kavachos 0.0.3 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/a2a/index.d.ts +2341 -0
  2. package/dist/a2a/index.js +821 -0
  3. package/dist/a2a/index.js.map +1 -0
  4. package/dist/agent/index.d.ts +3 -3
  5. package/dist/agent/index.js +3 -2
  6. package/dist/audit/index.d.ts +2 -2
  7. package/dist/audit/index.js +2 -2
  8. package/dist/auth/index.d.ts +490 -92
  9. package/dist/auth/index.js +3 -2
  10. package/dist/chunk-3AZDFCQF.js +186 -0
  11. package/dist/chunk-3AZDFCQF.js.map +1 -0
  12. package/dist/{chunk-SJGSPIAD.js → chunk-4CANWZWP.js} +3 -3
  13. package/dist/{chunk-SJGSPIAD.js.map → chunk-4CANWZWP.js.map} +1 -1
  14. package/dist/{chunk-KL6XW4S4.js → chunk-62P5FJ34.js} +2375 -633
  15. package/dist/chunk-62P5FJ34.js.map +1 -0
  16. package/dist/chunk-ELGG2VW2.js +538 -0
  17. package/dist/chunk-ELGG2VW2.js.map +1 -0
  18. package/dist/{chunk-5DT4DN4Y.js → chunk-IS5FRKIS.js} +13 -13
  19. package/dist/chunk-IS5FRKIS.js.map +1 -0
  20. package/dist/{chunk-V66UUIA7.js → chunk-KNNJ4COO.js} +92 -3
  21. package/dist/chunk-KNNJ4COO.js.map +1 -0
  22. package/dist/{chunk-OVGNZ5OX.js → chunk-O7VQ2LQE.js} +6 -6
  23. package/dist/chunk-O7VQ2LQE.js.map +1 -0
  24. package/dist/index.d.ts +138 -5
  25. package/dist/index.js +564 -29
  26. package/dist/index.js.map +1 -1
  27. package/dist/mcp/index.d.ts +2 -2
  28. package/dist/mcp/index.js +11 -15
  29. package/dist/mcp/index.js.map +1 -1
  30. package/dist/permission/index.d.ts +3 -3
  31. package/dist/permission/index.js +3 -2
  32. package/dist/{types-Xk83hv4O.d.ts → types-BTui0HQU.d.ts} +1763 -98
  33. package/dist/vc/index.d.ts +800 -0
  34. package/dist/vc/index.js +5 -0
  35. package/dist/vc/index.js.map +1 -0
  36. package/package.json +17 -1
  37. package/dist/chunk-5DT4DN4Y.js.map +0 -1
  38. package/dist/chunk-KL6XW4S4.js.map +0 -1
  39. package/dist/chunk-OVGNZ5OX.js.map +0 -1
  40. package/dist/chunk-V66UUIA7.js.map +0 -1
  41. package/dist/{types-mwupB57A.d.ts → types-BuHrZcjE.d.ts} +2 -2
@@ -0,0 +1,186 @@
1
+ // src/crypto/web-crypto.ts
2
+ var HEX_CHARS = "0123456789abcdef";
3
+ function toHex(bytes) {
4
+ let hex = "";
5
+ for (let i = 0; i < bytes.length; i++) {
6
+ const b = bytes[i];
7
+ hex += HEX_CHARS[b >> 4];
8
+ hex += HEX_CHARS[b & 15];
9
+ }
10
+ return hex;
11
+ }
12
+ function fromHex(hex) {
13
+ if (hex.length % 2 !== 0) {
14
+ throw new Error("fromHex: hex string must have even length");
15
+ }
16
+ const bytes = new Uint8Array(hex.length / 2);
17
+ for (let i = 0; i < bytes.length; i++) {
18
+ const hi = parseInt(hex[i * 2], 16);
19
+ const lo = parseInt(hex[i * 2 + 1], 16);
20
+ if (Number.isNaN(hi) || Number.isNaN(lo)) {
21
+ throw new Error(`fromHex: invalid hex character at position ${i * 2}`);
22
+ }
23
+ bytes[i] = hi << 4 | lo;
24
+ }
25
+ return bytes;
26
+ }
27
+ function toBase64Url(bytes) {
28
+ let binary = "";
29
+ for (let i = 0; i < bytes.length; i++) {
30
+ binary += String.fromCharCode(bytes[i]);
31
+ }
32
+ return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
33
+ }
34
+ function fromBase64Url(b64) {
35
+ let base64 = b64.replace(/-/g, "+").replace(/_/g, "/");
36
+ while (base64.length % 4 !== 0) {
37
+ base64 += "=";
38
+ }
39
+ const binary = atob(base64);
40
+ const bytes = new Uint8Array(binary.length);
41
+ for (let i = 0; i < binary.length; i++) {
42
+ bytes[i] = binary.charCodeAt(i);
43
+ }
44
+ return bytes;
45
+ }
46
+ function generateId() {
47
+ return globalThis.crypto.randomUUID();
48
+ }
49
+ function randomBytes(length) {
50
+ const bytes = new Uint8Array(length);
51
+ globalThis.crypto.getRandomValues(bytes);
52
+ return bytes;
53
+ }
54
+ function randomBytesHex(length) {
55
+ return toHex(randomBytes(length));
56
+ }
57
+ var TEXT_ENCODER = new TextEncoder();
58
+ function toBytes(data) {
59
+ if (typeof data === "string") {
60
+ const encoded = TEXT_ENCODER.encode(data);
61
+ return encoded.buffer.slice(
62
+ encoded.byteOffset,
63
+ encoded.byteOffset + encoded.byteLength
64
+ );
65
+ }
66
+ return data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
67
+ }
68
+ async function sha256(data) {
69
+ const digest = await globalThis.crypto.subtle.digest("SHA-256", toBytes(data));
70
+ return toHex(new Uint8Array(digest));
71
+ }
72
+ async function sha256Raw(data) {
73
+ const digest = await globalThis.crypto.subtle.digest("SHA-256", toBytes(data));
74
+ return new Uint8Array(digest);
75
+ }
76
+ async function sha1(data) {
77
+ const digest = await globalThis.crypto.subtle.digest("SHA-1", toBytes(data));
78
+ return toHex(new Uint8Array(digest));
79
+ }
80
+ async function importHmacKey(key, hash = "SHA-256") {
81
+ const keyData = typeof key === "string" ? TEXT_ENCODER.encode(key) : key;
82
+ return globalThis.crypto.subtle.importKey(
83
+ "raw",
84
+ keyData.buffer.slice(
85
+ keyData.byteOffset,
86
+ keyData.byteOffset + keyData.byteLength
87
+ ),
88
+ { name: "HMAC", hash: { name: hash } },
89
+ false,
90
+ ["sign", "verify"]
91
+ );
92
+ }
93
+ async function hmacSha256(key, data) {
94
+ const cryptoKey = await importHmacKey(key, "SHA-256");
95
+ const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, toBytes(data));
96
+ return toHex(new Uint8Array(signature));
97
+ }
98
+ async function hmacSha256Raw(key, data) {
99
+ const cryptoKey = await importHmacKey(key, "SHA-256");
100
+ const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, toBytes(data));
101
+ return new Uint8Array(signature);
102
+ }
103
+ async function hmacSha1Raw(key, data) {
104
+ const cryptoKey = await importHmacKey(key, "SHA-1");
105
+ const buf = data.buffer.slice(
106
+ data.byteOffset,
107
+ data.byteOffset + data.byteLength
108
+ );
109
+ const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, buf);
110
+ return new Uint8Array(signature);
111
+ }
112
+ var PBKDF2_ITERATIONS = 6e5;
113
+ var PBKDF2_KEY_LENGTH = 64;
114
+ var PBKDF2_SALT_LENGTH = 32;
115
+ async function pbkdf2Hash(password, salt, iterations) {
116
+ const actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);
117
+ const actualIterations = iterations ?? PBKDF2_ITERATIONS;
118
+ const keyMaterial = await globalThis.crypto.subtle.importKey(
119
+ "raw",
120
+ TEXT_ENCODER.encode(password),
121
+ "PBKDF2",
122
+ false,
123
+ ["deriveBits"]
124
+ );
125
+ const saltBuf = actualSalt.buffer.slice(
126
+ actualSalt.byteOffset,
127
+ actualSalt.byteOffset + actualSalt.byteLength
128
+ );
129
+ const derived = await globalThis.crypto.subtle.deriveBits(
130
+ {
131
+ name: "PBKDF2",
132
+ salt: saltBuf,
133
+ iterations: actualIterations,
134
+ hash: "SHA-256"
135
+ },
136
+ keyMaterial,
137
+ PBKDF2_KEY_LENGTH * 8
138
+ );
139
+ return `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;
140
+ }
141
+ async function pbkdf2Verify(password, stored) {
142
+ const parts = stored.split(":");
143
+ if (parts.length !== 4 || parts[0] !== "pbkdf2") {
144
+ return false;
145
+ }
146
+ const iterations = parseInt(parts[1], 10);
147
+ const salt = fromHex(parts[2]);
148
+ const storedHash = fromHex(parts[3]);
149
+ if (Number.isNaN(iterations)) return false;
150
+ const keyMaterial = await globalThis.crypto.subtle.importKey(
151
+ "raw",
152
+ TEXT_ENCODER.encode(password),
153
+ "PBKDF2",
154
+ false,
155
+ ["deriveBits"]
156
+ );
157
+ const saltBuf = salt.buffer.slice(
158
+ salt.byteOffset,
159
+ salt.byteOffset + salt.byteLength
160
+ );
161
+ const derived = await globalThis.crypto.subtle.deriveBits(
162
+ {
163
+ name: "PBKDF2",
164
+ salt: saltBuf,
165
+ iterations,
166
+ hash: "SHA-256"
167
+ },
168
+ keyMaterial,
169
+ storedHash.length * 8
170
+ );
171
+ return constantTimeEqual(new Uint8Array(derived), storedHash);
172
+ }
173
+ function constantTimeEqual(a, b) {
174
+ if (a.byteLength !== b.byteLength) {
175
+ return false;
176
+ }
177
+ let diff = 0;
178
+ for (let i = 0; i < a.byteLength; i++) {
179
+ diff |= a[i] ^ b[i];
180
+ }
181
+ return diff === 0;
182
+ }
183
+
184
+ export { constantTimeEqual, fromBase64Url, fromHex, generateId, hmacSha1Raw, hmacSha256, hmacSha256Raw, importHmacKey, pbkdf2Hash, pbkdf2Verify, randomBytes, randomBytesHex, sha1, sha256, sha256Raw, toBase64Url, toHex };
185
+ //# sourceMappingURL=chunk-3AZDFCQF.js.map
186
+ //# sourceMappingURL=chunk-3AZDFCQF.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/crypto/web-crypto.ts"],"names":[],"mappings":";AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAGO,SAAS,QAAQ,GAAA,EAAyB;AAChD,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC5D;AACA,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAC5C,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,IAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAChD,IAAA,IAAI,OAAO,KAAA,CAAM,EAAE,KAAK,MAAA,CAAO,KAAA,CAAM,EAAE,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2CAAA,EAA8C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACtE;AACA,IAAA,KAAA,CAAM,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACxB;AACA,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAGO,SAAS,cAAc,GAAA,EAAyB;AAEtD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC/B,IAAA,MAAA,IAAU,GAAA;AAAA,EACX;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,KAAA;AACR;AAOO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,eAAe,MAAA,EAAwB;AACtD,EAAA,OAAO,KAAA,CAAM,WAAA,CAAY,MAAM,CAAC,CAAA;AACjC;AAMA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAGA,eAAsB,UAAU,IAAA,EAAgD;AAC/E,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC7B;AAGA,eAAsB,KAAK,IAAA,EAA4C;AACtE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,OAAA,EAAS,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC3E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAOA,eAAsB,aAAA,CACrB,GAAA,EACA,IAAA,GAA4B,SAAA,EACP;AACrB,EAAA,MAAM,UAAU,OAAO,GAAA,KAAQ,WAAW,YAAA,CAAa,MAAA,CAAO,GAAG,CAAA,GAAI,GAAA;AACrE,EAAA,OAAO,UAAA,CAAW,OAAO,MAAA,CAAO,SAAA;AAAA,IAC/B,KAAA;AAAA,IACC,QAAQ,MAAA,CAAuB,KAAA;AAAA,MAC/B,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,EAAE,IAAA,EAAM,MAAK,EAAE;AAAA,IACrC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GAClB;AACD;AAGA,eAAsB,UAAA,CACrB,KACA,IAAA,EACkB;AAClB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AACvC;AAGA,eAAsB,aAAA,CACrB,KACA,IAAA,EACsB;AACtB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAGA,eAAsB,WAAA,CAAY,KAAiB,IAAA,EAAuC;AACzF,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,OAAO,CAAA;AAClD,EAAA,MAAM,GAAA,GAAO,KAAK,MAAA,CAAuB,KAAA;AAAA,IACxC,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,WAAW,GAAG,CAAA;AAC5E,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAMA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,kBAAA,GAAqB,EAAA;AAQ3B,eAAsB,UAAA,CACrB,QAAA,EACA,IAAA,EACA,UAAA,EACkB;AAClB,EAAA,MAAM,UAAA,GAAa,IAAA,IAAQ,WAAA,CAAY,kBAAkB,CAAA;AACzD,EAAA,MAAM,mBAAmB,UAAA,IAAc,iBAAA;AAEvC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,WAAW,MAAA,CAAuB,KAAA;AAAA,IAClD,UAAA,CAAW,UAAA;AAAA,IACX,UAAA,CAAW,aAAa,UAAA,CAAW;AAAA,GACpC;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA,EAAY,gBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,iBAAA,GAAoB;AAAA,GACrB;AAEA,EAAA,OAAO,CAAA,OAAA,EAAU,gBAAgB,CAAA,CAAA,EAAI,KAAA,CAAM,UAAU,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,IAAI,UAAA,CAAW,OAAO,CAAC,CAAC,CAAA,CAAA;AACzF;AAOA,eAAsB,YAAA,CAAa,UAAkB,MAAA,EAAkC;AACtF,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,MAAM,QAAA,EAAU;AAChD,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AAClD,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AACvC,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AAE7C,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,UAAU,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,KAAK,MAAA,CAAuB,KAAA;AAAA,IAC5C,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA;AAAA,MACA,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,WAAW,MAAA,GAAS;AAAA,GACrB;AAEA,EAAA,OAAO,iBAAA,CAAkB,IAAI,UAAA,CAAW,OAAO,GAAG,UAAU,CAAA;AAC7D;AAUO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACxE,EAAA,IAAI,CAAA,CAAE,UAAA,KAAe,CAAA,CAAE,UAAA,EAAY;AAClC,IAAA,OAAO,KAAA;AAAA,EACR;AACA,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,YAAY,CAAA,EAAA,EAAK;AACtC,IAAA,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB","file":"chunk-3AZDFCQF.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). */\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 600_000; // OWASP 2023 recommendation for SHA-256\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// ---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n"]}
@@ -1,4 +1,4 @@
1
- import { auditLogs } from './chunk-V66UUIA7.js';
1
+ import { auditLogs } from './chunk-KNNJ4COO.js';
2
2
  import { eq, gte, lte, desc, and, lt } from 'drizzle-orm';
3
3
 
4
4
  function createAuditModule(config) {
@@ -97,5 +97,5 @@ function toAuditEntry(row) {
97
97
  }
98
98
 
99
99
  export { createAuditModule };
100
- //# sourceMappingURL=chunk-SJGSPIAD.js.map
101
- //# sourceMappingURL=chunk-SJGSPIAD.js.map
100
+ //# sourceMappingURL=chunk-4CANWZWP.js.map
101
+ //# sourceMappingURL=chunk-4CANWZWP.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-SJGSPIAD.js","sourcesContent":["import { and, desc, eq, gte, lt, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) {\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\t/**\n\t * Delete audit log entries older than the specified retention period.\n\t * Returns the count of deleted rows.\n\t */\n\tasync function cleanup(options: { retentionDays: number }): Promise<{ deleted: number }> {\n\t\tconst cutoff = new Date(Date.now() - options.retentionDays * 24 * 60 * 60 * 1000);\n\n\t\t// Count rows to be deleted before removing them\n\t\tconst toDelete = await db\n\t\t\t.select({ id: auditLogs.id })\n\t\t\t.from(auditLogs)\n\t\t\t.where(lt(auditLogs.timestamp, cutoff));\n\n\t\tif (toDelete.length === 0) {\n\t\t\treturn { deleted: 0 };\n\t\t}\n\n\t\tawait db.delete(auditLogs).where(lt(auditLogs.timestamp, cutoff));\n\n\t\treturn { deleted: toDelete.length };\n\t}\n\n\treturn { query, export: exportLogs, cleanup };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}
1
+ {"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-4CANWZWP.js","sourcesContent":["import { and, desc, eq, gte, lt, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) {\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\t/**\n\t * Delete audit log entries older than the specified retention period.\n\t * Returns the count of deleted rows.\n\t */\n\tasync function cleanup(options: { retentionDays: number }): Promise<{ deleted: number }> {\n\t\tconst cutoff = new Date(Date.now() - options.retentionDays * 24 * 60 * 60 * 1000);\n\n\t\t// Count rows to be deleted before removing them\n\t\tconst toDelete = await db\n\t\t\t.select({ id: auditLogs.id })\n\t\t\t.from(auditLogs)\n\t\t\t.where(lt(auditLogs.timestamp, cutoff));\n\n\t\tif (toDelete.length === 0) {\n\t\t\treturn { deleted: 0 };\n\t\t}\n\n\t\tawait db.delete(auditLogs).where(lt(auditLogs.timestamp, cutoff));\n\n\t\treturn { deleted: toDelete.length };\n\t}\n\n\treturn { query, export: exportLogs, cleanup };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}