arc-1 0.1.0

package/dist/server/server.js

@@ -0,0 +1,307 @@
+/**
+ * MCP Server for ARC-1.
+ *
+ * Creates and starts the MCP server with 11 intent-based tools.
+ * Supports two transports:
+ * - stdio (default): for local MCP clients (Claude Desktop, Claude Code, Cursor)
+ * - http-streamable: for remote/containerized deployments
+ */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { AdtClient } from '../adt/client.js';
+import { handleToolCall, TOOL_SCOPES } from '../handlers/intent.js';
+import { getToolDefinitions } from '../handlers/tools.js';
+import { initLogger, logger } from './logger.js';
+import { FileSink } from './sinks/file.js';
+/** ARC-1 version */
+export const VERSION = '0.1.0';
+/** Build the base ADT client config (without per-user auth) */
+function buildAdtConfig(config, btpProxy) {
+    return {
+        baseUrl: config.url,
+        username: config.username,
+        password: config.password,
+        client: config.client,
+        language: config.language,
+        insecure: config.insecure,
+        btpProxy,
+        safety: {
+            readOnly: config.readOnly,
+            blockFreeSQL: config.blockFreeSQL,
+            allowedOps: config.allowedOps,
+            disallowedOps: config.disallowedOps,
+            allowedPackages: config.allowedPackages,
+            dryRun: false,
+            enableTransports: config.enableTransports,
+            transportReadOnly: false,
+            allowedTransports: [],
+            allowTransportableEdits: config.allowTransportableEdits,
+        },
+    };
+}
+/**
+ * Create a per-user ADT client for principal propagation.
+ *
+ * Called per MCP request when ppEnabled=true and user JWT is available.
+ * Looks up the BTP Destination with X-User-Token header to get per-user
+ * auth tokens, then creates an ADT client that sends the
+ * SAP-Connectivity-Authentication header with every request.
+ *
+ * The Cloud Connector uses this header to generate an X.509 cert
+ * mapped to the SAP user via CERTRULE.
+ */
+async function createPerUserClient(config, btpConfig, btpProxy, userJwt) {
+    const { lookupDestinationWithUserToken } = await import('../adt/btp.js');
+    // Use SAP_BTP_PP_DESTINATION if set, otherwise fall back to SAP_BTP_DESTINATION.
+    // This enables a dual-destination approach:
+    // - SAP_BTP_DESTINATION = BasicAuth destination (shared client, startup resolution)
+    // - SAP_BTP_PP_DESTINATION = PrincipalPropagation destination (per-user, runtime)
+    const destName = process.env.SAP_BTP_PP_DESTINATION ?? process.env.SAP_BTP_DESTINATION;
+    if (!destName) {
+        throw new Error('SAP_BTP_PP_DESTINATION or SAP_BTP_DESTINATION is required for principal propagation');
+    }
+    const { destination, authTokens } = await lookupDestinationWithUserToken(btpConfig, destName, userJwt);
+    const adtConfig = buildAdtConfig(config, btpProxy);
+    // Override URL from destination (in case it differs from startup-resolved URL)
+    adtConfig.baseUrl = destination.URL;
+    // Set per-user auth for principal propagation.
+    // Option 1 (Recommended): jwt-bearer exchanged token → Proxy-Authorization
+    // Option 2 (Backward compat): SAML assertion → SAP-Connectivity-Authentication
+    // Preserve the username for display only (e.g. SAPRead SYSTEM) by extracting it from the JWT.
+    // Safety: the JWT signature was already verified by the OIDC middleware in http.ts —
+    // we're just reading a claim from an already-trusted token. This value is never used
+    // for auth or access control; the actual SAP identity comes from the SAML assertion.
+    let displayUsername;
+    try {
+        const payload = JSON.parse(Buffer.from(userJwt.split('.')[1], 'base64url').toString());
+        displayUsername = payload.user_name ?? payload.email ?? undefined;
+    }
+    catch {
+        displayUsername = undefined;
+    }
+    if (authTokens.ppProxyAuth) {
+        // Option 1: exchanged token replaces Proxy-Authorization
+        adtConfig.ppProxyAuth = authTokens.ppProxyAuth;
+        adtConfig.username = displayUsername;
+        adtConfig.password = undefined;
+    }
+    else if (authTokens.sapConnectivityAuth) {
+        // Option 2: SAML assertion from Destination Service
+        adtConfig.sapConnectivityAuth = authTokens.sapConnectivityAuth;
+        adtConfig.username = displayUsername;
+        adtConfig.password = undefined;
+    }
+    else if (authTokens.bearerToken) {
+        // TODO: Bearer token auth for OAuth2SAMLBearerAssertion destinations
+        // This would replace basic auth with Bearer token
+        logger.warn('Bearer token auth from destination not yet implemented — falling back to basic auth');
+    }
+    else {
+        // No per-user auth token received.
+        throw new Error(`Principal propagation failed for destination '${destName}': ` +
+            'no SAP-Connectivity-Authentication header, Bearer token, or jwt-bearer exchange token returned. ' +
+            'Check Cloud Connector status, destination configuration, and user JWT validity.');
+    }
+    return new AdtClient(adtConfig);
+}
+/**
+ * Create the MCP server with registered tool handlers.
+ * @param config Server configuration
+ * @param btpProxy Optional BTP connectivity proxy config (resolved at startup)
+ * @param btpConfig Optional BTP service config (for per-user destination lookup)
+ */
+export function createServer(config, btpProxy, btpConfig) {
+    const server = new Server({ name: 'arc-1', version: VERSION }, { capabilities: { tools: {} } });
+    // Create default ADT client (shared, uses startup-time credentials)
+    const defaultClient = new AdtClient(buildAdtConfig(config, btpProxy));
+    // Register tool listing — filtered by user's scopes when auth is active
+    server.setRequestHandler(ListToolsRequestSchema, async (_request, extra) => {
+        let tools = getToolDefinitions(config);
+        // When authenticated, only show tools the user has scopes for
+        if (extra.authInfo) {
+            tools = tools.filter((tool) => {
+                const requiredScope = TOOL_SCOPES[tool.name];
+                return !requiredScope || extra.authInfo.scopes.includes(requiredScope);
+            });
+        }
+        return { tools };
+    });
+    // Register tool call handler — passes authInfo for scope enforcement + audit logging
+    server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
+        const toolName = request.params.name;
+        const args = (request.params.arguments ?? {});
+        // Principal propagation: create per-user ADT client if enabled and user JWT available.
+        // Only attempt PP when the token is a JWT (3 dot-separated parts), not a plain API key.
+        let client = defaultClient;
+        const token = extra.authInfo?.token;
+        const isJwt = token && token.split('.').length === 3;
+        if (config.ppEnabled && btpConfig && isJwt) {
+            const ppUser = (extra.authInfo?.extra?.userName ?? extra.authInfo?.clientId);
+            const ppDest = process.env.SAP_BTP_PP_DESTINATION ?? process.env.SAP_BTP_DESTINATION ?? '';
+            try {
+                client = await createPerUserClient(config, btpConfig, btpProxy, token);
+                logger.emitAudit({
+                    timestamp: new Date().toISOString(),
+                    level: 'info',
+                    event: 'auth_pp_created',
+                    user: ppUser,
+                    destination: ppDest,
+                    success: true,
+                });
+            }
+            catch (err) {
+                const errMsg = err instanceof Error ? err.message : String(err);
+                logger.emitAudit({
+                    timestamp: new Date().toISOString(),
+                    level: 'error',
+                    event: 'auth_pp_created',
+                    user: ppUser,
+                    destination: ppDest,
+                    success: false,
+                    errorMessage: errMsg,
+                });
+                if (config.ppStrict) {
+                    // Strict mode: PP failure is a hard error — never fall back to shared client.
+                    // This ensures every request runs with the authenticated user's identity.
+                    return {
+                        content: [
+                            {
+                                type: 'text',
+                                text: `Principal propagation failed (SAP_PP_STRICT=true): ${errMsg}`,
+                            },
+                        ],
+                        isError: true,
+                    };
+                }
+                // Fall back to shared client (service account)
+            }
+        }
+        else if (config.ppStrict && config.ppEnabled && !isJwt) {
+            // Strict mode with non-JWT token (e.g., API key) — reject
+            return {
+                content: [
+                    {
+                        type: 'text',
+                        text: 'Principal propagation requires a JWT token (SAP_PP_STRICT=true). API key authentication is not supported in strict PP mode.',
+                    },
+                ],
+                isError: true,
+            };
+        }
+        const result = await handleToolCall(client, config, toolName, args, extra.authInfo, server);
+        return { ...result };
+    });
+    return server;
+}
+/**
+ * Create and start the MCP server.
+ */
+export async function createAndStartServer(config) {
+    initLogger(config.logFormat, config.verbose);
+    // Add file sink if configured
+    if (config.logFile) {
+        logger.addSink(new FileSink(config.logFile));
+        logger.info('File logging enabled', { logFile: config.logFile });
+    }
+    // Add BTP Audit Log sink if auditlog service is bound (auto-detected from VCAP_SERVICES)
+    try {
+        const { BTPAuditLogSink, parseBTPAuditLogConfig } = await import('./sinks/btp-auditlog.js');
+        const auditLogConfig = parseBTPAuditLogConfig();
+        if (auditLogConfig) {
+            logger.addSink(new BTPAuditLogSink(auditLogConfig));
+            logger.info('BTP Audit Log sink enabled', { url: auditLogConfig.url });
+        }
+    }
+    catch (err) {
+        logger.warn('BTP Audit Log sink initialization failed (optional)', {
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+    // Emit structured server_start audit event
+    logger.emitAudit({
+        timestamp: new Date().toISOString(),
+        level: 'info',
+        event: 'server_start',
+        version: VERSION,
+        transport: config.transport,
+        readOnly: config.readOnly,
+        url: config.url || '(not configured)',
+    });
+    logger.info('ARC-1 starting', {
+        version: VERSION,
+        transport: config.transport,
+        url: config.url || '(not configured)',
+        readOnly: config.readOnly,
+    });
+    // Resolve BTP Destination if configured (overrides SAP_URL/USER/PASSWORD)
+    let btpProxy;
+    let btpConfig;
+    const btpDestination = process.env.SAP_BTP_DESTINATION;
+    if (btpDestination) {
+        const { resolveBTPDestination, parseVCAPServices } = await import('../adt/btp.js');
+        const resolved = await resolveBTPDestination(btpDestination);
+        config.url = resolved.url;
+        config.username = resolved.username;
+        config.password = resolved.password;
+        config.client = resolved.client;
+        btpProxy = resolved.proxy ?? undefined;
+        // Keep btpConfig for per-user destination lookup (principal propagation)
+        if (config.ppEnabled) {
+            btpConfig = parseVCAPServices() ?? undefined;
+            logger.info('Principal propagation enabled', {
+                destination: btpDestination,
+                hasBtpConfig: !!btpConfig,
+            });
+        }
+        logger.info('BTP destination resolved', {
+            destination: btpDestination,
+            url: resolved.url,
+            user: resolved.username,
+            hasProxy: !!btpProxy,
+            ppEnabled: config.ppEnabled,
+        });
+    }
+    const server = createServer(config, btpProxy, btpConfig);
+    if (config.transport === 'stdio') {
+        const transport = new StdioServerTransport();
+        await server.connect(transport);
+        logger.info('ARC-1 MCP server running on stdio');
+    }
+    else {
+        // HTTP Streamable transport — for containerized/BTP deployments
+        // Pass the factory function so HTTP server can create fresh server+transport
+        // per request. This is required because MCP SDK's Server can only connect
+        // to one transport at a time, and clients like Copilot Studio send
+        // concurrent requests.
+        // Load XSUAA credentials if XSUAA auth is enabled
+        let xsuaaCredentials;
+        if (config.xsuaaAuth) {
+            try {
+                const xsenv = await import('@sap/xsenv');
+                const services = xsenv.getServices({ uaa: { tag: 'xsuaa' } });
+                const uaa = services.uaa;
+                xsuaaCredentials = {
+                    url: uaa.url,
+                    clientid: uaa.clientid,
+                    clientsecret: uaa.clientsecret,
+                    xsappname: uaa.xsappname,
+                    uaadomain: uaa.uaadomain,
+                };
+                logger.info('XSUAA credentials loaded', {
+                    xsappname: xsuaaCredentials.xsappname,
+                    url: xsuaaCredentials.url,
+                });
+            }
+            catch (err) {
+                logger.error('Failed to load XSUAA credentials — XSUAA auth will not work', {
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
+        }
+        const { startHttpServer } = await import('./http.js');
+        await startHttpServer(() => createServer(config, btpProxy, btpConfig), config, xsuaaCredentials);
+    }
+    return server;
+}
+//# sourceMappingURL=server.js.map

package/dist/server/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../ts-src/server/server.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAC;AAEnG,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG3C,oBAAoB;AACpB,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,+DAA+D;AAC/D,SAAS,cAAc,CAAC,MAAoB,EAAE,QAAyB;IACrE,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,GAAG;QACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ;QACR,MAAM,EAAE;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,MAAM,EAAE,KAAK;YACb,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,iBAAiB,EAAE,KAAK;YACxB,iBAAiB,EAAE,EAAE;YACrB,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;SACxD;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,mBAAmB,CAChC,MAAoB,EACpB,SAAoB,EACpB,QAAoC,EACpC,OAAe;IAEf,MAAM,EAAE,8BAA8B,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IACzE,iFAAiF;IACjF,4CAA4C;IAC5C,oFAAoF;IACpF,kFAAkF;IAClF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,8BAA8B,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEvG,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACnD,+EAA+E;IAC/E,SAAS,CAAC,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC;IACpC,+CAA+C;IAC/C,2EAA2E;IAC3E,+EAA+E;IAC/E,8FAA8F;IAC9F,qFAAqF;IACrF,qFAAqF;IACrF,qFAAqF;IACrF,IAAI,eAAmC,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvF,eAAe,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,KAAK,IAAI,SAAS,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,eAAe,GAAG,SAAS,CAAC;IAC9B,CAAC;IAED,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAC3B,yDAAyD;QACzD,SAAS,CAAC,WAAW,GAAG,UAAU,CAAC,WAAW,CAAC;QAC/C,SAAS,CAAC,QAAQ,GAAG,eAAe,CAAC;QACrC,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC;IACjC,CAAC;SAAM,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;QAC1C,oDAAoD;QACpD,SAAS,CAAC,mBAAmB,GAAG,UAAU,CAAC,mBAAmB,CAAC;QAC/D,SAAS,CAAC,QAAQ,GAAG,eAAe,CAAC;QACrC,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC;IACjC,CAAC;SAAM,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAClC,qEAAqE;QACrE,kDAAkD;QAClD,MAAM,CAAC,IAAI,CAAC,qFAAqF,CAAC,CAAC;IACrG,CAAC;SAAM,CAAC;QACN,mCAAmC;QACnC,MAAM,IAAI,KAAK,CACb,iDAAiD,QAAQ,KAAK;YAC5D,kGAAkG;YAClG,iFAAiF,CACpF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,SAAS,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAoB,EAAE,QAAyB,EAAE,SAAqB;IACjG,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAEhG,oEAAoE;IACpE,MAAM,aAAa,GAAG,IAAI,SAAS,CAAC,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAEtE,wEAAwE;IACxE,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACzE,IAAI,KAAK,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAEvC,8DAA8D;QAC9D,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC5B,MAAM,aAAa,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7C,OAAO,CAAC,aAAa,IAAI,KAAK,CAAC,QAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,qFAAqF;IACrF,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC;QACrC,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAA4B,CAAC;QAEzE,uFAAuF;QACvF,wFAAwF;QACxF,IAAI,MAAM,GAAG,aAAa,CAAC;QAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC;QACpC,MAAM,KAAK,GAAG,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;QACrD,IAAI,MAAM,CAAC,SAAS,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAuB,CAAC;YACnG,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC3F,IAAI,CAAC;gBACH,MAAM,GAAG,MAAM,mBAAmB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;gBACvE,MAAM,CAAC,SAAS,CAAC;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,iBAAiB;oBACxB,IAAI,EAAE,MAAM;oBACZ,WAAW,EAAE,MAAM;oBACnB,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,MAAM,CAAC,SAAS,CAAC;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,iBAAiB;oBACxB,IAAI,EAAE,MAAM;oBACZ,WAAW,EAAE,MAAM;oBACnB,OAAO,EAAE,KAAK;oBACd,YAAY,EAAE,MAAM;iBACrB,CAAC,CAAC;gBACH,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBACpB,8EAA8E;oBAC9E,0EAA0E;oBAC1E,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAe;gCACrB,IAAI,EAAE,sDAAsD,MAAM,EAAE;6BACrE;yBACF;wBACD,OAAO,EAAE,IAAI;qBACa,CAAC;gBAC/B,CAAC;gBACD,+CAA+C;YACjD,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,SAAS,IAAI,CAAC,KAAK,EAAE,CAAC;YACzD,0DAA0D;YAC1D,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,6HAA6H;qBACpI;iBACF;gBACD,OAAO,EAAE,IAAI;aACa,CAAC;QAC/B,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5F,OAAO,EAAE,GAAG,MAAM,EAA6B,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAAoB;IAC7D,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAE7C,8BAA8B;IAC9B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,yFAAyF;IACzF,IAAI,CAAC;QACH,MAAM,EAAE,eAAe,EAAE,sBAAsB,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5F,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,cAAc,CAAC,CAAC,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,GAAG,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,qDAAqD,EAAE;YACjE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,CAAC,SAAS,CAAC;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,OAAO;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,kBAAkB;KACtC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;QAC5B,OAAO,EAAE,OAAO;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,kBAAkB;QACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,0EAA0E;IAC1E,IAAI,QAAoC,CAAC;IACzC,IAAI,SAAgC,CAAC;IACrC,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACnF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;QAC1B,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC;QACpC,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC;QACpC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAChC,QAAQ,GAAG,QAAQ,CAAC,KAAK,IAAI,SAAS,CAAC;QAEvC,yEAAyE;QACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,SAAS,GAAG,iBAAiB,EAAE,IAAI,SAAS,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,+BAA+B,EAAE;gBAC3C,WAAW,EAAE,cAAc;gBAC3B,YAAY,EAAE,CAAC,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;YACtC,WAAW,EAAE,cAAc;YAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,IAAI,EAAE,QAAQ,CAAC,QAAQ;YACvB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEzD,IAAI,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,gEAAgE;QAChE,6EAA6E;QAC7E,0EAA0E;QAC1E,mEAAmE;QACnE,uBAAuB;QACvB,kDAAkD;QAClD,IAAI,gBAAmE,CAAC;QACxE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;gBACzC,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;gBAC9D,MAAM,GAAG,GAAG,QAAQ,CAAC,GAA6B,CAAC;gBACnD,gBAAgB,GAAG;oBACjB,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,YAAY,EAAE,GAAG,CAAC,YAAY;oBAC9B,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,SAAS,EAAE,GAAG,CAAC,SAAS;iBACzB,CAAC;gBACF,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;oBACtC,SAAS,EAAE,gBAAgB,CAAC,SAAS;oBACrC,GAAG,EAAE,gBAAgB,CAAC,GAAG;iBAC1B,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,6DAA6D,EAAE;oBAC1E,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,eAAe,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACnG,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server/sinks/btp-auditlog.d.ts

@@ -0,0 +1,48 @@
+/**
+ * BTP Audit Log sink for ARC-1.
+ *
+ * Sends structured audit events to SAP BTP Audit Log Service v2 API.
+ * Only activates when running on BTP with an auditlog premium service binding.
+ *
+ * Maps ARC-1 audit events to BTP Audit Log categories:
+ * - security-events: auth failures, scope denials, safety blocks
+ * - data-accesses: tool calls that read SAP data
+ * - data-modifications: tool calls that write/delete SAP data
+ * - configuration-changes: transport releases, activations
+ *
+ * Authentication uses mTLS (X.509 certificates) via the premium plan binding.
+ * Tokens are cached with 60s refresh buffer (same pattern as btp.ts connectivity proxy).
+ *
+ * All writes are fire-and-forget — errors go to stderr, never block tool calls.
+ */
+import type { AuditEvent } from '../audit.js';
+import type { LogSink } from './types.js';
+/** BTP Audit Log service credentials from VCAP_SERVICES */
+export interface BTPAuditLogConfig {
+    url: string;
+    uaa: {
+        url: string;
+        certurl: string;
+        clientid: string;
+        certificate: string;
+        key: string;
+    };
+}
+/**
+ * Parse BTP Audit Log credentials from VCAP_SERVICES.
+ * Returns undefined if the service is not bound.
+ */
+export declare function parseBTPAuditLogConfig(): BTPAuditLogConfig | undefined;
+export declare class BTPAuditLogSink implements LogSink {
+    private config;
+    private token;
+    private tokenExpiresAt;
+    private pendingWrites;
+    constructor(config: BTPAuditLogConfig);
+    write(event: AuditEvent): void;
+    flush(): Promise<void>;
+    private sendEvent;
+    private buildPayload;
+    private getToken;
+}
+//# sourceMappingURL=btp-auditlog.d.ts.map

package/dist/server/sinks/btp-auditlog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"btp-auditlog.d.ts","sourceRoot":"","sources":["../../../ts-src/server/sinks/btp-auditlog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EACV,UAAU,EAMX,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,2DAA2D;AAC3D,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE;QACH,GAAG,EAAE,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAgCD;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,iBAAiB,GAAG,SAAS,CA4BtE;AAED,qBAAa,eAAgB,YAAW,OAAO;IAKjC,OAAO,CAAC,MAAM;IAJ1B,OAAO,CAAC,KAAK,CAAqB;IAClC,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,aAAa,CAAuB;gBAExB,MAAM,EAAE,iBAAiB;IAE7C,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAuBxB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAKd,SAAS;IAmBvB,OAAO,CAAC,YAAY;YAyFN,QAAQ;CAgCvB"}

package/dist/server/sinks/btp-auditlog.js

@@ -0,0 +1,232 @@
+/**
+ * BTP Audit Log sink for ARC-1.
+ *
+ * Sends structured audit events to SAP BTP Audit Log Service v2 API.
+ * Only activates when running on BTP with an auditlog premium service binding.
+ *
+ * Maps ARC-1 audit events to BTP Audit Log categories:
+ * - security-events: auth failures, scope denials, safety blocks
+ * - data-accesses: tool calls that read SAP data
+ * - data-modifications: tool calls that write/delete SAP data
+ * - configuration-changes: transport releases, activations
+ *
+ * Authentication uses mTLS (X.509 certificates) via the premium plan binding.
+ * Tokens are cached with 60s refresh buffer (same pattern as btp.ts connectivity proxy).
+ *
+ * All writes are fire-and-forget — errors go to stderr, never block tool calls.
+ */
+/** Categorize tool by its access pattern */
+function toolCategory(tool) {
+    if (['SAPWrite', 'SAPManage'].includes(tool))
+        return 'data-modifications';
+    if (['SAPTransport', 'SAPActivate'].includes(tool))
+        return 'configuration-changes';
+    return 'data-accesses';
+}
+/** Map ARC-1 event types to BTP Audit Log categories */
+function categorize(event) {
+    switch (event.event) {
+        case 'auth_scope_denied':
+        case 'safety_blocked':
+            return 'security-events';
+        case 'tool_call_start':
+        case 'tool_call_end':
+            return toolCategory(event.tool);
+        case 'auth_pp_created':
+            return event.level === 'error' ? 'security-events' : null;
+        // Don't send http_request, server_start, elicitation events to BTP audit log
+        default:
+            return null;
+    }
+}
+/**
+ * Parse BTP Audit Log credentials from VCAP_SERVICES.
+ * Returns undefined if the service is not bound.
+ */
+export function parseBTPAuditLogConfig() {
+    const vcap = process.env.VCAP_SERVICES;
+    if (!vcap)
+        return undefined;
+    try {
+        const services = JSON.parse(vcap);
+        // Look for auditlog service with premium plan
+        const auditlogEntries = services.auditlog ?? services['auditlog-api'] ?? [];
+        const premiumBinding = Array.isArray(auditlogEntries)
+            ? auditlogEntries.find((s) => s.plan === 'premium' || s.plan === 'oauth2')
+            : undefined;
+        if (!premiumBinding?.credentials)
+            return undefined;
+        const creds = premiumBinding.credentials;
+        return {
+            url: creds.url,
+            uaa: {
+                url: creds.uaa?.url,
+                certurl: creds.uaa?.certurl,
+                clientid: creds.uaa?.clientid,
+                certificate: creds.uaa?.certificate,
+                key: creds.uaa?.key,
+            },
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+export class BTPAuditLogSink {
+    config;
+    token;
+    tokenExpiresAt = 0;
+    pendingWrites = [];
+    constructor(config) {
+        this.config = config;
+    }
+    write(event) {
+        const category = categorize(event);
+        if (!category)
+            return;
+        // Fire-and-forget
+        const p = this.sendEvent(event, category).catch((err) => {
+            process.stderr.write(`[BTPAuditLogSink] Failed to write audit event: ${err}\n`);
+        });
+        this.pendingWrites.push(p);
+        // Cleanup completed promises periodically
+        if (this.pendingWrites.length > 50) {
+            this.pendingWrites = this.pendingWrites.filter((p) => {
+                let settled = false;
+                p.then(() => (settled = true), () => (settled = true));
+                return !settled;
+            });
+        }
+    }
+    async flush() {
+        await Promise.allSettled(this.pendingWrites);
+        this.pendingWrites = [];
+    }
+    async sendEvent(event, category) {
+        const token = await this.getToken();
+        const payload = this.buildPayload(event);
+        const response = await fetch(`${this.config.url}/audit-log/oauth2/v2/${category}`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${token}`,
+            },
+            body: JSON.stringify(payload),
+        });
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            throw new Error(`HTTP ${response.status}: ${body.slice(0, 200)}`);
+        }
+    }
+    buildPayload(event) {
+        const user = event.user ?? '$USER';
+        const base = {
+            uuid: crypto.randomUUID(),
+            user,
+            time: event.timestamp,
+            tenant: '$PROVIDER',
+        };
+        switch (event.event) {
+            case 'tool_call_start': {
+                const e = event;
+                const argsStr = JSON.stringify(e.args);
+                const argsSummary = argsStr.length > 500 ? `${argsStr.slice(0, 500)}...` : argsStr;
+                return {
+                    ...base,
+                    object: {
+                        type: 'MCP Tool Call',
+                        id: { tool: e.tool, requestId: e.requestId ?? '' },
+                    },
+                    attributes: [
+                        { name: 'action', new: 'invoke' },
+                        { name: 'tool', new: e.tool },
+                        { name: 'user', new: user },
+                        { name: 'clientId', new: e.clientId ?? '' },
+                        { name: 'args', new: argsSummary },
+                    ],
+                };
+            }
+            case 'tool_call_end': {
+                const e = event;
+                const attrs = [
+                    { name: 'action', new: 'complete' },
+                    { name: 'tool', new: e.tool },
+                    { name: 'user', new: user },
+                    { name: 'clientId', new: e.clientId ?? '' },
+                    { name: 'status', new: e.status },
+                    { name: 'durationMs', new: String(e.durationMs) },
+                    { name: 'resultSize', new: String(e.resultSize ?? 0) },
+                ];
+                if (e.errorMessage) {
+                    attrs.push({ name: 'error', new: e.errorMessage.slice(0, 500) });
+                }
+                if (e.errorClass) {
+                    attrs.push({ name: 'errorClass', new: e.errorClass });
+                }
+                return {
+                    ...base,
+                    object: {
+                        type: 'MCP Tool Call',
+                        id: { tool: e.tool, requestId: e.requestId ?? '' },
+                    },
+                    attributes: attrs,
+                };
+            }
+            case 'auth_scope_denied': {
+                const e = event;
+                return {
+                    ...base,
+                    data: `Access denied: user "${user}" lacks scope "${e.requiredScope}" for tool ${e.tool}. Available scopes: [${e.availableScopes.join(', ')}]`,
+                };
+            }
+            case 'safety_blocked': {
+                const e = event;
+                return {
+                    ...base,
+                    data: `Safety blocked: operation "${e.operation}" denied — ${e.reason}. User: ${user}`,
+                };
+            }
+            case 'auth_pp_created': {
+                const e = event;
+                return {
+                    ...base,
+                    data: `Principal propagation ${e.success ? 'succeeded' : 'failed'} for user "${user}" via destination "${e.destination}"${e.errorMessage ? `: ${e.errorMessage}` : ''}`,
+                };
+            }
+            default:
+                return {
+                    ...base,
+                    data: `[${event.event}] ${JSON.stringify(event)}`,
+                };
+        }
+    }
+    async getToken() {
+        // Return cached token if still valid (with 60s buffer)
+        if (this.token && Date.now() < this.tokenExpiresAt - 60_000) {
+            return this.token;
+        }
+        // For mTLS, we'd need to use the certificate and key from the service binding.
+        // Node.js fetch doesn't support client certificates directly — in production,
+        // the CF buildpack handles certificate injection via the NODE_EXTRA_CA_CERTS
+        // and the service binding provides tokens via the bound app's identity.
+        // For now, use client_credentials grant with the service binding.
+        const tokenUrl = `${this.config.uaa.certurl}/oauth/token`;
+        const params = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: this.config.uaa.clientid,
+        });
+        const response = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`Token fetch failed: HTTP ${response.status}`);
+        }
+        const data = (await response.json());
+        this.token = data.access_token;
+        this.tokenExpiresAt = Date.now() + data.expires_in * 1000;
+        return this.token;
+    }
+}
+//# sourceMappingURL=btp-auditlog.js.map

package/dist/server/sinks/btp-auditlog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"btp-auditlog.js","sourceRoot":"","sources":["../../../ts-src/server/sinks/btp-auditlog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AA2BH,4CAA4C;AAC5C,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,oBAAoB,CAAC;IAC1E,IAAI,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,uBAAuB,CAAC;IACnF,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAiB;IACnC,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,KAAK,mBAAmB,CAAC;QACzB,KAAK,gBAAgB;YACnB,OAAO,iBAAiB,CAAC;QAE3B,KAAK,iBAAiB,CAAC;QACvB,KAAK,eAAe;YAClB,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,iBAAiB;YACpB,OAAO,KAAK,CAAC,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC;QAE5D,6EAA6E;QAC7E;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,8CAA8C;QAC9C,MAAM,eAAe,GAAG,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC5E,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;YACnD,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC;YACnG,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,CAAC,cAAc,EAAE,WAAW;YAAE,OAAO,SAAS,CAAC;QAEnD,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC;QACzC,OAAO;YACL,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,GAAG,EAAE;gBACH,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG;gBACnB,OAAO,EAAE,KAAK,CAAC,GAAG,EAAE,OAAO;gBAC3B,QAAQ,EAAE,KAAK,CAAC,GAAG,EAAE,QAAQ;gBAC7B,WAAW,EAAE,KAAK,CAAC,GAAG,EAAE,WAAW;gBACnC,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG;aACpB;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,OAAO,eAAe;IAKN;IAJZ,KAAK,CAAqB;IAC1B,cAAc,GAAG,CAAC,CAAC;IACnB,aAAa,GAAoB,EAAE,CAAC;IAE5C,YAAoB,MAAyB;QAAzB,WAAM,GAAN,MAAM,CAAmB;IAAG,CAAC;IAEjD,KAAK,CAAC,KAAiB;QACrB,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,CAAC,QAAQ;YAAE,OAAO;QAEtB,kBAAkB;QAClB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACtD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kDAAkD,GAAG,IAAI,CAAC,CAAC;QAClF,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE3B,0CAA0C;QAC1C,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACnC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACnD,IAAI,OAAO,GAAG,KAAK,CAAC;gBACpB,CAAC,CAAC,IAAI,CACJ,GAAG,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,EACtB,GAAG,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CACvB,CAAC;gBACF,OAAO,CAAC,OAAO,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7C,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAiB,EAAE,QAAuB;QAChE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAEzC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,wBAAwB,QAAQ,EAAE,EAAE;YACjF,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,KAAK,EAAE;aACjC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,KAAiB;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC;QACnC,MAAM,IAAI,GAA4B;YACpC,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE;YACzB,IAAI;YACJ,IAAI,EAAE,KAAK,CAAC,SAAS;YACrB,MAAM,EAAE,WAAW;SACpB,CAAC;QAEF,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;YACpB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,CAAC,GAAG,KAA2B,CAAC;gBACtC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;gBACnF,OAAO;oBACL,GAAG,IAAI;oBACP,MAAM,EAAE;wBACN,IAAI,EAAE,eAAe;wBACrB,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE,EAAE;qBACnD;oBACD,UAAU,EAAE;wBACV,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE;wBACjC,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE;wBAC7B,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE;wBAC3B,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE,EAAE;wBAC3C,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE;qBACnC;iBACF,CAAC;YACJ,CAAC;YAED,KAAK,eAAe,CAAC,CAAC,CAAC;gBACrB,MAAM,CAAC,GAAG,KAAyB,CAAC;gBACpC,MAAM,KAAK,GAAG;oBACZ,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE;oBACnC,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE;oBAC7B,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE;oBAC3B,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE,EAAE;oBAC3C,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;oBACjC,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE;oBACjD,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,EAAE;iBACvD,CAAC;gBACF,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;oBACnB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;gBACnE,CAAC;gBACD,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;oBACjB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO;oBACL,GAAG,IAAI;oBACP,MAAM,EAAE;wBACN,IAAI,EAAE,eAAe;wBACrB,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE,EAAE;qBACnD;oBACD,UAAU,EAAE,KAAK;iBAClB,CAAC;YACJ,CAAC;YAED,KAAK,mBAAmB,CAAC,CAAC,CAAC;gBACzB,MAAM,CAAC,GAAG,KAA6B,CAAC;gBACxC,OAAO;oBACL,GAAG,IAAI;oBACP,IAAI,EAAE,wBAAwB,IAAI,kBAAkB,CAAC,CAAC,aAAa,cAAc,CAAC,CAAC,IAAI,wBAAwB,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBAC/I,CAAC;YACJ,CAAC;YAED,KAAK,gBAAgB,CAAC,CAAC,CAAC;gBACtB,MAAM,CAAC,GAAG,KAA2B,CAAC;gBACtC,OAAO;oBACL,GAAG,IAAI;oBACP,IAAI,EAAE,8BAA8B,CAAC,CAAC,SAAS,cAAc,CAAC,CAAC,MAAM,WAAW,IAAI,EAAE;iBACvF,CAAC;YACJ,CAAC;YAED,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,CAAC,GAAG,KAA2B,CAAC;gBACtC,OAAO;oBACL,GAAG,IAAI;oBACP,IAAI,EAAE,yBAAyB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,cAAc,IAAI,sBAAsB,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;iBACxK,CAAC;YACJ,CAAC;YAED;gBACE,OAAO;oBACL,GAAG,IAAI;oBACP,IAAI,EAAE,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE;iBAClD,CAAC;QACN,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,uDAAuD;QACvD,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,MAAM,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,+EAA+E;QAC/E,8EAA8E;QAC9E,6EAA6E;QAC7E,wEAAwE;QACxE,kEAAkE;QAClE,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,cAAc,CAAC;QAC1D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ;SACpC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiD,CAAC;QACrF,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC;QAC/B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF"}

package/dist/server/sinks/file.d.ts

@@ -0,0 +1,22 @@
+/**
+ * File log sink for ARC-1.
+ *
+ * Appends JSON-line audit events to a file.
+ * Useful in Docker (mount volume) or for post-hoc log analysis.
+ *
+ * Writes are fire-and-forget — errors are logged to stderr but never thrown.
+ * All events are written regardless of level (file is the full audit trail).
+ */
+import type { AuditEvent } from '../audit.js';
+import type { LogSink } from './types.js';
+export declare class FileSink implements LogSink {
+    private filePath;
+    private buffer;
+    private flushTimer;
+    constructor(filePath: string);
+    write(event: AuditEvent): void;
+    flush(): Promise<void>;
+    private flushSync;
+    private writeBuffer;
+}
+//# sourceMappingURL=file.d.ts.map

package/dist/server/sinks/file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../../ts-src/server/sinks/file.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,qBAAa,QAAS,YAAW,OAAO;IAI1B,OAAO,CAAC,QAAQ;IAH5B,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,UAAU,CAA6C;gBAE3C,QAAQ,EAAE,MAAM;IAWpC,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAIxB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ5B,OAAO,CAAC,SAAS;YAUH,WAAW;CAU1B"}