devfortress-sdk 4.2.0 → 4.2.1

package/dist/token-alias.js

@@ -0,0 +1,312 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenAliasManager = exports.EmergencyBlocklist = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const ENCRYPTED_PREFIX = 'enc:v1:';
+function encrypt(plaintext, keyHex) {
+    const key = Buffer.from(keyHex, 'hex');
+    const iv = crypto_1.default.randomBytes(12);
+    const cipher = crypto_1.default.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    return (ENCRYPTED_PREFIX +
+        iv.toString('hex') +
+        ':' +
+        encrypted.toString('hex') +
+        ':' +
+        authTag.toString('hex'));
+}
+function decrypt(ciphertext, keyHex) {
+    if (!ciphertext.startsWith(ENCRYPTED_PREFIX)) {
+        return ciphertext;
+    }
+    const parts = ciphertext.slice(ENCRYPTED_PREFIX.length).split(':');
+    if (parts.length !== 3)
+        throw new Error('Invalid encrypted format');
+    const iv = Buffer.from(parts[0], 'hex');
+    const encrypted = Buffer.from(parts[1], 'hex');
+    const authTag = Buffer.from(parts[2], 'hex');
+    const key = Buffer.from(keyHex, 'hex');
+    const decipher = crypto_1.default.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString('utf8');
+}
+function hashToken(realToken) {
+    return crypto_1.default.createHash('sha256').update(realToken).digest('hex');
+}
+class LRUCache {
+    constructor(maxEntries = 1000, defaultTtlSeconds = 60) {
+        this.cache = new Map();
+        this.maxEntries = maxEntries;
+        this.defaultTtl = defaultTtlSeconds;
+    }
+    get(key) {
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() > entry.expiresAt) {
+            this.cache.delete(key);
+            return null;
+        }
+        this.cache.delete(key);
+        this.cache.set(key, entry);
+        return entry.value;
+    }
+    set(key, value, ttlSeconds) {
+        if (this.cache.size >= this.maxEntries) {
+            const oldestKey = this.cache.keys().next().value;
+            if (oldestKey !== undefined)
+                this.cache.delete(oldestKey);
+        }
+        this.cache.set(key, {
+            value,
+            expiresAt: Date.now() + (ttlSeconds ?? this.defaultTtl) * 1000,
+        });
+    }
+    del(key) {
+        this.cache.delete(key);
+    }
+    has(key) {
+        return this.get(key) !== null;
+    }
+}
+const memStore = new Map();
+const memoryAdapter = {
+    async get(key) {
+        const entry = memStore.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() > entry.expiresAt) {
+            memStore.delete(key);
+            return null;
+        }
+        return entry.value;
+    },
+    async set(key, value, ttlSeconds) {
+        memStore.set(key, {
+            value,
+            expiresAt: Date.now() + ttlSeconds * 1000,
+        });
+    },
+    async del(key) {
+        memStore.delete(key);
+    },
+};
+class EmergencyBlocklist {
+    constructor(cache, ttlSeconds = 900) {
+        this.cache = cache || memoryAdapter;
+        this.lru = new LRUCache(5000, ttlSeconds);
+        this.defaultTtlSeconds = ttlSeconds;
+    }
+    async blockIP(ip, reason = 'critical_event') {
+        const value = JSON.stringify({ reason, blockedAt: Date.now() });
+        this.lru.set(`emergency:block:${ip}`, value, this.defaultTtlSeconds);
+        try {
+            await this.cache.set(`emergency:block:${ip}`, value, this.defaultTtlSeconds);
+        }
+        catch {
+        }
+    }
+    async isBlocked(ip) {
+        if (this.lru.has(`emergency:block:${ip}`))
+            return true;
+        try {
+            const val = await this.cache.get(`emergency:block:${ip}`);
+            return val !== null;
+        }
+        catch {
+            return false;
+        }
+    }
+    async unblockIP(ip) {
+        this.lru.del(`emergency:block:${ip}`);
+        try {
+            await this.cache.del(`emergency:block:${ip}`);
+        }
+        catch {
+        }
+    }
+}
+exports.EmergencyBlocklist = EmergencyBlocklist;
+class TokenAliasManager {
+    constructor(cacheAdapter, config) {
+        this.cache = cacheAdapter || memoryAdapter;
+        this.encryptionKey =
+            config?.encryptionKey ||
+                process.env.DEVFORTRESS_REDIS_ENCRYPTION_KEY ||
+                null;
+        this.lru = new LRUCache(config?.lruMaxEntries ?? 1000, config?.lruTtlSeconds ?? 60);
+        this.rotationGracePeriod = config?.rotationGracePeriodSeconds ?? 1200;
+        this.onFallbackRevocation = config?.onFallbackRevocation;
+        if (this.encryptionKey && this.encryptionKey.length !== 64) {
+            throw new Error('DEVFORTRESS_REDIS_ENCRYPTION_KEY must be a 32-byte hex string (64 hex characters)');
+        }
+    }
+    encryptValue(plaintext) {
+        if (!this.encryptionKey)
+            return plaintext;
+        return encrypt(plaintext, this.encryptionKey);
+    }
+    decryptValue(ciphertext) {
+        if (!this.encryptionKey)
+            return ciphertext;
+        return decrypt(ciphertext, this.encryptionKey);
+    }
+    async cacheGet(key) {
+        try {
+            const value = await this.cache.get(key);
+            if (value !== null) {
+                this.lru.set(key, value);
+                return value;
+            }
+        }
+        catch {
+        }
+        return this.lru.get(key);
+    }
+    async cacheSet(key, value, ttlSeconds) {
+        this.lru.set(key, value, ttlSeconds);
+        try {
+            await this.cache.set(key, value, ttlSeconds);
+        }
+        catch {
+        }
+    }
+    async cacheDel(key) {
+        this.lru.del(key);
+        try {
+            await this.cache.del(key);
+        }
+        catch {
+        }
+    }
+    async createAlias(realToken, userId, ttlSeconds = 3600) {
+        const tokenHash = hashToken(realToken);
+        const existingAlias = await this.cacheGet(`cred:alias:${tokenHash}`);
+        if (existingAlias)
+            return existingAlias;
+        const alias = 'df_sid_' + crypto_1.default.randomBytes(16).toString('hex');
+        const data = {
+            realToken,
+            userId,
+            createdAt: Date.now(),
+        };
+        const encryptedData = this.encryptValue(JSON.stringify(data));
+        await this.cacheSet(`alias:${alias}`, encryptedData, ttlSeconds);
+        await this.cacheSet(`cred:alias:${tokenHash}`, alias, ttlSeconds);
+        return alias;
+    }
+    async resolveAlias(alias) {
+        const raw = await this.cacheGet(`alias:${alias}`);
+        if (!raw)
+            return null;
+        try {
+            const decrypted = this.decryptValue(raw);
+            const data = JSON.parse(decrypted);
+            return {
+                realToken: data.realToken,
+                userId: data.userId,
+                createdAt: data.createdAt,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    async revokeByAlias(alias, reason = 'active_threat', subjectId) {
+        try {
+            const resolved = await this.resolveAlias(alias);
+            if (!resolved) {
+                if (subjectId && this.onFallbackRevocation) {
+                    await this.onFallbackRevocation(subjectId, `[DF] alias resolution failed for ${alias} — falling back to subjectId revocation`);
+                }
+                return null;
+            }
+            const tokenHash = hashToken(resolved.realToken);
+            await this.cacheDel(`alias:${alias}`);
+            await this.cacheDel(`cred:alias:${tokenHash}`);
+            const revocationMarker = JSON.stringify({
+                revoked: true,
+                reason,
+                revokedAt: Date.now(),
+                revocation_scope: 'precise',
+            });
+            await this.cacheSet(`revoked:alias:${alias}`, revocationMarker, 86400);
+            return resolved;
+        }
+        catch (error) {
+            const fallbackSubject = subjectId || 'unknown';
+            if (this.onFallbackRevocation) {
+                await this.onFallbackRevocation(fallbackSubject, `[DF] cache error during revokeByAlias(${alias}) — falling back to subjectId revocation. Error: ${error instanceof Error ? error.message : String(error)}`);
+            }
+            try {
+                const revocationMarker = JSON.stringify({
+                    revoked: true,
+                    reason,
+                    revokedAt: Date.now(),
+                    revocation_scope: 'broad',
+                });
+                await this.cacheSet(`revoked:alias:${alias}`, revocationMarker, 86400);
+            }
+            catch {
+            }
+            return null;
+        }
+    }
+    async rotateAlias(oldAlias, ttlSeconds = 3600) {
+        const resolved = await this.resolveAlias(oldAlias);
+        if (!resolved)
+            return null;
+        const rotatingData = {
+            ...resolved,
+            status: 'rotating',
+            canCreateNewEvents: false,
+        };
+        const encryptedRotating = this.encryptValue(JSON.stringify(rotatingData));
+        await this.cacheSet(`alias:${oldAlias}`, encryptedRotating, this.rotationGracePeriod);
+        const tokenHash = hashToken(resolved.realToken);
+        await this.cacheDel(`cred:alias:${tokenHash}`);
+        return this.createAlias(resolved.realToken, resolved.userId, ttlSeconds);
+    }
+    async revokeOnLogout(realToken) {
+        const tokenHash = hashToken(realToken);
+        const alias = await this.cacheGet(`cred:alias:${tokenHash}`);
+        if (!alias)
+            return;
+        const revocationMarker = JSON.stringify({
+            revoked: true,
+            reason: 'logout',
+            revokedAt: Date.now(),
+            revocation_scope: 'precise',
+        });
+        await this.cacheSet(`revoked:alias:${alias}`, revocationMarker, 86400);
+        await this.cacheDel(`alias:${alias}`);
+        await this.cacheDel(`cred:alias:${tokenHash}`);
+    }
+    async isRevoked(alias) {
+        const revoked = await this.cacheGet(`revoked:alias:${alias}`);
+        return revoked !== null;
+    }
+    async getRevocationDetails(alias) {
+        const raw = await this.cacheGet(`revoked:alias:${alias}`);
+        if (!raw)
+            return null;
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return {
+                reason: 'active_threat',
+                revokedAt: Date.now(),
+                revocation_scope: 'precise',
+            };
+        }
+    }
+}
+exports.TokenAliasManager = TokenAliasManager;

package/dist/types.d.ts

@@ -1,28 +1,8 @@
-/**
- * DevFortress SDK v3.0.0 — Type Definitions
- *
- * Covers:
- * - Event types & severity levels
- * - SDK configuration & enrichment hooks
- * - Threat events & webhook payloads
- * - Token alias interfaces
- * - AbuseIPDB types
- */
-/** Closed-loop protection mode:
- * - 'external': SDK → DevFortress Platform → webhook → response (default)
- * - 'internal': 3-tier local engine, no platform calls (enterprise/air-gap)
- * - 'hybrid':   Internal evaluates first, external enriches asynchronously
- */
 export type CLMode = 'external' | 'internal' | 'hybrid';
 export type EventType = 'auth_failure' | 'validation_error' | 'rate_limit_exceeded' | '5xx_error' | '4xx_error' | 'suspicious_pattern' | 'sql_injection_attempt' | 'xss_attempt' | 'custom' | 'login_brute_force' | 'credential_stuffing' | 'password_spray' | 'honeypot_triggered' | 'sql_injection' | 'auth_endpoint_scan' | 'recon_scan' | 'bot_signature' | 'brute_force' | 'token_replay' | 'privilege_escalation' | 'suspicious_ip' | 'anomalous_volume' | 'geo_anomaly';
 export type SeverityLevel = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
 export type ThreatSeverity = 'low' | 'medium' | 'high' | 'critical';
-/** Authentication phase when the event occurred:
- * - 'pre_auth':  Before authentication (login attempts, public endpoint attacks)
- * - 'post_auth': After authentication (session-based threats, privilege escalation)
- */
 export type AuthPhase = 'pre_auth' | 'post_auth';
-/** Action taken by the protection system in response to the threat */
 export type ActionTaken = 'blocked' | 'rate_limited' | 'session_revoked' | 'captcha_challenged' | 'flagged' | 'allowed' | 'monitored';
 export interface LiveThreatEvent {
     eventType: EventType;
@@ -42,15 +22,10 @@ export interface LiveThreatEvent {
     environment?: string;
     compositeScore?: number;
     abuseipdb?: AbuseIPDBScore;
-    /** Closed-loop protection mode active when event was captured */
     clMode?: CLMode;
-    /** Whether event occurred pre-auth or post-auth */
     authPhase?: AuthPhase;
-    /** Action taken by the protection system */
     actionTaken?: ActionTaken;
-    /** Response latency in milliseconds (time from request to SDK event emission) */
     responseLatencyMs?: number;
-    /** Whether user session remained active after the action was taken */
     sessionActiveAfterAction?: boolean;
 }
 export interface DevFortressClientOptions {
@@ -79,30 +54,18 @@ export interface DevFortressConfig {
         url?: string;
         ttl?: number;
     };
-    /** Closed-loop protection mode. Default: 'external' */
     mode?: CLMode;
-    /** Subscription tier for feature gating */
     tier?: 'starter' | 'pro' | 'enterprise';
-    /** Whether the hybrid add-on is enabled (Pro tier only) */
     hybridAddonEnabled?: boolean;
-    /** Internal closed-loop engine configuration (for 'internal' or 'hybrid' mode) */
     internalCL?: {
-        /** Fail-closed (block on error) or fail-open. Default: 'closed' */
         failMode?: 'closed' | 'open';
-        /** Custom Tier 2 scorer */
         tier2Scorer?: (request: unknown) => Promise<number> | number;
-        /** Score threshold for auto-block. Default: 85 */
         blockThreshold?: number;
-        /** Rate limit: max requests per window. Default: 100 */
         rateLimitMax?: number;
-        /** Rate limit window in ms. Default: 60000 */
         rateLimitWindowMs?: number;
     };
-    /** Circuit breaker config for hybrid mode fallback */
     circuitBreaker?: {
-        /** Failures before opening circuit. Default: 3 */
         failureThreshold?: number;
-        /** Time before testing recovery in ms. Default: 60000 */
         recoveryTimeMs?: number;
     };
 }

package/dist/types.js

@@ -1,12 +1,2 @@
 "use strict";
-/**
- * DevFortress SDK v3.0.0 — Type Definitions
- *
- * Covers:
- * - Event types & severity levels
- * - SDK configuration & enrichment hooks
- * - Threat events & webhook payloads
- * - Token alias interfaces
- * - AbuseIPDB types
- */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/unified-audit.d.ts

@@ -0,0 +1,70 @@
+import type { ThreatSeverity } from './types';
+import type { InternalCLDecision } from './internal-closed-loop-engine';
+export type AuditSource = 'internal' | 'external' | 'hybrid';
+export interface UnifiedAuditEntry {
+    eventId: string;
+    timestamp: number;
+    source: AuditSource;
+    tier: 0 | 1 | 2 | 3;
+    decision: InternalCLDecision | 'webhook_response';
+    score: number;
+    severity: ThreatSeverity;
+    latencyMs: number;
+    ip: string;
+    path: string;
+    method: string;
+    matchedRules: string[];
+    userId?: string | null;
+    agentId?: string;
+    sessionId?: string | null;
+    fallbackMode?: boolean;
+    meta?: Record<string, unknown>;
+}
+export interface UnifiedAuditConfig {
+    maxEntries?: number;
+    onEntry?: (entry: UnifiedAuditEntry) => void | Promise<void>;
+    debug?: boolean;
+}
+export declare class UnifiedAuditTrail {
+    private entries;
+    private maxEntries;
+    private onEntry?;
+    private debug;
+    private stats;
+    constructor(config?: UnifiedAuditConfig);
+    record(entry: UnifiedAuditEntry): void;
+    query(filters?: {
+        source?: AuditSource;
+        decision?: string;
+        ip?: string;
+        userId?: string;
+        agentId?: string;
+        minScore?: number;
+        since?: number;
+        limit?: number;
+    }): ReadonlyArray<UnifiedAuditEntry>;
+    getStats(): {
+        total: number;
+        internalDecisions: number;
+        externalDecisions: number;
+        hybridDecisions: number;
+        fallbackEvents: number;
+        totalBlocks: number;
+        totalAllows: number;
+        totalRateLimits: number;
+        avgInternalLatencyMs: number;
+        avgExternalLatencyMs: number;
+    };
+    getDecisionDistribution(): Record<string, number>;
+    getLatencyHistogram(): {
+        under1ms: number;
+        under5ms: number;
+        under50ms: number;
+        under200ms: number;
+        under1s: number;
+        over1s: number;
+    };
+    exportJSON(since?: number): string;
+    _reset(): void;
+    private updateStats;
+}

package/dist/unified-audit.js

@@ -0,0 +1,171 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnifiedAuditTrail = void 0;
+class UnifiedAuditTrail {
+    constructor(config = {}) {
+        this.entries = [];
+        this.stats = {
+            internalDecisions: 0,
+            externalDecisions: 0,
+            hybridDecisions: 0,
+            fallbackEvents: 0,
+            totalBlocks: 0,
+            totalAllows: 0,
+            totalRateLimits: 0,
+            avgInternalLatencyMs: 0,
+            avgExternalLatencyMs: 0,
+            internalLatencySum: 0,
+            externalLatencySum: 0,
+        };
+        this.maxEntries = config.maxEntries ?? 100000;
+        this.onEntry = config.onEntry;
+        this.debug = config.debug ?? false;
+    }
+    record(entry) {
+        if (this.entries.length >= this.maxEntries) {
+            this.entries.splice(0, Math.floor(this.maxEntries * 0.1));
+        }
+        this.entries.push(entry);
+        this.updateStats(entry);
+        if (this.onEntry) {
+            try {
+                const result = this.onEntry(entry);
+                if (result && typeof result.catch === 'function') {
+                    result.catch(() => { });
+                }
+            }
+            catch {
+            }
+        }
+        if (this.debug) {
+            console.log(`[DF Audit] ${entry.source}:tier${entry.tier} ${entry.decision} score=${entry.score} ${entry.ip} ${entry.method} ${entry.path} (${entry.latencyMs}ms)`);
+        }
+    }
+    query(filters) {
+        let result = this.entries;
+        if (filters) {
+            if (filters.source) {
+                result = result.filter(e => e.source === filters.source);
+            }
+            if (filters.decision) {
+                result = result.filter(e => e.decision === filters.decision);
+            }
+            if (filters.ip) {
+                result = result.filter(e => e.ip === filters.ip);
+            }
+            if (filters.userId) {
+                result = result.filter(e => e.userId === filters.userId);
+            }
+            if (filters.agentId) {
+                result = result.filter(e => e.agentId === filters.agentId);
+            }
+            if (filters.minScore !== undefined) {
+                result = result.filter(e => e.score >= filters.minScore);
+            }
+            if (filters.since) {
+                result = result.filter(e => e.timestamp >= filters.since);
+            }
+        }
+        const limit = filters?.limit ?? 100;
+        return result.slice(-limit);
+    }
+    getStats() {
+        return {
+            total: this.entries.length,
+            ...this.stats,
+            avgInternalLatencyMs: this.stats.internalDecisions > 0
+                ? Math.round(this.stats.internalLatencySum / this.stats.internalDecisions)
+                : 0,
+            avgExternalLatencyMs: this.stats.externalDecisions > 0
+                ? Math.round(this.stats.externalLatencySum / this.stats.externalDecisions)
+                : 0,
+        };
+    }
+    getDecisionDistribution() {
+        const dist = {};
+        for (const entry of this.entries) {
+            const key = `${entry.source}:${entry.decision}`;
+            dist[key] = (dist[key] || 0) + 1;
+        }
+        return dist;
+    }
+    getLatencyHistogram() {
+        const hist = {
+            under1ms: 0,
+            under5ms: 0,
+            under50ms: 0,
+            under200ms: 0,
+            under1s: 0,
+            over1s: 0,
+        };
+        for (const entry of this.entries) {
+            if (entry.latencyMs < 1)
+                hist.under1ms++;
+            else if (entry.latencyMs < 5)
+                hist.under5ms++;
+            else if (entry.latencyMs < 50)
+                hist.under50ms++;
+            else if (entry.latencyMs < 200)
+                hist.under200ms++;
+            else if (entry.latencyMs < 1000)
+                hist.under1s++;
+            else
+                hist.over1s++;
+        }
+        return hist;
+    }
+    exportJSON(since) {
+        const entries = since
+            ? this.entries.filter(e => e.timestamp >= since)
+            : this.entries;
+        return JSON.stringify(entries, null, 2);
+    }
+    _reset() {
+        this.entries = [];
+        this.stats = {
+            internalDecisions: 0,
+            externalDecisions: 0,
+            hybridDecisions: 0,
+            fallbackEvents: 0,
+            totalBlocks: 0,
+            totalAllows: 0,
+            totalRateLimits: 0,
+            avgInternalLatencyMs: 0,
+            avgExternalLatencyMs: 0,
+            internalLatencySum: 0,
+            externalLatencySum: 0,
+        };
+    }
+    updateStats(entry) {
+        if (entry.source === 'internal') {
+            this.stats.internalDecisions++;
+            this.stats.internalLatencySum += entry.latencyMs;
+        }
+        else if (entry.source === 'external') {
+            this.stats.externalDecisions++;
+            this.stats.externalLatencySum += entry.latencyMs;
+        }
+        else {
+            this.stats.hybridDecisions++;
+            if (entry.tier > 0) {
+                this.stats.internalLatencySum += entry.latencyMs;
+            }
+            else {
+                this.stats.externalLatencySum += entry.latencyMs;
+            }
+        }
+        if (entry.fallbackMode) {
+            this.stats.fallbackEvents++;
+        }
+        if (entry.decision === 'block') {
+            this.stats.totalBlocks++;
+        }
+        else if (entry.decision === 'allow') {
+            this.stats.totalAllows++;
+        }
+        else if (entry.decision === 'rate_limit') {
+            this.stats.totalRateLimits++;
+        }
+    }
+}
+exports.UnifiedAuditTrail = UnifiedAuditTrail;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devfortress-sdk",
-  "version": "4.2.0",
+  "version": "4.2.1",
   "description": "DevFortress SDK — API and application security with automated threat response, session privacy, and AI agent observability.",
   "main": "dist/index.js",
   "browser": "dist/browser.js",
@@ -27,20 +27,7 @@
     "devfortress-init": "./bin/devfortress-init.js"
   },
   "files": [
-    "dist/index.js",
-    "dist/index.d.ts",
-    "dist/client.js",
-    "dist/client.d.ts",
-    "dist/browser.js",
-    "dist/browser.d.ts",
-    "dist/quick.js",
-    "dist/quick.d.ts",
-    "dist/types.js",
-    "dist/types.d.ts",
-    "dist/circuit-breaker.js",
-    "dist/circuit-breaker.d.ts",
-    "dist/middleware/express.js",
-    "dist/middleware/express.d.ts",
+    "dist",
     "bin/devfortress-init.js",
     "src/middleware/fastapi.py",
     "src/middleware/flask.py",