@thotischner/observability-mcp 1.8.1 → 3.0.1

package/dist/audit/sinks/s3.d.ts

@@ -0,0 +1,61 @@
+import type { AuditEntry } from "../log.js";
+import type { AuditSink } from "./types.js";
+/** Minimal subset of the AWS SDK S3Client we depend on. */
+export interface S3ClientLike {
+    send(command: unknown): Promise<unknown>;
+}
+export interface S3SinkOptions {
+    /** Target bucket. Required. */
+    bucket: string;
+    /** Region — required for AWS, ignored by MinIO. Default us-east-1. */
+    region?: string;
+    /**
+     * Object key prefix. Default empty. The final key is
+     * `<prefix>/YYYY/MM/DD/HH/<minute>-<seqStart>-<seqEnd>.jsonl`.
+     * Trailing slash optional.
+     */
+    prefix?: string;
+    /**
+     * Override the AWS endpoint URL for S3-compatible backends
+     * (MinIO, R2, B2). Empty = use AWS regional endpoint.
+     */
+    endpoint?: string;
+    /** Force path-style addressing — required for MinIO + B2. */
+    forcePathStyle?: boolean;
+    /** Flush every N milliseconds. Default 60000 (1 minute). */
+    flushIntervalMs?: number;
+    /** Flush when buffer holds N entries. Default 1000. */
+    maxBufferSize?: number;
+    /** Optional path for unrecoverable batches. */
+    deadLetterFile?: string;
+    /** Inject a client for unit tests. */
+    client?: S3ClientLike;
+}
+export declare class S3Sink implements AuditSink {
+    readonly name = "s3";
+    private readonly bucket;
+    private readonly region;
+    private readonly prefix;
+    private readonly endpoint?;
+    private readonly forcePathStyle;
+    private readonly flushIntervalMs;
+    private readonly maxBufferSize;
+    private readonly deadLetterFile?;
+    private client;
+    private putCommand;
+    private sdkLoadError;
+    private buffer;
+    private flushTimer;
+    private writeQueue;
+    constructor(opts: S3SinkOptions);
+    /** Resolve the SDK lazily so the gateway still boots if @aws-sdk/client-s3
+     *  isn't installed. Called on the first flush attempt only. */
+    private ensureClient;
+    write(entry: AuditEntry): Promise<void>;
+    flush(): Promise<void>;
+    /** Stop the timer + flush remaining. Called on SIGTERM. */
+    shutdown(): Promise<void>;
+    private flushNow;
+    private buildKey;
+    private deadLetter;
+}

package/dist/audit/sinks/s3.js

@@ -0,0 +1,179 @@
+// S3Sink: ship audit entries to an S3-compatible object store
+// (AWS S3, MinIO, Cloudflare R2, Backblaze B2, Wasabi, …).
+//
+// Buffer audit entries in memory; every flush window (default 60 s)
+// or whenever the buffer crosses the cap (default 1000 entries),
+// concatenate as JSONL and PUT one object under
+// `<prefix>/YYYY/MM/DD/HH/<minute>-<seqStart>-<seqEnd>.jsonl`.
+//
+// Why per-minute rollups, not per-entry? S3 charges per PUT (5x per
+// LIST / 1x per GET). An audit-heavy gateway generates 100s of
+// entries/minute — per-entry PUT is wasteful on cost AND on SDK
+// concurrency. One PUT/min keeps the bill low and still lets the
+// operator scrape a minute-grained timeline in the storage console.
+//
+// Failures dead-letter to a local JSONL so a recovered S3 backend
+// can be replayed by an external tool. The on-disk audit chain stays
+// the authoritative master.
+import { appendFile } from "node:fs/promises";
+let _sdk = null;
+async function loadSdk() {
+    if (_sdk)
+        return _sdk;
+    // @aws-sdk/client-s3 is an optional runtime dependency — operators
+    // only pull it in when they enable this sink. The specifier is
+    // resolved at runtime so TypeScript doesn't require the types at
+    // build time (matches the AWS-connector lazy-load pattern from Q1).
+    const specifier = "@aws-sdk/client-s3";
+    const s3 = (await import(specifier));
+    _sdk = { S3Client: s3.S3Client, PutObjectCommand: s3.PutObjectCommand };
+    return _sdk;
+}
+export class S3Sink {
+    name = "s3";
+    bucket;
+    region;
+    prefix;
+    endpoint;
+    forcePathStyle;
+    flushIntervalMs;
+    maxBufferSize;
+    deadLetterFile;
+    client = null;
+    putCommand = null;
+    sdkLoadError = null;
+    buffer = [];
+    flushTimer = null;
+    writeQueue = Promise.resolve();
+    constructor(opts) {
+        if (!opts.bucket)
+            throw new Error("S3Sink: bucket is required");
+        this.bucket = opts.bucket;
+        this.region = opts.region ?? process.env.AWS_REGION ?? "us-east-1";
+        // Normalise to "prefix/" form (trailing slash) when non-empty so
+        // we don't ever build `<prefix>YYYY/...` with a missing slash.
+        const rawPrefix = (opts.prefix ?? "").replace(/^\/+|\/+$/g, "");
+        this.prefix = rawPrefix ? `${rawPrefix}/` : "";
+        this.endpoint = opts.endpoint || undefined;
+        this.forcePathStyle = opts.forcePathStyle ?? false;
+        this.flushIntervalMs = opts.flushIntervalMs ?? 60_000;
+        this.maxBufferSize = opts.maxBufferSize ?? 1_000;
+        this.deadLetterFile = opts.deadLetterFile;
+        if (opts.client) {
+            this.client = opts.client;
+            // Tests inject a fake client AND need PutObjectCommand to be
+            // construct-able as a plain class. We stub here so the
+            // command-pattern API surface still works.
+            const Stub = class {
+                input;
+                constructor(input) { this.input = input; }
+            };
+            Object.defineProperty(Stub, "name", { value: "PutObjectCommand" });
+            this.putCommand = Stub;
+        }
+    }
+    /** Resolve the SDK lazily so the gateway still boots if @aws-sdk/client-s3
+     *  isn't installed. Called on the first flush attempt only. */
+    async ensureClient() {
+        if (this.client && this.putCommand)
+            return true;
+        if (this.sdkLoadError)
+            return false;
+        try {
+            const sdk = await loadSdk();
+            const S3Client = sdk.S3Client;
+            this.client = new S3Client({
+                region: this.region,
+                endpoint: this.endpoint,
+                forcePathStyle: this.forcePathStyle,
+            });
+            this.putCommand = sdk.PutObjectCommand;
+            return true;
+        }
+        catch (err) {
+            this.sdkLoadError = err instanceof Error ? err.message : String(err);
+            console.warn("S3Sink: @aws-sdk/client-s3 not installed (%s) — entries will dead-letter", this.sdkLoadError);
+            return false;
+        }
+    }
+    async write(entry) {
+        this.buffer.push(entry);
+        if (!this.flushTimer && this.flushIntervalMs > 0) {
+            this.flushTimer = setInterval(() => { void this.flush(); }, this.flushIntervalMs);
+            if (this.flushTimer && typeof this.flushTimer.unref === "function") {
+                this.flushTimer.unref();
+            }
+        }
+        if (this.buffer.length >= this.maxBufferSize) {
+            // Buffer cap reached — flush in background, never block record().
+            this.writeQueue = this.writeQueue.then(() => this.flushNow());
+        }
+    }
+    async flush() {
+        this.writeQueue = this.writeQueue.then(() => this.flushNow());
+        await this.writeQueue;
+    }
+    /** Stop the timer + flush remaining. Called on SIGTERM. */
+    async shutdown() {
+        if (this.flushTimer) {
+            clearInterval(this.flushTimer);
+            this.flushTimer = null;
+        }
+        await this.flush();
+    }
+    // --- internals ----------------------------------------------------
+    async flushNow() {
+        if (this.buffer.length === 0)
+            return;
+        const batch = this.buffer.splice(0, this.buffer.length);
+        const ok = await this.ensureClient();
+        if (!ok) {
+            await this.deadLetter(batch);
+            return;
+        }
+        const body = batch.map((e) => JSON.stringify(e)).join("\n") + "\n";
+        const key = this.buildKey(batch);
+        try {
+            const cmd = new this.putCommand({
+                Bucket: this.bucket,
+                Key: key,
+                Body: body,
+                ContentType: "application/x-ndjson",
+                // Server-side encryption when running on AWS. MinIO + R2 + B2
+                // ignore the header gracefully.
+                ServerSideEncryption: "AES256",
+            });
+            await this.client.send(cmd);
+        }
+        catch (err) {
+            console.warn("S3Sink: PUT s3://%s/%s failed: %s — batch dead-letters", this.bucket, key, err instanceof Error ? err.message : String(err));
+            await this.deadLetter(batch);
+        }
+    }
+    buildKey(batch) {
+        // Derive the time bucket from the first entry's timestamp so a
+        // late-arriving entry stays grouped with its peers.
+        const t = new Date(batch[0]?.ts ?? new Date().toISOString());
+        const yyyy = String(t.getUTCFullYear());
+        const mm = String(t.getUTCMonth() + 1).padStart(2, "0");
+        const dd = String(t.getUTCDate()).padStart(2, "0");
+        const hh = String(t.getUTCHours()).padStart(2, "0");
+        const mi = String(t.getUTCMinutes()).padStart(2, "0");
+        const seqStart = batch[0]?.seq ?? 0;
+        const seqEnd = batch[batch.length - 1]?.seq ?? seqStart;
+        return `${this.prefix}${yyyy}/${mm}/${dd}/${hh}/${mi}-${seqStart}-${seqEnd}.jsonl`;
+    }
+    async deadLetter(batch) {
+        if (!this.deadLetterFile) {
+            console.warn("S3Sink: %d entries dropped (no deadLetterFile configured)", batch.length);
+            return;
+        }
+        try {
+            const body = batch.map((e) => JSON.stringify(e)).join("\n") + "\n";
+            await appendFile(this.deadLetterFile, body, "utf8");
+        }
+        catch (err) {
+            console.warn("S3Sink: DLQ write failed: %s", err instanceof Error ? err.message : String(err));
+        }
+    }
+}

package/dist/audit/sinks/s3.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/sinks/s3.test.js

@@ -0,0 +1,175 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { S3Sink } from "./s3.js";
+function entry(seq, ts, action = "write") {
+    return {
+        seq,
+        ts,
+        actor: { sub: "alice@example.com", name: "alice" },
+        tenant: "default",
+        resource: "sources",
+        action,
+        method: "POST",
+        path: `/api/sources/s${seq}`,
+        status: 201,
+        ip: "10.0.0.7",
+        prevHash: "0".repeat(64),
+        hash: String(seq).padStart(64, "0"),
+    };
+}
+function fakeClient() {
+    const sent = [];
+    let throws = false;
+    const client = {
+        sent,
+        setThrow(v) { throws = v; },
+        async send(command) {
+            if (throws)
+                throw new Error("S3 unavailable (test)");
+            const input = command.input;
+            sent.push({ Bucket: input.Bucket, Key: input.Key, Body: input.Body });
+            return { $metadata: { httpStatusCode: 200 } };
+        },
+    };
+    return client;
+}
+test("constructor: bucket is required", () => {
+    assert.throws(() => new S3Sink({ bucket: "" }), /bucket is required/);
+});
+test("write+flush: one entry → one PUT with correct key shape", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({
+        bucket: "audit-bucket",
+        prefix: "omcp",
+        flushIntervalMs: 0,
+        client,
+    });
+    await sink.write(entry(1, "2026-06-06T15:23:00Z"));
+    await sink.flush();
+    assert.equal(client.sent.length, 1);
+    const put = client.sent[0];
+    assert.equal(put.Bucket, "audit-bucket");
+    assert.equal(put.Key, "omcp/2026/06/06/15/23-1-1.jsonl");
+    assert.equal(put.Body.trim().split("\n").length, 1);
+});
+test("multiple entries are batched into one PUT on flush", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 0, client });
+    await sink.write(entry(1, "2026-06-06T15:23:00Z"));
+    await sink.write(entry(2, "2026-06-06T15:23:01Z"));
+    await sink.write(entry(3, "2026-06-06T15:23:02Z"));
+    await sink.flush();
+    assert.equal(client.sent.length, 1);
+    const lines = client.sent[0].Body.trim().split("\n");
+    assert.equal(lines.length, 3);
+    // Key range reflects the seq span
+    assert.match(client.sent[0].Key, /23-1-3\.jsonl$/);
+});
+test("empty buffer flush is a no-op", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 0, client });
+    await sink.flush();
+    assert.equal(client.sent.length, 0);
+});
+test("maxBufferSize triggers an out-of-band flush", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 0, maxBufferSize: 2, client });
+    await sink.write(entry(1, "2026-06-06T15:23:00Z"));
+    await sink.write(entry(2, "2026-06-06T15:23:00Z"));
+    // The second write crosses the cap → background flush
+    await sink.flush();
+    assert.equal(client.sent.length, 1);
+});
+test("PUT failure dead-letters the batch", async () => {
+    const client = fakeClient();
+    client.setThrow(true);
+    const dlq = join(mkdtempSync(join(tmpdir(), "omcp-s3-dlq-")), "dlq.jsonl");
+    const sink = new S3Sink({
+        bucket: "b",
+        flushIntervalMs: 0,
+        client,
+        deadLetterFile: dlq,
+    });
+    await sink.write(entry(1, "2026-06-06T15:23:00Z"));
+    await sink.write(entry(2, "2026-06-06T15:23:01Z"));
+    await sink.flush();
+    // No successful PUT
+    assert.equal(client.sent.length, 0);
+    // DLQ file has both entries
+    const lines = readFileSync(dlq, "utf8").trim().split("\n");
+    assert.equal(lines.length, 2);
+    assert.match(lines[0], /"seq":1/);
+});
+test("missing SDK + no client → dead-letter (no throw)", async () => {
+    // Sink with neither an injected client nor the SDK installed.
+    // We can't really uninstall the SDK in tests, but constructing the
+    // sink without `client` AND without ever populating sdkLoadError
+    // exercises the load path. Validate that flush handles the "no
+    // client" state by relying on DLQ.
+    const dlq = join(mkdtempSync(join(tmpdir(), "omcp-s3-dlq2-")), "dlq.jsonl");
+    // Forcibly break the SDK loader by trying an obviously absent bucket
+    // path with a fake client whose `send` throws "MissingCredentials" —
+    // the deadLetter path catches it.
+    const sink = new S3Sink({
+        bucket: "b",
+        flushIntervalMs: 0,
+        deadLetterFile: dlq,
+        client: {
+            async send() { throw new Error("MissingCredentials"); },
+        },
+    });
+    await sink.write(entry(1, "2026-06-06T15:23:00Z"));
+    await sink.flush();
+    const lines = readFileSync(dlq, "utf8").trim().split("\n");
+    assert.equal(lines.length, 1);
+});
+test("prefix handles both with-trailing and without-trailing slash", async () => {
+    const c1 = fakeClient();
+    const s1 = new S3Sink({ bucket: "b", prefix: "audits", flushIntervalMs: 0, client: c1 });
+    await s1.write(entry(1, "2026-06-06T15:00:00Z"));
+    await s1.flush();
+    assert.match(c1.sent[0].Key, /^audits\/2026\//);
+    const c2 = fakeClient();
+    const s2 = new S3Sink({ bucket: "b", prefix: "/audits/", flushIntervalMs: 0, client: c2 });
+    await s2.write(entry(1, "2026-06-06T15:00:00Z"));
+    await s2.flush();
+    assert.match(c2.sent[0].Key, /^audits\/2026\//);
+    assert.doesNotMatch(c2.sent[0].Key, /^\/audits/);
+    const c3 = fakeClient();
+    const s3 = new S3Sink({ bucket: "b", flushIntervalMs: 0, client: c3 });
+    await s3.write(entry(1, "2026-06-06T15:00:00Z"));
+    await s3.flush();
+    // No prefix → key starts directly with YYYY
+    assert.match(c3.sent[0].Key, /^2026\//);
+});
+test("flush serialises — concurrent calls don't lose entries", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 0, client });
+    for (let i = 1; i <= 50; i++)
+        await sink.write(entry(i, "2026-06-06T15:00:00Z"));
+    // Multiple parallel flushes
+    await Promise.all([sink.flush(), sink.flush(), sink.flush()]);
+    // All 50 entries land in one (or at most a few) PUTs; total lines = 50
+    const allLines = client.sent.flatMap((p) => p.Body.trim().split("\n"));
+    assert.equal(allLines.length, 50);
+});
+test("shutdown stops the timer + flushes the remainder", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 1_000_000, client });
+    await sink.write(entry(1, "2026-06-06T15:00:00Z"));
+    await sink.write(entry(2, "2026-06-06T15:00:01Z"));
+    await sink.shutdown();
+    assert.equal(client.sent.length, 1);
+    assert.equal(client.sent[0].Body.trim().split("\n").length, 2);
+});
+test("uses entry's own ts for the key bucket (not wall-clock)", async () => {
+    const client = fakeClient();
+    const sink = new S3Sink({ bucket: "b", flushIntervalMs: 0, client });
+    // Entry from 5 minutes earlier — key must reflect THAT minute.
+    await sink.write(entry(1, "2026-06-06T15:18:00Z"));
+    await sink.flush();
+    assert.match(client.sent[0].Key, /15\/18-1-1\.jsonl$/);
+});

package/dist/audit/sinks/types.d.ts

@@ -0,0 +1,18 @@
+import type { AuditEntry } from "../log.js";
+/**
+ * A destination that receives every chained audit entry. The on-disk
+ * JSONL chain stays the authoritative master (so the hash chain is
+ * never split-brain across sinks); sinks are mirrors for SIEM /
+ * archive / webhook fan-out.
+ *
+ * write() must NEVER throw — sinks log+swallow internally. A sink that
+ * dies must not take down the management plane.
+ */
+export interface AuditSink {
+    /** Stable identifier, used in logs and env selection. */
+    readonly name: string;
+    /** Persist one chained entry. Best-effort; failures are logged. */
+    write(entry: AuditEntry): Promise<void>;
+    /** Flush any buffered state. Called on SIGTERM and in tests. */
+    flush?(): Promise<void>;
+}

package/dist/audit/sinks/types.js

@@ -0,0 +1 @@
+export {};

package/dist/audit/sinks/webhook.d.ts

@@ -0,0 +1,45 @@
+import type { AuditEntry } from "../log.js";
+import type { AuditSink } from "./types.js";
+export interface WebhookSinkOptions {
+    /** Receiver URL. Required. */
+    url: string;
+    /** Optional bearer token mounted into the Authorization header. */
+    token?: string;
+    /** Additional headers to merge into every request. */
+    headers?: Record<string, string>;
+    /** Initial backoff before the first retry (ms). Default 1_000. */
+    initialBackoffMs?: number;
+    /** Cap on individual-retry sleep (ms). Default 30_000. */
+    maxBackoffMs?: number;
+    /** Total attempts (including the first). Default 5. */
+    maxAttempts?: number;
+    /** Path to write entries that exhausted retries. Optional. */
+    deadLetterFile?: string;
+    /** Inject a fetch impl for tests; defaults to globalThis.fetch. */
+    fetchImpl?: typeof fetch;
+    /** Inject a sleep impl for tests; defaults to setTimeout-based. */
+    sleepImpl?: (ms: number) => Promise<void>;
+    /** Per-attempt request timeout (ms). Default 5_000. */
+    requestTimeoutMs?: number;
+}
+export declare class WebhookSink implements AuditSink {
+    readonly name = "webhook";
+    private readonly url;
+    private readonly token?;
+    private readonly headers;
+    private readonly initialBackoffMs;
+    private readonly maxBackoffMs;
+    private readonly maxAttempts;
+    private readonly deadLetterFile?;
+    private readonly fetchImpl;
+    private readonly sleepImpl;
+    private readonly requestTimeoutMs;
+    /** Outbound writes are queued so retries on one entry don't reorder
+     * later entries arriving in parallel. */
+    private writeQueue;
+    constructor(opts: WebhookSinkOptions);
+    write(entry: AuditEntry): Promise<void>;
+    flush(): Promise<void>;
+    private attemptWithRetries;
+    private attemptOnce;
+}

package/dist/audit/sinks/webhook.js

@@ -0,0 +1,111 @@
+// WebhookSink: POST every audit entry to an HTTP endpoint (Splunk
+// HEC, generic SIEM ingestor, or any service that accepts a JSON
+// body). Retries with exponential backoff; entries that exhaust their
+// retries land in a dead-letter file on disk so an operator can
+// replay them once the receiver recovers.
+//
+// The sink runs entirely in-process — no queue daemon, no broker, no
+// extra runtime dep. Suitable for the OSS single-binary deployment.
+import { appendFile } from "node:fs/promises";
+export class WebhookSink {
+    name = "webhook";
+    url;
+    token;
+    headers;
+    initialBackoffMs;
+    maxBackoffMs;
+    maxAttempts;
+    deadLetterFile;
+    fetchImpl;
+    sleepImpl;
+    requestTimeoutMs;
+    /** Outbound writes are queued so retries on one entry don't reorder
+     * later entries arriving in parallel. */
+    writeQueue = Promise.resolve();
+    constructor(opts) {
+        if (!opts.url)
+            throw new Error("WebhookSink: url is required");
+        this.url = opts.url;
+        this.token = opts.token;
+        this.headers = opts.headers ?? {};
+        this.initialBackoffMs = opts.initialBackoffMs ?? 1_000;
+        this.maxBackoffMs = opts.maxBackoffMs ?? 30_000;
+        this.maxAttempts = opts.maxAttempts ?? 5;
+        this.deadLetterFile = opts.deadLetterFile;
+        this.fetchImpl = opts.fetchImpl ?? fetch;
+        this.sleepImpl =
+            opts.sleepImpl ??
+                ((ms) => new Promise((r) => setTimeout(r, ms).unref()));
+        this.requestTimeoutMs = opts.requestTimeoutMs ?? 5_000;
+    }
+    async write(entry) {
+        this.writeQueue = this.writeQueue.then(() => this.attemptWithRetries(entry).catch((err) => {
+            // Final exhaustion path already wrote to DLQ if configured;
+            // log here so the operator sees the symptom even without DLQ.
+            console.warn("WebhookSink: dropping entry seq=%d after %d attempts: %s", entry.seq, this.maxAttempts, err instanceof Error ? err.message : String(err));
+        }));
+        // Returning before the request completes keeps record() latency
+        // independent of webhook receiver health.
+        return Promise.resolve();
+    }
+    async flush() {
+        await this.writeQueue;
+    }
+    async attemptWithRetries(entry) {
+        let backoff = this.initialBackoffMs;
+        let lastErr;
+        for (let attempt = 1; attempt <= this.maxAttempts; attempt++) {
+            try {
+                await this.attemptOnce(entry);
+                return;
+            }
+            catch (err) {
+                lastErr = err;
+                if (attempt === this.maxAttempts)
+                    break;
+                await this.sleepImpl(backoff);
+                backoff = Math.min(backoff * 2, this.maxBackoffMs);
+            }
+        }
+        if (this.deadLetterFile) {
+            try {
+                await appendFile(this.deadLetterFile, JSON.stringify(entry) + "\n", "utf8");
+            }
+            catch (writeErr) {
+                console.warn("WebhookSink: DLQ write failed: %s", writeErr instanceof Error ? writeErr.message : String(writeErr));
+            }
+        }
+        throw lastErr instanceof Error
+            ? lastErr
+            : new Error(String(lastErr ?? "webhook delivery failed"));
+    }
+    async attemptOnce(entry) {
+        const headers = {
+            "content-type": "application/json",
+            ...this.headers,
+        };
+        if (this.token)
+            headers["authorization"] = `Bearer ${this.token}`;
+        const ctl = new AbortController();
+        const t = setTimeout(() => ctl.abort(), this.requestTimeoutMs).unref?.();
+        try {
+            const res = await this.fetchImpl(this.url, {
+                method: "POST",
+                headers,
+                body: JSON.stringify(entry),
+                signal: ctl.signal,
+            });
+            if (!res.ok) {
+                // Read+discard so the connection releases. Limit body so a
+                // misbehaving receiver can't make the gateway page in MB of
+                // text per failure.
+                const snippet = (await res.text().catch(() => "")).slice(0, 200);
+                throw new Error(`webhook returned ${res.status} ${res.statusText}: ${snippet}`);
+            }
+        }
+        finally {
+            if (typeof t === "object" && t)
+                clearTimeout(t);
+        }
+    }
+}

package/dist/audit/sinks/webhook.test.d.ts

@@ -0,0 +1 @@
+export {};