guardian-risk-logger 0.1.0 → 0.2.0

package/README.md

@@ -6,9 +6,7 @@
 npm install guardian-risk guardian-risk-logger
 ```
 
-> **Stub package** — API may change before `1.0.0`.
-
-Audit logging for [guardian-risk](https://www.npmjs.com/package/guardian-risk). Records risk reports, matched rules, and scores for compliance and debugging.
+Audit logging for [guardian-risk](https://www.npmjs.com/package/guardian-risk) analysis results.
 
 ## What gets logged
 
@@ -16,43 +14,34 @@ Audit logging for [guardian-risk](https://www.npmjs.com/package/guardian-risk).
 |-------|--------|
 | `score` | `report.score` |
 | `riskLevel` | `report.level` |
-| `matchedRules` | Count and details from `report.matchedRules` |
+| `matchedRules` | Rule names from `report.matchedRules` |
 | `reasons` | `report.reasons` |
-| `analyzedAt` | `report.analyzedAt` |
+| `context` | Sanitized request metadata (method, path, IP only) |
 
-## Usage (stub)
+## Production usage
 
 ```typescript
 import { Guardian } from 'guardian-risk';
-import { loggerPlugin, analyzeAndLog } from 'guardian-risk-logger';
-import { vpnPlugin } from 'guardian-risk-vpn';
+import { loggerPlugin } from 'guardian-risk-logger';
 
-const guardian = new Guardian()
+const template = new Guardian()
   .use(loggerPlugin({ level: 'info', minScore: 20 }))
-  .use(vpnPlugin());
-
-guardian.signal('vpn', true);
+  .rule({ name: 'Bot', when: (s) => s.headlessUA === true, score: 30 });
 
-const report = analyzeAndLog(guardian, { minScore: 0 });
+// Middleware runs analyzeAsync → afterAnalyze logs automatically
 ```
 
-## Custom sink
+## Security notes
 
-```typescript
-import { loggerPlugin, logReport, type LogSink } from 'guardian-risk-logger';
-
-const sink: LogSink = {
-  write(entry) {
-    // Send to Datadog, CloudWatch, file, etc.
-    myAuditService.record(entry);
-  },
-};
-
-const guardian = new Guardian().use(loggerPlugin({ sink }));
-const report = guardian.analyze();
-logReport(report, { sink });
-```
+- Request **headers are redacted** from log context — only method, path, and validated IP are kept.
+- Do not log raw cookies, auth tokens, or PII in custom sinks.
+- Use `minScore` to reduce noise in high-traffic apps.
+
+## API
 
-## Status
+- `loggerPlugin(options)` — `afterAnalyze` auto-logging
+- `analyzeAndLog(guardian, options)` — one-shot analyze + log
+- `logReport(report, options)` — log an existing report
+- `LogSink` — custom destination (Datadog, CloudWatch, etc.)
 
-Not yet published. Implementation in progress.
+See [SECURITY.md](../../SECURITY.md).

package/dist/index.cjs

@@ -15,37 +15,74 @@ var defaultSink = {
       score: entry.report.score,
       riskLevel: entry.report.level,
       matchedRules: entry.report.matchedRules.length,
-      timestamp: entry.timestamp
+      timestamp: entry.timestamp,
+      ...entry.context !== void 0 ? { context: entry.context } : {}
     });
     console.log(`[guardian-risk] ${payload}`);
   }
 };
 function loggerPlugin(options = {}) {
-  const { level = "info", sink = defaultSink, minScore = 0 } = options;
+  const resolved = {
+    level: "info",
+    sink: defaultSink,
+    minScore: 0,
+    includeContext: true,
+    ...options
+  };
   return {
     name: "guardian-risk-logger",
-    install(_guardian) {
+    install(guardian) {
+      guardian.afterAnalyze(({ report, data }) => {
+        logReport(report, {
+          ...resolved,
+          context: resolved.includeContext ? sanitizeLogContext(data) : void 0
+        });
+      });
     }
   };
 }
 function logReport(report, options = {}) {
-  const { level = "info", sink = defaultSink, minScore = 0 } = options;
+  const {
+    level = "info",
+    sink = defaultSink,
+    minScore = 0,
+    context,
+    includeContext = true
+  } = options;
   if (report.score < minScore) {
     return;
   }
   const entryLevel = resolveLogLevel(report, level);
+  if (!shouldLog(level, entryLevel)) {
+    return;
+  }
   sink.write({
     level: entryLevel,
-    message: `Risk analysis complete: ${report.level} (${report.score})`,
+    message: `Risk analysis: ${report.level} (score ${report.score})`,
     report,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    context: includeContext ? sanitizeLogContext(context) : void 0
   });
 }
-function analyzeAndLog(guardian, options = {}) {
-  const report = guardian.analyze();
-  logReport(report, options);
+async function analyzeAndLog(guardian, context, options = {}) {
+  const report = await guardian.analyzeAsync(context);
+  logReport(report, { ...options, context });
   return report;
 }
+function sanitizeLogContext(context) {
+  if (context === null || context === void 0) {
+    return void 0;
+  }
+  if (typeof context !== "object") {
+    return void 0;
+  }
+  const record = context;
+  return {
+    method: typeof record.method === "string" ? record.method : void 0,
+    path: typeof record.path === "string" ? record.path : typeof record.originalUrl === "string" ? record.originalUrl : void 0,
+    ip: typeof record.ip === "string" ? record.ip : void 0
+  };
+}
 function resolveLogLevel(report, configured) {
   if (report.level === "CRITICAL") {
     return "error";
@@ -62,6 +99,5 @@ function shouldLog(configured, actual) {
 exports.analyzeAndLog = analyzeAndLog;
 exports.logReport = logReport;
 exports.loggerPlugin = loggerPlugin;
+exports.sanitizeLogContext = sanitizeLogContext;
 exports.shouldLog = shouldLog;
-//# sourceMappingURL=index.cjs.map
-//# sourceMappingURL=index.cjs.map

package/dist/index.d.cts

@@ -13,31 +13,23 @@ interface LogEntry {
     readonly message: string;
     readonly report: RiskReport;
     readonly timestamp: string;
+    readonly context?: unknown;
 }
-/** Options for the logger plugin (stub). */
+/** Options for the logger plugin. */
 interface LoggerPluginOptions {
-    /** Minimum level to emit. */
     readonly level?: LogLevel;
-    /** Custom sink. Defaults to console. */
     readonly sink?: LogSink;
-    /** Log only when score exceeds this threshold. */
     readonly minScore?: number;
+    /** Include redacted request metadata in logs (default: true). */
+    readonly includeContext?: boolean;
 }
-/**
- * Logger plugin for guardian-risk.
- *
- * @stub Future versions will hook into analyze() automatically.
- * For now, use `logReport()` after `guardian.analyze()`.
- */
 declare function loggerPlugin(options?: LoggerPluginOptions): Plugin;
-/**
- * Log a risk report to the configured sink.
- */
-declare function logReport(report: RiskReport, options?: LoggerPluginOptions): void;
-/**
- * Analyze and log in one step.
- */
-declare function analyzeAndLog(guardian: guardian_risk.Guardian, options?: LoggerPluginOptions): RiskReport;
+declare function logReport(report: RiskReport, options?: LoggerPluginOptions & {
+    context?: unknown;
+}): void;
+declare function analyzeAndLog(guardian: guardian_risk.Guardian, context?: unknown, options?: LoggerPluginOptions): Promise<RiskReport>;
+/** Redact sensitive request fields before logging. */
+declare function sanitizeLogContext(context: unknown): unknown;
 declare function shouldLog(configured: LogLevel, actual: LogLevel): boolean;
 
-export { type LogEntry, type LogLevel, type LogSink, type LoggerPluginOptions, analyzeAndLog, logReport, loggerPlugin, shouldLog };
+export { type LogEntry, type LogLevel, type LogSink, type LoggerPluginOptions, analyzeAndLog, logReport, loggerPlugin, sanitizeLogContext, shouldLog };

package/dist/index.d.ts

@@ -13,31 +13,23 @@ interface LogEntry {
     readonly message: string;
     readonly report: RiskReport;
     readonly timestamp: string;
+    readonly context?: unknown;
 }
-/** Options for the logger plugin (stub). */
+/** Options for the logger plugin. */
 interface LoggerPluginOptions {
-    /** Minimum level to emit. */
     readonly level?: LogLevel;
-    /** Custom sink. Defaults to console. */
     readonly sink?: LogSink;
-    /** Log only when score exceeds this threshold. */
     readonly minScore?: number;
+    /** Include redacted request metadata in logs (default: true). */
+    readonly includeContext?: boolean;
 }
-/**
- * Logger plugin for guardian-risk.
- *
- * @stub Future versions will hook into analyze() automatically.
- * For now, use `logReport()` after `guardian.analyze()`.
- */
 declare function loggerPlugin(options?: LoggerPluginOptions): Plugin;
-/**
- * Log a risk report to the configured sink.
- */
-declare function logReport(report: RiskReport, options?: LoggerPluginOptions): void;
-/**
- * Analyze and log in one step.
- */
-declare function analyzeAndLog(guardian: guardian_risk.Guardian, options?: LoggerPluginOptions): RiskReport;
+declare function logReport(report: RiskReport, options?: LoggerPluginOptions & {
+    context?: unknown;
+}): void;
+declare function analyzeAndLog(guardian: guardian_risk.Guardian, context?: unknown, options?: LoggerPluginOptions): Promise<RiskReport>;
+/** Redact sensitive request fields before logging. */
+declare function sanitizeLogContext(context: unknown): unknown;
 declare function shouldLog(configured: LogLevel, actual: LogLevel): boolean;
 
-export { type LogEntry, type LogLevel, type LogSink, type LoggerPluginOptions, analyzeAndLog, logReport, loggerPlugin, shouldLog };
+export { type LogEntry, type LogLevel, type LogSink, type LoggerPluginOptions, analyzeAndLog, logReport, loggerPlugin, sanitizeLogContext, shouldLog };

package/dist/index.js

@@ -13,37 +13,74 @@ var defaultSink = {
       score: entry.report.score,
       riskLevel: entry.report.level,
       matchedRules: entry.report.matchedRules.length,
-      timestamp: entry.timestamp
+      timestamp: entry.timestamp,
+      ...entry.context !== void 0 ? { context: entry.context } : {}
     });
     console.log(`[guardian-risk] ${payload}`);
   }
 };
 function loggerPlugin(options = {}) {
-  const { level = "info", sink = defaultSink, minScore = 0 } = options;
+  const resolved = {
+    level: "info",
+    sink: defaultSink,
+    minScore: 0,
+    includeContext: true,
+    ...options
+  };
   return {
     name: "guardian-risk-logger",
-    install(_guardian) {
+    install(guardian) {
+      guardian.afterAnalyze(({ report, data }) => {
+        logReport(report, {
+          ...resolved,
+          context: resolved.includeContext ? sanitizeLogContext(data) : void 0
+        });
+      });
     }
   };
 }
 function logReport(report, options = {}) {
-  const { level = "info", sink = defaultSink, minScore = 0 } = options;
+  const {
+    level = "info",
+    sink = defaultSink,
+    minScore = 0,
+    context,
+    includeContext = true
+  } = options;
   if (report.score < minScore) {
     return;
   }
   const entryLevel = resolveLogLevel(report, level);
+  if (!shouldLog(level, entryLevel)) {
+    return;
+  }
   sink.write({
     level: entryLevel,
-    message: `Risk analysis complete: ${report.level} (${report.score})`,
+    message: `Risk analysis: ${report.level} (score ${report.score})`,
     report,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    context: includeContext ? sanitizeLogContext(context) : void 0
   });
 }
-function analyzeAndLog(guardian, options = {}) {
-  const report = guardian.analyze();
-  logReport(report, options);
+async function analyzeAndLog(guardian, context, options = {}) {
+  const report = await guardian.analyzeAsync(context);
+  logReport(report, { ...options, context });
   return report;
 }
+function sanitizeLogContext(context) {
+  if (context === null || context === void 0) {
+    return void 0;
+  }
+  if (typeof context !== "object") {
+    return void 0;
+  }
+  const record = context;
+  return {
+    method: typeof record.method === "string" ? record.method : void 0,
+    path: typeof record.path === "string" ? record.path : typeof record.originalUrl === "string" ? record.originalUrl : void 0,
+    ip: typeof record.ip === "string" ? record.ip : void 0
+  };
+}
 function resolveLogLevel(report, configured) {
   if (report.level === "CRITICAL") {
     return "error";
@@ -57,6 +94,4 @@ function shouldLog(configured, actual) {
   return LEVEL_ORDER[actual] >= LEVEL_ORDER[configured];
 }
 
-export { analyzeAndLog, logReport, loggerPlugin, shouldLog };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export { analyzeAndLog, logReport, loggerPlugin, sanitizeLogContext, shouldLog };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardian-risk-logger",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Audit logging plugin for guardian-risk — logs reports and matched rules",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -20,7 +20,10 @@
   },
   "sideEffects": false,
   "files": [
-    "dist",
+    "dist/index.js",
+    "dist/index.cjs",
+    "dist/index.d.ts",
+    "dist/index.d.cts",
     "README.md",
     "LICENSE"
   ],
@@ -36,6 +39,7 @@
     "risk",
     "security"
   ],
+  "author": "himanshuusinghh",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -46,16 +50,17 @@
   "bugs": {
     "url": "https://github.com/himanshu6306singh/guardian-risk/issues"
   },
+  "security": "https://github.com/himanshu6306singh/guardian-risk/security/policy",
   "publishConfig": {
     "access": "public"
   },
   "peerDependencies": {
-    "guardian-risk": "^0.2.0"
+    "guardian-risk": "^0.3.0"
   },
   "devDependencies": {
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
-    "guardian-risk": "0.2.0"
+    "guardian-risk": "0.3.0"
   },
   "scripts": {
     "build": "tsup",

package/dist/index.cjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;AA4BA,IAAM,WAAA,GAAwC;AAAA,EAC5C,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO;AACT,CAAA;AAEA,IAAM,WAAA,GAAuB;AAAA,EAC3B,MAAM,KAAA,EAAa;AACjB,IAAA,MAAM,OAAA,GAAU,KAAK,SAAA,CAAU;AAAA,MAC7B,OAAO,KAAA,CAAM,KAAA;AAAA,MACb,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,KAAA,EAAO,MAAM,MAAA,CAAO,KAAA;AAAA,MACpB,SAAA,EAAW,MAAM,MAAA,CAAO,KAAA;AAAA,MACxB,YAAA,EAAc,KAAA,CAAM,MAAA,CAAO,YAAA,CAAa,MAAA;AAAA,MACxC,WAAW,KAAA,CAAM;AAAA,KAClB,CAAA;AACD,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,gBAAA,EAAmB,OAAO,CAAA,CAAE,CAAA;AAAA,EAC1C;AACF,CAAA;AAQO,SAAS,YAAA,CAAa,OAAA,GAA+B,EAAC,EAAW;AACtE,EAAA,MAAM,EAAE,KAAA,GAAQ,MAAA,EAAQ,OAAO,WAAA,EAAa,QAAA,GAAW,GAAE,GAAI,OAAA;AAE7D,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,sBAAA;AAAA,IACN,QAAQ,SAAA,EAAW;AAGZ,IAEP;AAAA,GACF;AACF;AAKO,SAAS,SAAA,CACd,MAAA,EACA,OAAA,GAA+B,EAAC,EAC1B;AACN,EAAA,MAAM,EAAE,KAAA,GAAQ,MAAA,EAAQ,OAAO,WAAA,EAAa,QAAA,GAAW,GAAE,GAAI,OAAA;AAE7D,EAAA,IAAI,MAAA,CAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,UAAA,GAAa,eAAA,CAAgB,MAAA,EAAQ,KAAK,CAAA;AAEhD,EAAA,IAAA,CAAK,KAAA,CAAM;AAAA,IACT,KAAA,EAAO,UAAA;AAAA,IACP,SAAS,CAAA,wBAAA,EAA2B,MAAA,CAAO,KAAK,CAAA,EAAA,EAAK,OAAO,KAAK,CAAA,CAAA,CAAA;AAAA,IACjE,MAAA;AAAA,IACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACnC,CAAA;AACH;AAKO,SAAS,aAAA,CACd,QAAA,EACA,OAAA,GAA+B,EAAC,EACpB;AACZ,EAAA,MAAM,MAAA,GAAS,SAAS,OAAA,EAAQ;AAChC,EAAA,SAAA,CAAU,QAAQ,OAAO,CAAA;AACzB,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,eAAA,CAAgB,QAAoB,UAAA,EAAgC;AAC3E,EAAA,IAAI,MAAA,CAAO,UAAU,UAAA,EAAY;AAC/B,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,MAAA,CAAO,UAAU,MAAA,EAAQ;AAC3B,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAA;AACT;AAEA,SAAS,SAAA,CAAU,YAAsB,MAAA,EAA2B;AAClE,EAAA,OAAO,WAAA,CAAY,MAAM,CAAA,IAAK,WAAA,CAAY,UAAU,CAAA;AACtD","file":"index.cjs","sourcesContent":["import type { Plugin, RiskReport } from 'guardian-risk';\n\n/** Log severity level. */\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\n/** Sink that receives structured log entries. */\nexport interface LogSink {\n  write(entry: LogEntry): void;\n}\n\n/** Structured log entry for a risk analysis. */\nexport interface LogEntry {\n  readonly level: LogLevel;\n  readonly message: string;\n  readonly report: RiskReport;\n  readonly timestamp: string;\n}\n\n/** Options for the logger plugin (stub). */\nexport interface LoggerPluginOptions {\n  /** Minimum level to emit. */\n  readonly level?: LogLevel;\n  /** Custom sink. Defaults to console. */\n  readonly sink?: LogSink;\n  /** Log only when score exceeds this threshold. */\n  readonly minScore?: number;\n}\n\nconst LEVEL_ORDER: Record<LogLevel, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n};\n\nconst defaultSink: LogSink = {\n  write(entry): void {\n    const payload = JSON.stringify({\n      level: entry.level,\n      message: entry.message,\n      score: entry.report.score,\n      riskLevel: entry.report.level,\n      matchedRules: entry.report.matchedRules.length,\n      timestamp: entry.timestamp,\n    });\n    console.log(`[guardian-risk] ${payload}`);\n  },\n};\n\n/**\n * Logger plugin for guardian-risk.\n *\n * @stub Future versions will hook into analyze() automatically.\n * For now, use `logReport()` after `guardian.analyze()`.\n */\nexport function loggerPlugin(options: LoggerPluginOptions = {}): Plugin {\n  const { level = 'info', sink = defaultSink, minScore = 0 } = options;\n\n  return {\n    name: 'guardian-risk-logger',\n    install(_guardian) {\n      void level;\n      void sink;\n      void minScore;\n      // Stub: will wrap analyze() and emit audit logs automatically\n    },\n  };\n}\n\n/**\n * Log a risk report to the configured sink.\n */\nexport function logReport(\n  report: RiskReport,\n  options: LoggerPluginOptions = {},\n): void {\n  const { level = 'info', sink = defaultSink, minScore = 0 } = options;\n\n  if (report.score < minScore) {\n    return;\n  }\n\n  const entryLevel = resolveLogLevel(report, level);\n\n  sink.write({\n    level: entryLevel,\n    message: `Risk analysis complete: ${report.level} (${report.score})`,\n    report,\n    timestamp: new Date().toISOString(),\n  });\n}\n\n/**\n * Analyze and log in one step.\n */\nexport function analyzeAndLog(\n  guardian: import('guardian-risk').Guardian,\n  options: LoggerPluginOptions = {},\n): RiskReport {\n  const report = guardian.analyze();\n  logReport(report, options);\n  return report;\n}\n\nfunction resolveLogLevel(report: RiskReport, configured: LogLevel): LogLevel {\n  if (report.level === 'CRITICAL') {\n    return 'error';\n  }\n  if (report.level === 'HIGH') {\n    return 'warn';\n  }\n  return configured;\n}\n\nfunction shouldLog(configured: LogLevel, actual: LogLevel): boolean {\n  return LEVEL_ORDER[actual] >= LEVEL_ORDER[configured];\n}\n\nexport { shouldLog };\n"]}

package/dist/index.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";AA4BA,IAAM,WAAA,GAAwC;AAAA,EAC5C,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO;AACT,CAAA;AAEA,IAAM,WAAA,GAAuB;AAAA,EAC3B,MAAM,KAAA,EAAa;AACjB,IAAA,MAAM,OAAA,GAAU,KAAK,SAAA,CAAU;AAAA,MAC7B,OAAO,KAAA,CAAM,KAAA;AAAA,MACb,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,KAAA,EAAO,MAAM,MAAA,CAAO,KAAA;AAAA,MACpB,SAAA,EAAW,MAAM,MAAA,CAAO,KAAA;AAAA,MACxB,YAAA,EAAc,KAAA,CAAM,MAAA,CAAO,YAAA,CAAa,MAAA;AAAA,MACxC,WAAW,KAAA,CAAM;AAAA,KAClB,CAAA;AACD,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,gBAAA,EAAmB,OAAO,CAAA,CAAE,CAAA;AAAA,EAC1C;AACF,CAAA;AAQO,SAAS,YAAA,CAAa,OAAA,GAA+B,EAAC,EAAW;AACtE,EAAA,MAAM,EAAE,KAAA,GAAQ,MAAA,EAAQ,OAAO,WAAA,EAAa,QAAA,GAAW,GAAE,GAAI,OAAA;AAE7D,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,sBAAA;AAAA,IACN,QAAQ,SAAA,EAAW;AAGZ,IAEP;AAAA,GACF;AACF;AAKO,SAAS,SAAA,CACd,MAAA,EACA,OAAA,GAA+B,EAAC,EAC1B;AACN,EAAA,MAAM,EAAE,KAAA,GAAQ,MAAA,EAAQ,OAAO,WAAA,EAAa,QAAA,GAAW,GAAE,GAAI,OAAA;AAE7D,EAAA,IAAI,MAAA,CAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,UAAA,GAAa,eAAA,CAAgB,MAAA,EAAQ,KAAK,CAAA;AAEhD,EAAA,IAAA,CAAK,KAAA,CAAM;AAAA,IACT,KAAA,EAAO,UAAA;AAAA,IACP,SAAS,CAAA,wBAAA,EAA2B,MAAA,CAAO,KAAK,CAAA,EAAA,EAAK,OAAO,KAAK,CAAA,CAAA,CAAA;AAAA,IACjE,MAAA;AAAA,IACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACnC,CAAA;AACH;AAKO,SAAS,aAAA,CACd,QAAA,EACA,OAAA,GAA+B,EAAC,EACpB;AACZ,EAAA,MAAM,MAAA,GAAS,SAAS,OAAA,EAAQ;AAChC,EAAA,SAAA,CAAU,QAAQ,OAAO,CAAA;AACzB,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,eAAA,CAAgB,QAAoB,UAAA,EAAgC;AAC3E,EAAA,IAAI,MAAA,CAAO,UAAU,UAAA,EAAY;AAC/B,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,MAAA,CAAO,UAAU,MAAA,EAAQ;AAC3B,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAA;AACT;AAEA,SAAS,SAAA,CAAU,YAAsB,MAAA,EAA2B;AAClE,EAAA,OAAO,WAAA,CAAY,MAAM,CAAA,IAAK,WAAA,CAAY,UAAU,CAAA;AACtD","file":"index.js","sourcesContent":["import type { Plugin, RiskReport } from 'guardian-risk';\n\n/** Log severity level. */\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\n/** Sink that receives structured log entries. */\nexport interface LogSink {\n  write(entry: LogEntry): void;\n}\n\n/** Structured log entry for a risk analysis. */\nexport interface LogEntry {\n  readonly level: LogLevel;\n  readonly message: string;\n  readonly report: RiskReport;\n  readonly timestamp: string;\n}\n\n/** Options for the logger plugin (stub). */\nexport interface LoggerPluginOptions {\n  /** Minimum level to emit. */\n  readonly level?: LogLevel;\n  /** Custom sink. Defaults to console. */\n  readonly sink?: LogSink;\n  /** Log only when score exceeds this threshold. */\n  readonly minScore?: number;\n}\n\nconst LEVEL_ORDER: Record<LogLevel, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n};\n\nconst defaultSink: LogSink = {\n  write(entry): void {\n    const payload = JSON.stringify({\n      level: entry.level,\n      message: entry.message,\n      score: entry.report.score,\n      riskLevel: entry.report.level,\n      matchedRules: entry.report.matchedRules.length,\n      timestamp: entry.timestamp,\n    });\n    console.log(`[guardian-risk] ${payload}`);\n  },\n};\n\n/**\n * Logger plugin for guardian-risk.\n *\n * @stub Future versions will hook into analyze() automatically.\n * For now, use `logReport()` after `guardian.analyze()`.\n */\nexport function loggerPlugin(options: LoggerPluginOptions = {}): Plugin {\n  const { level = 'info', sink = defaultSink, minScore = 0 } = options;\n\n  return {\n    name: 'guardian-risk-logger',\n    install(_guardian) {\n      void level;\n      void sink;\n      void minScore;\n      // Stub: will wrap analyze() and emit audit logs automatically\n    },\n  };\n}\n\n/**\n * Log a risk report to the configured sink.\n */\nexport function logReport(\n  report: RiskReport,\n  options: LoggerPluginOptions = {},\n): void {\n  const { level = 'info', sink = defaultSink, minScore = 0 } = options;\n\n  if (report.score < minScore) {\n    return;\n  }\n\n  const entryLevel = resolveLogLevel(report, level);\n\n  sink.write({\n    level: entryLevel,\n    message: `Risk analysis complete: ${report.level} (${report.score})`,\n    report,\n    timestamp: new Date().toISOString(),\n  });\n}\n\n/**\n * Analyze and log in one step.\n */\nexport function analyzeAndLog(\n  guardian: import('guardian-risk').Guardian,\n  options: LoggerPluginOptions = {},\n): RiskReport {\n  const report = guardian.analyze();\n  logReport(report, options);\n  return report;\n}\n\nfunction resolveLogLevel(report: RiskReport, configured: LogLevel): LogLevel {\n  if (report.level === 'CRITICAL') {\n    return 'error';\n  }\n  if (report.level === 'HIGH') {\n    return 'warn';\n  }\n  return configured;\n}\n\nfunction shouldLog(configured: LogLevel, actual: LogLevel): boolean {\n  return LEVEL_ORDER[actual] >= LEVEL_ORDER[configured];\n}\n\nexport { shouldLog };\n"]}