openclaw-observability 1.0.0

package/dist/security/scanner.js

@@ -0,0 +1,150 @@
+"use strict";
+/**
+ * SecurityScanner — main entry point for security detection
+ * Coordinates L1 rule engine + L2 behavior chain detector
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityScanner = exports.DEFAULT_SECURITY_CONFIG = void 0;
+exports.resolveSecurityConfig = resolveSecurityConfig;
+const crypto_1 = require("crypto");
+const types_1 = require("./types");
+const rules_1 = require("./rules");
+const chain_detector_1 = require("./chain-detector");
+exports.DEFAULT_SECURITY_CONFIG = {
+    enabled: true,
+    rules: {
+        secretLeakage: true,
+        highRiskOps: true,
+        promptInjection: true,
+        chainDetection: true,
+    },
+    domainWhitelist: [],
+};
+function resolveSecurityConfig(raw) {
+    if (!raw)
+        return { ...exports.DEFAULT_SECURITY_CONFIG };
+    return {
+        enabled: raw.enabled ?? exports.DEFAULT_SECURITY_CONFIG.enabled,
+        rules: {
+            ...exports.DEFAULT_SECURITY_CONFIG.rules,
+            ...raw.rules,
+        },
+        domainWhitelist: raw.domainWhitelist ?? exports.DEFAULT_SECURITY_CONFIG.domainWhitelist,
+    };
+}
+/* ------------------------------------------------------------------ */
+/*  Scanner                                                            */
+/* ------------------------------------------------------------------ */
+/** Rule category -> config toggle mapping */
+const CATEGORY_TOGGLE = {
+    [types_1.RuleCategory.SecretLeakage]: 'secretLeakage',
+    [types_1.RuleCategory.HighRiskOp]: 'highRiskOps',
+    [types_1.RuleCategory.DataExfil]: 'highRiskOps',
+    [types_1.RuleCategory.PromptInjection]: 'promptInjection',
+    [types_1.RuleCategory.SkillAnomaly]: 'highRiskOps',
+};
+class SecurityScanner {
+    rules;
+    chainDetector;
+    config;
+    /** Runtime context — passed to each rule's detect method */
+    ruleCtx;
+    /** Cumulative statistics */
+    stats = {
+        scanned: 0,
+        alertsGenerated: 0,
+    };
+    constructor(config) {
+        this.config = config;
+        // Filter rules based on config
+        this.rules = rules_1.ALL_RULES.filter(rule => {
+            const toggle = CATEGORY_TOGGLE[rule.category];
+            return toggle ? this.config.rules[toggle] : true;
+        });
+        this.chainDetector = new chain_detector_1.ChainDetector();
+        // Build runtime context
+        this.ruleCtx = {
+            domainWhitelist: config.domainWhitelist,
+        };
+    }
+    /**
+     * Scan a single AuditAction, return 0~N security alerts
+     */
+    scan(action) {
+        if (!this.config.enabled)
+            return [];
+        this.stats.scanned++;
+        const alerts = [];
+        // --- L1: Rule quick scan ---
+        const text = this.extractText(action);
+        for (const rule of this.rules) {
+            if (!rule.enabled)
+                continue;
+            try {
+                const findings = rule.detect(text, action, this.ruleCtx);
+                for (const f of findings) {
+                    alerts.push(this.toAlert(f, action));
+                }
+            }
+            catch (err) {
+                console.error(`[audit-security] Rule ${rule.id} error:`, err);
+            }
+        }
+        // --- L2: Behavior chain detection ---
+        if (this.config.rules.chainDetection) {
+            try {
+                const chainFindings = this.chainDetector.process(action);
+                for (const f of chainFindings) {
+                    alerts.push(this.toAlert(f, action));
+                }
+            }
+            catch (err) {
+                console.error('[audit-security] Chain detector error:', err);
+            }
+        }
+        this.stats.alertsGenerated += alerts.length;
+        return alerts;
+    }
+    /** Get statistics */
+    getStats() {
+        return { ...this.stats };
+    }
+    /** Reset */
+    reset() {
+        this.chainDetector.reset();
+        this.stats = { scanned: 0, alertsGenerated: 0 };
+    }
+    /* ---------------------------------------------------------------- */
+    /*  Internal methods                                                  */
+    /* ---------------------------------------------------------------- */
+    /** Extract all scannable text from an action */
+    extractText(action) {
+        const parts = [];
+        if (action.inputParams)
+            parts.push(JSON.stringify(action.inputParams));
+        if (action.outputResult)
+            parts.push(JSON.stringify(action.outputResult));
+        return parts.join('\n');
+    }
+    /** SecurityFinding -> SecurityAlert */
+    toAlert(finding, action) {
+        return {
+            alertId: (0, crypto_1.randomUUID)(),
+            sessionId: action.sessionId,
+            actionType: action.actionType,
+            actionName: action.actionName,
+            ruleId: finding.ruleId,
+            ruleName: finding.ruleName,
+            category: finding.category,
+            severity: finding.severity,
+            finding: finding.finding,
+            context: finding.context,
+            status: 'open',
+            userId: action.userId,
+            modelName: action.modelName,
+            createdAt: new Date(),
+        };
+    }
+}
+exports.SecurityScanner = SecurityScanner;
+//# sourceMappingURL=scanner.js.map

package/dist/security/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAqCH,sDAYC;AA/CD,mCAAoC;AAEpC,mCAAiF;AACjF,mCAA+D;AAC/D,qDAAiD;AAoBpC,QAAA,uBAAuB,GAAmB;IACrD,OAAO,EAAE,IAAI;IACb,KAAK,EAAE;QACL,aAAa,EAAE,IAAI;QACnB,WAAW,EAAE,IAAI;QACjB,eAAe,EAAE,IAAI;QACrB,cAAc,EAAE,IAAI;KACrB;IACD,eAAe,EAAE,EAAE;CACpB,CAAC;AAEF,SAAgB,qBAAqB,CACnC,GAAwC;IAExC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,GAAG,+BAAuB,EAAE,CAAC;IAChD,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,+BAAuB,CAAC,OAAO;QACvD,KAAK,EAAE;YACL,GAAG,+BAAuB,CAAC,KAAK;YAChC,GAAG,GAAG,CAAC,KAAK;SACb;QACD,eAAe,EAAE,GAAG,CAAC,eAAe,IAAI,+BAAuB,CAAC,eAAe;KAChF,CAAC;AACJ,CAAC;AAED,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,6CAA6C;AAC7C,MAAM,eAAe,GAAkD;IACrE,CAAC,oBAAY,CAAC,aAAa,CAAC,EAAE,eAAe;IAC7C,CAAC,oBAAY,CAAC,UAAU,CAAC,EAAE,aAAa;IACxC,CAAC,oBAAY,CAAC,SAAS,CAAC,EAAE,aAAa;IACvC,CAAC,oBAAY,CAAC,eAAe,CAAC,EAAE,iBAAiB;IACjD,CAAC,oBAAY,CAAC,YAAY,CAAC,EAAE,aAAa;CAC3C,CAAC;AAEF,MAAa,eAAe;IAClB,KAAK,CAAiB;IACtB,aAAa,CAAgB;IAC7B,MAAM,CAAiB;IAC/B,4DAA4D;IACpD,OAAO,CAAc;IAE7B,4BAA4B;IACpB,KAAK,GAAG;QACd,OAAO,EAAE,CAAC;QACV,eAAe,EAAE,CAAC;KACnB,CAAC;IAEF,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,+BAA+B;QAC/B,IAAI,CAAC,KAAK,GAAG,iBAAS,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YACnC,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,OAAO,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,GAAG,IAAI,8BAAa,EAAE,CAAC;QAEzC,wBAAwB;QACxB,IAAI,CAAC,OAAO,GAAG;YACb,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,MAAmB;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAEpC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,MAAM,GAAoB,EAAE,CAAC;QAEnC,8BAA8B;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAEtC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,CAAC,OAAO;gBAAE,SAAS;YAC5B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,yBAAyB,IAAI,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBACzD,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;oBAC9B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,eAAe,IAAI,MAAM,CAAC,MAAM,CAAC;QAC5C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qBAAqB;IACrB,QAAQ;QACN,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED,YAAY;IACZ,KAAK;QACH,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;IAClD,CAAC;IAED,sEAAsE;IACtE,wEAAwE;IACxE,sEAAsE;IAEtE,gDAAgD;IACxC,WAAW,CAAC,MAAmB;QACrC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,WAAW;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QACvE,IAAI,MAAM,CAAC,YAAY;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;QACzE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,uCAAuC;IAC/B,OAAO,CAAC,OAAwB,EAAE,MAAmB;QAC3D,OAAO;YACL,OAAO,EAAE,IAAA,mBAAU,GAAE;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAE7B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAE1B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,OAAO,EAAE,OAAO,CAAC,OAAO;YAExB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;CACF;AAnHD,0CAmHC"}

package/dist/security/types.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Security audit type definitions
+ */
+/** Security rule severity level */
+export declare enum Severity {
+    INFO = "info",
+    WARN = "warn",
+    CRITICAL = "critical"
+}
+/** Security rule category */
+export declare enum RuleCategory {
+    SecretLeakage = "secret_leakage",
+    HighRiskOp = "high_risk_operation",
+    DataExfil = "data_exfiltration",
+    PromptInjection = "prompt_injection",
+    SkillAnomaly = "skill_anomaly"
+}
+/** Security alert record */
+export interface SecurityAlert {
+    alertId: string;
+    sessionId: string;
+    actionType: string;
+    actionName: string;
+    ruleId: string;
+    ruleName: string;
+    category: RuleCategory;
+    severity: Severity;
+    /** Finding summary (redacted) */
+    finding: string;
+    /** Context (match location, surrounding text, etc.) */
+    context: string;
+    /** Processing status */
+    status: 'open' | 'acknowledged' | 'resolved' | 'false_positive';
+    userId: string;
+    modelName: string;
+    createdAt: Date;
+}
+/** Security scan finding (intermediate state, not yet persisted) */
+export interface SecurityFinding {
+    ruleId: string;
+    ruleName: string;
+    category: RuleCategory;
+    severity: Severity;
+    finding: string;
+    context: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,mCAAmC;AACnC,oBAAY,QAAQ;IAClB,IAAI,SAAS;IACb,IAAI,SAAS;IACb,QAAQ,aAAa;CACtB;AAED,6BAA6B;AAC7B,oBAAY,YAAY;IACtB,aAAa,mBAAmB;IAChC,UAAU,wBAAwB;IAClC,SAAS,sBAAsB;IAC/B,eAAe,qBAAqB;IACpC,YAAY,kBAAkB;CAC/B;AAED,4BAA4B;AAC5B,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IAEnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,QAAQ,CAAC;IAEnB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAC;IAEhB,wBAAwB;IACxB,MAAM,EAAE,MAAM,GAAG,cAAc,GAAG,UAAU,GAAG,gBAAgB,CAAC;IAEhE,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,oEAAoE;AACpE,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB"}

package/dist/security/types.js

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * Security audit type definitions
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RuleCategory = exports.Severity = void 0;
+/** Security rule severity level */
+var Severity;
+(function (Severity) {
+    Severity["INFO"] = "info";
+    Severity["WARN"] = "warn";
+    Severity["CRITICAL"] = "critical";
+})(Severity || (exports.Severity = Severity = {}));
+/** Security rule category */
+var RuleCategory;
+(function (RuleCategory) {
+    RuleCategory["SecretLeakage"] = "secret_leakage";
+    RuleCategory["HighRiskOp"] = "high_risk_operation";
+    RuleCategory["DataExfil"] = "data_exfiltration";
+    RuleCategory["PromptInjection"] = "prompt_injection";
+    RuleCategory["SkillAnomaly"] = "skill_anomaly";
+})(RuleCategory || (exports.RuleCategory = RuleCategory = {}));
+//# sourceMappingURL=types.js.map

package/dist/security/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH,mCAAmC;AACnC,IAAY,QAIX;AAJD,WAAY,QAAQ;IAClB,yBAAa,CAAA;IACb,yBAAa,CAAA;IACb,iCAAqB,CAAA;AACvB,CAAC,EAJW,QAAQ,wBAAR,QAAQ,QAInB;AAED,6BAA6B;AAC7B,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,gDAAgC,CAAA;IAChC,kDAAkC,CAAA;IAClC,+CAA+B,CAAA;IAC/B,oDAAoC,CAAA;IACpC,8CAA8B,CAAA;AAChC,CAAC,EANW,YAAY,4BAAZ,YAAY,QAMvB"}

package/dist/storage/buffer.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Async batch buffer queue
+ * Dual-trigger flush mechanism based on count threshold + time threshold
+ */
+import { AuditAction, AuditSession } from '../types';
+import { BufferConfig } from '../config';
+/** Buffer entry type */
+export type BufferEntry = {
+    type: 'action';
+    data: AuditAction;
+} | {
+    type: 'session';
+    data: AuditSession;
+};
+/** Flush callback function type */
+export type FlushCallback = (entries: BufferEntry[]) => Promise<void>;
+/**
+ * Async batch buffer
+ * - Triggers flush when buffer size reaches batchSize
+ * - Auto-flushes every flushIntervalMs milliseconds
+ * - Supports manual forced flush (e.g. on session end)
+ * - Discards oldest entries when buffer exceeds MAX_BUFFER_SIZE
+ */
+export declare class AsyncBatchBuffer {
+    private buffer;
+    private timer;
+    private flushing;
+    private flushCallback;
+    private config;
+    constructor(config: BufferConfig, flushCallback: FlushCallback);
+    /**
+     * Start periodic flush timer
+     */
+    start(): void;
+    /**
+     * Stop periodic flush timer
+     */
+    stop(): void;
+    /**
+     * Add audit record to buffer
+     */
+    add(entry: BufferEntry): Promise<void>;
+    /**
+     * Add audit action record
+     */
+    addAction(action: AuditAction): Promise<void>;
+    /**
+     * Add or update session summary record
+     */
+    addSession(session: AuditSession): Promise<void>;
+    /**
+     * Force flush buffer (write all entries to database)
+     */
+    flush(): Promise<void>;
+    /**
+     * Get current buffer size
+     */
+    get size(): number;
+    /**
+     * Graceful shutdown: stop timer and flush remaining data
+     */
+    shutdown(): Promise<void>;
+}
+//# sourceMappingURL=buffer.d.ts.map

package/dist/storage/buffer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer.d.ts","sourceRoot":"","sources":["../../src/storage/buffer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,wBAAwB;AACxB,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAA;CAAE,CAAC;AAE5C,mCAAmC;AACnC,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAKtE;;;;;;GAMG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,KAAK,CAA+C;IAC5D,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa;IAK9D;;OAEG;IACH,KAAK,IAAI,IAAI;IAiBb;;OAEG;IACH,IAAI,IAAI,IAAI;IAOZ;;OAEG;IACG,GAAG,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB5C;;OAEG;IACG,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB5B;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAIhC"}

package/dist/storage/buffer.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Async batch buffer queue
+ * Dual-trigger flush mechanism based on count threshold + time threshold
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AsyncBatchBuffer = void 0;
+/** Max buffer entries (oldest entries are discarded when exceeded) */
+const MAX_BUFFER_SIZE = 5000;
+/**
+ * Async batch buffer
+ * - Triggers flush when buffer size reaches batchSize
+ * - Auto-flushes every flushIntervalMs milliseconds
+ * - Supports manual forced flush (e.g. on session end)
+ * - Discards oldest entries when buffer exceeds MAX_BUFFER_SIZE
+ */
+class AsyncBatchBuffer {
+    buffer = [];
+    timer = null;
+    flushing = false;
+    flushCallback;
+    config;
+    constructor(config, flushCallback) {
+        this.config = config;
+        this.flushCallback = flushCallback;
+    }
+    /**
+     * Start periodic flush timer
+     */
+    start() {
+        if (this.timer) {
+            return;
+        }
+        this.timer = setInterval(async () => {
+            if (this.buffer.length > 0) {
+                await this.flush();
+            }
+        }, this.config.flushIntervalMs);
+        // Ensure timer does not prevent process exit
+        if (this.timer && typeof this.timer === 'object' && 'unref' in this.timer) {
+            this.timer.unref();
+        }
+    }
+    /**
+     * Stop periodic flush timer
+     */
+    stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+    }
+    /**
+     * Add audit record to buffer
+     */
+    async add(entry) {
+        // Prevent unbounded buffer growth (when flush keeps failing)
+        if (this.buffer.length >= MAX_BUFFER_SIZE) {
+            const drop = Math.floor(MAX_BUFFER_SIZE * 0.1); // discard oldest 10%
+            this.buffer.splice(0, drop);
+            console.warn(`[audit-duckdb] Buffer overflow, dropped ${drop} oldest entries`);
+        }
+        this.buffer.push(entry);
+        // Threshold reached, trigger flush
+        if (this.buffer.length >= this.config.batchSize) {
+            await this.flush();
+        }
+    }
+    /**
+     * Add audit action record
+     */
+    async addAction(action) {
+        await this.add({ type: 'action', data: action });
+    }
+    /**
+     * Add or update session summary record
+     */
+    async addSession(session) {
+        await this.add({ type: 'session', data: session });
+    }
+    /**
+     * Force flush buffer (write all entries to database)
+     */
+    async flush() {
+        // Prevent concurrent flushes
+        if (this.flushing || this.buffer.length === 0) {
+            return;
+        }
+        this.flushing = true;
+        // Take all current buffer contents
+        const entries = [...this.buffer];
+        this.buffer = [];
+        try {
+            await this.flushCallback(entries);
+        }
+        catch (error) {
+            // On flush failure, put entries back (prepend to maintain order)
+            this.buffer = [...entries, ...this.buffer];
+            console.error('[audit-duckdb] Failed to flush buffer:', error);
+        }
+        finally {
+            this.flushing = false;
+        }
+    }
+    /**
+     * Get current buffer size
+     */
+    get size() {
+        return this.buffer.length;
+    }
+    /**
+     * Graceful shutdown: stop timer and flush remaining data
+     */
+    async shutdown() {
+        this.stop();
+        await this.flush();
+    }
+}
+exports.AsyncBatchBuffer = AsyncBatchBuffer;
+//# sourceMappingURL=buffer.js.map

package/dist/storage/buffer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer.js","sourceRoot":"","sources":["../../src/storage/buffer.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAaH,sEAAsE;AACtE,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B;;;;;;GAMG;AACH,MAAa,gBAAgB;IACnB,MAAM,GAAkB,EAAE,CAAC;IAC3B,KAAK,GAA0C,IAAI,CAAC;IACpD,QAAQ,GAAY,KAAK,CAAC;IAC1B,aAAa,CAAgB;IAC7B,MAAM,CAAe;IAE7B,YAAY,MAAoB,EAAE,aAA4B;QAC5D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;YAClC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;YACrB,CAAC;QACH,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAEhC,6CAA6C;QAC7C,IAAI,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,KAAkB;QAC1B,6DAA6D;QAC7D,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,eAAe,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC,qBAAqB;YACrE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,2CAA2C,IAAI,iBAAiB,CAAC,CAAC;QACjF,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAExB,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAChD,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,MAAmB;QACjC,MAAM,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,OAAqB;QACpC,MAAM,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,6BAA6B;QAC7B,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErB,mCAAmC;QACnC,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QAEjB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QACxB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAnHD,4CAmHC"}

package/dist/storage/duckdb-local-writer.d.ts

@@ -0,0 +1,26 @@
+/**
+ * DuckDB local write layer
+ * Uses embedded DuckDB (@duckdb/node-api), zero-config out of the box
+ */
+import { SecurityAlert } from '../security/types';
+import { BufferEntry } from './buffer';
+import { QueryPool, AuditWriter } from './writer';
+import { DuckDBConfig } from '../config';
+export declare class DuckDBLocalWriter implements AuditWriter {
+    private pool;
+    private config;
+    private initialized;
+    private initializing;
+    constructor(config: DuckDBConfig);
+    initialize(maxRetries?: number, retryDelayMs?: number): Promise<void>;
+    ensureReady(): Promise<boolean>;
+    private _doInitialize;
+    writeBatch(entries: BufferEntry[]): Promise<void>;
+    private writeActions;
+    private writeSessions;
+    writeAlerts(alerts: SecurityAlert[]): Promise<void>;
+    getPool(): QueryPool | null;
+    close(): Promise<void>;
+    private _formatDate;
+}
+//# sourceMappingURL=duckdb-local-writer.d.ts.map

package/dist/storage/duckdb-local-writer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"duckdb-local-writer.d.ts","sourceRoot":"","sources":["../../src/storage/duckdb-local-writer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AA+NzC,qBAAa,iBAAkB,YAAW,WAAW;IACnD,OAAO,CAAC,IAAI,CAA2B;IACvC,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;gBAEjB,MAAM,EAAE,YAAY;IAI1B,UAAU,CAAC,UAAU,SAAI,EAAE,YAAY,SAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAwB9D,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;YAUvB,aAAa;IAqCrB,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAWzC,YAAY;YAsBZ,aAAa;IAqErB,WAAW,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAoBzD,OAAO,IAAI,SAAS,GAAG,IAAI;IAIrB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAW5B,OAAO,CAAC,WAAW;CAKpB"}