chainlesschain 0.66.0 → 0.132.0

package/src/lib/session-manager.js

@@ -262,3 +262,332 @@ export function exportSessionMarkdown(session) {
 
   return lines.join("\n");
 }
+
+/* ═══════════════════════════════════════════════════════════════
+ * V2 Surface — Session governance layer.
+ * Tracks conversation maturity + turn lifecycle independent of
+ * legacy llm_sessions SQLite store above.
+ * ═══════════════════════════════════════════════════════════════ */
+
+export const CONVERSATION_MATURITY_V2 = Object.freeze({
+  DRAFT: "draft",
+  ACTIVE: "active",
+  PAUSED: "paused",
+  ARCHIVED: "archived",
+});
+
+export const TURN_LIFECYCLE_V2 = Object.freeze({
+  PENDING: "pending",
+  STREAMING: "streaming",
+  COMPLETED: "completed",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+});
+
+const CONV_TRANSITIONS_V2 = new Map([
+  ["draft", new Set(["active", "archived"])],
+  ["active", new Set(["paused", "archived"])],
+  ["paused", new Set(["active", "archived"])],
+  ["archived", new Set()],
+]);
+const CONV_TERMINALS_V2 = new Set(["archived"]);
+
+const TURN_TRANSITIONS_V2 = new Map([
+  ["pending", new Set(["streaming", "cancelled"])],
+  ["streaming", new Set(["completed", "failed", "cancelled"])],
+  ["completed", new Set()],
+  ["failed", new Set()],
+  ["cancelled", new Set()],
+]);
+const TURN_TERMINALS_V2 = new Set(["completed", "failed", "cancelled"]);
+
+export const SESSION_DEFAULT_MAX_ACTIVE_CONV_PER_USER = 50;
+export const SESSION_DEFAULT_MAX_PENDING_TURNS_PER_CONV = 3;
+export const SESSION_DEFAULT_CONV_IDLE_MS = 1000 * 60 * 60 * 24 * 14; // 14 days
+export const SESSION_DEFAULT_TURN_STUCK_MS = 1000 * 60 * 5; // 5 min
+
+const _conversationsV2 = new Map();
+const _turnsV2 = new Map();
+let _maxActiveConvPerUserV2 = SESSION_DEFAULT_MAX_ACTIVE_CONV_PER_USER;
+let _maxPendingTurnsPerConvV2 = SESSION_DEFAULT_MAX_PENDING_TURNS_PER_CONV;
+let _convIdleMsV2 = SESSION_DEFAULT_CONV_IDLE_MS;
+let _turnStuckMsV2 = SESSION_DEFAULT_TURN_STUCK_MS;
+
+function _posIntSessionV2(n, label) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${label} must be a positive integer`);
+  return v;
+}
+
+export function getMaxActiveConvPerUserV2() {
+  return _maxActiveConvPerUserV2;
+}
+export function setMaxActiveConvPerUserV2(n) {
+  _maxActiveConvPerUserV2 = _posIntSessionV2(n, "maxActiveConvPerUser");
+}
+export function getMaxPendingTurnsPerConvV2() {
+  return _maxPendingTurnsPerConvV2;
+}
+export function setMaxPendingTurnsPerConvV2(n) {
+  _maxPendingTurnsPerConvV2 = _posIntSessionV2(n, "maxPendingTurnsPerConv");
+}
+export function getConvIdleMsV2() {
+  return _convIdleMsV2;
+}
+export function setConvIdleMsV2(n) {
+  _convIdleMsV2 = _posIntSessionV2(n, "convIdleMs");
+}
+export function getTurnStuckMsV2() {
+  return _turnStuckMsV2;
+}
+export function setTurnStuckMsV2(n) {
+  _turnStuckMsV2 = _posIntSessionV2(n, "turnStuckMs");
+}
+
+export function getActiveConvCountV2(userId) {
+  let n = 0;
+  for (const c of _conversationsV2.values()) {
+    if (c.userId === userId && c.status === "active") n += 1;
+  }
+  return n;
+}
+
+export function getPendingTurnCountV2(conversationId) {
+  let n = 0;
+  for (const t of _turnsV2.values()) {
+    if (
+      t.conversationId === conversationId &&
+      (t.status === "pending" || t.status === "streaming")
+    )
+      n += 1;
+  }
+  return n;
+}
+
+function _copyConvV2(c) {
+  return { ...c, metadata: { ...c.metadata } };
+}
+function _copyTurnV2(t) {
+  return { ...t, metadata: { ...t.metadata } };
+}
+
+export function registerConversationV2(
+  id,
+  { userId, model, metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!userId || typeof userId !== "string")
+    throw new Error("userId must be a string");
+  if (!model || typeof model !== "string")
+    throw new Error("model must be a string");
+  if (_conversationsV2.has(id))
+    throw new Error(`conversation ${id} already exists`);
+  const c = {
+    id,
+    userId,
+    model,
+    status: "draft",
+    createdAt: now,
+    lastSeenAt: now,
+    activatedAt: null,
+    archivedAt: null,
+    metadata: { ...metadata },
+  };
+  _conversationsV2.set(id, c);
+  return _copyConvV2(c);
+}
+
+export function getConversationV2(id) {
+  const c = _conversationsV2.get(id);
+  return c ? _copyConvV2(c) : null;
+}
+
+export function listConversationsV2({ userId, status } = {}) {
+  const out = [];
+  for (const c of _conversationsV2.values()) {
+    if (userId && c.userId !== userId) continue;
+    if (status && c.status !== status) continue;
+    out.push(_copyConvV2(c));
+  }
+  return out;
+}
+
+export function setConversationStatusV2(id, next, { now = Date.now() } = {}) {
+  const c = _conversationsV2.get(id);
+  if (!c) throw new Error(`conversation ${id} not found`);
+  if (!CONV_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown conversation status: ${next}`);
+  if (CONV_TERMINALS_V2.has(c.status))
+    throw new Error(`conversation ${id} is in terminal state ${c.status}`);
+  const allowed = CONV_TRANSITIONS_V2.get(c.status);
+  if (!allowed.has(next))
+    throw new Error(
+      `cannot transition conversation from ${c.status} to ${next}`,
+    );
+  if (next === "active") {
+    if (c.status === "draft") {
+      const count = getActiveConvCountV2(c.userId);
+      if (count >= _maxActiveConvPerUserV2)
+        throw new Error(
+          `user ${c.userId} already at active-conversation cap (${_maxActiveConvPerUserV2})`,
+        );
+    }
+    if (!c.activatedAt) c.activatedAt = now;
+  }
+  if (next === "archived" && !c.archivedAt) c.archivedAt = now;
+  c.status = next;
+  c.lastSeenAt = now;
+  return _copyConvV2(c);
+}
+
+export function activateConversationV2(id, opts) {
+  return setConversationStatusV2(id, "active", opts);
+}
+export function pauseConversationV2(id, opts) {
+  return setConversationStatusV2(id, "paused", opts);
+}
+export function archiveConversationV2(id, opts) {
+  return setConversationStatusV2(id, "archived", opts);
+}
+
+export function touchConversationV2(id, { now = Date.now() } = {}) {
+  const c = _conversationsV2.get(id);
+  if (!c) throw new Error(`conversation ${id} not found`);
+  c.lastSeenAt = now;
+  return _copyConvV2(c);
+}
+
+export function createTurnV2(
+  id,
+  { conversationId, role = "user", metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!conversationId || typeof conversationId !== "string")
+    throw new Error("conversationId must be a string");
+  if (_turnsV2.has(id)) throw new Error(`turn ${id} already exists`);
+  const count = getPendingTurnCountV2(conversationId);
+  if (count >= _maxPendingTurnsPerConvV2)
+    throw new Error(
+      `conversation ${conversationId} already at pending-turn cap (${_maxPendingTurnsPerConvV2})`,
+    );
+  const t = {
+    id,
+    conversationId,
+    role,
+    status: "pending",
+    createdAt: now,
+    lastSeenAt: now,
+    streamingStartedAt: null,
+    settledAt: null,
+    metadata: { ...metadata },
+  };
+  _turnsV2.set(id, t);
+  return _copyTurnV2(t);
+}
+
+export function getTurnV2(id) {
+  const t = _turnsV2.get(id);
+  return t ? _copyTurnV2(t) : null;
+}
+
+export function listTurnsV2({ conversationId, status } = {}) {
+  const out = [];
+  for (const t of _turnsV2.values()) {
+    if (conversationId && t.conversationId !== conversationId) continue;
+    if (status && t.status !== status) continue;
+    out.push(_copyTurnV2(t));
+  }
+  return out;
+}
+
+export function setTurnStatusV2(id, next, { now = Date.now() } = {}) {
+  const t = _turnsV2.get(id);
+  if (!t) throw new Error(`turn ${id} not found`);
+  if (!TURN_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown turn status: ${next}`);
+  if (TURN_TERMINALS_V2.has(t.status))
+    throw new Error(`turn ${id} is in terminal state ${t.status}`);
+  const allowed = TURN_TRANSITIONS_V2.get(t.status);
+  if (!allowed.has(next))
+    throw new Error(`cannot transition turn from ${t.status} to ${next}`);
+  if (next === "streaming" && !t.streamingStartedAt) t.streamingStartedAt = now;
+  if (TURN_TERMINALS_V2.has(next) && !t.settledAt) t.settledAt = now;
+  t.status = next;
+  t.lastSeenAt = now;
+  return _copyTurnV2(t);
+}
+
+export function streamTurnV2(id, opts) {
+  return setTurnStatusV2(id, "streaming", opts);
+}
+export function completeTurnV2(id, opts) {
+  return setTurnStatusV2(id, "completed", opts);
+}
+export function failTurnV2(id, opts) {
+  return setTurnStatusV2(id, "failed", opts);
+}
+export function cancelTurnV2(id, opts) {
+  return setTurnStatusV2(id, "cancelled", opts);
+}
+
+export function autoArchiveIdleConversationsV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const c of _conversationsV2.values()) {
+    if (c.status === "archived" || c.status === "draft") continue;
+    if (now - c.lastSeenAt > _convIdleMsV2) {
+      c.status = "archived";
+      c.lastSeenAt = now;
+      if (!c.archivedAt) c.archivedAt = now;
+      flipped.push(_copyConvV2(c));
+    }
+  }
+  return flipped;
+}
+
+export function autoFailStuckTurnsV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const t of _turnsV2.values()) {
+    if (t.status !== "streaming") continue;
+    const ref = t.streamingStartedAt ?? t.lastSeenAt;
+    if (now - ref > _turnStuckMsV2) {
+      t.status = "failed";
+      t.lastSeenAt = now;
+      if (!t.settledAt) t.settledAt = now;
+      flipped.push(_copyTurnV2(t));
+    }
+  }
+  return flipped;
+}
+
+export function getSessionManagerStatsV2() {
+  const conversationsByStatus = {};
+  for (const v of Object.values(CONVERSATION_MATURITY_V2))
+    conversationsByStatus[v] = 0;
+  for (const c of _conversationsV2.values())
+    conversationsByStatus[c.status] += 1;
+
+  const turnsByStatus = {};
+  for (const v of Object.values(TURN_LIFECYCLE_V2)) turnsByStatus[v] = 0;
+  for (const t of _turnsV2.values()) turnsByStatus[t.status] += 1;
+
+  return {
+    totalConversationsV2: _conversationsV2.size,
+    totalTurnsV2: _turnsV2.size,
+    maxActiveConvPerUser: _maxActiveConvPerUserV2,
+    maxPendingTurnsPerConv: _maxPendingTurnsPerConvV2,
+    convIdleMs: _convIdleMsV2,
+    turnStuckMs: _turnStuckMsV2,
+    conversationsByStatus,
+    turnsByStatus,
+  };
+}
+
+export function _resetStateSessionManagerV2() {
+  _conversationsV2.clear();
+  _turnsV2.clear();
+  _maxActiveConvPerUserV2 = SESSION_DEFAULT_MAX_ACTIVE_CONV_PER_USER;
+  _maxPendingTurnsPerConvV2 = SESSION_DEFAULT_MAX_PENDING_TURNS_PER_CONV;
+  _convIdleMsV2 = SESSION_DEFAULT_CONV_IDLE_MS;
+  _turnStuckMsV2 = SESSION_DEFAULT_TURN_STUCK_MS;
+}

package/src/lib/siem-exporter.js

@@ -135,3 +135,336 @@ export function _resetState() {
   _targets.clear();
   _exports.length = 0;
 }
+
+// ═══════════════════════════════════════════════════════════════
+// V2 Canonical Surface (Phase 51)
+// ═══════════════════════════════════════════════════════════════
+
+export const SIEM_FORMAT = Object.freeze({
+  JSON: "json",
+  CEF: "cef",
+  LEEF: "leef",
+});
+
+export const SIEM_TARGET_TYPE = Object.freeze({
+  SPLUNK_HEC: "splunk_hec",
+  ELASTICSEARCH: "elasticsearch",
+  AZURE_SENTINEL: "azure_sentinel",
+});
+
+export const SIEM_SEVERITY = Object.freeze({
+  DEBUG: "debug",
+  INFO: "info",
+  WARN: "warn",
+  ERROR: "error",
+  CRITICAL: "critical",
+  FATAL: "fatal",
+});
+
+export const SIEM_TARGET_STATUS = Object.freeze({
+  ACTIVE: "active",
+  PAUSED: "paused",
+  DISABLED: "disabled",
+  ERROR: "error",
+});
+
+export const SIEM_DEFAULT_BATCH_SIZE = 100;
+
+// Design §二 severity-to-CEF table (0-10 scale, per ArcSight spec).
+const _severityCEF = Object.freeze({
+  debug: 1,
+  info: 3,
+  warn: 5,
+  error: 7,
+  critical: 9,
+  fatal: 10,
+});
+
+const _allowedTargetTransitions = new Map([
+  ["active", new Set(["paused", "disabled", "error"])],
+  ["paused", new Set(["active", "disabled", "error"])],
+  ["disabled", new Set(["active", "error"])],
+  ["error", new Set(["active", "paused", "disabled"])],
+]);
+
+function _validateFormat(format) {
+  if (!Object.values(SIEM_FORMAT).includes(format)) {
+    throw new Error(
+      `Invalid format: ${format}. Expected one of ${Object.values(SIEM_FORMAT).join("|")}`,
+    );
+  }
+}
+
+function _validateTargetType(type) {
+  if (!Object.values(SIEM_TARGET_TYPE).includes(type)) {
+    throw new Error(
+      `Invalid target type: ${type}. Expected one of ${Object.values(SIEM_TARGET_TYPE).join("|")}`,
+    );
+  }
+}
+
+function _validateSeverity(severity) {
+  if (!Object.values(SIEM_SEVERITY).includes(severity)) {
+    throw new Error(
+      `Invalid severity: ${severity}. Expected one of ${Object.values(SIEM_SEVERITY).join("|")}`,
+    );
+  }
+}
+
+function _validateStatus(status) {
+  if (!Object.values(SIEM_TARGET_STATUS).includes(status)) {
+    throw new Error(
+      `Invalid status: ${status}. Expected one of ${Object.values(SIEM_TARGET_STATUS).join("|")}`,
+    );
+  }
+}
+
+/**
+ * Map a SIEM_SEVERITY value to a CEF severity integer (0-10).
+ */
+export function severityToCEF(severity) {
+  const key = (severity || "").toLowerCase();
+  const n = _severityCEF[key];
+  if (n === undefined) {
+    throw new Error(`Unknown severity: ${severity}`);
+  }
+  return n;
+}
+
+// CEF extension-value escape (| \ = → escaped).
+function _escapeCEFExt(value) {
+  return String(value == null ? "" : value)
+    .replace(/\\/g, "\\\\")
+    .replace(/\|/g, "\\|")
+    .replace(/=/g, "\\=")
+    .replace(/\r?\n/g, "\\n");
+}
+
+function _flatExtensions(log) {
+  const pairs = [];
+  const md = log.metadata || {};
+  for (const [k, v] of Object.entries(md)) {
+    pairs.push(`${k}=${_escapeCEFExt(v)}`);
+  }
+  if (log.userId != null) pairs.push(`suser=${_escapeCEFExt(log.userId)}`);
+  if (log.ip != null) pairs.push(`src=${_escapeCEFExt(log.ip)}`);
+  if (log.message != null) pairs.push(`msg=${_escapeCEFExt(log.message)}`);
+  if (log.timestamp != null) pairs.push(`rt=${_escapeCEFExt(log.timestamp)}`);
+  return pairs;
+}
+
+/**
+ * Format a log record as CEF (ArcSight).
+ * CEF:0|Vendor|Product|Version|{eventId}|{eventName}|{severity}|{extensions}
+ */
+export function formatLogCEF(log, opts = {}) {
+  const vendor = opts.vendor || "ChainlessChain";
+  const product = opts.product || "CLI";
+  const version = opts.version || "1.0.0";
+  const eventId = log.eventId || log.id || "unknown";
+  const eventName = log.eventName || log.message || "event";
+  const severity = severityToCEF(log.severity || "info");
+  const pipeEscape = (s) => String(s).replace(/\|/g, "\\|");
+  const extensions = _flatExtensions(log).join(" ");
+  return `CEF:0|${pipeEscape(vendor)}|${pipeEscape(product)}|${pipeEscape(version)}|${pipeEscape(eventId)}|${pipeEscape(eventName)}|${severity}|${extensions}`;
+}
+
+/**
+ * Format a log record as LEEF 2.0 (IBM QRadar).
+ * LEEF:2.0|Vendor|Product|Version|{eventId}|<tab-separated key=value>
+ */
+export function formatLogLEEF(log, opts = {}) {
+  const vendor = opts.vendor || "ChainlessChain";
+  const product = opts.product || "CLI";
+  const version = opts.version || "1.0.0";
+  const eventId = log.eventId || log.id || "unknown";
+  const pipeEscape = (s) => String(s).replace(/\|/g, "\\|");
+  const pairs = [];
+  if (log.timestamp != null) pairs.push(`devTime=${log.timestamp}`);
+  if (log.userId != null) pairs.push(`usrName=${log.userId}`);
+  if (log.action != null) pairs.push(`action=${log.action}`);
+  if (log.ip != null) pairs.push(`src=${log.ip}`);
+  if (log.message != null) pairs.push(`msg=${log.message}`);
+  const md = log.metadata || {};
+  for (const [k, v] of Object.entries(md)) {
+    pairs.push(`${k}=${v}`);
+  }
+  return `LEEF:2.0|${pipeEscape(vendor)}|${pipeEscape(product)}|${pipeEscape(version)}|${pipeEscape(eventId)}|${pairs.join("\t")}`;
+}
+
+/**
+ * Format a log record as the canonical JSON envelope (Phase 51 §二).
+ */
+export function formatLogJSON(log) {
+  return {
+    timestamp: log.timestamp || Date.now(),
+    severity: (log.severity || "info").toUpperCase(),
+    source: log.source || "chainlesschain-cli",
+    message: log.message || "",
+    metadata: {
+      ...(log.metadata || {}),
+      eventId: log.eventId || log.id || null,
+      userId: log.userId || null,
+      action: log.action || null,
+      resource: log.resource || null,
+      ip: log.ip || null,
+    },
+  };
+}
+
+/**
+ * Dispatch by format. Returns string for CEF/LEEF, object for JSON.
+ */
+export function formatLog(format, log, opts) {
+  _validateFormat(format);
+  if (format === SIEM_FORMAT.CEF) return formatLogCEF(log, opts);
+  if (format === SIEM_FORMAT.LEEF) return formatLogLEEF(log, opts);
+  return formatLogJSON(log);
+}
+
+/**
+ * Add a SIEM target with V2 canonical validation.
+ */
+export function addTargetV2(db, options) {
+  if (!options || typeof options !== "object") {
+    throw new Error("options object is required");
+  }
+  const { type, url, format = SIEM_FORMAT.JSON, config = {} } = options;
+  _validateTargetType(type);
+  if (!url) throw new Error("Target URL is required");
+  _validateFormat(format);
+  return addTarget(db, type, url, format, config);
+}
+
+/**
+ * Remove a target by id. Throws if unknown.
+ */
+export function removeTarget(db, targetId) {
+  const target = _targets.get(targetId);
+  if (!target) throw new Error(`Target not found: ${targetId}`);
+  _targets.delete(targetId);
+  db.prepare(`DELETE FROM siem_exports WHERE id = ?`).run(targetId);
+  return { success: true, targetId };
+}
+
+/**
+ * Transition a target's status using the allowed state machine.
+ * active ↔ paused/disabled/error; disabled → active/error; error → any.
+ */
+export function setTargetStatus(db, targetId, newStatus) {
+  const target = _targets.get(targetId);
+  if (!target) throw new Error(`Target not found: ${targetId}`);
+  _validateStatus(newStatus);
+  if (target.status === newStatus) {
+    return { ...target };
+  }
+  const allowed = _allowedTargetTransitions.get(target.status) || new Set();
+  if (!allowed.has(newStatus)) {
+    throw new Error(
+      `Invalid status transition: ${target.status} → ${newStatus}`,
+    );
+  }
+  target.status = newStatus;
+  db.prepare(`UPDATE siem_exports SET status = ? WHERE id = ?`).run(
+    newStatus,
+    targetId,
+  );
+  return { ...target };
+}
+
+/**
+ * Batch-export logs to a target.
+ * - Skips when target.status !== "active" (returns { skipped: true, ... }).
+ * - Chunks logs into slices of batchSize (default 100).
+ * - Returns { batches, exported, skipped, lastId }.
+ */
+export function exportLogsV2(db, options) {
+  if (!options || typeof options !== "object") {
+    throw new Error("options object is required");
+  }
+  const { targetId, logs = [], batchSize = SIEM_DEFAULT_BATCH_SIZE } = options;
+  if (!Number.isInteger(batchSize) || batchSize <= 0) {
+    throw new Error("batchSize must be a positive integer");
+  }
+  const target = _targets.get(targetId);
+  if (!target) throw new Error(`Target not found: ${targetId}`);
+  if (target.status !== SIEM_TARGET_STATUS.ACTIVE) {
+    return {
+      skipped: true,
+      reason: `target status is ${target.status}`,
+      batches: 0,
+      exported: 0,
+      lastId: target.lastExportedLogId,
+    };
+  }
+  if (!Array.isArray(logs)) {
+    throw new Error("logs must be an array");
+  }
+
+  let batches = 0;
+  let exported = 0;
+  for (let i = 0; i < logs.length; i += batchSize) {
+    const slice = logs.slice(i, i + batchSize);
+    exportLogs(db, targetId, slice);
+    batches += 1;
+    exported += slice.length;
+  }
+  // Handle zero-length input — register one empty batch for stats parity.
+  if (logs.length === 0) {
+    exportLogs(db, targetId, []);
+    batches = 0; // no real batch was sent
+  }
+  return {
+    skipped: false,
+    batches,
+    exported,
+    lastId: target.lastExportedLogId,
+  };
+}
+
+/**
+ * Extended stats with byFormat / byType / byStatus breakdowns + totals.
+ */
+export function getSIEMStatsV2() {
+  const targets = [..._targets.values()];
+  const byFormat = {};
+  for (const v of Object.values(SIEM_FORMAT)) byFormat[v] = 0;
+  const byType = {};
+  for (const v of Object.values(SIEM_TARGET_TYPE)) byType[v] = 0;
+  const byStatus = {};
+  for (const v of Object.values(SIEM_TARGET_STATUS)) byStatus[v] = 0;
+  let totalExported = 0;
+  for (const t of targets) {
+    if (byFormat[t.format] !== undefined) byFormat[t.format] += 1;
+    if (byType[t.type] !== undefined) byType[t.type] += 1;
+    if (byStatus[t.status] !== undefined) byStatus[t.status] += 1;
+    totalExported += t.exportedCount || 0;
+  }
+  return {
+    totalTargets: targets.length,
+    totalExported,
+    totalBatches: _exports.length,
+    byFormat,
+    byType,
+    byStatus,
+    targets: targets.map((t) => ({
+      id: t.id,
+      type: t.type,
+      url: t.url,
+      format: t.format,
+      status: t.status,
+      exportedCount: t.exportedCount,
+      lastExportAt: t.lastExportAt,
+    })),
+  };
+}
+
+/**
+ * List targets filtered by status.
+ */
+export function listTargetsByStatus(status) {
+  _validateStatus(status);
+  return [..._targets.values()].filter((t) => t.status === status);
+}
+
+export { _severityCEF, _allowedTargetTransitions };