mcpmake 0.1.1 → 0.2.0

package/dist/cloud/multipart.d.ts

@@ -1,26 +0,0 @@
-/**
- * Minimal multipart/form-data parser.
- * Handles simple file uploads without external dependencies.
- * Extracted to a separate module to avoid circular dependencies.
- */
-import http from 'node:http';
-export interface ParsedMultipart {
-    fields: Map<string, string>;
-    files: Map<string, {
-        filename?: string;
-        contentType?: string;
-        data: Buffer;
-    }>;
-}
-/**
- * Parse a multipart/form-data request body.
- */
-export declare function parseMultipart(req: http.IncomingMessage, contentType: string, maxSize?: number): Promise<ParsedMultipart | null>;
-/**
- * Check whether a filename has an allowed spec extension.
- */
-export declare function isAllowedSpecFile(filename: string): boolean;
-/**
- * Extract a safe file extension from a filename.
- */
-export declare function getSafeExtension(filename: string): string;

package/dist/cloud/multipart.js

@@ -1,132 +0,0 @@
-/**
- * Minimal multipart/form-data parser.
- * Handles simple file uploads without external dependencies.
- * Extracted to a separate module to avoid circular dependencies.
- */
-const ALLOWED_EXTENSIONS = new Set(['.yaml', '.yml', '.json', '.har']);
-/**
- * Parse a multipart/form-data request body.
- */
-export async function parseMultipart(req, contentType, maxSize = 6 * 1024 * 1024) {
-    const boundaryMatch = contentType.match(/boundary=([^\s;]+)/);
-    if (!boundaryMatch)
-        return null;
-    const boundary = boundaryMatch[1];
-    const body = await readBody(req, maxSize);
-    if (!body)
-        return null;
-    const result = {
-        fields: new Map(),
-        files: new Map(),
-    };
-    const boundaryBuffer = Buffer.from(`--${boundary}`);
-    const parts = splitByBoundary(body, boundaryBuffer);
-    for (const part of parts) {
-        const headerEnd = findSequence(part, Buffer.from('\r\n\r\n'));
-        if (headerEnd === -1)
-            continue;
-        const headerSection = part.subarray(0, headerEnd).toString('utf-8');
-        const partBody = part.subarray(headerEnd + 4);
-        const dispositionMatch = headerSection.match(/Content-Disposition:\s*form-data;\s*name="([^"]+)"(?:;\s*filename="([^"]*)")?/i);
-        if (!dispositionMatch)
-            continue;
-        const fieldName = dispositionMatch[1];
-        const filename = dispositionMatch[2];
-        if (filename !== undefined) {
-            const ctMatch = headerSection.match(/Content-Type:\s*([^\r\n]+)/i);
-            result.files.set(fieldName, {
-                filename: filename || undefined,
-                contentType: ctMatch?.[1]?.trim(),
-                data: partBody,
-            });
-        }
-        else {
-            result.fields.set(fieldName, partBody.toString('utf-8'));
-        }
-    }
-    return result;
-}
-/**
- * Check whether a filename has an allowed spec extension.
- */
-export function isAllowedSpecFile(filename) {
-    const dot = filename.lastIndexOf('.');
-    if (dot === -1)
-        return false;
-    const ext = filename.slice(dot).toLowerCase();
-    return ALLOWED_EXTENSIONS.has(ext);
-}
-/**
- * Extract a safe file extension from a filename.
- */
-export function getSafeExtension(filename) {
-    const dot = filename.lastIndexOf('.');
-    if (dot === -1)
-        return '.json';
-    const ext = filename.slice(dot).toLowerCase();
-    return ALLOWED_EXTENSIONS.has(ext) ? ext : '.json';
-}
-// ---------------------------------------------------------------------------
-// Internal helpers
-// ---------------------------------------------------------------------------
-function readBody(req, maxSize) {
-    return new Promise((resolve) => {
-        const chunks = [];
-        let totalSize = 0;
-        req.on('data', (chunk) => {
-            totalSize += chunk.length;
-            if (totalSize > maxSize) {
-                req.destroy();
-                resolve(null);
-                return;
-            }
-            chunks.push(chunk);
-        });
-        req.on('end', () => {
-            resolve(Buffer.concat(chunks));
-        });
-        req.on('error', () => {
-            resolve(null);
-        });
-    });
-}
-function splitByBoundary(data, boundary) {
-    const parts = [];
-    let start = 0;
-    while (start < data.length) {
-        const idx = findSequence(data, boundary, start);
-        if (idx === -1)
-            break;
-        if (start > 0) {
-            let end = idx;
-            if (end >= 2 && data[end - 2] === 0x0d && data[end - 1] === 0x0a) {
-                end -= 2;
-            }
-            if (end > start) {
-                parts.push(data.subarray(start, end));
-            }
-        }
-        start = idx + boundary.length;
-        if (start + 1 < data.length && data[start] === 0x2d && data[start + 1] === 0x2d) {
-            break;
-        }
-        if (start + 1 < data.length && data[start] === 0x0d && data[start + 1] === 0x0a) {
-            start += 2;
-        }
-    }
-    return parts;
-}
-function findSequence(haystack, needle, offset = 0) {
-    for (let i = offset; i <= haystack.length - needle.length; i++) {
-        let match = true;
-        for (let j = 0; j < needle.length; j++) {
-            if (haystack[i + j] !== needle[j]) {
-                match = false;
-                break;
-            }
-        }
-        if (match)
-            return i;
-    }
-    return -1;
-}

package/dist/cloud/observability.d.ts

@@ -1,27 +0,0 @@
-/**
- * Lightweight observability: error reporting and startup config validation.
- *
- * Error reporting logs structured errors and, when `ERROR_WEBHOOK_URL` is set,
- * POSTs them to an external endpoint. The webhook is operator-configured and
- * trusted (Sentry's store endpoint, a Slack/Discord incoming webhook, or any
- * collector), so it is not subject to the user-URL SSRF guard.
- */
-/** True when the process is running in a production-like deployment. */
-export declare function isProduction(): boolean;
-/**
- * Report an error to logs and (if configured) an external collector.
- */
-export declare function reportError(error: unknown, context?: Record<string, unknown>): void;
-/**
- * Install process-level handlers so crashes are reported rather than silent.
- * Uncaught errors are logged + reported; the process is left running because a
- * single bad request must not take down the whole host.
- */
-export declare function installGlobalErrorHandlers(): void;
-/**
- * Validate required configuration at startup. Throws (loudly, before the server
- * accepts traffic) when a production deployment is missing critical secrets,
- * mirroring the ENCRYPTION_KEY guard. Emits non-fatal warnings for risky-but-
- * not-fatal misconfigurations (e.g. TRUST_PROXY).
- */
-export declare function validateStartupConfig(): void;

package/dist/cloud/observability.js

@@ -1,98 +0,0 @@
-/**
- * Lightweight observability: error reporting and startup config validation.
- *
- * Error reporting logs structured errors and, when `ERROR_WEBHOOK_URL` is set,
- * POSTs them to an external endpoint. The webhook is operator-configured and
- * trusted (Sentry's store endpoint, a Slack/Discord incoming webhook, or any
- * collector), so it is not subject to the user-URL SSRF guard.
- */
-import { logger } from '../utils/logger.js';
-/** True when the process is running in a production-like deployment. */
-export function isProduction() {
-    return process.env.NODE_ENV === 'production' || !!process.env.DOMAIN;
-}
-/**
- * Report an error to logs and (if configured) an external collector.
- */
-export function reportError(error, context) {
-    const err = error instanceof Error ? error : new Error(String(error));
-    const ctx = context ? ` ${JSON.stringify(context)}` : '';
-    logger.error(`[error] ${err.message}${ctx}\n${err.stack ?? ''}`);
-    const url = process.env.ERROR_WEBHOOK_URL;
-    if (!url)
-        return;
-    const payload = {
-        message: err.message,
-        stack: err.stack,
-        name: err.name,
-        ...context,
-    };
-    // Fire-and-forget; never let reporting failures cascade.
-    void fetch(url, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(payload),
-        signal: AbortSignal.timeout(5_000),
-    }).catch(() => { });
-}
-/**
- * Install process-level handlers so crashes are reported rather than silent.
- * Uncaught errors are logged + reported; the process is left running because a
- * single bad request must not take down the whole host.
- */
-export function installGlobalErrorHandlers() {
-    process.on('uncaughtException', (err) => reportError(err, { kind: 'uncaughtException' }));
-    process.on('unhandledRejection', (reason) => reportError(reason, { kind: 'unhandledRejection' }));
-}
-/**
- * Validate required configuration at startup. Throws (loudly, before the server
- * accepts traffic) when a production deployment is missing critical secrets,
- * mirroring the ENCRYPTION_KEY guard. Emits non-fatal warnings for risky-but-
- * not-fatal misconfigurations (e.g. TRUST_PROXY).
- */
-export function validateStartupConfig() {
-    if (!isProduction())
-        return;
-    const errors = [];
-    // SMTP is only required when email verification is actually enabled. Mirrors
-    // isEmailVerificationRequired() in web/auth.ts: verification is on when
-    // REQUIRE_EMAIL_VERIFICATION=true OR SMTP_HOST is set. So the only broken
-    // combination to fail-closed on is "verification demanded but no SMTP to send
-    // it" — i.e. REQUIRE_EMAIL_VERIFICATION=true with SMTP_HOST unset. A pre-launch
-    // / allowlist-gated deployment that never turns verification on does not need
-    // SMTP and must still be allowed to boot.
-    if (process.env.REQUIRE_EMAIL_VERIFICATION === 'true' && !process.env.SMTP_HOST) {
-        errors.push('REQUIRE_EMAIL_VERIFICATION=true but SMTP_HOST is unset — verification/' +
-            'password-reset email cannot be sent, locking users out. Set ' +
-            'SMTP_HOST/SMTP_PORT/SMTP_USER/SMTP_PASS/MAIL_FROM, or unset ' +
-            'REQUIRE_EMAIL_VERIFICATION to launch without email verification.');
-    }
-    if (!process.env.ENCRYPTION_KEY || process.env.ENCRYPTION_KEY.length < 32) {
-        errors.push('ENCRYPTION_KEY must be set to at least 32 characters in production.');
-    }
-    if (!process.env.DATABASE_URL) {
-        errors.push('DATABASE_URL must be set in production — without it the server runs in-memory ' +
-            'and loses all users, servers, and usage on restart.');
-    }
-    if (!process.env.ADMIN_TOKEN) {
-        errors.push('ADMIN_TOKEN must be set in production — it gates the JSON API ' +
-            '(POST /api/servers, admin listing). Without it those endpoints are unauthenticated.');
-    }
-    if (errors.length > 0) {
-        throw new Error(`Invalid production configuration:\n  - ${errors.join('\n  - ')}`);
-    }
-    // Non-fatal warnings.
-    if (process.env.TRUST_PROXY !== 'true') {
-        logger.warn('TRUST_PROXY is not "true". Behind a reverse proxy (Caddy) every request ' +
-            'appears to come from 127.0.0.1, so per-IP rate limiting collapses to a ' +
-            'single shared bucket. Set TRUST_PROXY=true when (and only when) running ' +
-            'behind a trusted proxy.');
-    }
-    if (!process.env.STRIPE_SECRET_KEY) {
-        logger.warn('STRIPE_SECRET_KEY is not set — billing/checkout is disabled.');
-    }
-    if (!process.env.ERROR_WEBHOOK_URL && !process.env.SENTRY_DSN) {
-        logger.warn('No ERROR_WEBHOOK_URL/SENTRY_DSN configured — errors are logged only. ' +
-            'Configure error tracking and an uptime monitor on /health before launch.');
-    }
-}

package/dist/cloud/rate-limiter.d.ts

@@ -1,31 +0,0 @@
-/**
- * Simple in-memory rate limiter using a sliding window counter.
- * Tracks requests per key (e.g., IP address or user ID).
- */
-export interface RateLimiterOptions {
-    /** Maximum requests allowed in the window */
-    maxRequests: number;
-    /** Window duration in ms (default: 86_400_000 = 24 hours) */
-    windowMs?: number;
-}
-export declare class RateLimiter {
-    private readonly windows;
-    private readonly maxRequests;
-    private readonly windowMs;
-    constructor(options: RateLimiterOptions);
-    get size(): number;
-    /**
-     * Check if a request is allowed for the given key.
-     * Returns { allowed, remaining, resetAt }.
-     */
-    check(key: string): {
-        allowed: boolean;
-        remaining: number;
-        resetAt: number;
-    };
-    /**
-     * Clean up expired windows to prevent memory leaks.
-     * Call periodically (e.g., every hour).
-     */
-    cleanup(): number;
-}

package/dist/cloud/rate-limiter.js

@@ -1,58 +0,0 @@
-/**
- * Simple in-memory rate limiter using a sliding window counter.
- * Tracks requests per key (e.g., IP address or user ID).
- */
-const MAX_KEYS = 10_000;
-export class RateLimiter {
-    windows = new Map();
-    maxRequests;
-    windowMs;
-    constructor(options) {
-        this.maxRequests = options.maxRequests;
-        this.windowMs = options.windowMs ?? 86_400_000;
-    }
-    get size() {
-        return this.windows.size;
-    }
-    /**
-     * Check if a request is allowed for the given key.
-     * Returns { allowed, remaining, resetAt }.
-     */
-    check(key) {
-        const now = Date.now();
-        let entry = this.windows.get(key);
-        // Evict if map is too large (prevent memory exhaustion from IP spraying)
-        if (this.windows.size > MAX_KEYS) {
-            this.cleanup();
-        }
-        // Reset window if expired
-        if (!entry || now >= entry.resetAt) {
-            entry = { count: 0, resetAt: now + this.windowMs };
-            this.windows.set(key, entry);
-        }
-        if (entry.count >= this.maxRequests) {
-            return { allowed: false, remaining: 0, resetAt: entry.resetAt };
-        }
-        entry.count++;
-        return {
-            allowed: true,
-            remaining: this.maxRequests - entry.count,
-            resetAt: entry.resetAt,
-        };
-    }
-    /**
-     * Clean up expired windows to prevent memory leaks.
-     * Call periodically (e.g., every hour).
-     */
-    cleanup() {
-        const now = Date.now();
-        let removed = 0;
-        for (const [key, entry] of this.windows) {
-            if (now >= entry.resetAt) {
-                this.windows.delete(key);
-                removed++;
-            }
-        }
-        return removed;
-    }
-}

package/dist/cloud/request-security.d.ts

@@ -1,5 +0,0 @@
-import http from 'node:http';
-export declare function getRequestHostname(req: http.IncomingMessage): string | undefined;
-export declare function isLocalHostname(hostname: string | undefined): boolean;
-export declare function isSecureRequest(req: http.IncomingMessage): boolean;
-export declare function getClientIp(req: http.IncomingMessage): string;

package/dist/cloud/request-security.js

@@ -1,74 +0,0 @@
-import { isIP } from 'node:net';
-const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);
-function getFirstHeaderValue(value) {
-    if (Array.isArray(value)) {
-        return getFirstHeaderValue(value[0]);
-    }
-    if (!value)
-        return undefined;
-    return value.split(',')[0]?.trim();
-}
-function normalizeHostname(hostHeader) {
-    if (!hostHeader)
-        return undefined;
-    const trimmed = hostHeader.trim().toLowerCase();
-    if (!trimmed)
-        return undefined;
-    if (trimmed.startsWith('[')) {
-        const closing = trimmed.indexOf(']');
-        return closing === -1 ? trimmed : trimmed.slice(1, closing);
-    }
-    const colonIndex = trimmed.indexOf(':');
-    return colonIndex === -1 ? trimmed : trimmed.slice(0, colonIndex);
-}
-function normalizeIp(value) {
-    if (!value)
-        return undefined;
-    const trimmed = value.trim();
-    if (!trimmed)
-        return undefined;
-    if (trimmed.startsWith('::ffff:')) {
-        const ipv4 = trimmed.slice('::ffff:'.length);
-        if (isIP(ipv4)) {
-            return ipv4;
-        }
-    }
-    if (isIP(trimmed)) {
-        return trimmed;
-    }
-    return undefined;
-}
-function trustProxyEnabled() {
-    const trustProxy = process.env.TRUST_PROXY?.toLowerCase().trim();
-    return trustProxy === '1' || trustProxy === 'true' || trustProxy === 'yes' || trustProxy === 'on';
-}
-export function getRequestHostname(req) {
-    const forwardedHost = trustProxyEnabled()
-        ? getFirstHeaderValue(req.headers['x-forwarded-host'])
-        : undefined;
-    const host = forwardedHost ?? getFirstHeaderValue(req.headers.host);
-    return normalizeHostname(host);
-}
-export function isLocalHostname(hostname) {
-    if (!hostname)
-        return false;
-    return LOOPBACK_HOSTS.has(hostname) || hostname.endsWith('.localhost');
-}
-export function isSecureRequest(req) {
-    if (trustProxyEnabled()) {
-        const forwardedProto = getFirstHeaderValue(req.headers['x-forwarded-proto'])?.toLowerCase();
-        if (forwardedProto) {
-            return forwardedProto === 'https';
-        }
-    }
-    return req.socket.encrypted === true;
-}
-export function getClientIp(req) {
-    if (trustProxyEnabled()) {
-        const forwardedIp = normalizeIp(getFirstHeaderValue(req.headers['x-forwarded-for']));
-        if (forwardedIp) {
-            return forwardedIp;
-        }
-    }
-    return normalizeIp(req.socket.remoteAddress) ?? 'unknown';
-}

package/dist/cloud/resource-monitor.d.ts

@@ -1,69 +0,0 @@
-/**
- * Host resource-pressure monitor.
- *
- * The hosting model is single-host: a burst of builds or active containers can
- * exhaust RAM or fill the disk before anyone notices. This periodically samples
- * memory, disk, and the active-container count, and alerts (via the
- * observability hook) when thresholds are crossed — the cheapest outage
- * insurance on a small VPS.
- *
- * The pressure decision is a pure function (`evaluatePressure`) so it's unit
- * testable; the class only handles sampling + scheduling + alert delivery.
- */
-export interface ResourceReading {
-    /** Memory in use as a percentage of total (0–100). */
-    memUsedPct: number;
-    /** Disk in use as a percentage of the monitored filesystem (0–100). */
-    diskUsedPct: number;
-    /** Number of running tenant containers. */
-    activeContainers: number;
-}
-export interface ResourceThresholds {
-    /** Alert when sustained memory use reaches this percent. */
-    memPct: number;
-    /** Alert when disk use reaches this percent. */
-    diskPct: number;
-    /** Consecutive over-threshold memory samples required before alerting. */
-    sustainedSamples: number;
-}
-export interface PressureState {
-    consecutiveMemBreaches: number;
-    diskAlerted: boolean;
-}
-export declare const DEFAULT_THRESHOLDS: ResourceThresholds;
-export declare const INITIAL_PRESSURE_STATE: PressureState;
-/**
- * Decide which alerts a reading triggers, given prior state. Pure.
- *
- * - Memory alerts only after `sustainedSamples` consecutive breaches (avoids
- *   flapping on transient spikes) and fires once per sustained episode.
- * - Disk alerts on the transition into breach and re-arms once it recovers.
- */
-export declare function evaluatePressure(r: ResourceReading, t: ResourceThresholds, s: PressureState): {
-    alerts: string[];
-    state: PressureState;
-};
-/** Sample current host resources. `diskPath` selects the filesystem to check. */
-export declare function gatherResourceReading(activeContainers: number, diskPath: string): Promise<ResourceReading>;
-export declare class ResourceMonitor {
-    private readonly gather;
-    private readonly opts;
-    private timer;
-    private state;
-    private last;
-    constructor(gather: () => Promise<ResourceReading>, opts?: {
-        thresholds?: ResourceThresholds;
-        intervalMs?: number;
-        onAlert?: (message: string, reading: ResourceReading) => void;
-        /**
-         * Called once per successful tick with the fresh reading. Used to persist
-         * a time-series sample. Must not throw; the monitor guards it regardless.
-         */
-        onSample?: (reading: ResourceReading) => void;
-    });
-    /** Most recent sample (for /health), or undefined before the first tick. */
-    lastReading(): ResourceReading | undefined;
-    start(): void;
-    stop(): void;
-    tick(): Promise<void>;
-}

package/dist/cloud/resource-monitor.js

@@ -1,130 +0,0 @@
-/**
- * Host resource-pressure monitor.
- *
- * The hosting model is single-host: a burst of builds or active containers can
- * exhaust RAM or fill the disk before anyone notices. This periodically samples
- * memory, disk, and the active-container count, and alerts (via the
- * observability hook) when thresholds are crossed — the cheapest outage
- * insurance on a small VPS.
- *
- * The pressure decision is a pure function (`evaluatePressure`) so it's unit
- * testable; the class only handles sampling + scheduling + alert delivery.
- */
-import os from 'node:os';
-import { statfs } from 'node:fs/promises';
-import { logger } from '../utils/logger.js';
-import { reportError } from './observability.js';
-export const DEFAULT_THRESHOLDS = {
-    memPct: 65,
-    diskPct: 75,
-    sustainedSamples: 3,
-};
-export const INITIAL_PRESSURE_STATE = {
-    consecutiveMemBreaches: 0,
-    diskAlerted: false,
-};
-/**
- * Decide which alerts a reading triggers, given prior state. Pure.
- *
- * - Memory alerts only after `sustainedSamples` consecutive breaches (avoids
- *   flapping on transient spikes) and fires once per sustained episode.
- * - Disk alerts on the transition into breach and re-arms once it recovers.
- */
-export function evaluatePressure(r, t, s) {
-    const alerts = [];
-    const consecutiveMemBreaches = r.memUsedPct >= t.memPct ? s.consecutiveMemBreaches + 1 : 0;
-    if (consecutiveMemBreaches === t.sustainedSamples) {
-        alerts.push(`RAM pressure: ${r.memUsedPct.toFixed(0)}% used (>= ${t.memPct}% for ${t.sustainedSamples} samples). Active containers: ${r.activeContainers}.`);
-    }
-    let diskAlerted = s.diskAlerted;
-    if (r.diskUsedPct >= t.diskPct) {
-        if (!s.diskAlerted) {
-            alerts.push(`Disk pressure: ${r.diskUsedPct.toFixed(0)}% used (>= ${t.diskPct}%). Prune images / add capacity.`);
-            diskAlerted = true;
-        }
-    }
-    else {
-        diskAlerted = false;
-    }
-    return { alerts, state: { consecutiveMemBreaches, diskAlerted } };
-}
-/** Sample current host resources. `diskPath` selects the filesystem to check. */
-export async function gatherResourceReading(activeContainers, diskPath) {
-    const total = os.totalmem();
-    const free = os.freemem();
-    const memUsedPct = total > 0 ? ((total - free) / total) * 100 : 0;
-    let diskUsedPct = 0;
-    try {
-        const fs = await statfs(diskPath);
-        const totalBlocks = Number(fs.blocks);
-        const freeBlocks = Number(fs.bfree);
-        if (totalBlocks > 0) {
-            diskUsedPct = ((totalBlocks - freeBlocks) / totalBlocks) * 100;
-        }
-    }
-    catch {
-        // statfs unavailable (or path missing) — leave disk at 0 rather than throw.
-    }
-    return { memUsedPct, diskUsedPct, activeContainers };
-}
-export class ResourceMonitor {
-    gather;
-    opts;
-    timer;
-    state = { ...INITIAL_PRESSURE_STATE };
-    last;
-    constructor(gather, opts = {}) {
-        this.gather = gather;
-        this.opts = opts;
-    }
-    /** Most recent sample (for /health), or undefined before the first tick. */
-    lastReading() {
-        return this.last;
-    }
-    start() {
-        if (this.timer)
-            return;
-        const intervalMs = this.opts.intervalMs ?? 300_000; // 5 min
-        this.timer = setInterval(() => {
-            void this.tick();
-        }, intervalMs);
-        this.timer.unref();
-    }
-    stop() {
-        if (this.timer) {
-            clearInterval(this.timer);
-            this.timer = undefined;
-        }
-    }
-    async tick() {
-        let reading;
-        try {
-            reading = await this.gather();
-        }
-        catch (err) {
-            logger.warn(`[resource-monitor] sampling failed: ${err}`);
-            return;
-        }
-        this.last = reading;
-        const { alerts, state } = evaluatePressure(reading, this.opts.thresholds ?? DEFAULT_THRESHOLDS, this.state);
-        this.state = state;
-        for (const message of alerts) {
-            if (this.opts.onAlert) {
-                this.opts.onAlert(message, reading);
-            }
-            else {
-                logger.error(`[resource-monitor] ${message}`);
-                reportError(new Error(message), { kind: 'resource-pressure', reading });
-            }
-        }
-        // Persist a time-series sample (best-effort; never let it break sampling).
-        if (this.opts.onSample) {
-            try {
-                this.opts.onSample(reading);
-            }
-            catch (err) {
-                logger.warn(`[resource-monitor] onSample failed: ${err}`);
-            }
-        }
-    }
-}