autotel-cli 0.8.15 → 0.9.0

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/commands/init.ts
 import * as fs4 from "fs";
@@ -4381,6 +4381,12 @@ var INVESTIGATE_COMMANDS = [
   investigateCmd("llm expensive", "Top token-spend traces"),
   investigateCmd("llm slow", "Slowest LLM traces"),
   investigateCmd("llm tools", "Tool/function spans grouped by tool name"),
+  investigateCmd("security", "Security telemetry (parent)"),
+  investigateCmd(
+    "security summary",
+    "Security posture: events by severity/category, probe signals, denied responses"
+  ),
+  investigateCmd("security events", "List spans carrying security.* events"),
   investigateCmd("semconv", "Semantic conventions lookup (parent)", { static: true }),
   investigateCmd("semconv list", "List semconv namespaces", { static: true, network: true }),
   investigateCmd("semconv get", "Groups for one namespace", {
@@ -4720,6 +4726,16 @@ function staticFlagsFromOpts(opts) {
 function addTimeWindowFlags(cmd) {
   return cmd.option("--service-name <name>", "Filter by service name").option("--operation-name <name>", "Filter by operation name").option("--lookback-minutes <n>", "Lookback window in minutes", intArg).option("--from <iso>", "Start time (ISO 8601)").option("--to <iso>", "End time (ISO 8601)").option("--limit <n>", "Max results", intArg);
 }
+function windowFlagsFromOpts(opts) {
+  return {
+    serviceName: opts.serviceName,
+    operationName: opts.operationName,
+    lookbackMinutes: opts.lookbackMinutes,
+    from: opts.from,
+    to: opts.to,
+    limit: opts.limit
+  };
+}
 
 // src/commands/investigate/health.ts
 async function runHealth(flags) {
@@ -5782,14 +5798,233 @@ function registerCollectorCommands(program) {
   program.addCommand(collectorCmd);
 }
 
+// src/commands/investigate/security.ts
+import { Command as Command11 } from "commander";
+import { toSpanSearchQuery as toSpanSearchQuery2 } from "autotel-mcp";
+var DEFAULT_LIMIT = 500;
+var DEFAULT_DENIED_STATUSES = [401, 403, 429];
+var SAMPLE_TRACE_IDS = 10;
+function countBy(spans, tagKey) {
+  const counts = {};
+  for (const span of spans) {
+    const value = span.tags[tagKey];
+    if (value === void 0) continue;
+    const key = String(value);
+    counts[key] = (counts[key] ?? 0) + 1;
+  }
+  return counts;
+}
+function topEntries(counts, n) {
+  return Object.entries(counts).toSorted((a, b) => b[1] - a[1]).slice(0, n).map(([value, count]) => ({ value, count }));
+}
+function sampleTraceIds(spans) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const span of spans) {
+    ids.add(span.traceId);
+    if (ids.size >= SAMPLE_TRACE_IDS) break;
+  }
+  return [...ids];
+}
+function dedupeSpans(...lists) {
+  const seen = /* @__PURE__ */ new Set();
+  const merged = [];
+  for (const list of lists) {
+    for (const span of list) {
+      const key = `${span.traceId}:${span.spanId}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      merged.push(span);
+    }
+  }
+  return merged;
+}
+function countByService(spans) {
+  const counts = {};
+  for (const span of spans) {
+    counts[span.serviceName] = (counts[span.serviceName] ?? 0) + 1;
+  }
+  return counts;
+}
+function readStatus(span) {
+  const value = span.tags["http.response.status_code"] ?? span.tags["http.status_code"];
+  if (typeof value === "number") return value;
+  if (typeof value === "string") {
+    const parsed = Number.parseInt(value, 10);
+    if (!Number.isNaN(parsed)) return parsed;
+  }
+  return void 0;
+}
+async function runSecuritySummary(flags) {
+  await runInvestigate("security summary", flags, async (backend) => {
+    const limit = flags.limit ?? DEFAULT_LIMIT;
+    const deniedStatuses = flags.deniedStatuses ?? DEFAULT_DENIED_STATUSES;
+    const base = toSpanSearchQuery2({
+      serviceName: flags.serviceName,
+      lookbackMinutes: flags.lookbackMinutes,
+      from: flags.from,
+      to: flags.to,
+      limit
+    });
+    const statusValues = deniedStatuses;
+    const [events, suspicious, deniedNew, deniedLegacy] = await Promise.all([
+      backend.searchSpans({
+        ...base,
+        filters: [{ field: "security.event", operator: "exists" }]
+      }),
+      backend.searchSpans({
+        ...base,
+        filters: [
+          { field: "security.suspicious_request", operator: "exists" }
+        ]
+      }),
+      backend.searchSpans({
+        ...base,
+        filters: [
+          {
+            field: "http.response.status_code",
+            operator: "in",
+            value: statusValues,
+            valueType: "number"
+          }
+        ]
+      }),
+      backend.searchSpans({
+        ...base,
+        filters: [
+          {
+            field: "http.status_code",
+            operator: "in",
+            value: statusValues,
+            valueType: "number"
+          }
+        ]
+      })
+    ]);
+    const denied = dedupeSpans(deniedNew.items, deniedLegacy.items);
+    const deniedByStatus = {};
+    for (const span of denied) {
+      const status = readStatus(span);
+      if (status === void 0) continue;
+      deniedByStatus[status] = (deniedByStatus[status] ?? 0) + 1;
+    }
+    return {
+      window: {
+        lookbackMinutes: flags.lookbackMinutes ?? 60,
+        from: flags.from,
+        to: flags.to,
+        limitPerQuery: limit
+      },
+      securityEvents: {
+        total: events.items.length,
+        bySeverity: countBy(events.items, "security.severity"),
+        byCategory: countBy(events.items, "security.category"),
+        byOutcome: countBy(events.items, "security.outcome"),
+        topEvents: topEntries(countBy(events.items, "security.event"), 10),
+        sampleTraceIds: sampleTraceIds(events.items)
+      },
+      suspiciousRequests: {
+        total: suspicious.items.length,
+        bySignal: countBy(suspicious.items, "security.signal"),
+        byService: countByService(suspicious.items),
+        sampleTraceIds: sampleTraceIds(suspicious.items)
+      },
+      deniedResponses: {
+        total: denied.length,
+        byStatus: deniedByStatus,
+        topClients: topEntries(countBy(denied, "client.address"), 10),
+        sampleTraceIds: sampleTraceIds(denied)
+      }
+    };
+  });
+}
+async function runSecurityEvents(flags) {
+  await runInvestigate("security events", flags, async (backend) => {
+    const base = toSpanSearchQuery2({
+      serviceName: flags.serviceName,
+      lookbackMinutes: flags.lookbackMinutes,
+      from: flags.from,
+      to: flags.to,
+      limit: flags.limit ?? DEFAULT_LIMIT
+    });
+    const filters = [
+      { field: "security.event", operator: "exists" }
+    ];
+    if (flags.category !== void 0) {
+      filters.push({
+        field: "security.category",
+        operator: "equals",
+        value: flags.category
+      });
+    }
+    if (flags.severity !== void 0) {
+      filters.push({
+        field: "security.severity",
+        operator: "equals",
+        value: flags.severity
+      });
+    }
+    const result = await backend.searchSpans({ ...base, filters });
+    return {
+      totalCount: result.totalCount,
+      items: result.items.map((span) => ({
+        traceId: span.traceId,
+        spanId: span.spanId,
+        serviceName: span.serviceName,
+        operationName: span.operationName,
+        startTimeUnixMs: span.startTimeUnixMs,
+        event: span.tags["security.event"],
+        category: span.tags["security.category"],
+        outcome: span.tags["security.outcome"],
+        severity: span.tags["security.severity"],
+        reason: span.tags["security.reason"]
+      }))
+    };
+  });
+}
+function csvIntArg(value) {
+  return value.split(",").map((part) => Number.parseInt(part.trim(), 10)).filter((n) => !Number.isNaN(n));
+}
+function registerSecurityCommands(program) {
+  const securityCmd = new Command11("security").description(
+    "Security telemetry: events, suspicious requests, denied responses (JSON)"
+  );
+  const summaryCmd = addTimeWindowFlags(new Command11("summary")).description(
+    "Security posture summary: events by severity/category, probe signals, denied responses with top clients"
+  ).option(
+    "--denied-statuses <csv>",
+    "HTTP statuses counted as denied (default 401,403,429)",
+    csvIntArg
+  ).action(async function() {
+    const o = this.optsWithGlobals();
+    await runSecuritySummary({
+      ...backendFlagsFromOpts(o),
+      ...windowFlagsFromOpts(o),
+      deniedStatuses: o.deniedStatuses
+    });
+  });
+  const eventsCmd = addTimeWindowFlags(new Command11("events")).description("List spans carrying security events (security.* schema)").option("--category <name>", "Filter by security.category").option("--severity <level>", "Filter by security.severity").action(async function() {
+    const o = this.optsWithGlobals();
+    await runSecurityEvents({
+      ...backendFlagsFromOpts(o),
+      ...windowFlagsFromOpts(o),
+      category: o.category,
+      severity: o.severity
+    });
+  });
+  addBackendFlags(securityCmd);
+  securityCmd.addCommand(summaryCmd);
+  securityCmd.addCommand(eventsCmd);
+  program.addCommand(securityCmd);
+}
+
 // src/cli.ts
 function createProgram() {
-  const program = new Command11();
+  const program = new Command12();
   program.name("autotel").description("CLI for autotel - setup wizard, diagnostics, and incremental features").version("0.1.0");
   const addGlobalOptions = (cmd) => {
     return cmd.option("--cwd <path>", "Target directory", process.cwd()).option("--verbose", "Show detailed output").option("--quiet", "Only show warnings and errors");
   };
-  const initCmd = new Command11("init").description("Initialize autotel in your project").option("--dry-run", "Skip installation and print what would be done").option("--no-install", "Generate files only, skip package installation").option("--print-install-cmd", "Output the install command without running it").option("-y, --yes", "Accept defaults, non-interactive").option("--preset <name>", "Use a quick preset (e.g., node-datadog-pino)").option("--force", "Overwrite existing config (creates backup first)").option("--workspace-root", "Install at workspace root instead of package root").option("--no-detect", "Skip auto-detection of installed deps").option("--detect-only", "Run detection, print the plan, write nothing").option("--plan <path>", "Apply a pre-built InitPlan JSON file").option("--input <path>", "Read InitPlan JSON from stdin (-) or a file").option("--scan-env", "Consent to reading .env / .env.local for backend detection").option("--json", "Emit machine-readable JSON").option("--output-file <path>", "Persist JSON output to this file").option("--no-secrets-in-output", "Redact secret-shaped values").option("--no-interactive", "Never prompt; fail if input would be required").action(async (opts) => {
+  const initCmd = new Command12("init").description("Initialize autotel in your project").option("--dry-run", "Skip installation and print what would be done").option("--no-install", "Generate files only, skip package installation").option("--print-install-cmd", "Output the install command without running it").option("-y, --yes", "Accept defaults, non-interactive").option("--preset <name>", "Use a quick preset (e.g., node-datadog-pino)").option("--force", "Overwrite existing config (creates backup first)").option("--workspace-root", "Install at workspace root instead of package root").option("--no-detect", "Skip auto-detection of installed deps").option("--detect-only", "Run detection, print the plan, write nothing").option("--plan <path>", "Apply a pre-built InitPlan JSON file").option("--input <path>", "Read InitPlan JSON from stdin (-) or a file").option("--scan-env", "Consent to reading .env / .env.local for backend detection").option("--json", "Emit machine-readable JSON").option("--output-file <path>", "Persist JSON output to this file").option("--no-secrets-in-output", "Redact secret-shaped values").option("--no-interactive", "Never prompt; fail if input would be required").action(async (opts) => {
     const options = {
       cwd: opts.cwd ?? process.cwd(),
       dryRun: opts.dryRun ?? false,
@@ -5819,7 +6054,7 @@ function createProgram() {
   });
   addGlobalOptions(initCmd);
   program.addCommand(initCmd);
-  const doctorCmd = new Command11("doctor").description("Run diagnostics on your autotel setup").option("--json", "Output machine-readable JSON").option("--fix", "Auto-fix resolvable issues").option("--list-checks", "List all available checks").option("--env-file <path>", "Specify env file to check").action(async (opts) => {
+  const doctorCmd = new Command12("doctor").description("Run diagnostics on your autotel setup").option("--json", "Output machine-readable JSON").option("--fix", "Auto-fix resolvable issues").option("--list-checks", "List all available checks").option("--env-file <path>", "Specify env file to check").action(async (opts) => {
     const options = {
       cwd: opts.cwd ?? process.cwd(),
       dryRun: false,
@@ -5837,7 +6072,7 @@ function createProgram() {
   });
   addGlobalOptions(doctorCmd);
   program.addCommand(doctorCmd);
-  const addCmd = new Command11("add").description("Add a backend, subscriber, plugin, or platform").argument("[type]", "Preset type (backend, subscriber, plugin, platform)").argument("[name]", "Preset name (e.g., datadog, posthog, mongoose)").option("--list", "List available presets for the given type").option("--dry-run", "Skip installation and print what would be done").option("--no-install", "Generate files only, skip package installation").option("--print-install-cmd", "Output the install command without running it").option("-y, --yes", "Accept defaults, non-interactive").option("--force", "Overwrite non-CLI-owned config (creates backup first)").option("--json", "Output machine-readable JSON (for --list)").option("--workspace-root", "Install at workspace root instead of package root").action(async (type, name, opts) => {
+  const addCmd = new Command12("add").description("Add a backend, subscriber, plugin, or platform").argument("[type]", "Preset type (backend, subscriber, plugin, platform)").argument("[name]", "Preset name (e.g., datadog, posthog, mongoose)").option("--list", "List available presets for the given type").option("--dry-run", "Skip installation and print what would be done").option("--no-install", "Generate files only, skip package installation").option("--print-install-cmd", "Output the install command without running it").option("-y, --yes", "Accept defaults, non-interactive").option("--force", "Overwrite non-CLI-owned config (creates backup first)").option("--json", "Output machine-readable JSON (for --list)").option("--workspace-root", "Install at workspace root instead of package root").action(async (type, name, opts) => {
     const options = {
       cwd: opts.cwd ?? process.cwd(),
       dryRun: opts.dryRun ?? false,
@@ -5859,8 +6094,8 @@ function createProgram() {
   });
   addGlobalOptions(addCmd);
   program.addCommand(addCmd);
-  const codemodCmd = new Command11("codemod").description("Codemod commands for adopting autotel");
-  const traceCmd = new Command11("trace").description("Wrap functions in trace() with span name from function/variable/method name").argument("<path>", "File path or glob (e.g. src/index.ts, src/**/*.ts)").option("--dry-run", "Print changes without writing files").option("--name-pattern <pattern>", "Span name template: {name}, {file}, {path}").option("--skip <regex>...", "Skip functions whose name matches (repeatable)").option("--print-files", "Print per-file summary (wrapped count, skipped)").action(async (pathArg, opts) => {
+  const codemodCmd = new Command12("codemod").description("Codemod commands for adopting autotel");
+  const traceCmd = new Command12("trace").description("Wrap functions in trace() with span name from function/variable/method name").argument("<path>", "File path or glob (e.g. src/index.ts, src/**/*.ts)").option("--dry-run", "Print changes without writing files").option("--name-pattern <pattern>", "Span name template: {name}, {file}, {path}").option("--skip <regex>...", "Skip functions whose name matches (repeatable)").option("--print-files", "Print per-file summary (wrapped count, skipped)").action(async (pathArg, opts) => {
     const options = {
       cwd: opts.cwd ?? process.cwd(),
       dryRun: opts.dryRun ?? false,
@@ -5880,27 +6115,27 @@ function createProgram() {
   codemodCmd.addCommand(traceCmd);
   addGlobalOptions(codemodCmd);
   program.addCommand(codemodCmd);
-  const schemaCmd = new Command11("schema").description("Print the CLI manifest as JSON (agent discovery)").option("--output-file <path>", "Persist JSON to a file").option("--no-secrets-in-output", "Redact secret-shaped values").action((opts) => {
+  const schemaCmd = new Command12("schema").description("Print the CLI manifest as JSON (agent discovery)").option("--output-file <path>", "Persist JSON to a file").option("--no-secrets-in-output", "Redact secret-shaped values").action((opts) => {
     runSchema({ outputFile: opts.outputFile, noSecrets: opts.secretsInOutput === false });
   });
-  const schemaErrorsCmd = new Command11("errors").description("Print error envelope shape + AUTOTEL_E_* codes").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
+  const schemaErrorsCmd = new Command12("errors").description("Print error envelope shape + AUTOTEL_E_* codes").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
     runSchemaErrors({ outputFile: opts.outputFile });
   });
-  const schemaOutputsCmd = new Command11("outputs").description("Print JSON output shapes per command").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
+  const schemaOutputsCmd = new Command12("outputs").description("Print JSON output shapes per command").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
     runSchemaOutputs({ outputFile: opts.outputFile });
   });
   schemaCmd.addCommand(schemaErrorsCmd);
   schemaCmd.addCommand(schemaOutputsCmd);
   program.addCommand(schemaCmd);
-  const commandsCmd = new Command11("commands").description("Print compact tool-style listing of commands").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
+  const commandsCmd = new Command12("commands").description("Print compact tool-style listing of commands").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
     runCommandsListing({ outputFile: opts.outputFile });
   });
   program.addCommand(commandsCmd);
-  const examplesCmd = new Command11("examples").description("Print copy-pasteable examples for a command").argument("[command]", "Command name (omit for all)").option("--output-file <path>", "Persist JSON to a file").action((name, opts) => {
+  const examplesCmd = new Command12("examples").description("Print copy-pasteable examples for a command").argument("[command]", "Command name (omit for all)").option("--output-file <path>", "Persist JSON to a file").action((name, opts) => {
     runExamples(name, { outputFile: opts.outputFile });
   });
   program.addCommand(examplesCmd);
-  const versionCmd = new Command11("version").description("Print version info as JSON").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
+  const versionCmd = new Command12("version").description("Print version info as JSON").option("--output-file <path>", "Persist JSON to a file").action((opts) => {
     runVersion({ outputFile: opts.outputFile });
   });
   program.addCommand(versionCmd);
@@ -5915,6 +6150,7 @@ function createProgram() {
   registerSemconvCommands(program);
   registerScoreCommands(program);
   registerCollectorCommands(program);
+  registerSecurityCommands(program);
   return program;
 }
 async function run() {
@@ -5966,7 +6202,7 @@ function jsonModeRequested() {
 run().catch((error2) => {
   const err = commanderErrorToAutotel(error2) ?? toAutotelError(error2);
   const isJson = jsonModeRequested() || // schema/commands/examples/version + investigate commands are JSON-only
-  /^(schema|commands|examples|version|health|capabilities|discover|query|trace|diagnose|topology|correlate|llm|semconv|score|collector)\b/.test(
+  /^(schema|commands|examples|version|health|capabilities|discover|query|trace|diagnose|topology|correlate|llm|semconv|score|collector|security)\b/.test(
     process.argv.slice(2).join(" ")
   );
   if (isJson) {