@tracehound/core 1.2.0
- package/README.md +125 -0
- package/dist/core/agent.d.ts +89 -0
- package/dist/core/agent.d.ts.map +1 -0
- package/dist/core/agent.js +141 -0
- package/dist/core/agent.js.map +1 -0
- package/dist/core/audit-chain.d.ts +39 -0
- package/dist/core/audit-chain.d.ts.map +1 -0
- package/dist/core/audit-chain.js +87 -0
- package/dist/core/audit-chain.js.map +1 -0
- package/dist/core/cold-storage.d.ts +87 -0
- package/dist/core/cold-storage.d.ts.map +1 -0
- package/dist/core/cold-storage.js +53 -0
- package/dist/core/cold-storage.js.map +1 -0
- package/dist/core/evidence-factory.d.ts +85 -0
- package/dist/core/evidence-factory.d.ts.map +1 -0
- package/dist/core/evidence-factory.js +96 -0
- package/dist/core/evidence-factory.js.map +1 -0
- package/dist/core/evidence.d.ts +48 -0
- package/dist/core/evidence.d.ts.map +1 -0
- package/dist/core/evidence.js +135 -0
- package/dist/core/evidence.js.map +1 -0
- package/dist/core/fail-safe.d.ts +149 -0
- package/dist/core/fail-safe.d.ts.map +1 -0
- package/dist/core/fail-safe.js +217 -0
- package/dist/core/fail-safe.js.map +1 -0
- package/dist/core/hound-ipc.d.ts +91 -0
- package/dist/core/hound-ipc.d.ts.map +1 -0
- package/dist/core/hound-ipc.js +196 -0
- package/dist/core/hound-ipc.js.map +1 -0
- package/dist/core/hound-pool.d.ts +157 -0
- package/dist/core/hound-pool.d.ts.map +1 -0
- package/dist/core/hound-pool.js +337 -0
- package/dist/core/hound-pool.js.map +1 -0
- package/dist/core/hound-process.d.ts +14 -0
- package/dist/core/hound-process.d.ts.map +1 -0
- package/dist/core/hound-process.js +112 -0
- package/dist/core/hound-process.js.map +1 -0
- package/dist/core/hound-worker.d.ts +14 -0
- package/dist/core/hound-worker.d.ts.map +1 -0
- package/dist/core/hound-worker.js +112 -0
- package/dist/core/hound-worker.js.map +1 -0
- package/dist/core/lane-queue.d.ts +121 -0
- package/dist/core/lane-queue.d.ts.map +1 -0
- package/dist/core/lane-queue.js +181 -0
- package/dist/core/lane-queue.js.map +1 -0
- package/dist/core/license-manager.d.ts +128 -0
- package/dist/core/license-manager.d.ts.map +1 -0
- package/dist/core/license-manager.js +219 -0
- package/dist/core/license-manager.js.map +1 -0
- package/dist/core/notification-emitter.d.ts +140 -0
- package/dist/core/notification-emitter.d.ts.map +1 -0
- package/dist/core/notification-emitter.js +197 -0
- package/dist/core/notification-emitter.js.map +1 -0
- package/dist/core/process-adapter.d.ts +146 -0
- package/dist/core/process-adapter.d.ts.map +1 -0
- package/dist/core/process-adapter.js +174 -0
- package/dist/core/process-adapter.js.map +1 -0
- package/dist/core/quarantine.d.ts +95 -0
- package/dist/core/quarantine.d.ts.map +1 -0
- package/dist/core/quarantine.js +221 -0
- package/dist/core/quarantine.js.map +1 -0
- package/dist/core/rate-limiter.d.ts +94 -0
- package/dist/core/rate-limiter.d.ts.map +1 -0
- package/dist/core/rate-limiter.js +156 -0
- package/dist/core/rate-limiter.js.map +1 -0
- package/dist/core/s3-cold-storage.d.ts +116 -0
- package/dist/core/s3-cold-storage.d.ts.map +1 -0
- package/dist/core/s3-cold-storage.js +198 -0
- package/dist/core/s3-cold-storage.js.map +1 -0
- package/dist/core/scheduler.d.ts +126 -0
- package/dist/core/scheduler.d.ts.map +1 -0
- package/dist/core/scheduler.js +138 -0
- package/dist/core/scheduler.js.map +1 -0
- package/dist/core/security-state.d.ts +170 -0
- package/dist/core/security-state.d.ts.map +1 -0
- package/dist/core/security-state.js +156 -0
- package/dist/core/security-state.js.map +1 -0
- package/dist/core/tier-capacity.d.ts +58 -0
- package/dist/core/tier-capacity.d.ts.map +1 -0
- package/dist/core/tier-capacity.js +89 -0
- package/dist/core/tier-capacity.js.map +1 -0
- package/dist/core/tracehound.d.ts +85 -0
- package/dist/core/tracehound.d.ts.map +1 -0
- package/dist/core/tracehound.js +90 -0
- package/dist/core/tracehound.js.map +1 -0
- package/dist/core/trust-boundary.d.ts +85 -0
- package/dist/core/trust-boundary.d.ts.map +1 -0
- package/dist/core/trust-boundary.js +71 -0
- package/dist/core/trust-boundary.js.map +1 -0
- package/dist/core/watcher.d.ts +153 -0
- package/dist/core/watcher.d.ts.map +1 -0
- package/dist/core/watcher.js +141 -0
- package/dist/core/watcher.js.map +1 -0
- package/dist/index.d.ts +53 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +112 -0
- package/dist/index.js.map +1 -0
- package/dist/types/audit.d.ts +45 -0
- package/dist/types/audit.d.ts.map +1 -0
- package/dist/types/audit.js +5 -0
- package/dist/types/audit.js.map +1 -0
- package/dist/types/common.d.ts +12 -0
- package/dist/types/common.d.ts.map +1 -0
- package/dist/types/common.js +5 -0
- package/dist/types/common.js.map +1 -0
- package/dist/types/config.d.ts +98 -0
- package/dist/types/config.d.ts.map +1 -0
- package/dist/types/config.js +58 -0
- package/dist/types/config.js.map +1 -0
- package/dist/types/errors.d.ts +118 -0
- package/dist/types/errors.d.ts.map +1 -0
- package/dist/types/errors.js +266 -0
- package/dist/types/errors.js.map +1 -0
- package/dist/types/evidence.d.ts +102 -0
- package/dist/types/evidence.d.ts.map +1 -0
- package/dist/types/evidence.js +5 -0
- package/dist/types/evidence.js.map +1 -0
- package/dist/types/index.d.ts +18 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +9 -0
- package/dist/types/index.js.map +1 -0
- package/dist/types/result.d.ts +62 -0
- package/dist/types/result.d.ts.map +1 -0
- package/dist/types/result.js +34 -0
- package/dist/types/result.js.map +1 -0
- package/dist/types/scent.d.ts +55 -0
- package/dist/types/scent.d.ts.map +1 -0
- package/dist/types/scent.js +5 -0
- package/dist/types/scent.js.map +1 -0
- package/dist/types/signature.d.ts +47 -0
- package/dist/types/signature.d.ts.map +1 -0
- package/dist/types/signature.js +68 -0
- package/dist/types/signature.js.map +1 -0
- package/dist/types/threat.d.ts +38 -0
- package/dist/types/threat.d.ts.map +1 -0
- package/dist/types/threat.js +18 -0
- package/dist/types/threat.js.map +1 -0
- package/dist/utils/binary-codec.d.ts +225 -0
- package/dist/utils/binary-codec.d.ts.map +1 -0
- package/dist/utils/binary-codec.js +266 -0
- package/dist/utils/binary-codec.js.map +1 -0
- package/dist/utils/compare.d.ts +26 -0
- package/dist/utils/compare.d.ts.map +1 -0
- package/dist/utils/compare.js +44 -0
- package/dist/utils/compare.js.map +1 -0
- package/dist/utils/encode.d.ts +39 -0
- package/dist/utils/encode.d.ts.map +1 -0
- package/dist/utils/encode.js +124 -0
- package/dist/utils/encode.js.map +1 -0
- package/dist/utils/hash.d.ts +19 -0
- package/dist/utils/hash.d.ts.map +1 -0
- package/dist/utils/hash.js +25 -0
- package/dist/utils/hash.js.map +1 -0
- package/dist/utils/id.d.ts +20 -0
- package/dist/utils/id.d.ts.map +1 -0
- package/dist/utils/id.js +47 -0
- package/dist/utils/id.js.map +1 -0
- package/dist/utils/runtime.d.ts +24 -0
- package/dist/utils/runtime.d.ts.map +1 -0
- package/dist/utils/runtime.js +68 -0
- package/dist/utils/runtime.js.map +1 -0
- package/dist/utils/serialize.d.ts +14 -0
- package/dist/utils/serialize.d.ts.map +1 -0
- package/dist/utils/serialize.js +27 -0
- package/dist/utils/serialize.js.map +1 -0
- package/package.json +54 -0
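--- a/package/dist/core/security-state.d.ts
+++ b/package/dist/core/security-state.d.ts
@@ -0,0 +1,170 @@
+/**
+ * Security State - Unified substrate for all security-related state.
+ *
+ * DESIGN PRINCIPLES:
+ * - Immutable snapshots for external consumers
+ * - Event-driven recording (no polling)
+ * - Time-series history for ThreatLedger
+ * - Zero-copy where possible
+ */
+import type { Severity } from '../types/common.js';
+/**
+ * Threat statistics.
+ */
+export interface ThreatStats {
+    total: number;
+    byCategory: Record<string, number>;
+    bySeverity: Record<Severity, number>;
+}
+/**
+ * Quarantine statistics.
+ */
+export interface QuarantineStateStats {
+    count: number;
+    bytes: number;
+    capacityPercent: number;
+}
+/**
+ * Rate limit statistics.
+ */
+export interface RateLimitStats {
+    activeWindows: number;
+    blockedSources: number;
+}
+/**
+ * License state.
+ */
+export interface LicenseState {
+    tier: 'starter' | 'pro' | 'enterprise';
+    status: 'valid' | 'expired' | 'grace' | 'invalid' | 'none';
+    daysRemaining?: number | undefined;
+}
+/**
+ * Complete security snapshot.
+ */
+export interface SecuritySnapshot {
+    /** Snapshot timestamp */
+    timestamp: number;
+    /** System uptime in ms */
+    uptimeMs: number;
+    /** Threat statistics */
+    threats: ThreatStats;
+    /** Quarantine statistics */
+    quarantine: QuarantineStateStats;
+    /** Rate limit statistics */
+    rateLimits: RateLimitStats;
+    /** License state */
+    license: LicenseState;
+    /** System health */
+    health: 'healthy' | 'degraded' | 'critical';
+}
+/**
+ * History entry for time-series tracking.
+ */
+export interface SecurityHistoryEntry {
+    timestamp: number;
+    type: 'threat' | 'evidence' | 'eviction' | 'rate_limit' | 'panic';
+    data: Record<string, unknown>;
+}
+/**
+ * Security State configuration.
+ */
+export interface SecurityStateConfig {
+    /** Maximum history entries to retain */
+    maxHistorySize?: number;
+    /** Quarantine max bytes (for capacity calculation) */
+    quarantineMaxBytes?: number;
+}
+/**
+ * Security State interface.
+ */
+export interface ISecurityState {
+    /**
+     * Get immutable snapshot of current state.
+     */
+    snapshot(): Readonly<SecuritySnapshot>;
+    /**
+     * Record a threat detection.
+     */
+    recordThreat(category: string, severity: Severity): void;
+    /**
+     * Record evidence quarantine.
+     */
+    recordEvidence(signature: string, size: number, severity: Severity): void;
+    /**
+     * Record evidence eviction.
+     */
+    recordEviction(signature: string, reason: 'capacity' | 'policy' | 'manual'): void;
+    /**
+     * Record rate limit event.
+     */
+    recordRateLimit(source: string, blocked: boolean): void;
+    /**
+     * Record system panic.
+     */
+    recordPanic(level: 'warning' | 'critical' | 'fatal', reason: string): void;
+    /**
+     * Update license state.
+     */
+    updateLicense(tier: LicenseState['tier'], status: LicenseState['status'], daysRemaining?: number): void;
+    /**
+     * Update quarantine stats (called by Quarantine).
+     */
+    updateQuarantine(count: number, bytes: number): void;
+    /**
+     * Update rate limit stats (called by RateLimiter).
+     */
+    updateRateLimits(activeWindows: number, blockedSources: number): void;
+    /**
+     * Get history entries (for ThreatLedger).
+     */
+    readonly history: readonly SecurityHistoryEntry[];
+    /**
+     * Get current stats.
+     */
+    readonly stats: SecurityStateStats;
+}
+/**
+ * Security State statistics.
+ */
+export interface SecurityStateStats {
+    historySize: number;
+    oldestEntry: number | null;
+    newestEntry: number | null;
+}
+/**
+ * Security State implementation.
+ */
+export declare class SecurityState implements ISecurityState {
+    private readonly config;
+    private readonly startTime;
+    private _threatTotal;
+    private _threatsByCategory;
+    private _threatsBySeverity;
+    private _quarantineCount;
+    private _quarantineBytes;
+    private _activeWindows;
+    private _blockedSources;
+    private _licenseTier;
+    private _licenseStatus;
+    private _licenseDaysRemaining;
+    private _history;
+    constructor(config?: SecurityStateConfig);
+    snapshot(): Readonly<SecuritySnapshot>;
+    recordThreat(category: string, severity: Severity): void;
+    recordEvidence(signature: string, size: number, severity: Severity): void;
+    recordEviction(signature: string, reason: 'capacity' | 'policy' | 'manual'): void;
+    recordRateLimit(source: string, blocked: boolean): void;
+    recordPanic(level: 'warning' | 'critical' | 'fatal', reason: string): void;
+    updateLicense(tier: LicenseState['tier'], status: LicenseState['status'], daysRemaining?: number): void;
+    updateQuarantine(count: number, bytes: number): void;
+    updateRateLimits(activeWindows: number, blockedSources: number): void;
+    get history(): readonly SecurityHistoryEntry[];
+    get stats(): SecurityStateStats;
+    private addHistory;
+}
+/**
+ * Create a Security State instance.
+ */
+export declare function createSecurityState(config?: SecurityStateConfig): ISecurityState;
+//# sourceMappingURL=security-state.d.ts.map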
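Review bot: `SecurityHistoryEntry.data` is typed `Record<string, unknown>` even though `type` already enumerates the five event kinds and the implementation in the `.js` hunk below writes a fixed payload for each (`{ category, severity }` for `threat`, `{ signature, size, severity }` for `evidence`, `{ signature, reason }` for `eviction`, `{ source, blocked }` for `rate_limit`, `{ level, reason }` for `panic`), so a ThreatLedger consumer has to re-validate every field it reads. A discriminated union on `type` would carry those shapes in the contract and let the compiler catch a mis-keyed payload at the `addHistory` call sites. Since this is generated output, the change belongs in `src/core/security-state.ts` (the path named in the source map); switching from `interface` to a `type` alias is a breaking change for anyone extending the interface, so adding the union as a new narrower type and keeping the existing interface is the compatible route.
```typescript
export type SecurityHistoryEntry =
    | { timestamp: number; type: 'threat'; data: { category: string; severity: Severity } }
    | { timestamp: number; type: 'evidence'; data: { signature: string; size: number; severity: Severity } }
    | { timestamp: number; type: 'eviction'; data: { signature: string; reason: 'capacity' | 'policy' | 'manual' } }
    | { timestamp: number; type: 'rate_limit'; data: { source: string; blocked: boolean } }
    | { timestamp: number; type: 'panic'; data: { level: 'warning' | 'critical' | 'fatal'; reason: string } };
// … unchanged: remaining declarations …
```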
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-state.d.ts","sourceRoot":"","sources":["../../src/core/security-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAMlD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAClC,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAA;IACb,KAAK,EAAE,MAAM,CAAA;IACb,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,SAAS,GAAG,KAAK,GAAG,YAAY,CAAA;IACtC,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAA;IAC1D,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAChB,wBAAwB;IACxB,OAAO,EAAE,WAAW,CAAA;IACpB,4BAA4B;IAC5B,UAAU,EAAE,oBAAoB,CAAA;IAChC,4BAA4B;IAC5B,UAAU,EAAE,cAAc,CAAA;IAC1B,oBAAoB;IACpB,OAAO,EAAE,YAAY,CAAA;IACrB,oBAAoB;IACpB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,CAAA;CAC5C;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,YAAY,GAAG,OAAO,CAAA;IACjE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,wCAAwC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,sDAAsD;IACtD,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,QAAQ,IAAI,QAAQ,CAAC,gBAAgB,CAAC,CAAA;IAEtC;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IAExD;;OAEG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IAEzE;;OAEG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,IAAI,CAAA;IAEjF;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IAEvD;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,SAAS,GAAG,UAAU,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IAE1E;;OAEG;IACH,aAAa,CACX,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,EAC1B,MAAM,EAAE,Y
AAY,CAAC,QAAQ,CAAC,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,IAAI,CAAA;IAEP;;OAEG;IACH,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IAEpD;;OAEG;IACH,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;IAErE;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,SAAS,oBAAoB,EAAE,CAAA;IAEjD;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,kBAAkB,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CAC3B;AAQD;;GAEG;AACH,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;IACtD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAa;IAGvC,OAAO,CAAC,YAAY,CAAI;IACxB,OAAO,CAAC,kBAAkB,CAA4B;IACtD,OAAO,CAAC,kBAAkB,CAA8B;IAGxD,OAAO,CAAC,gBAAgB,CAAI;IAC5B,OAAO,CAAC,gBAAgB,CAAI;IAG5B,OAAO,CAAC,cAAc,CAAI;IAC1B,OAAO,CAAC,eAAe,CAAI;IAG3B,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,cAAc,CAAiC;IACvD,OAAO,CAAC,qBAAqB,CAAgC;IAG7D,OAAO,CAAC,QAAQ,CAA6B;gBAEjC,MAAM,GAAE,mBAAwB;IAO5C,QAAQ,IAAI,QAAQ,CAAC,gBAAgB,CAAC;IAsDtC,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI;IAQxD,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI;IAIzE,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,IAAI;IAIjF,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAOvD,WAAW,CAAC,KAAK,EAAE,SAAS,GAAG,UAAU,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAI1E,aAAa,CACX,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,EAC1B,MAAM,EAAE,YAAY,CAAC,QAAQ,CAAC,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,IAAI;IAMP,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAKpD,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,IAAI;IAKrE,IAAI,OAAO,IAAI,SAAS,oBAAoB,EAAE,CAE7C;IAED,IAAI,KAAK,IAAI,kBAAkB,CAO9B;IAID,OAAO,CAAC,UAAU;CAYnB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,GAAE,mBAAwB,GAAG,cAAc,CAEpF"}
|
|
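--- a/package/dist/core/security-state.js
+++ b/package/dist/core/security-state.js
@@ -0,0 +1,156 @@
+/**
+ * Security State - Unified substrate for all security-related state.
+ *
+ * DESIGN PRINCIPLES:
+ * - Immutable snapshots for external consumers
+ * - Event-driven recording (no polling)
+ * - Time-series history for ThreatLedger
+ * - Zero-copy where possible
+ */
+// ─────────────────────────────────────────────────────────────────────────────
+// Implementation
+// ─────────────────────────────────────────────────────────────────────────────
+const DEFAULT_MAX_HISTORY = 10_000;
+/**
+ * Security State implementation.
+ */
+export class SecurityState {
+    config;
+    startTime = Date.now();
+    // Threat tracking
+    _threatTotal = 0;
+    _threatsByCategory = new Map();
+    _threatsBySeverity = new Map();
+    // Quarantine tracking
+    _quarantineCount = 0;
+    _quarantineBytes = 0;
+    // Rate limit tracking
+    _activeWindows = 0;
+    _blockedSources = 0;
+    // License tracking
+    _licenseTier = 'starter';
+    _licenseStatus = 'none';
+    _licenseDaysRemaining = undefined;
+    // History
+    _history = [];
+    constructor(config = {}) {
+        this.config = {
+            maxHistorySize: config.maxHistorySize ?? DEFAULT_MAX_HISTORY,
+            quarantineMaxBytes: config.quarantineMaxBytes ?? 100_000_000,
+        };
+    }
+    snapshot() {
+        const now = Date.now();
+        const bySeverity = {
+            low: this._threatsBySeverity.get('low') ?? 0,
+            medium: this._threatsBySeverity.get('medium') ?? 0,
+            high: this._threatsBySeverity.get('high') ?? 0,
+            critical: this._threatsBySeverity.get('critical') ?? 0,
+        };
+        const byCategory = {};
+        for (const [cat, count] of this._threatsByCategory) {
+            byCategory[cat] = count;
+        }
+        const capacityPercent = this.config.quarantineMaxBytes > 0
+            ? (this._quarantineBytes / this.config.quarantineMaxBytes) * 100
+            : 0;
+        // Determine health
+        let health = 'healthy';
+        if (capacityPercent > 90 || this._licenseStatus === 'expired') {
+            health = 'critical';
+        }
+        else if (capacityPercent > 70 || this._licenseStatus === 'grace') {
+            health = 'degraded';
+        }
+        return Object.freeze({
+            timestamp: now,
+            uptimeMs: now - this.startTime,
+            threats: {
+                total: this._threatTotal,
+                byCategory,
+                bySeverity,
+            },
+            quarantine: {
+                count: this._quarantineCount,
+                bytes: this._quarantineBytes,
+                capacityPercent,
+            },
+            rateLimits: {
+                activeWindows: this._activeWindows,
+                blockedSources: this._blockedSources,
+            },
+            license: {
+                tier: this._licenseTier,
+                status: this._licenseStatus,
+                daysRemaining: this._licenseDaysRemaining,
+            },
+            health,
+        });
+    }
+    recordThreat(category, severity) {
+        this._threatTotal++;
+        this._threatsByCategory.set(category, (this._threatsByCategory.get(category) ?? 0) + 1);
+        this._threatsBySeverity.set(severity, (this._threatsBySeverity.get(severity) ?? 0) + 1);
+        this.addHistory('threat', { category, severity });
+    }
+    recordEvidence(signature, size, severity) {
+        this.addHistory('evidence', { signature, size, severity });
+    }
+    recordEviction(signature, reason) {
+        this.addHistory('eviction', { signature, reason });
+    }
+    recordRateLimit(source, blocked) {
+        if (blocked) {
+            this._blockedSources++;
+        }
+        this.addHistory('rate_limit', { source, blocked });
+    }
+    recordPanic(level, reason) {
+        this.addHistory('panic', { level, reason });
+    }
+    updateLicense(tier, status, daysRemaining) {
+        this._licenseTier = tier;
+        this._licenseStatus = status;
+        this._licenseDaysRemaining = daysRemaining;
+    }
+    updateQuarantine(count, bytes) {
+        this._quarantineCount = count;
+        this._quarantineBytes = bytes;
+    }
+    updateRateLimits(activeWindows, blockedSources) {
+        this._activeWindows = activeWindows;
+        this._blockedSources = blockedSources;
+    }
+    get history() {
+        return this._history;
+    }
+    get stats() {
+        return {
+            historySize: this._history.length,
+            oldestEntry: this._history.length > 0 ? this._history[0].timestamp : null,
+            newestEntry: this._history.length > 0 ? this._history[this._history.length - 1].timestamp : null,
+        };
+    }
+    // ─── Private Methods ─────────────────────────────────────────────────────────
+    addHistory(type, data) {
+        this._history.push({
+            timestamp: Date.now(),
+            type,
+            data,
+        });
+        // Prune if exceeds max
+        if (this._history.length > this.config.maxHistorySize) {
+            this._history.shift();
+        }
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Factory
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Create a Security State instance.
+ */
+export function createSecurityState(config = {}) {
+    return new SecurityState(config);
+}
+//# sourceMappingURL=security-state.js.map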
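Review bot: `get history()` returns the live `_history` array by reference, so any holder of the state object can push, splice or rewrite audit entries and bypass the `maxHistorySize` pruning in `addHistory`; the `readonly` on the declaration is erased at runtime and protects nothing. For a time-series that ThreatLedger reads as evidence this is worth closing, either by returning a defensive copy, `return Object.freeze([...this._history]);` (one array copy per access, up to 10_000 entries at the default), or at minimum by a comment on the getter stating that the array is shared and must be treated as read-only. The "immutable snapshots" design note is also only partly honoured by `snapshot()`: `Object.freeze` is shallow, so `threats.byCategory`, `threats.bySeverity`, `quarantine`, `rateLimits` and `license` on the returned object stay writable unless each nested object is frozen too. Separately, `_blockedSources` has two writers with different semantics, incremented per event in `recordRateLimit` and overwritten as a gauge in `updateRateLimits`, so its value depends on call order; one of them should own the field, or the per-event count should live in its own counter.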
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-state.js","sourceRoot":"","sources":["../../src/core/security-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA2JH,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF,MAAM,mBAAmB,GAAG,MAAM,CAAA;AAElC;;GAEG;AACH,MAAM,OAAO,aAAa;IACP,MAAM,CAA+B;IACrC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEvC,kBAAkB;IACV,YAAY,GAAG,CAAC,CAAA;IAChB,kBAAkB,GAAG,IAAI,GAAG,EAAkB,CAAA;IAC9C,kBAAkB,GAAG,IAAI,GAAG,EAAoB,CAAA;IAExD,sBAAsB;IACd,gBAAgB,GAAG,CAAC,CAAA;IACpB,gBAAgB,GAAG,CAAC,CAAA;IAE5B,sBAAsB;IACd,cAAc,GAAG,CAAC,CAAA;IAClB,eAAe,GAAG,CAAC,CAAA;IAE3B,mBAAmB;IACX,YAAY,GAAyB,SAAS,CAAA;IAC9C,cAAc,GAA2B,MAAM,CAAA;IAC/C,qBAAqB,GAAuB,SAAS,CAAA;IAE7D,UAAU;IACF,QAAQ,GAA2B,EAAE,CAAA;IAE7C,YAAY,SAA8B,EAAE;QAC1C,IAAI,CAAC,MAAM,GAAG;YACZ,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,mBAAmB;YAC5D,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,WAAW;SAC7D,CAAA;IACH,CAAC;IAED,QAAQ;QACN,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,UAAU,GAA6B;YAC3C,GAAG,EAAE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAC5C,MAAM,EAAE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;YAClD,IAAI,EAAE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;YAC9C,QAAQ,EAAE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;SACvD,CAAA;QAED,MAAM,UAAU,GAA2B,EAAE,CAAA;QAC7C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACnD,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;QACzB,CAAC;QAED,MAAM,eAAe,GACnB,IAAI,CAAC,MAAM,CAAC,kBAAkB,GAAG,CAAC;YAChC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,GAAG;YAChE,CAAC,CAAC,CAAC,CAAA;QAEP,mBAAmB;QACnB,IAAI,MAAM,GAA+B,SAAS,CAAA;QAClD,IAAI,eAAe,GAAG,EAAE,IAAI,IAAI,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YAC9D,MAAM,GAAG,UAAU,CAAA;QACrB,CAAC;aAAM,IAAI,eAAe,GAAG,EAAE,IAAI,IAAI,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;YACnE,MAAM,GAAG,UAAU,CAAA;QACrB,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,GAAG,GAAG,IAAI,CAAC,SAAS;YAC9B,OAAO,EAAE;gBACP,KAAK,EAAE,IAAI,CAAC,YAAY;gBACxB,UAAU;gBACV,UAAU;aACX;YACD,UAAU,EAAE;gBACV,KAAK,EAAE,IAAI,CAAC,gBAAgB;gBAC5B,KAAK,
EAAE,IAAI,CAAC,gBAAgB;gBAC5B,eAAe;aAChB;YACD,UAAU,EAAE;gBACV,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,cAAc,EAAE,IAAI,CAAC,eAAe;aACrC;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,IAAI,CAAC,YAAY;gBACvB,MAAM,EAAE,IAAI,CAAC,cAAc;gBAC3B,aAAa,EAAE,IAAI,CAAC,qBAAqB;aAC1C;YACD,MAAM;SACP,CAAC,CAAA;IACJ,CAAC;IAED,YAAY,CAAC,QAAgB,EAAE,QAAkB;QAC/C,IAAI,CAAC,YAAY,EAAE,CAAA;QACnB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QACvF,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAEvF,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAA;IACnD,CAAC;IAED,cAAc,CAAC,SAAiB,EAAE,IAAY,EAAE,QAAkB;QAChE,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,cAAc,CAAC,SAAiB,EAAE,MAAwC;QACxE,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAA;IACpD,CAAC;IAED,eAAe,CAAC,MAAc,EAAE,OAAgB;QAC9C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,eAAe,EAAE,CAAA;QACxB,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAA;IACpD,CAAC;IAED,WAAW,CAAC,KAAuC,EAAE,MAAc;QACjE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAA;IAC7C,CAAC;IAED,aAAa,CACX,IAA0B,EAC1B,MAA8B,EAC9B,aAAsB;QAEtB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAA;QACxB,IAAI,CAAC,cAAc,GAAG,MAAM,CAAA;QAC5B,IAAI,CAAC,qBAAqB,GAAG,aAAa,CAAA;IAC5C,CAAC;IAED,gBAAgB,CAAC,KAAa,EAAE,KAAa;QAC3C,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAA;QAC7B,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAA;IAC/B,CAAC;IAED,gBAAgB,CAAC,aAAqB,EAAE,cAAsB;QAC5D,IAAI,CAAC,cAAc,GAAG,aAAa,CAAA;QACnC,IAAI,CAAC,eAAe,GAAG,cAAc,CAAA;IACvC,CAAC;IAED,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,QAAQ,CAAA;IACtB,CAAC;IAED,IAAI,KAAK;QACP,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YACjC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;YAC1E,WAAW,EACT,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAE,CAA
C,SAAS,CAAC,CAAC,CAAC,IAAI;SACvF,CAAA;IACH,CAAC;IAED,gFAAgF;IAExE,UAAU,CAAC,IAAkC,EAAE,IAA6B;QAClF,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACjB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,IAAI;YACJ,IAAI;SACL,CAAC,CAAA;QAEF,uBAAuB;QACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YACtD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAA;QACvB,CAAC;IACH,CAAC;CACF;AAED,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAA8B,EAAE;IAClE,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;AAClC,CAAC"}
|
|
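--- a/package/dist/core/tier-capacity.d.ts
+++ b/package/dist/core/tier-capacity.d.ts
@@ -0,0 +1,58 @@
+/**
+ * Tier-Aware Capacity Configuration
+ *
+ * Maps license tiers to HoundPool capacity constraints.
+ * This enforces the pricing model's capacity-gating strategy.
+ *
+ * INVARIANT: Security features are identical across all tiers.
+ * Only capacity (poolSize, memory, timeout) varies.
+ */
+import type { HoundPoolConfig, PoolExhaustedAction } from './hound-pool.js';
+import type { LicenseTier } from './license-manager.js';
+/**
+ * Capacity limits per tier.
+ */
+export interface TierCapacityLimits {
+    /** Max concurrent processes */
+    poolSize: number;
+    /** Max memory per process in MB */
+    maxMemoryMB: number;
+    /** Process timeout in ms */
+    timeoutMs: number;
+    /** Action when pool exhausted */
+    onPoolExhausted: PoolExhaustedAction;
+    /** Defer queue limit */
+    deferQueueLimit: number;
+}
+/**
+ * Tier capacity definitions.
+ *
+ * | Tier | Processes | Memory | Timeout |
+ * |------------|-----------|--------|---------|
+ * | Starter | 1 | 64MB | 5s |
+ * | Pro | 8 | 512MB | 30s |
+ * | Enterprise | 32 | 2048MB | 60s |
+ */
+export declare const TIER_CAPACITY_LIMITS: Record<LicenseTier, TierCapacityLimits>;
+/**
+ * Create tier-aware HoundPool configuration.
+ *
+ * @param tier - License tier
+ * @param overrides - Optional overrides (Enterprise can customize)
+ * @returns HoundPool configuration
+ *
+ * @example
+ * ```ts
+ * const config = createTierAwarePoolConfig('pro')
+ * const pool = createHoundPool(config)
+ * ```
+ */
+export declare function createTierAwarePoolConfig(tier: LicenseTier, overrides?: Partial<HoundPoolConfig>): HoundPoolConfig;
+/**
+ * Get capacity limits for a tier (read-only).
+ *
+ * @param tier - License tier
+ * @returns Capacity limits
+ */
+export declare function getTierCapacityLimits(tier: LicenseTier): Readonly<TierCapacityLimits>;
+//# sourceMappingURL=tier-capacity.d.ts.map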
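Review bot: `TIER_CAPACITY_LIMITS` is declared as a plain `Record<LicenseTier, TierCapacityLimits>` although the header says this table is what enforces capacity gating, so neither the type nor, judging by the unfrozen object literal in the following `tier-capacity.js` hunk, the runtime value stops code that imports it from reassigning a tier's limits; `getTierCapacityLimits` returning `Readonly<TierCapacityLimits>` then reads as a guarantee the data does not actually have. Declaring it `Readonly<Record<LicenseTier, Readonly<TierCapacityLimits>>>` and freezing the table and its three entries in the implementation would make that contract real. The `@param overrides` doc, "Optional overrides (Enterprise can customize)", should also say what happens for the other tiers: the implementation in the next hunk applies overrides only when `tier === 'enterprise'`, so for starter and pro they are silently ignored, which a caller cannot tell from the signature; `@param overrides - Optional overrides; applied only for the enterprise tier and ignored for all others` states it. Both changes belong in `src/core/tier-capacity.ts`, the source the map names, since this file is generated from it.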
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tier-capacity.d.ts","sourceRoot":"","sources":["../../src/core/tier-capacity.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAC3E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAOvD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAA;IAChB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAA;IACnB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,eAAe,EAAE,mBAAmB,CAAA;IACpC,wBAAwB;IACxB,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,WAAW,EAAE,kBAAkB,CAsB/D,CAAA;AAMV;;;;;;;;;;;;GAYG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,WAAW,EACjB,SAAS,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GACnC,eAAe,CAyBjB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,WAAW,GAAG,QAAQ,CAAC,kBAAkB,CAAC,CAErF"}
|
|
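--- a/package/dist/core/tier-capacity.js
+++ b/package/dist/core/tier-capacity.js
@@ -0,0 +1,89 @@
+/**
+* Tier-Aware Capacity Configuration
+*
+* Maps license tiers to HoundPool capacity constraints.
+* This enforces the pricing model's capacity-gating strategy.
+*
+* INVARIANT: Security features are identical across all tiers.
+* Only capacity (poolSize, memory, timeout) varies.
+*/
+/**
+* Tier capacity definitions.
+*
+* | Tier | Processes | Memory | Timeout |
+* |------------|-----------|--------|---------|
+* | Starter | 1 | 64MB | 5s |
+* | Pro | 8 | 512MB | 30s |
+* | Enterprise | 32 | 2048MB | 60s |
+*/
+export const TIER_CAPACITY_LIMITS = {
+starter: {
+poolSize: 1,
+maxMemoryMB: 64,
+timeoutMs: 5_000,
+onPoolExhausted: 'drop',
+deferQueueLimit: 10,
+},
+pro: {
+poolSize: 8,
+maxMemoryMB: 512,
+timeoutMs: 30_000,
+onPoolExhausted: 'defer',
+deferQueueLimit: 100,
+},
+enterprise: {
+poolSize: 32,
+maxMemoryMB: 2048,
+timeoutMs: 60_000,
+onPoolExhausted: 'defer',
+deferQueueLimit: 1000,
+},
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// Factory
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+* Create tier-aware HoundPool configuration.
+*
+* @param tier - License tier
+* @param overrides - Optional overrides (Enterprise can customize)
+* @returns HoundPool configuration
+*
+* @example
+* ```ts
+* const config = createTierAwarePoolConfig('pro')
+* const pool = createHoundPool(config)
+* ```
+*/
+export function createTierAwarePoolConfig(tier, overrides) {
+const limits = TIER_CAPACITY_LIMITS[tier];
+const processConstraints = {
+maxMemoryMB: limits.maxMemoryMB,
+networkAccess: false,
+fileSystemWrite: false,
+childSpawn: false,
+};
+const baseConfig = {
+poolSize: limits.poolSize,
+timeout: limits.timeoutMs,
+rotationJitterMs: 1000,
+onPoolExhausted: limits.onPoolExhausted,
+deferQueueLimit: limits.deferQueueLimit,
+processConstraints,
+};
+// Enterprise tier can override
+if (tier === 'enterprise' && overrides) {
+return { ...baseConfig, ...overrides };
+}
+return baseConfig;
+}
+/**
+* Get capacity limits for a tier (read-only).
+*
+* @param tier - License tier
+* @returns Capacity limits
+*/
+export function getTierCapacityLimits(tier) {
+return TIER_CAPACITY_LIMITS[tier];
+}
+//# sourceMappingURL=tier-capacity.js.map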
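Review bot: The enterprise branch `return { ...baseConfig, ...overrides };` lets an override replace `processConstraints`, so a caller can re-enable `networkAccess`, `fileSystemWrite` or `childSpawn` even though the file header states that security features are identical across tiers and only capacity varies; spreading the sandbox object after the overrides, `return { ...baseConfig, ...overrides, processConstraints };`, enforces that invariant at runtime instead of only in the doc comment. `TIER_CAPACITY_LIMITS` is also exported as a plain mutable object while `getTierCapacityLimits` is documented as read-only — the `Readonly<>` wrapper in the declaration file does not survive compilation, so `Object.freeze` on the table and on each tier entry is what actually stops a consumer from lowering `maxMemoryMB` or raising `poolSize` in place. Lastly, `TIER_CAPACITY_LIMITS[tier]` with a string that is not one of the three keys yields `undefined` and the next line throws a bare TypeError, while an inherited key such as `'constructor'` silently produces a config whose fields are all `undefined`; if the tier comes from runtime data such as a license record (the caller is not visible here), a guard like `if (!Object.hasOwn(TIER_CAPACITY_LIMITS, tier)) throw new Error(`unknown license tier: ${tier}`);` at the top of the function gives a clear failure for both cases.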
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tier-capacity.js","sourceRoot":"","sources":["../../src/core/tier-capacity.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA0BH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAA4C;IAC3E,OAAO,EAAE;QACP,QAAQ,EAAE,CAAC;QACX,WAAW,EAAE,EAAE;QACf,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,MAAM;QACvB,eAAe,EAAE,EAAE;KACpB;IACD,GAAG,EAAE;QACH,QAAQ,EAAE,CAAC;QACX,WAAW,EAAE,GAAG;QAChB,SAAS,EAAE,MAAM;QACjB,eAAe,EAAE,OAAO;QACxB,eAAe,EAAE,GAAG;KACrB;IACD,UAAU,EAAE;QACV,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,MAAM;QACjB,eAAe,EAAE,OAAO;QACxB,eAAe,EAAE,IAAI;KACtB;CACO,CAAA;AAEV,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,yBAAyB,CACvC,IAAiB,EACjB,SAAoC;IAEpC,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;IAEzC,MAAM,kBAAkB,GAAqC;QAC3D,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,aAAa,EAAE,KAAK;QACpB,eAAe,EAAE,KAAK;QACtB,UAAU,EAAE,KAAK;KAClB,CAAA;IAED,MAAM,UAAU,GAAoB;QAClC,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,OAAO,EAAE,MAAM,CAAC,SAAS;QACzB,gBAAgB,EAAE,IAAI;QACtB,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,kBAAkB;KACnB,CAAA;IAED,+BAA+B;IAC/B,IAAI,IAAI,KAAK,YAAY,IAAI,SAAS,EAAE,CAAC;QACvC,OAAO,EAAE,GAAG,UAAU,EAAE,GAAG,SAAS,EAAE,CAAA;IACxC,CAAC;IAED,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAiB;IACrD,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAA;AACnC,CAAC"}
|
|
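--- a/package/dist/core/tracehound.d.ts
+++ b/package/dist/core/tracehound.d.ts
@@ -0,0 +1,85 @@
+/**
+* Tracehound - Global factory and runtime instance.
+*
+* Provides a single entry point for initializing Tracehound.
+*/
+import { type IAgent } from './agent.js';
+import { AuditChain } from './audit-chain.js';
+import { type HoundPoolConfig, type IHoundPool } from './hound-pool.js';
+import { type INotificationEmitter } from './notification-emitter.js';
+import { Quarantine } from './quarantine.js';
+import { type IRateLimiter } from './rate-limiter.js';
+import { type IWatcher } from './watcher.js';
+/**
+* Tracehound initialization options.
+*/
+export interface TracehoundOptions {
+/**
+* Maximum payload size in bytes.
+* @default 1_000_000
+*/
+maxPayloadSize?: number;
+/**
+* Quarantine configuration.
+*/
+quarantine?: {
+maxCount?: number;
+maxBytes?: number;
+};
+/**
+* Rate limiter configuration.
+*/
+rateLimit?: {
+windowMs?: number;
+maxRequests?: number;
+blockDurationMs?: number;
+};
+/**
+* Watcher configuration.
+*/
+watcher?: {
+maxAlertsPerWindow?: number;
+alertWindowMs?: number;
+quarantineHighWatermark?: number;
+};
+/**
+* Hound pool configuration.
+*/
+houndPool?: Partial<HoundPoolConfig>;
+}
+/**
+* Tracehound runtime instance.
+*/
+export interface ITracehound {
+/** The Agent for intercepting requests */
+readonly agent: IAgent;
+/** The Quarantine storage */
+readonly quarantine: Quarantine;
+/** The Rate Limiter */
+readonly rateLimiter: IRateLimiter;
+/** The Watcher for observability */
+readonly watcher: IWatcher;
+/** The Audit Chain */
+readonly auditChain: AuditChain;
+/** The Notification Emitter */
+readonly notifications: INotificationEmitter;
+/** The Hound Pool */
+readonly houndPool: IHoundPool;
+}
+/**
+* Create a Tracehound instance.
+*
+* @example
+* ```typescript
+* import { createTracehound } from '@tracehound/core'
+*
+* const tracehound = createTracehound()
+*
+* // Use agent
+* const result = tracehound.agent.intercept(scent)
+* ```
+*
+* @param options - Initialization options
+*/
+export declare function createTracehound(options?: TracehoundOptions): ITracehound;
+//# sourceMappingURL=tracehound.d.ts.map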
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tracehound.d.ts","sourceRoot":"","sources":["../../src/core/tracehound.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAe,KAAK,MAAM,EAAE,MAAM,YAAY,CAAA;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAmB,KAAK,eAAe,EAAE,KAAK,UAAU,EAAE,MAAM,iBAAiB,CAAA;AACxF,OAAO,EAA6B,KAAK,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACxE,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,cAAc,CAAA;AAM3D;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB;;OAEG;IACH,UAAU,CAAC,EAAE;QACX,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;KAClB,CAAA;IAED;;OAEG;IACH,SAAS,CAAC,EAAE;QACV,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,WAAW,CAAC,EAAE,MAAM,CAAA;QACpB,eAAe,CAAC,EAAE,MAAM,CAAA;KACzB,CAAA;IAED;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,kBAAkB,CAAC,EAAE,MAAM,CAAA;QAC3B,aAAa,CAAC,EAAE,MAAM,CAAA;QACtB,uBAAuB,CAAC,EAAE,MAAM,CAAA;KACjC,CAAA;IAED;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAA;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,0CAA0C;IAC1C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,6BAA6B;IAC7B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;IAC/B,uBAAuB;IACvB,QAAQ,CAAC,WAAW,EAAE,YAAY,CAAA;IAClC,oCAAoC;IACpC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAA;IAC1B,sBAAsB;IACtB,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;IAC/B,+BAA+B;IAC/B,QAAQ,CAAC,aAAa,EAAE,oBAAoB,CAAA;IAC5C,qBAAqB;IACrB,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAA;CAC/B;AAgFD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,GAAE,iBAAsB,GAAG,WAAW,CAE7E"}
|
|
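--- a/package/dist/core/tracehound.js
+++ b/package/dist/core/tracehound.js
@@ -0,0 +1,90 @@
+/**
+* Tracehound - Global factory and runtime instance.
+*
+* Provides a single entry point for initializing Tracehound.
+*/
+import { createAgent } from './agent.js';
+import { AuditChain } from './audit-chain.js';
+import { EvidenceFactory } from './evidence-factory.js';
+import { createHoundPool } from './hound-pool.js';
+import { createNotificationEmitter } from './notification-emitter.js';
+import { Quarantine } from './quarantine.js';
+import { createRateLimiter } from './rate-limiter.js';
+import { createWatcher } from './watcher.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Implementation
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+* Default HoundPool configuration.
+*/
+const DEFAULT_POOL_CONFIG = {
+poolSize: 4,
+timeout: 30_000,
+rotationJitterMs: 1000,
+onPoolExhausted: 'defer',
+deferQueueLimit: 100,
+};
+/**
+* Tracehound runtime implementation.
+*/
+class Tracehound {
+agent;
+quarantine;
+rateLimiter;
+watcher;
+auditChain;
+notifications;
+houndPool;
+evidenceFactory;
+constructor(options = {}) {
+// Initialize components
+this.auditChain = new AuditChain();
+this.notifications = createNotificationEmitter();
+this.quarantine = new Quarantine({
+maxCount: options.quarantine?.maxCount ?? 10_000,
+maxBytes: options.quarantine?.maxBytes ?? 100_000_000,
+evictionPolicy: 'priority',
+}, this.auditChain);
+this.rateLimiter = createRateLimiter({
+windowMs: options.rateLimit?.windowMs ?? 60_000,
+maxRequests: options.rateLimit?.maxRequests ?? 100,
+blockDurationMs: options.rateLimit?.blockDurationMs ?? 300_000,
+});
+this.watcher = createWatcher({
+maxAlertsPerWindow: options.watcher?.maxAlertsPerWindow ?? 10,
+alertWindowMs: options.watcher?.alertWindowMs ?? 60_000,
+quarantineHighWatermark: options.watcher?.quarantineHighWatermark ?? 0.8,
+});
+this.evidenceFactory = new EvidenceFactory();
+// Create agent
+this.agent = createAgent({ maxPayloadSize: options.maxPayloadSize ?? 1_000_000 }, this.quarantine, this.rateLimiter, this.evidenceFactory);
+// Create HoundPool
+const poolConfig = {
+...DEFAULT_POOL_CONFIG,
+...options.houndPool,
+};
+this.houndPool = createHoundPool(poolConfig);
+}
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Factory
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+* Create a Tracehound instance.
+*
+* @example
+* ```typescript
+* import { createTracehound } from '@tracehound/core'
+*
+* const tracehound = createTracehound()
+*
+* // Use agent
+* const result = tracehound.agent.intercept(scent)
+* ```
+*
+* @param options - Initialization options
+*/
+export function createTracehound(options = {}) {
+return new Tracehound(options);
+}
+//# sourceMappingURL=tracehound.js.map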
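Review bot: `DEFAULT_POOL_CONFIG` carries no `processConstraints`, and the constructor's `{ ...DEFAULT_POOL_CONFIG, ...options.houndPool }` forwards whatever the caller supplies unchanged, so a Tracehound created with default options runs its pool without the `networkAccess: false` / `fileSystemWrite: false` / `childSpawn: false` sandbox that `createTierAwarePoolConfig` in tier-capacity.js sets, and a caller can pass `houndPool: { processConstraints: { networkAccess: true } }` with no check at all — unless `createHoundPool` applies its own constraint defaults, which is outside this hunk. I would add `processConstraints: { networkAccess: false, fileSystemWrite: false, childSpawn: false },` to `DEFAULT_POOL_CONFIG` (with whatever memory cap the pool module defaults to) and point out in a comment that the spread is shallow, so a partial `processConstraints` override replaces the whole object rather than merging into it. Since `TracehoundOptions.houndPool` is typed `Partial<HoundPoolConfig>`, the `@param options` JSDoc should also state which `houndPool` keys are honoured and which are pinned, because the type currently reads as if every key may be overridden.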