akemon 0.3.4 → 0.3.5

package/dist/privacy-filter.js

@@ -0,0 +1,269 @@
+import { spawn } from "node:child_process";
+import { redactText } from "./redaction.js";
+export class PrivacyFilterUnavailableError extends Error {
+    constructor(message, options = {}) {
+        super(message);
+        this.name = "PrivacyFilterUnavailableError";
+        if (options.cause !== undefined) {
+            this.cause = options.cause;
+        }
+    }
+}
+const DEFAULT_OPF_COMMAND = "opf";
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
+const DEFAULT_MAX_INPUT_CHARS = 32_000;
+export async function sanitizeText(text, options = {}) {
+    const mode = normalizeMode(options.mode);
+    const env = { ...process.env, ...(options.env || {}) };
+    const backend = resolveBackend(mode, options.backend, env);
+    const fastText = redactText(text || "");
+    if (backend === "fast") {
+        return {
+            text: fastText,
+            mode,
+            backend,
+            opfApplied: false,
+            warnings: [],
+        };
+    }
+    try {
+        const filteredText = await runOpfCli(fastText, options, env);
+        return {
+            text: filteredText,
+            mode,
+            backend,
+            opfApplied: true,
+            warnings: [],
+        };
+    }
+    catch (error) {
+        if (mode === "strict") {
+            throw toPrivacyFilterUnavailableError(error);
+        }
+        return {
+            text: fastText,
+            mode,
+            backend,
+            opfApplied: false,
+            warnings: [`OPF unavailable, used built-in redaction: ${redactText(errorMessage(error))}`],
+        };
+    }
+}
+function normalizeMode(mode) {
+    if (mode === undefined)
+        return "fast";
+    if (mode === "fast" || mode === "pii" || mode === "strict")
+        return mode;
+    throw new TypeError(`Invalid privacy filter mode: ${String(mode)}`);
+}
+function resolveBackend(mode, backend, env) {
+    if (backend !== undefined)
+        return normalizeBackend(backend);
+    const envBackend = env.AKEMON_PRIVACY_FILTER?.trim().toLowerCase();
+    if (envBackend)
+        return normalizeBackend(envBackend);
+    return mode === "strict" ? "opf" : "fast";
+}
+function normalizeBackend(backend) {
+    if (backend === "fast" || backend === "opf")
+        return backend;
+    throw new TypeError(`Invalid privacy filter backend: ${backend}`);
+}
+async function runOpfCli(text, options, env) {
+    const maxInputChars = readPositiveInt(options.maxInputChars, env.AKEMON_OPF_MAX_INPUT_CHARS, DEFAULT_MAX_INPUT_CHARS);
+    if (text.length > maxInputChars) {
+        throw new PrivacyFilterUnavailableError(`OPF input length ${text.length} exceeds max ${maxInputChars} chars`);
+    }
+    const command = options.command || env.AKEMON_OPF_COMMAND || DEFAULT_OPF_COMMAND;
+    const timeoutMs = readPositiveInt(options.timeoutMs, env.AKEMON_OPF_TIMEOUT_MS, DEFAULT_TIMEOUT_MS);
+    const maxBufferBytes = readPositiveInt(options.maxBufferBytes, env.AKEMON_OPF_MAX_BUFFER_BYTES, DEFAULT_MAX_BUFFER_BYTES);
+    const device = options.device || env.AKEMON_OPF_DEVICE;
+    const checkpoint = options.checkpoint || env.AKEMON_OPF_CHECKPOINT;
+    const args = buildOpfArgs({ device, checkpoint });
+    const spawnImpl = options.spawnImpl || spawn;
+    const stdout = await collectChildOutput(spawnImpl(command, args, {
+        env,
+        stdio: ["pipe", "pipe", "pipe"],
+    }), text, timeoutMs, maxBufferBytes);
+    return parseOpfRedactedText(stdout, text);
+}
+function buildOpfArgs(options) {
+    const args = [
+        "redact",
+        "--format",
+        "json",
+        "--output-mode",
+        "redacted",
+        "--json-indent",
+        "0",
+        "--no-print-color-coded-text",
+    ];
+    if (options.device)
+        args.push("--device", options.device);
+    if (options.checkpoint)
+        args.push("--checkpoint", options.checkpoint);
+    return args;
+}
+function collectChildOutput(child, inputText, timeoutMs, maxBufferBytes) {
+    return new Promise((resolve, reject) => {
+        let stdout = "";
+        let stderr = "";
+        let stdoutBytes = 0;
+        let stderrBytes = 0;
+        let settled = false;
+        const timer = setTimeout(() => {
+            fail(new PrivacyFilterUnavailableError(`OPF timed out after ${timeoutMs}ms`));
+            child.kill("SIGTERM");
+        }, timeoutMs);
+        const fail = (error) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            reject(toPrivacyFilterUnavailableError(error));
+        };
+        child.stdout?.on("data", (chunk) => {
+            const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            stdoutBytes += buffer.byteLength;
+            if (stdoutBytes > maxBufferBytes) {
+                fail(new PrivacyFilterUnavailableError(`OPF stdout exceeded ${maxBufferBytes} bytes`));
+                child.kill("SIGTERM");
+                return;
+            }
+            stdout += buffer.toString("utf8");
+        });
+        child.stderr?.on("data", (chunk) => {
+            const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            stderrBytes += buffer.byteLength;
+            if (stderrBytes > maxBufferBytes) {
+                fail(new PrivacyFilterUnavailableError(`OPF stderr exceeded ${maxBufferBytes} bytes`));
+                child.kill("SIGTERM");
+                return;
+            }
+            stderr += buffer.toString("utf8");
+        });
+        child.on("error", fail);
+        child.on("close", (code) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            if (code !== 0) {
+                reject(new PrivacyFilterUnavailableError(`OPF exited with code ${code}: ${stderr.trim() || "no stderr"}`));
+                return;
+            }
+            resolve(stdout);
+        });
+        if (!child.stdin) {
+            fail(new PrivacyFilterUnavailableError("OPF stdin was not available"));
+            return;
+        }
+        child.stdin.on("error", fail);
+        child.stdin.end(inputText.endsWith("\n") ? inputText : `${inputText}\n`);
+    });
+}
+function parseOpfRedactedText(stdout, originalText) {
+    const records = parseOpfJsonRecords(stdout);
+    const redactedLines = [];
+    for (const record of records) {
+        const redacted = readOpfRedactedText(record);
+        redactedLines.push(redacted);
+    }
+    const lines = originalText.split(/\r?\n/);
+    if (lines.filter((line) => line.trim()).length > 1) {
+        let redactedIndex = 0;
+        return lines.map((line) => {
+            if (!line.trim())
+                return line;
+            return redactedLines[redactedIndex++] ?? line;
+        }).join("\n");
+    }
+    return redactedLines[0] ?? "";
+}
+function parseOpfJsonRecords(stdout) {
+    const trimmed = stdout.trim();
+    if (!trimmed) {
+        throw new PrivacyFilterUnavailableError("OPF returned empty output");
+    }
+    try {
+        return [JSON.parse(trimmed)];
+    }
+    catch { }
+    const chunks = splitConcatenatedJsonObjects(trimmed);
+    if (!chunks.length) {
+        throw new PrivacyFilterUnavailableError("OPF did not return valid JSON");
+    }
+    try {
+        return chunks.map((chunk) => JSON.parse(chunk));
+    }
+    catch (error) {
+        throw new PrivacyFilterUnavailableError("OPF did not return valid JSON", { cause: error });
+    }
+}
+function splitConcatenatedJsonObjects(text) {
+    const chunks = [];
+    let depth = 0;
+    let start = -1;
+    let inString = false;
+    let escaped = false;
+    for (let i = 0; i < text.length; i++) {
+        const char = text[i];
+        if (inString) {
+            if (escaped) {
+                escaped = false;
+            }
+            else if (char === "\\") {
+                escaped = true;
+            }
+            else if (char === "\"") {
+                inString = false;
+            }
+            continue;
+        }
+        if (char === "\"") {
+            inString = true;
+            continue;
+        }
+        if (char === "{") {
+            if (depth === 0)
+                start = i;
+            depth += 1;
+            continue;
+        }
+        if (char === "}") {
+            depth -= 1;
+            if (depth === 0 && start >= 0) {
+                chunks.push(text.slice(start, i + 1));
+                start = -1;
+            }
+        }
+    }
+    return depth === 0 && !inString ? chunks : [];
+}
+function readOpfRedactedText(parsed) {
+    if (!parsed || typeof parsed !== "object") {
+        throw new PrivacyFilterUnavailableError("OPF JSON output was not an object");
+    }
+    const redacted = parsed.redacted_text
+        ?? parsed.redactedText;
+    if (typeof redacted !== "string") {
+        throw new PrivacyFilterUnavailableError("OPF JSON output did not include redacted_text");
+    }
+    return redacted;
+}
+function readPositiveInt(value, envValue, fallback) {
+    const raw = value !== undefined ? value : envValue;
+    const parsed = typeof raw === "number" ? raw : Number(raw);
+    return Number.isInteger(parsed) && parsed > 0 ? parsed : fallback;
+}
+function toPrivacyFilterUnavailableError(error) {
+    if (error instanceof PrivacyFilterUnavailableError)
+        return error;
+    return new PrivacyFilterUnavailableError(errorMessage(error), { cause: error });
+}
+function errorMessage(error) {
+    if (error instanceof Error)
+        return error.message;
+    return String(error);
+}

package/dist/redaction.js

@@ -0,0 +1,159 @@
+const REDACTION = "[REDACTED]";
+const PRIVATE_KEY_BLOCK_RE = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g;
+const AUTH_HEADER_RE = /\b((?:Authorization\s*:\s*)?(?:Bearer|Basic)\s+)[A-Za-z0-9._~+/=-]{12,}/gi;
+const URL_CREDENTIAL_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^/\s:@]+):([^/\s@]+)@/gi;
+const SECRET_ASSIGNMENT_RE = /((?:^|[\s{,])["']?[A-Za-z0-9_.-]*(?:secret|token|password|passwd|pwd|api[_-]?key|access[_-]?key|private[_-]?key|credential)s?["']?\s*[:=]\s*["']?)([^"',\s})]+)/gi;
+const KNOWN_TOKEN_PATTERNS = [
+    /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g,
+    /\bsk-[A-Za-z0-9_-]{20,}\b/g,
+    /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{20,}\b/g,
+    /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g,
+    /\bnpm_[A-Za-z0-9]{20,}\b/g,
+    /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/g,
+    /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,
+    /\b[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b/g,
+];
+const SENSITIVE_KEY_NAMES = new Set([
+    "auth",
+    "authorization",
+    "bearer",
+    "credential",
+    "credentials",
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    "secretkey",
+    "token",
+    "accesstoken",
+    "accesskey",
+    "apikey",
+    "rawapikey",
+    "privatekey",
+]);
+const DEFAULT_MAX_BUFFERED_CHARS = 8192;
+const SECRET_TERMINATOR_RE = /[\s"',}\])>]$/;
+const POTENTIAL_SECRET_TAIL_PATTERNS = [
+    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*$/i,
+    /(?:^|[\s{,])["']?[A-Za-z0-9_.-]*(?:secret|token|password|passwd|pwd|api[_-]?key|access[_-]?key|private[_-]?key|credential)s?["']?\s*[:=]\s*["']?[^"',\s})]*$/i,
+    /\b(?:Authorization\s*:\s*)?(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]*$/i,
+    /\b(?:sk-ant-|sk-|ghp_|gho_|ghu_|ghs_|ghr_|github_pat_|npm_|xox[baprs]-)[A-Za-z0-9._~+/=-]*$/i,
+    /\b(?:AKIA|ASIA)[0-9A-Z]*$/i,
+    /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$/i,
+    /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$/i,
+    /\b[a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:[^/\s@]*$/i,
+];
+export class StreamingRedactor {
+    pending = "";
+    maxBufferedChars;
+    constructor(options = {}) {
+        this.maxBufferedChars = normalizePositiveInt(options.maxBufferedChars, DEFAULT_MAX_BUFFERED_CHARS);
+    }
+    push(chunk) {
+        if (!chunk)
+            return "";
+        this.pending += chunk;
+        const redacted = redactText(this.pending);
+        if (redacted !== this.pending) {
+            if (SECRET_TERMINATOR_RE.test(this.pending) || this.pending.length > this.maxBufferedChars) {
+                this.pending = "";
+                return redacted;
+            }
+            return "";
+        }
+        const holdStart = findPotentialSecretTailStart(this.pending);
+        if (holdStart >= 0) {
+            const output = this.pending.slice(0, holdStart);
+            const held = this.pending.slice(holdStart);
+            if (held.length > this.maxBufferedChars) {
+                this.pending = "";
+                return `${redactText(output)}${REDACTION}`;
+            }
+            this.pending = held;
+            return redactText(output);
+        }
+        const output = this.pending;
+        this.pending = "";
+        return output;
+    }
+    flush() {
+        if (!this.pending)
+            return "";
+        const output = redactText(this.pending);
+        this.pending = "";
+        return output;
+    }
+}
+export function redactText(text) {
+    let redacted = text;
+    redacted = redacted.replace(PRIVATE_KEY_BLOCK_RE, REDACTION);
+    redacted = redacted.replace(URL_CREDENTIAL_RE, `$1${REDACTION}@`);
+    redacted = redacted.replace(AUTH_HEADER_RE, `$1${REDACTION}`);
+    redacted = redacted.replace(SECRET_ASSIGNMENT_RE, `$1${REDACTION}`);
+    for (const pattern of KNOWN_TOKEN_PATTERNS) {
+        redacted = redacted.replace(pattern, REDACTION);
+    }
+    return redacted;
+}
+export function redactSecrets(value) {
+    return redactValue(value, new WeakMap(), "");
+}
+export function isSensitiveKey(key) {
+    const normalized = key.replace(/[^a-z0-9]/gi, "").toLowerCase();
+    return SENSITIVE_KEY_NAMES.has(normalized)
+        || normalized.endsWith("secret")
+        || normalized.endsWith("token")
+        || normalized.endsWith("password")
+        || normalized.endsWith("apikey")
+        || normalized.endsWith("accesskey")
+        || normalized.endsWith("privatekey")
+        || normalized.includes("credential");
+}
+function redactValue(value, seen, key) {
+    if (isSensitiveKey(key) && value !== undefined && value !== null) {
+        return REDACTION;
+    }
+    if (typeof value === "string") {
+        return redactText(value);
+    }
+    if (!value || typeof value !== "object") {
+        return value;
+    }
+    if (seen.has(value)) {
+        return seen.get(value);
+    }
+    if (Array.isArray(value)) {
+        const copy = [];
+        seen.set(value, copy);
+        for (const item of value)
+            copy.push(redactValue(item, seen, ""));
+        return copy;
+    }
+    if (!isPlainObject(value)) {
+        return value;
+    }
+    const copy = {};
+    seen.set(value, copy);
+    for (const [childKey, childValue] of Object.entries(value)) {
+        copy[childKey] = redactValue(childValue, seen, childKey);
+    }
+    return copy;
+}
+function isPlainObject(value) {
+    const proto = Object.getPrototypeOf(value);
+    return proto === Object.prototype || proto === null;
+}
+function findPotentialSecretTailStart(text) {
+    let start = -1;
+    for (const pattern of POTENTIAL_SECRET_TAIL_PATTERNS) {
+        pattern.lastIndex = 0;
+        const match = pattern.exec(text);
+        if (match?.index !== undefined && (start < 0 || match.index < start)) {
+            start = match.index;
+        }
+    }
+    return start;
+}
+function normalizePositiveInt(value, fallback) {
+    return typeof value === "number" && Number.isInteger(value) && value > 0 ? value : fallback;
+}

package/dist/relay-client.js

@@ -1,10 +1,12 @@
 import WebSocket from "ws";
 import http from "http";
 import { getMetrics, updateMetrics } from "./metrics.js";
+import { redactText, StreamingRedactor } from "./redaction.js";
 const DEFAULT_RELAY_URL = "wss://relay.akemon.dev";
 // Pending agent_call results (callId → resolve function)
 const pendingAgentCalls = new Map();
 let relayWsRef = null;
+const taskStreamRedactors = new Map();
 function sendRelayMessage(msg) {
     if (!relayWsRef || relayWsRef.readyState !== WebSocket.OPEN)
         return;
@@ -87,6 +89,7 @@ export function callAgent(target, task) {
     });
 }
 export function sendTaskStart(taskId, origin, cmd) {
+    clearTaskStreamRedactors(taskId);
     sendRelayMessage({
         type: "task_start",
         task_id: taskId,
@@ -95,14 +98,19 @@ export function sendTaskStart(taskId, origin, cmd) {
     });
 }
 export function sendTaskStream(taskId, stream, chunk) {
+    const safeChunk = taskStreamRedactor(taskId, stream).push(chunk);
+    if (!safeChunk)
+        return;
     sendRelayMessage({
         type: "task_stream",
         task_id: taskId,
         stream,
-        chunk,
+        chunk: safeChunk,
     });
 }
 export function sendTaskEnd(taskId, exitCode, durationMs) {
+    flushTaskStreamRedactor(taskId, "stdout");
+    flushTaskStreamRedactor(taskId, "stderr");
     sendRelayMessage({
         type: "task_end",
         task_id: taskId,
@@ -110,6 +118,35 @@ export function sendTaskEnd(taskId, exitCode, durationMs) {
         duration_ms: durationMs,
     });
 }
+function clearTaskStreamRedactors(taskId) {
+    taskStreamRedactors.delete(`${taskId}:stdout`);
+    taskStreamRedactors.delete(`${taskId}:stderr`);
+}
+function taskStreamRedactor(taskId, stream) {
+    const key = `${taskId}:${stream}`;
+    let redactor = taskStreamRedactors.get(key);
+    if (!redactor) {
+        redactor = new StreamingRedactor();
+        taskStreamRedactors.set(key, redactor);
+    }
+    return redactor;
+}
+function flushTaskStreamRedactor(taskId, stream) {
+    const key = `${taskId}:${stream}`;
+    const redactor = taskStreamRedactors.get(key);
+    if (!redactor)
+        return;
+    const safeChunk = redactor.flush();
+    taskStreamRedactors.delete(key);
+    if (!safeChunk)
+        return;
+    sendRelayMessage({
+        type: "task_stream",
+        task_id: taskId,
+        stream,
+        chunk: safeChunk,
+    });
+}
 export function connectRelay(options) {
     const relayUrl = options.relayUrl || DEFAULT_RELAY_URL;
     let wsUrl = relayUrl.replace(/^http/, "ws");
@@ -485,5 +522,5 @@ function extractSSEData(sse) {
 }
 /** Send a failure event to the relay for observability storage. Fire-and-forget. */
 export function sendFailureEvent(kind, label, message) {
-    sendRelayMessage({ type: "failure_event", kind, label, message });
+    sendRelayMessage({ type: "failure_event", kind, label, message: redactText(message) });
 }