO;AAAA,UACP,YAAY,QAAQ,sBAAsB,QACtC,cAAc,MAAM,IACpB;AAAA,UACJ,OAAO;AAAA,YACL,MAAO,MAAgB,QAAQ;AAAA,YAC/B,SAAU,MAAgB,WAAW,OAAO,KAAK;AAAA,UACnD;AAAA,UACA,eAAe;AAAA,UACf,UAAU,SAAS;AAAA,QACrB,CAAC;AAED,cAAM;AAAA,MACR;AAAA,IACF;AAAA,IAEA,YAAY,OAAO,EAAE,UAAU,OAAO,MAAM;AAC1C,YAAM,YAAY,KAAK,IAAI;AAC3B,YAAM,UAAU,gBAAgB;AAChC,YAAM,aAAa,SAAS,cAAc,eAAe;AAEzD,UAAI;AACF,cAAM,SAAS,MAAM,SAAS;AAC9B,cAAM,EAAE,QAAQ,GAAG,KAAK,IAAI;AAE5B,cAAM,SAAmB,CAAC;AAC1B,YAAI,cAA8F;AAClG,YAAI;AACJ,YAAI,gBAA+B;AAEnC,cAAM,gBAAgB,OAAO;AAAA,UAC3B,IAAI,gBAAgB;AAAA,YAClB,UAAU,OAAO,YAAY;AAC3B,kBAAI,MAAM,SAAS,cAAc;AAC/B,uBAAO,KAAK,MAAM,SAAS;AAAA,cAC7B;AACA,kBAAI,MAAM,SAAS,UAAU;AAC3B,sBAAM,cAAc;AACpB,8BAAc,YAAY,SAA+B;AACzD,qCAAqB,YAAY;AACjC,sBAAM,WAAW,YAAY;AAC7B,gCAAgB,UAAU,WAAqB;AAAA,cACjD;AACA,yBAAW,QAAQ,KAAK;AAAA,YAC1B;AAAA,YACA,MAAM,QAAQ;AACZ,oBAAM,YAAY,KAAK,IAAI,IAAI;AAC/B,oBAAM,WAAW,OAAO,KAAK,EAAE;AAE/B,oBAAM,OAAO,IAAI;AAAA,gBACf;AAAA,gBACA,WAAW;AAAA,gBACX,SAAS,iBAAiB,MAAM,WAAW;AAAA,gBAC3C,YAAY,eAAe,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM,YAAY;AAAA,gBAC9D,OAAO,gBACH,EAAE,OAAO,gBAAgB,OAAO,MAAM,EAAE,IACxC,EAAE,OAAO,IAAI,MAAM,OAAO;AAAA,gBAC9B,QAAQ,iBACJ,EAAE,OAAO,UAAU,cAAc,mBAAmB,IACpD,WACE,EAAE,OAAO,IAAI,MAAM,QAAQ,cAAc,mBAAmB,IAC5D;AAAA,gBACN;AAAA,gBACA,OAAO;AAAA,gBACP,YAAY,QAAQ,sBAAsB,QACtC,cAAc,MAAM,IACpB;AAAA,gBACJ,OAAO;AAAA,gBACP,eAAe;AAAA,gBACf,UAAU,SAAS;AAAA,cACrB,CAAC;AAAA,YACH;AAAA,UACF,CAAC;AAAA,QACH;AAEA,eAAO,EAAE,QAAQ,eAAe,GAAG,KAAK;AAAA,MAC1C,SAAS,OAAO;AACd,cAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,cAAM,OAAO,IAAI;AAAA,UACf;AAAA,UACA,WAAW;AAAA,UACX,SAAS,MAAM,WAAW;AAAA,UAC1B,YAAY,MAAM,YAAY;AAAA,UAC9B,OAAO,gBACH,EAAE,OAAO,gBAAgB,OAAO,MAAM,EAAE,IACxC,EAAE,OAAO,IAAI,MAAM,OAAO;AAAA,UAC9B,QAAQ;AAAA,UACR;AAAA,UACA,OAAO;AAAA,UACP,YAAY,QAAQ,sBAAsB,QACtC,cAAc,MAAM,IACpB;AAAA,UACJ,OAAO;AAAA,YACL,MAAO,MAAgB,QAAQ;AAAA,YAC/B,SAAU,MAAgB,WAAW,OAAO,KAAK;AAAA,UACnD;AAAA,UACA,eAAe;AAAA,UACf,UAAU,SAAS;AAAA,QACrB,CAAC;AAED,cAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,aAAO,6BAAkB,EAAE,OAAO,WAAW,CAAC;AAChD;AAIA,SAAS,gBAAgB,QAAyB;AAChD,MAAI,OAAO,WAAW,SAAU,QAAO;AACvC,MAAI;AACF,WAAO,KAAK,UAAU,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO,OAAO,MAAM;AAAA,EACtB;AACF;AAEA,SAAS,eAAe,QAAgD;AACtE,QAAM,WAAW,OAAO;AACxB,SAAQ,UAAU,WAAsB;AAC1C;AAEA,SAAS,YAAY,QAAyC;AAC5D,SAAQ,OAAO,QAAmB;AACpC;AAEA,SAAS,oBAAoB,QAAqD;AAChF,SAAO,OAAO;AAChB;AAEA,SAAS,aAAa,QAIb;AACP,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO;AAAA,IACL,cAAe,MAAM,gBAA2B;AAAA,IAChD,kBAAmB,MAAM,oBAA+B;AAAA,IACxD,aAAc,MAAM,eAA0B;AAAA,EAChD;AACF;AAEA,SAAS,iBAAiB,QAGvB;AACD,QAAM,YAAY,OAAO;AACzB,MAAI,CAAC,aAAa,CAAC,MAAM,QAAQ,SAAS,EAAG,QAAO,CAAC;AAErD,SAAO,UAAU,IAAI,CAAC,QAAQ;AAAA,IAC5B,UAAW,GAAG,YAAuB;AAAA,IACrC,MAAO,GAAG,QAAoC,CAAC;AAAA,EACjD,EAAE;AACJ;AAEA,SAAS,cAAc,QAA0D;AAC/E,QAAM,YAAqC,CAAC;AAC5C,MAAI,OAAO,gBAAgB,OAAW,WAAU,aAAa,IAAI,OAAO;AACxE,MAAI,OAAO,cAAc,OAAW,WAAU,WAAW,IAAI,OAAO;AACpE,MAAI,OAAO,SAAS,OAAW,WAAU,MAAM,IAAI,OAAO;AAC1D,MAAI,OAAO,SAAS,OAAW,WAAU,MAAM,IAAI,OAAO;AAC1D,MAAI,OAAO,qBAAqB,OAAW,WAAU,kBAAkB,IAAI,OAAO;AAClF,MAAI,OAAO,oBAAoB,OAAW,WAAU,iBAAiB,IAAI,OAAO;AAChF,MAAI,OAAO,SAAS,OAAW,WAAU,MAAM,IAAI,OAAO;AAC1D,SAAO,OAAO,KAAK,SAAS,EAAE,SAAS,IAAI,YAAY,CAAC;AAC1D;","names":[]}

package/dist/ai-sdk/middleware/index.d.cts

@@ -0,0 +1,323 @@
+import { LanguageModelV1 } from 'ai';
+
+/**
+ * Storage backend interface.
+ *
+ * Abstraction layer for log persistence. v0.1 ships with S3-compatible
+ * storage only; future versions will add Azure Blob, GCS, and local
+ * filesystem backends.
+ */
+interface StorageBackend {
+    write(key: string, data: Buffer): Promise<void>;
+    read(key: string): Promise<Buffer>;
+    list(prefix: string): Promise<string[]>;
+    exists(key: string): Promise<boolean>;
+    getObjectMetadata(key: string): Promise<ObjectMetadata>;
+}
+interface ObjectMetadata {
+    lastModified: Date;
+    size: number;
+}
+interface S3StorageConfig {
+    type: 's3';
+    bucket: string;
+    region: string;
+    prefix?: string;
+    endpoint?: string;
+    forcePathStyle?: boolean;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+    };
+}
+type StorageConfig = S3StorageConfig;
+
+/**
+ * Schema definitions and runtime validation for audit log entries.
+ *
+ * Every field is annotated with the Article paragraph it satisfies.
+ * The schema IS the Article 12 mapping.
+ */
+declare const EVENT_TYPES: readonly ["inference", "tool_call", "tool_result", "human_intervention", "system_event", "session_start", "session_end"];
+type EventType = (typeof EVENT_TYPES)[number];
+declare const CAPTURE_METHODS: readonly ["middleware", "manual", "context"];
+type CaptureMethod = (typeof CAPTURE_METHODS)[number];
+interface InputData {
+    type: 'raw' | 'hash';
+    value: string;
+    tokenCount?: number;
+}
+interface OutputData {
+    type: 'raw' | 'hash';
+    value: string;
+    tokenCount?: number;
+    finishReason?: string;
+}
+interface TokenUsage {
+    promptTokens: number;
+    completionTokens: number;
+    totalTokens: number;
+}
+interface ErrorData {
+    code: string;
+    message: string;
+    stack?: string;
+}
+declare const HUMAN_INTERVENTION_TYPES: readonly ["approval", "rejection", "modification", "override", "escalation"];
+type HumanInterventionType = (typeof HUMAN_INTERVENTION_TYPES)[number];
+interface HumanIntervention {
+    /** @article 12(2)(c), 14(5), 12(3)(d) */
+    type: HumanInterventionType;
+    userId: string;
+    reason?: string;
+    originalOutput?: {
+        type: 'raw' | 'hash';
+        value: string;
+    };
+    timestamp: string;
+}
+interface ToolCallData {
+    toolName: string;
+    toolArgs: Record<string, unknown> | string;
+    toolResult?: string;
+}
+interface MatchResult {
+    matched: boolean;
+    matchConfidence?: number;
+    matchedRecordId?: string;
+}
+interface AuditLogEntry {
+    schemaVersion: 'v1';
+    /** @article 12(1) — unique event identification */
+    entryId: string;
+    /** @article 12(2)(a) — risk identification requires correlating related events */
+    decisionId: string;
+    /** @article 12(1) — system identification */
+    systemId: string;
+    /** @article 12(1), 12(3)(a) — automatic recording, period of each use */
+    timestamp: string;
+    /** @article 12(2)(a) — identifying situations that may present a risk */
+    eventType: EventType;
+    /** @article 12(2)(a), 72 — model version tracking */
+    modelId: string | null;
+    providerId: string | null;
+    /** @article 12(2)(a), 12(2)(c), 12(3)(c) — input context and deployer monitoring */
+    input: InputData;
+    /** @article 12(2)(a), 12(2)(b) — risk identification and post-market monitoring */
+    output: OutputData | null;
+    /** @article 12(2)(b), 72 — performance degradation detection */
+    latencyMs: number | null;
+    /** @article 72 — post-market monitoring (usage tracking) */
+    usage: TokenUsage | null;
+    /** @article 12(2)(a) — identifying situations that may present a risk */
+    error: ErrorData | null;
+    /** @article 12(2)(a) — risk identification requires knowing configuration */
+    parameters: Record<string, unknown> | null;
+    captureMethod: CaptureMethod;
+    /** @article 12(1) — event ordering */
+    seq: number;
+    prevHash: string;
+    hash: string;
+}
+interface AuditLogEntryExtended extends AuditLogEntry {
+    /** @article 12(2)(c), 14(5), 12(3)(d) */
+    humanIntervention?: HumanIntervention;
+    /** @article 12(2)(a) — tracing complex decision chains */
+    stepIndex?: number;
+    parentEntryId?: string;
+    /** @article 12(2)(a) — tool calls as risk vectors */
+    toolCall?: ToolCallData;
+    /** @article 12(3)(b) — reference database for biometric systems */
+    referenceDatabase?: string;
+    /** @article 12(3)(c) — match results for biometric systems */
+    matchResult?: MatchResult;
+    metadata?: Record<string, string | number | boolean>;
+}
+interface LogEntryInput {
+    decisionId?: string;
+    eventType: EventType;
+    modelId: string | null;
+    providerId: string | null;
+    input: {
+        value: string;
+        type?: 'raw' | 'hash';
+        tokenCount?: number;
+    };
+    output: {
+        value: string;
+        type?: 'raw' | 'hash';
+        tokenCount?: number;
+        finishReason?: string;
+    } | null;
+    latencyMs: number | null;
+    usage: TokenUsage | null;
+    parameters: Record<string, unknown> | null;
+    error: ErrorData | null;
+    captureMethod?: CaptureMethod;
+    humanIntervention?: HumanIntervention;
+    stepIndex?: number;
+    parentEntryId?: string;
+    toolCall?: ToolCallData;
+    referenceDatabase?: string;
+    matchResult?: MatchResult;
+    metadata?: Record<string, string | number | boolean>;
+}
+
+/**
+ * AuditLogger — core class for structured, tamper-evident audit logging.
+ *
+ * Satisfies Article 12(1): automatic recording of events over the
+ * lifetime of the system. Entries are batched in memory and flushed
+ * to S3-compatible storage with SHA-256 hash chains.
+ */
+
+interface RetentionOptions {
+    minimumDays?: number;
+    acknowledgeSubMinimum?: boolean;
+    autoConfigureLifecycle?: boolean;
+}
+interface PIIOptions {
+    hashInputs?: boolean;
+    hashOutputs?: boolean;
+    redactPatterns?: RegExp[];
+}
+interface BatchingOptions {
+    maxSize?: number;
+    maxDelayMs?: number;
+}
+interface ObjectLockOptions {
+    enabled?: boolean;
+    mode?: 'GOVERNANCE' | 'COMPLIANCE';
+}
+interface HealthCheckOptions {
+    enabled?: boolean;
+    intervalMs?: number;
+    onDrift?: 'warn' | 'throw' | ((drift: ComplianceDrift) => void);
+}
+interface ComplianceDrift {
+    check: string;
+    status: 'fail' | 'warn';
+    message: string;
+}
+type ErrorHandler = 'log-and-continue' | 'throw' | ((error: Error) => void);
+interface AuditLoggerConfig {
+    systemId: string;
+    storage: StorageConfig;
+    retention?: RetentionOptions;
+    pii?: PIIOptions;
+    batching?: BatchingOptions;
+    onError?: ErrorHandler;
+    objectLock?: ObjectLockOptions;
+    healthCheck?: HealthCheckOptions;
+}
+declare class AuditLogger {
+    private readonly config;
+    private readonly systemId;
+    private readonly storage;
+    private readonly storageConfig;
+    private readonly retention;
+    private readonly pii;
+    private readonly batching;
+    private readonly onError;
+    private readonly objectLock;
+    private buffer;
+    private seq;
+    private prevHash;
+    private currentFileIndex;
+    private currentFileSize;
+    private flushTimer;
+    private closed;
+    private initialised;
+    private healthCheckTimer;
+    private shutdownHandler;
+    constructor(config: AuditLoggerConfig);
+    /**
+     * Initialise the logger. Loads chain head from storage,
+     * recovers chain state, and writes initial metadata.
+     *
+     * Must be called before the first log() call. If not called
+     * explicitly, log() will call it lazily.
+     */
+    init(): Promise<void>;
+    /**
+     * Log a single event.
+     *
+     * If no decisionId is provided and no AsyncLocalStorage context is active,
+     * throws MissingDecisionIdError.
+     */
+    log(input: LogEntryInput): Promise<AuditLogEntryExtended>;
+    /**
+     * Force flush all buffered entries to storage.
+     */
+    flush(): Promise<void>;
+    /**
+     * Flush remaining entries and release all resources.
+     */
+    close(): Promise<void>;
+    /**
+     * Run a health check against the storage backend.
+     */
+    healthCheck(): Promise<HealthCheckResult>;
+    getSystemId(): string;
+    getStorageBackend(): StorageBackend;
+    getStorageConfig(): StorageConfig;
+    getCurrentSeq(): number;
+    getPrevHash(): string;
+    /** Exposed for testing with custom storage backends */
+    static createWithStorage(config: Omit<AuditLoggerConfig, 'storage'> & {
+        storage: StorageConfig;
+    }, storage: StorageBackend): AuditLogger;
+    private processInputData;
+    private processOutputData;
+    private redact;
+    private currentDatePath;
+    private currentFilePath;
+    private writeEntries;
+    private persistChainHead;
+    private loadChainHead;
+    private writeMetadata;
+    private scheduleFlush;
+    private clearFlushTimer;
+    private handleError;
+    private setupShutdownHooks;
+    private removeShutdownHooks;
+    private checkWriteAccess;
+    private checkReadAccess;
+    private checkChainHeadConsistency;
+    private checkSchemaVersion;
+}
+interface HealthCheckResult {
+    timestamp: string;
+    checks: HealthCheck[];
+    healthy: boolean;
+}
+interface HealthCheck {
+    name: string;
+    status: 'pass' | 'fail' | 'warn';
+    message: string;
+}
+
+/**
+ * AI SDK middleware — automatic capture for Vercel AI SDK models.
+ *
+ * Wraps a LanguageModelV1 and automatically logs every inference call.
+ * This is the primary mechanism for satisfying Article 12(1)'s
+ * "automatic recording" requirement for inference events.
+ *
+ * Usage:
+ *   const model = auditMiddleware(anthropic('claude-sonnet-4-5-20250929'), { logger })
+ *   const result = await generateText({ model, prompt })
+ *   // ^ Inference is automatically logged
+ */
+
+interface AuditMiddlewareOptions {
+    logger: AuditLogger;
+    captureInputs?: boolean;
+    captureOutputs?: boolean;
+    captureToolCalls?: boolean;
+    captureParameters?: boolean;
+}
+declare function auditMiddleware(model: LanguageModelV1, options: AuditMiddlewareOptions): LanguageModelV1;
+
+export { type AuditMiddlewareOptions, auditMiddleware };

package/dist/ai-sdk/middleware/index.d.ts

@@ -0,0 +1,323 @@
+import { LanguageModelV1 } from 'ai';
+
+/**
+ * Storage backend interface.
+ *
+ * Abstraction layer for log persistence. v0.1 ships with S3-compatible
+ * storage only; future versions will add Azure Blob, GCS, and local
+ * filesystem backends.
+ */
+interface StorageBackend {
+    write(key: string, data: Buffer): Promise<void>;
+    read(key: string): Promise<Buffer>;
+    list(prefix: string): Promise<string[]>;
+    exists(key: string): Promise<boolean>;
+    getObjectMetadata(key: string): Promise<ObjectMetadata>;
+}
+interface ObjectMetadata {
+    lastModified: Date;
+    size: number;
+}
+interface S3StorageConfig {
+    type: 's3';
+    bucket: string;
+    region: string;
+    prefix?: string;
+    endpoint?: string;
+    forcePathStyle?: boolean;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+    };
+}
+type StorageConfig = S3StorageConfig;
+
+/**
+ * Schema definitions and runtime validation for audit log entries.
+ *
+ * Every field is annotated with the Article paragraph it satisfies.
+ * The schema IS the Article 12 mapping.
+ */
+declare const EVENT_TYPES: readonly ["inference", "tool_call", "tool_result", "human_intervention", "system_event", "session_start", "session_end"];
+type EventType = (typeof EVENT_TYPES)[number];
+declare const CAPTURE_METHODS: readonly ["middleware", "manual", "context"];
+type CaptureMethod = (typeof CAPTURE_METHODS)[number];
+interface InputData {
+    type: 'raw' | 'hash';
+    value: string;
+    tokenCount?: number;
+}
+interface OutputData {
+    type: 'raw' | 'hash';
+    value: string;
+    tokenCount?: number;
+    finishReason?: string;
+}
+interface TokenUsage {
+    promptTokens: number;
+    completionTokens: number;
+    totalTokens: number;
+}
+interface ErrorData {
+    code: string;
+    message: string;
+    stack?: string;
+}
+declare const HUMAN_INTERVENTION_TYPES: readonly ["approval", "rejection", "modification", "override", "escalation"];
+type HumanInterventionType = (typeof HUMAN_INTERVENTION_TYPES)[number];
+interface HumanIntervention {
+    /** @article 12(2)(c), 14(5), 12(3)(d) */
+    type: HumanInterventionType;
+    userId: string;
+    reason?: string;
+    originalOutput?: {
+        type: 'raw' | 'hash';
+        value: string;
+    };
+    timestamp: string;
+}
+interface ToolCallData {
+    toolName: string;
+    toolArgs: Record<string, unknown> | string;
+    toolResult?: string;
+}
+interface MatchResult {
+    matched: boolean;
+    matchConfidence?: number;
+    matchedRecordId?: string;
+}
+interface AuditLogEntry {
+    schemaVersion: 'v1';
+    /** @article 12(1) — unique event identification */
+    entryId: string;
+    /** @article 12(2)(a) — risk identification requires correlating related events */
+    decisionId: string;
+    /** @article 12(1) — system identification */
+    systemId: string;
+    /** @article 12(1), 12(3)(a) — automatic recording, period of each use */
+    timestamp: string;
+    /** @article 12(2)(a) — identifying situations that may present a risk */
+    eventType: EventType;
+    /** @article 12(2)(a), 72 — model version tracking */
+    modelId: string | null;
+    providerId: string | null;
+    /** @article 12(2)(a), 12(2)(c), 12(3)(c) — input context and deployer monitoring */
+    input: InputData;
+    /** @article 12(2)(a), 12(2)(b) — risk identification and post-market monitoring */
+    output: OutputData | null;
+    /** @article 12(2)(b), 72 — performance degradation detection */
+    latencyMs: number | null;
+    /** @article 72 — post-market monitoring (usage tracking) */
+    usage: TokenUsage | null;
+    /** @article 12(2)(a) — identifying situations that may present a risk */
+    error: ErrorData | null;
+    /** @article 12(2)(a) — risk identification requires knowing configuration */
+    parameters: Record<string, unknown> | null;
+    captureMethod: CaptureMethod;
+    /** @article 12(1) — event ordering */
+    seq: number;
+    prevHash: string;
+    hash: string;
+}
+interface AuditLogEntryExtended extends AuditLogEntry {
+    /** @article 12(2)(c), 14(5), 12(3)(d) */
+    humanIntervention?: HumanIntervention;
+    /** @article 12(2)(a) — tracing complex decision chains */
+    stepIndex?: number;
+    parentEntryId?: string;
+    /** @article 12(2)(a) — tool calls as risk vectors */
+    toolCall?: ToolCallData;
+    /** @article 12(3)(b) — reference database for biometric systems */
+    referenceDatabase?: string;
+    /** @article 12(3)(c) — match results for biometric systems */
+    matchResult?: MatchResult;
+    metadata?: Record<string, string | number | boolean>;
+}
+interface LogEntryInput {
+    decisionId?: string;
+    eventType: EventType;
+    modelId: string | null;
+    providerId: string | null;
+    input: {
+        value: string;
+        type?: 'raw' | 'hash';
+        tokenCount?: number;
+    };
+    output: {
+        value: string;
+        type?: 'raw' | 'hash';
+        tokenCount?: number;
+        finishReason?: string;
+    } | null;
+    latencyMs: number | null;
+    usage: TokenUsage | null;
+    parameters: Record<string, unknown> | null;
+    error: ErrorData | null;
+    captureMethod?: CaptureMethod;
+    humanIntervention?: HumanIntervention;
+    stepIndex?: number;
+    parentEntryId?: string;
+    toolCall?: ToolCallData;
+    referenceDatabase?: string;
+    matchResult?: MatchResult;
+    metadata?: Record<string, string | number | boolean>;
+}
+
+/**
+ * AuditLogger — core class for structured, tamper-evident audit logging.
+ *
+ * Satisfies Article 12(1): automatic recording of events over the
+ * lifetime of the system. Entries are batched in memory and flushed
+ * to S3-compatible storage with SHA-256 hash chains.
+ */
+
+interface RetentionOptions {
+    minimumDays?: number;
+    acknowledgeSubMinimum?: boolean;
+    autoConfigureLifecycle?: boolean;
+}
+interface PIIOptions {
+    hashInputs?: boolean;
+    hashOutputs?: boolean;
+    redactPatterns?: RegExp[];
+}
+interface BatchingOptions {
+    maxSize?: number;
+    maxDelayMs?: number;
+}
+interface ObjectLockOptions {
+    enabled?: boolean;
+    mode?: 'GOVERNANCE' | 'COMPLIANCE';
+}
+interface HealthCheckOptions {
+    enabled?: boolean;
+    intervalMs?: number;
+    onDrift?: 'warn' | 'throw' | ((drift: ComplianceDrift) => void);
+}
+interface ComplianceDrift {
+    check: string;
+    status: 'fail' | 'warn';
+    message: string;
+}
+type ErrorHandler = 'log-and-continue' | 'throw' | ((error: Error) => void);
+interface AuditLoggerConfig {
+    systemId: string;
+    storage: StorageConfig;
+    retention?: RetentionOptions;
+    pii?: PIIOptions;
+    batching?: BatchingOptions;
+    onError?: ErrorHandler;
+    objectLock?: ObjectLockOptions;
+    healthCheck?: HealthCheckOptions;
+}
+declare class AuditLogger {
+    private readonly config;
+    private readonly systemId;
+    private readonly storage;
+    private readonly storageConfig;
+    private readonly retention;
+    private readonly pii;
+    private readonly batching;
+    private readonly onError;
+    private readonly objectLock;
+    private buffer;
+    private seq;
+    private prevHash;
+    private currentFileIndex;
+    private currentFileSize;
+    private flushTimer;
+    private closed;
+    private initialised;
+    private healthCheckTimer;
+    private shutdownHandler;
+    constructor(config: AuditLoggerConfig);
+    /**
+     * Initialise the logger. Loads chain head from storage,
+     * recovers chain state, and writes initial metadata.
+     *
+     * Must be called before the first log() call. If not called
+     * explicitly, log() will call it lazily.
+     */
+    init(): Promise<void>;
+    /**
+     * Log a single event.
+     *
+     * If no decisionId is provided and no AsyncLocalStorage context is active,
+     * throws MissingDecisionIdError.
+     */
+    log(input: LogEntryInput): Promise<AuditLogEntryExtended>;
+    /**
+     * Force flush all buffered entries to storage.
+     */
+    flush(): Promise<void>;
+    /**
+     * Flush remaining entries and release all resources.
+     */
+    close(): Promise<void>;
+    /**
+     * Run a health check against the storage backend.
+     */
+    healthCheck(): Promise<HealthCheckResult>;
+    getSystemId(): string;
+    getStorageBackend(): StorageBackend;
+    getStorageConfig(): StorageConfig;
+    getCurrentSeq(): number;
+    getPrevHash(): string;
+    /** Exposed for testing with custom storage backends */
+    static createWithStorage(config: Omit<AuditLoggerConfig, 'storage'> & {
+        storage: StorageConfig;
+    }, storage: StorageBackend): AuditLogger;
+    private processInputData;
+    private processOutputData;
+    private redact;
+    private currentDatePath;
+    private currentFilePath;
+    private writeEntries;
+    private persistChainHead;
+    private loadChainHead;
+    private writeMetadata;
+    private scheduleFlush;
+    private clearFlushTimer;
+    private handleError;
+    private setupShutdownHooks;
+    private removeShutdownHooks;
+    private checkWriteAccess;
+    private checkReadAccess;
+    private checkChainHeadConsistency;
+    private checkSchemaVersion;
+}
+interface HealthCheckResult {
+    timestamp: string;
+    checks: HealthCheck[];
+    healthy: boolean;
+}
+interface HealthCheck {
+    name: string;
+    status: 'pass' | 'fail' | 'warn';
+    message: string;
+}
+
+/**
+ * AI SDK middleware — automatic capture for Vercel AI SDK models.
+ *
+ * Wraps a LanguageModelV1 and automatically logs every inference call.
+ * This is the primary mechanism for satisfying Article 12(1)'s
+ * "automatic recording" requirement for inference events.
+ *
+ * Usage:
+ *   const model = auditMiddleware(anthropic('claude-sonnet-4-5-20250929'), { logger })
+ *   const result = await generateText({ model, prompt })
+ *   // ^ Inference is automatically logged
+ */
+
+interface AuditMiddlewareOptions {
+    logger: AuditLogger;
+    captureInputs?: boolean;
+    captureOutputs?: boolean;
+    captureToolCalls?: boolean;
+    captureParameters?: boolean;
+}
+declare function auditMiddleware(model: LanguageModelV1, options: AuditMiddlewareOptions): LanguageModelV1;
+
+export { type AuditMiddlewareOptions, auditMiddleware };