npm - palaryn - Versions diffs - 0.1.0 → 0.3.2 - Mend

palaryn 0.1.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (344) hide show

package/README.md +243 -588
package/dist/sdk/typescript/src/client.js +2 -2
package/dist/sdk/typescript/src/client.js.map +1 -1
package/dist/src/anomaly/detector.d.ts +7 -4
package/dist/src/anomaly/detector.d.ts.map +1 -1
package/dist/src/anomaly/detector.js +22 -12
package/dist/src/anomaly/detector.js.map +1 -1
package/dist/src/audit/logger.d.ts +10 -0
package/dist/src/audit/logger.d.ts.map +1 -1
package/dist/src/audit/logger.js +52 -38
package/dist/src/audit/logger.js.map +1 -1
package/dist/src/auth/routes.d.ts.map +1 -1
package/dist/src/auth/routes.js +35 -0
package/dist/src/auth/routes.js.map +1 -1
package/dist/src/budget/manager.d.ts +5 -0
package/dist/src/budget/manager.d.ts.map +1 -1
package/dist/src/budget/manager.js +32 -0
package/dist/src/budget/manager.js.map +1 -1
package/dist/src/budget/model-pricing.d.ts +20 -0
package/dist/src/budget/model-pricing.d.ts.map +1 -0
package/dist/src/budget/model-pricing.js +107 -0
package/dist/src/budget/model-pricing.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +3 -1
package/dist/src/budget/usage-extractor.d.ts.map +1 -1
package/dist/src/budget/usage-extractor.js +47 -3
package/dist/src/budget/usage-extractor.js.map +1 -1
package/dist/src/config/defaults.d.ts.map +1 -1
package/dist/src/config/defaults.js +65 -13
package/dist/src/config/defaults.js.map +1 -1
package/dist/src/dlp/tool-patterns.d.ts +7 -0
package/dist/src/dlp/tool-patterns.d.ts.map +1 -0
package/dist/src/dlp/tool-patterns.js +34 -0
package/dist/src/dlp/tool-patterns.js.map +1 -0
package/dist/src/executor/filesystem-executor.d.ts +28 -0
package/dist/src/executor/filesystem-executor.d.ts.map +1 -0
package/dist/src/executor/filesystem-executor.js +192 -0
package/dist/src/executor/filesystem-executor.js.map +1 -0
package/dist/src/executor/http-executor.d.ts.map +1 -1
package/dist/src/executor/http-executor.js +22 -2
package/dist/src/executor/http-executor.js.map +1 -1
package/dist/src/executor/index.d.ts +4 -0
package/dist/src/executor/index.d.ts.map +1 -1
package/dist/src/executor/index.js +9 -1
package/dist/src/executor/index.js.map +1 -1
package/dist/src/executor/shell-executor.d.ts +22 -0
package/dist/src/executor/shell-executor.d.ts.map +1 -0
package/dist/src/executor/shell-executor.js +119 -0
package/dist/src/executor/shell-executor.js.map +1 -0
package/dist/src/executor/sql-executor.d.ts +29 -0
package/dist/src/executor/sql-executor.d.ts.map +1 -0
package/dist/src/executor/sql-executor.js +114 -0
package/dist/src/executor/sql-executor.js.map +1 -0
package/dist/src/executor/websocket-executor.d.ts +26 -0
package/dist/src/executor/websocket-executor.d.ts.map +1 -0
package/dist/src/executor/websocket-executor.js +205 -0
package/dist/src/executor/websocket-executor.js.map +1 -0
package/dist/src/interceptor/index.d.ts +2 -0
package/dist/src/interceptor/index.d.ts.map +1 -0
package/dist/src/interceptor/index.js +6 -0
package/dist/src/interceptor/index.js.map +1 -0
package/dist/src/interceptor/provider-interceptor.d.ts +36 -0
package/dist/src/interceptor/provider-interceptor.d.ts.map +1 -0
package/dist/src/interceptor/provider-interceptor.js +302 -0
package/dist/src/interceptor/provider-interceptor.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -1
package/dist/src/mcp/auth-verifier.js +3 -2
package/dist/src/mcp/auth-verifier.js.map +1 -1
package/dist/src/mcp/bridge.d.ts +14 -10
package/dist/src/mcp/bridge.d.ts.map +1 -1
package/dist/src/mcp/bridge.js +51 -227
package/dist/src/mcp/bridge.js.map +1 -1
package/dist/src/mcp/http-transport.d.ts +2 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -1
package/dist/src/mcp/http-transport.js +117 -66
package/dist/src/mcp/http-transport.js.map +1 -1
package/dist/src/mcp/internal-auth.d.ts +13 -0
package/dist/src/mcp/internal-auth.d.ts.map +1 -0
package/dist/src/mcp/internal-auth.js +12 -0
package/dist/src/mcp/internal-auth.js.map +1 -0
package/dist/src/mcp/tool-definitions.d.ts +41 -0
package/dist/src/mcp/tool-definitions.d.ts.map +1 -0
package/dist/src/mcp/tool-definitions.js +491 -0
package/dist/src/mcp/tool-definitions.js.map +1 -0
package/dist/src/middleware/auth.js.map +1 -1
package/dist/src/middleware/session.js.map +1 -1
package/dist/src/middleware/validate.d.ts +8 -0
package/dist/src/middleware/validate.d.ts.map +1 -1
package/dist/src/middleware/validate.js +45 -0
package/dist/src/middleware/validate.js.map +1 -1
package/dist/src/policy/engine.d.ts +4 -0
package/dist/src/policy/engine.d.ts.map +1 -1
package/dist/src/policy/engine.js +117 -0
package/dist/src/policy/engine.js.map +1 -1
package/dist/src/saas/routes.d.ts.map +1 -1
package/dist/src/saas/routes.js +355 -22
package/dist/src/saas/routes.js.map +1 -1
package/dist/src/server/app.d.ts.map +1 -1
package/dist/src/server/app.js +24 -3
package/dist/src/server/app.js.map +1 -1
package/dist/src/server/gateway.d.ts.map +1 -1
package/dist/src/server/gateway.js +17 -0
package/dist/src/server/gateway.js.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/server/index.js +18 -0
package/dist/src/server/index.js.map +1 -1
package/dist/src/storage/interfaces.d.ts +14 -3
package/dist/src/storage/interfaces.d.ts.map +1 -1
package/dist/src/storage/memory.d.ts +2 -0
package/dist/src/storage/memory.d.ts.map +1 -1
package/dist/src/storage/memory.js +6 -0
package/dist/src/storage/memory.js.map +1 -1
package/dist/src/storage/postgres.d.ts +5 -0
package/dist/src/storage/postgres.d.ts.map +1 -1
package/dist/src/storage/postgres.js +16 -0
package/dist/src/storage/postgres.js.map +1 -1
package/dist/src/storage/redis.d.ts +10 -0
package/dist/src/storage/redis.d.ts.map +1 -1
package/dist/src/storage/redis.js +65 -0
package/dist/src/storage/redis.js.map +1 -1
package/dist/src/types/budget.d.ts +4 -0
package/dist/src/types/budget.d.ts.map +1 -1
package/dist/src/types/config.d.ts +58 -0
package/dist/src/types/config.d.ts.map +1 -1
package/dist/src/types/events.d.ts +1 -0
package/dist/src/types/events.d.ts.map +1 -1
package/dist/src/types/policy.d.ts +11 -1
package/dist/src/types/policy.d.ts.map +1 -1
package/dist/src/types/tool-result.d.ts +11 -0
package/dist/src/types/tool-result.d.ts.map +1 -1
package/dist/tests/unit/app-routes.test.d.ts +2 -0
package/dist/tests/unit/app-routes.test.d.ts.map +1 -0
package/dist/tests/unit/app-routes.test.js +715 -0
package/dist/tests/unit/app-routes.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.js +105 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -1
package/dist/tests/unit/auth-providers.test.d.ts +2 -0
package/dist/tests/unit/auth-providers.test.d.ts.map +1 -0
package/dist/tests/unit/auth-providers.test.js +279 -0
package/dist/tests/unit/auth-providers.test.js.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts +2 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.js +993 -0
package/dist/tests/unit/auth-routes-extended.test.js.map +1 -0
package/dist/tests/unit/auth-verifier.test.d.ts +2 -0
package/dist/tests/unit/auth-verifier.test.d.ts.map +1 -0
package/dist/tests/unit/auth-verifier.test.js +505 -0
package/dist/tests/unit/auth-verifier.test.js.map +1 -0
package/dist/tests/unit/billing-routes.test.d.ts +2 -0
package/dist/tests/unit/billing-routes.test.d.ts.map +1 -0
package/dist/tests/unit/billing-routes.test.js +432 -0
package/dist/tests/unit/billing-routes.test.js.map +1 -0
package/dist/tests/unit/config-defaults.test.d.ts +2 -0
package/dist/tests/unit/config-defaults.test.d.ts.map +1 -0
package/dist/tests/unit/config-defaults.test.js +119 -0
package/dist/tests/unit/config-defaults.test.js.map +1 -0
package/dist/tests/unit/defaults.test.js +0 -10
package/dist/tests/unit/defaults.test.js.map +1 -1
package/dist/tests/unit/filesystem-executor.test.d.ts +2 -0
package/dist/tests/unit/filesystem-executor.test.d.ts.map +1 -0
package/dist/tests/unit/filesystem-executor.test.js +280 -0
package/dist/tests/unit/filesystem-executor.test.js.map +1 -0
package/dist/tests/unit/gateway-branches.test.d.ts +2 -0
package/dist/tests/unit/gateway-branches.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-branches.test.js +1039 -0
package/dist/tests/unit/gateway-branches.test.js.map +1 -0
package/dist/tests/unit/http-executor-branches.test.d.ts +2 -0
package/dist/tests/unit/http-executor-branches.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor-branches.test.js +495 -0
package/dist/tests/unit/http-executor-branches.test.js.map +1 -0
package/dist/tests/unit/logger.test.d.ts +2 -0
package/dist/tests/unit/logger.test.d.ts.map +1 -0
package/dist/tests/unit/logger.test.js +97 -0
package/dist/tests/unit/logger.test.js.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts +2 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.js +445 -0
package/dist/tests/unit/mcp-internal-auth.test.js.map +1 -0
package/dist/tests/unit/metrics.test.js +102 -0
package/dist/tests/unit/metrics.test.js.map +1 -1
package/dist/tests/unit/model-pricing.test.d.ts +2 -0
package/dist/tests/unit/model-pricing.test.d.ts.map +1 -0
package/dist/tests/unit/model-pricing.test.js +87 -0
package/dist/tests/unit/model-pricing.test.js.map +1 -0
package/dist/tests/unit/oauth-stores.test.d.ts +2 -0
package/dist/tests/unit/oauth-stores.test.d.ts.map +1 -0
package/dist/tests/unit/oauth-stores.test.js +260 -0
package/dist/tests/unit/oauth-stores.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.js +466 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -1
package/dist/tests/unit/provider-interceptor.test.d.ts +2 -0
package/dist/tests/unit/provider-interceptor.test.d.ts.map +1 -0
package/dist/tests/unit/provider-interceptor.test.js +472 -0
package/dist/tests/unit/provider-interceptor.test.js.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.js +2165 -0
package/dist/tests/unit/saas-routes-branches.test.js.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.js +332 -0
package/dist/tests/unit/saas-routes-crud.test.js.map +1 -0
package/dist/tests/unit/saas-routes-data.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-data.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-data.test.js +405 -0
package/dist/tests/unit/saas-routes-data.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.js +3 -3
package/dist/tests/unit/saas-routes.test.js.map +1 -1
package/dist/tests/unit/shell-executor.test.d.ts +2 -0
package/dist/tests/unit/shell-executor.test.d.ts.map +1 -0
package/dist/tests/unit/shell-executor.test.js +145 -0
package/dist/tests/unit/shell-executor.test.js.map +1 -0
package/dist/tests/unit/sql-executor.test.d.ts +2 -0
package/dist/tests/unit/sql-executor.test.d.ts.map +1 -0
package/dist/tests/unit/sql-executor.test.js +177 -0
package/dist/tests/unit/sql-executor.test.js.map +1 -0
package/dist/tests/unit/stream-proxy.test.d.ts +2 -0
package/dist/tests/unit/stream-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/stream-proxy.test.js +147 -0
package/dist/tests/unit/stream-proxy.test.js.map +1 -0
package/dist/tests/unit/tool-definitions.test.d.ts +2 -0
package/dist/tests/unit/tool-definitions.test.d.ts.map +1 -0
package/dist/tests/unit/tool-definitions.test.js +184 -0
package/dist/tests/unit/tool-definitions.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +140 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -1
package/dist/tests/unit/webhook-handler.test.d.ts +2 -0
package/dist/tests/unit/webhook-handler.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-handler.test.js +453 -0
package/dist/tests/unit/webhook-handler.test.js.map +1 -0
package/dist/tests/unit/webhook-routes.test.d.ts +2 -0
package/dist/tests/unit/webhook-routes.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-routes.test.js +69 -0
package/dist/tests/unit/webhook-routes.test.js.map +1 -0
package/dist/tests/unit/websocket-executor.test.d.ts +2 -0
package/dist/tests/unit/websocket-executor.test.d.ts.map +1 -0
package/dist/tests/unit/websocket-executor.test.js +121 -0
package/dist/tests/unit/websocket-executor.test.js.map +1 -0
package/package.json +8 -2
package/policy-packs/demo_fail.yaml +41 -0
package/policy-packs/full_tools.yaml +136 -0
package/src/admin/index.ts +1 -0
package/src/admin/routes.ts +509 -0
package/src/admin/templates.ts +572 -0
package/src/anomaly/detector.ts +730 -0
package/src/anomaly/index.ts +1 -0
package/src/approval/manager.ts +569 -0
package/src/approval/webhook.ts +133 -0
package/src/audit/logger.ts +490 -0
package/src/auth/index.ts +5 -0
package/src/auth/password.ts +21 -0
package/src/auth/pkce.ts +22 -0
package/src/auth/providers.ts +208 -0
package/src/auth/routes.ts +561 -0
package/src/auth/session.ts +84 -0
package/src/billing/index.ts +6 -0
package/src/billing/plan-enforcer.ts +135 -0
package/src/billing/routes.ts +229 -0
package/src/billing/stripe-client.ts +58 -0
package/src/billing/webhook-handler.ts +182 -0
package/src/billing/webhook-routes.ts +28 -0
package/src/budget/manager.ts +679 -0
package/src/budget/model-pricing.ts +119 -0
package/src/budget/usage-extractor.ts +214 -0
package/src/cli.ts +91 -0
package/src/config/defaults.ts +261 -0
package/src/config/validate.ts +88 -0
package/src/dlp/composite-scanner.ts +213 -0
package/src/dlp/index.ts +9 -0
package/src/dlp/interfaces.ts +34 -0
package/src/dlp/patterns.ts +30 -0
package/src/dlp/prompt-injection-backend.ts +181 -0
package/src/dlp/prompt-injection-patterns.ts +302 -0
package/src/dlp/regex-backend.ts +181 -0
package/src/dlp/scanner.ts +502 -0
package/src/dlp/text-normalizer.ts +225 -0
package/src/dlp/tool-patterns.ts +35 -0
package/src/dlp/trufflehog-backend.ts +190 -0
package/src/executor/filesystem-executor.ts +196 -0
package/src/executor/http-executor.ts +349 -0
package/src/executor/index.ts +9 -0
package/src/executor/interfaces.ts +11 -0
package/src/executor/noop-executor.ts +23 -0
package/src/executor/registry.ts +64 -0
package/src/executor/shell-executor.ts +148 -0
package/src/executor/slack-executor.ts +176 -0
package/src/executor/sql-executor.ts +146 -0
package/src/executor/websocket-executor.ts +211 -0
package/src/index.ts +24 -0
package/src/interceptor/index.ts +1 -0
package/src/interceptor/provider-interceptor.ts +315 -0
package/src/mcp/auth-verifier.ts +152 -0
package/src/mcp/bridge.ts +703 -0
package/src/mcp/http-transport.ts +698 -0
package/src/mcp/index.ts +9 -0
package/src/mcp/internal-auth.ts +14 -0
package/src/mcp/oauth-pages.ts +139 -0
package/src/mcp/oauth-postgres-stores.ts +278 -0
package/src/mcp/oauth-provider.ts +536 -0
package/src/mcp/oauth-stores.ts +202 -0
package/src/mcp/server.ts +55 -0
package/src/mcp/tool-definitions.ts +562 -0
package/src/metrics/collector.ts +357 -0
package/src/metrics/index.ts +1 -0
package/src/middleware/auth.ts +814 -0
package/src/middleware/session.ts +85 -0
package/src/middleware/validate.ts +130 -0
package/src/policy/engine.ts +815 -0
package/src/policy/index.ts +2 -0
package/src/policy/opa-engine.ts +829 -0
package/src/proxy/forward-proxy.ts +649 -0
package/src/proxy/index.ts +1 -0
package/src/ratelimit/limiter.ts +196 -0
package/src/replay/engine.ts +142 -0
package/src/replay/index.ts +1 -0
package/src/saas/index.ts +1 -0
package/src/saas/routes.ts +2178 -0
package/src/server/app.ts +985 -0
package/src/server/errors.ts +49 -0
package/src/server/gateway.ts +1130 -0
package/src/server/index.ts +307 -0
package/src/server/logger.ts +255 -0
package/src/server/stream-proxy.ts +202 -0
package/src/storage/file-persistence.ts +315 -0
package/src/storage/index.ts +4 -0
package/src/storage/interfaces.ts +287 -0
package/src/storage/memory.ts +686 -0
package/src/storage/postgres.ts +1831 -0
package/src/storage/redis.ts +835 -0
package/src/tracing/index.ts +1 -0
package/src/tracing/provider.ts +100 -0
package/src/trust/calculator.ts +141 -0
package/src/trust/index.ts +7 -0
package/src/types/budget.ts +36 -0
package/src/types/config.ts +278 -0
package/src/types/events.ts +41 -0
package/src/types/express.d.ts +14 -0
package/src/types/index.ts +7 -0
package/src/types/policy.ts +83 -0
package/src/types/stripe-config.ts +11 -0
package/src/types/subscription.ts +59 -0
package/src/types/tool-call.ts +47 -0
package/src/types/tool-result.ts +82 -0
package/src/types/user.ts +125 -0
package/tsconfig.json +24 -0

package/src/server/index.ts ADDED Viewed

@@ -0,0 +1,307 @@
+import { createApp, SaaSStores } from './app';
+import { DEFAULT_CONFIG } from '../config/defaults';
+import { GatewayConfig } from '../types/config';
+import { validateConfig } from '../config/validate';
+import { log as devLog } from './logger';
+export async function startServer(): Promise<void> {
+  const config: GatewayConfig = { ...DEFAULT_CONFIG };
+  // Wire up OpenTelemetry tracing from env vars
+  if (process.env.OTEL_EXPORTER_OTLP_ENDPOINT) {
+    config.tracing = {
+      enabled: true,
+      service_name: process.env.OTEL_SERVICE_NAME || 'palaryn',
+      otlp_endpoint: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,
+      environment: process.env.NODE_ENV || 'development',
+    };
+  }
+  // Pre-initialize Postgres SaaS stores when DATABASE_URL is set (persists user
+  // data, sessions, workspaces, and API keys across restarts)
+  let externalSaaSStores: Partial<SaaSStores> | undefined;
+  if (process.env.DATABASE_URL) {
+    try {
+      const { Pool } = await import('pg');
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { initPostgresStorage, createPostgresSaaSStores } = await import('../storage/postgres');
+      const { PostgresOAuthClientsStore, PostgresOAuthTokenStore } = await import('../mcp/oauth-postgres-stores');
+      await initPostgresStorage(pool);
+      // Create MCP OAuth Postgres tables
+      await PostgresOAuthClientsStore.createTables(pool);
+      await PostgresOAuthTokenStore.createTables(pool);
+      const pgSaaSStores = createPostgresSaaSStores(pool);
+      const mcpOAuthClientsStore = new PostgresOAuthClientsStore(pool);
+      const mcpOAuthTokenStore = new PostgresOAuthTokenStore(pool);
+      // Hydrate SaaS stores
+      await Promise.all([
+        pgSaaSStores.userStore.hydrate(),
+        pgSaaSStores.oauthAccountStore.hydrate(),
+        pgSaaSStores.workspaceStore.hydrate(),
+        pgSaaSStores.workspaceMemberStore.hydrate(),
+        pgSaaSStores.sessionStore.hydrate(),
+        pgSaaSStores.userApiKeyStore.hydrate(),
+        pgSaaSStores.subscriptionStore.hydrate(),
+        pgSaaSStores.rateLimitConfigStore.hydrate(),
+        pgSaaSStores.budgetConfigStore.hydrate(),
+        pgSaaSStores.policyStore.hydrate(),
+        mcpOAuthClientsStore.hydrate(),
+        mcpOAuthTokenStore.hydrate(),
+      ]);
+      externalSaaSStores = {
+        ...pgSaaSStores,
+        mcpOAuthClientsStore,
+        mcpOAuthTokenStore,
+      };
+      console.log('PostgreSQL SaaS stores initialized (incl. MCP OAuth)');
+    } catch (err) {
+      console.warn('PostgreSQL SaaS store init failed, using in-memory:', (err as Error).message);
+    }
+  }
+  // Validate configuration before startup
+  const configValidation = validateConfig(config);
+  for (const issue of configValidation.issues) {
+    if (issue.level === 'fatal') {
+      console.error(`[fatal] ${issue.message}`);
+    } else {
+      console.warn(`[warn] ${issue.message}`);
+    }
+  }
+  if (!configValidation.valid) {
+    console.error('Configuration validation failed. Fix the fatal errors above and restart.');
+    process.exit(1);
+  }
+  const { app, gateway, tracer, metrics, healthChecks, saasStores, proxyServer } = createApp(config, externalSaaSStores);
+  // Startup warnings
+  const isProduction = process.env.NODE_ENV === 'production';
+  if (isProduction && !process.env.REDIS_URL && !process.env.DATABASE_URL) {
+    console.warn('[warn] Running in production without REDIS_URL or DATABASE_URL. Data is stored in-memory and will be lost on restart.');
+  }
+  if (isProduction && config.approval.token_secret === 'palaryn-dev-approval-secret') {
+    console.warn('[warn] Using default approval secret in production. Set APPROVAL_SECRET env var.');
+  }
+  const policyPack = gateway.getCurrentPolicy();
+  if (policyPack.rules.length === 0) {
+    console.warn('[warn] Policy pack has no rules. All requests will be handled by default_effect (' + config.policy.default_effect + ').');
+  }
+  // Wire up Redis if REDIS_URL is set
+  if (process.env.REDIS_URL) {
+    try {
+      const Redis = (await import('ioredis')).default;
+      const redis = new Redis(process.env.REDIS_URL);
+      const { createRedisStores } = await import('../storage/redis');
+      const stores = createRedisStores(redis, 'palaryn:');
+      // Inject Redis stores into Gateway (replaces default in-memory stores)
+      gateway.setStores({
+        idempotencyStore: stores.idempotencyStore,
+        rateLimitStore: stores.rateLimitStore,
+        auditStore: stores.auditStore,
+        budgetStore: stores.budgetStore,
+        approvalStore: stores.approvalStore,
+      });
+      // Hydrate stores from Redis (restore state after restart)
+      await Promise.all([
+        stores.budgetStore.hydrate(),
+        stores.auditStore.hydrate(),
+        stores.approvalStore.hydrate(),
+      ]);
+      // Populate AuditLogger in-memory buffer from hydrated Redis store
+      gateway.getAuditLogger().hydrateFromStore();
+      // Populate BudgetManager in-memory maps from hydrated Redis store
+      gateway.getBudgetManager().hydrateFromStore();
+      // Hydrate RateLimitStore local windows from Redis
+      if (stores.rateLimitStore.hydrateAll) {
+        await stores.rateLimitStore.hydrateAll();
+      }
+      // Register Redis health check
+      healthChecks.push({
+        name: 'redis',
+        check: async () => {
+          try {
+            const result = await redis.ping();
+            return { status: result === 'PONG' ? 'ok' : 'unhealthy', message: result };
+          } catch (err) {
+            return { status: 'unhealthy', message: (err as Error).message };
+          }
+        },
+      });
+      console.log('Redis connected:', process.env.REDIS_URL);
+    } catch (err) {
+      console.warn('Redis connection failed, using in-memory stores:', (err as Error).message);
+    }
+  }
+  // Wire up PostgreSQL if DATABASE_URL is set
+  if (process.env.DATABASE_URL) {
+    try {
+      const { Pool } = await import('pg');
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { initPostgresStorage, createPostgresStores } = await import('../storage/postgres');
+      await initPostgresStorage(pool);
+      // Inject Postgres stores if Redis was not already connected (Redis takes priority)
+      if (!process.env.REDIS_URL) {
+        const pgStores = createPostgresStores(pool);
+        gateway.setStores({
+          idempotencyStore: pgStores.idempotencyStore,
+          rateLimitStore: pgStores.rateLimitStore,
+          auditStore: pgStores.auditStore,
+          budgetStore: pgStores.budgetStore,
+          approvalStore: pgStores.approvalStore,
+        });
+        // Hydrate Postgres stores (restore state after restart)
+        await Promise.all([
+          pgStores.budgetStore.hydrate(),
+          pgStores.auditStore.hydrate(),
+          pgStores.approvalStore.hydrate(),
+        ]);
+        // Populate AuditLogger in-memory buffer from hydrated Postgres store
+        gateway.getAuditLogger().hydrateFromStore();
+        // Populate BudgetManager in-memory maps from hydrated Postgres store
+        gateway.getBudgetManager().hydrateFromStore();
+      }
+      // Register Postgres health check
+      healthChecks.push({
+        name: 'postgres',
+        check: async () => {
+          try {
+            await pool.query('SELECT 1');
+            return { status: 'ok' };
+          } catch (err) {
+            return { status: 'unhealthy', message: (err as Error).message };
+          }
+        },
+      });
+      console.log('PostgreSQL connected:', process.env.DATABASE_URL.replace(/:[^:@]*@/, ':***@'));
+    } catch (err) {
+      console.warn('PostgreSQL connection failed:', (err as Error).message);
+    }
+  }
+  const server = app.listen(config.port, config.host, () => {
+    devLog.serverStart(config.host, config.port, {
+      'Policy': config.policy.pack_path,
+      'Auth': config.auth.enabled,
+      'DLP': config.dlp.enabled,
+      'Audit': config.audit.enabled,
+      'Tracing': config.tracing?.enabled || false,
+      'Redis': !!process.env.REDIS_URL,
+      'PostgreSQL': !!process.env.DATABASE_URL,
+      'OAuth': config.mcp_oauth?.enabled || config.oauth?.enabled || false,
+      'Frontend': config.frontend?.enabled || false,
+      'Proxy': config.proxy?.enabled || false,
+    });
+  });
+  // S7: Track active requests for graceful shutdown
+  let activeRequests = 0;
+  server.on('request', (_req: any, res: any) => {
+    activeRequests++;
+    const decrement = () => { activeRequests = Math.max(0, activeRequests - 1); };
+    res.on('finish', decrement);
+    res.on('close', decrement);
+  });
+  // Start forward proxy server alongside Express
+  if (proxyServer && config.proxy?.enabled) {
+    const proxyPort = config.proxy.port || 3128;
+    proxyServer.listen(proxyPort, () => {
+      console.log(`Forward proxy listening on :${proxyPort}`);
+    });
+  }
+  // Graceful shutdown
+  async function gracefulShutdown(signal: string): Promise<void> {
+    devLog.serverShutdown(signal);
+    // Force exit after timeout (configurable via SHUTDOWN_TIMEOUT_MS env var)
+    const shutdownTimeoutMs = parseInt(process.env.SHUTDOWN_TIMEOUT_MS || '', 10) || 10000;
+    const forceTimer = setTimeout(() => {
+      console.error('Forced shutdown after timeout');
+      process.exit(1);
+    }, shutdownTimeoutMs);
+    forceTimer.unref();
+    // 1. Stop accepting new connections
+    if (proxyServer) {
+      await new Promise<void>((resolve) => {
+        proxyServer!.close(() => {
+          console.log('Proxy server closed');
+          resolve();
+        });
+      });
+    }
+    server.close(() => {
+      console.log('HTTP server closed (no new connections)');
+    });
+    // S7: Wait for active requests to drain (up to 30 seconds)
+    const drainTimeout = 30_000;
+    const drainStart = Date.now();
+    while (activeRequests > 0 && (Date.now() - drainStart) < drainTimeout) {
+      await new Promise<void>((resolve) => setTimeout(resolve, 100));
+    }
+    if (activeRequests > 0) {
+      console.warn(`Shutdown: ${activeRequests} active requests still pending after ${drainTimeout}ms drain timeout, force-closing`);
+    } else {
+      console.log('All active requests drained');
+    }
+    // 2. Shut down gateway (audit logger, idempotency store, rate limiter)
+    await gateway.shutdown();
+    console.log('Gateway shut down');
+    // 3. Flush OTel traces
+    if (tracer) {
+      await tracer.shutdown();
+      console.log('Tracer flushed and shut down');
+    }
+    // 4. Flush metrics
+    metrics.reset();
+    console.log('Metrics reset');
+    console.log('Shutdown complete');
+    process.exit(0);
+  }
+  let shuttingDown = false;
+  for (const signal of ['SIGTERM', 'SIGINT']) {
+    process.on(signal, () => {
+      if (shuttingDown) return;
+      shuttingDown = true;
+      gracefulShutdown(signal).catch((err) => {
+        console.error('Shutdown error:', err);
+        process.exit(1);
+      });
+    });
+  }
+}
+// Direct execution (node dist/src/server/index.js)
+if (require.main === module) {
+  startServer().catch((err) => {
+    console.error('Failed to start gateway:', err);
+    process.exit(1);
+  });
+}

package/src/server/logger.ts ADDED Viewed

@@ -0,0 +1,255 @@
+/**
+ * Pretty console logger for Palaryn dev mode.
+ * Color-coded pipeline steps with box-drawing characters.
+ *
+ * Also exports a Winston `logger` for structured logging (JSON in production,
+ * colorized console in development).
+ */
+import winston from 'winston';
+const isProduction = process.env.NODE_ENV === 'production';
+export const logger = winston.createLogger({
+  level: process.env.LOG_LEVEL || (isProduction ? 'info' : 'debug'),
+  format: isProduction
+    ? winston.format.combine(
+        winston.format.timestamp(),
+        winston.format.json(),
+      )
+    : winston.format.combine(
+        winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss.SSS' }),
+        winston.format.colorize(),
+        winston.format.printf(({ timestamp, level, message, ...meta }) => {
+          const metaStr = Object.keys(meta).length > 0 ? ' ' + JSON.stringify(meta) : '';
+          return `${timestamp} ${level}: ${message}${metaStr}`;
+        }),
+      ),
+  transports: [
+    new winston.transports.Console(),
+  ],
+});
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+const DIM = '\x1b[2m';
+const FG = {
+  black: '\x1b[30m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  magenta: '\x1b[35m',
+  cyan: '\x1b[36m',
+  white: '\x1b[37m',
+  gray: '\x1b[90m',
+};
+const BG = {
+  red: '\x1b[41m',
+  green: '\x1b[42m',
+  yellow: '\x1b[43m',
+  blue: '\x1b[44m',
+  magenta: '\x1b[45m',
+  cyan: '\x1b[46m',
+  white: '\x1b[47m',
+};
+function timestamp(): string {
+  return new Date().toISOString().replace('T', ' ').replace('Z', '');
+}
+function tag(bg: string, fg: string, label: string): string {
+  return `${bg}${fg}${BOLD} ${label} ${RESET}`;
+}
+function indent(text: string, prefix: string = '  '): string {
+  return text.split('\n').map(l => prefix + l).join('\n');
+}
+function truncate(s: string, max: number = 200): string {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + `${DIM}... (${s.length} chars)${RESET}`;
+}
+function jsonPretty(obj: unknown, maxDepth: number = 3): string {
+  try {
+    const s = JSON.stringify(obj, null, 2);
+    return truncate(s, 500);
+  } catch {
+    return String(obj);
+  }
+}
+export const log = {
+  // ── Request lifecycle ─────────────────────────────────────
+  request(method: string, path: string, ip: string, body?: unknown) {
+    const t = timestamp();
+    console.log('');
+    console.log(`${FG.gray}${t}${RESET}`);
+    console.log(`${tag(BG.blue, FG.white, 'REQUEST')} ${BOLD}${method}${RESET} ${FG.cyan}${path}${RESET} ${DIM}from ${ip}${RESET}`);
+    if (body && Object.keys(body as Record<string, unknown>).length > 0) {
+      const b = body as Record<string, unknown>;
+      if (b.tool) {
+        const tool = b.tool as Record<string, unknown>;
+        console.log(`  ${FG.yellow}tool:${RESET} ${BOLD}${tool.name}${RESET} v${tool.version} ${DIM}[${tool.capability}]${RESET}`);
+      }
+      if (b.actor) {
+        const actor = b.actor as Record<string, unknown>;
+        console.log(`  ${FG.yellow}actor:${RESET} ${actor.id} ${DIM}(${actor.type})${RESET}`);
+      }
+      if (b.args) {
+        const args = b.args as Record<string, unknown>;
+        if (args.method && args.url) {
+          console.log(`  ${FG.yellow}target:${RESET} ${args.method} ${FG.cyan}${args.url}${RESET}`);
+        } else {
+          console.log(`  ${FG.yellow}args:${RESET} ${DIM}${truncate(JSON.stringify(args), 120)}${RESET}`);
+        }
+      }
+      if (b.tool_call_id) {
+        console.log(`  ${FG.yellow}call_id:${RESET} ${DIM}${b.tool_call_id}${RESET}`);
+      }
+    }
+  },
+  response(statusCode: number, durationMs: number, body?: unknown) {
+    const color = statusCode < 300 ? FG.green : statusCode < 400 ? FG.yellow : FG.red;
+    const bgColor = statusCode < 300 ? BG.green : statusCode < 400 ? BG.yellow : BG.red;
+    console.log(`${tag(bgColor, FG.white, 'RESPONSE')} ${color}${BOLD}${statusCode}${RESET} ${DIM}in ${durationMs}ms${RESET}`);
+    if (body) {
+      const b = body as Record<string, unknown>;
+      if (b.status) {
+        console.log(`  ${FG.yellow}status:${RESET} ${b.status === 'ok' ? FG.green : FG.red}${b.status}${RESET}`);
+      }
+      if (b.error) {
+        console.log(`  ${FG.red}error:${RESET} ${b.error}`);
+      }
+    }
+    console.log('');
+  },
+  // ── Pipeline steps ────────────────────────────────────────
+  pipelineStart(toolCallId: string, toolName: string) {
+    console.log(`${FG.gray}  ┌─────────────────────────────────────────${RESET}`);
+    console.log(`${FG.gray}  │${RESET} ${tag(BG.magenta, FG.white, 'PIPELINE')} ${BOLD}${toolName}${RESET} ${DIM}(${toolCallId})${RESET}`);
+  },
+  pipelineStep(icon: string, label: string, detail: string, color: string = FG.white) {
+    console.log(`${FG.gray}  │${RESET}  ${icon} ${BOLD}${color}${label}${RESET} ${detail}`);
+  },
+  pipelineEnd(status: string, durationMs: number) {
+    const color = status === 'ok' ? FG.green : status === 'blocked' ? FG.red : FG.yellow;
+    console.log(`${FG.gray}  │${RESET} ${tag(status === 'ok' ? BG.green : status === 'blocked' ? BG.red : BG.yellow, FG.white, 'DONE')} ${color}${BOLD}${status}${RESET} ${DIM}(${durationMs}ms)${RESET}`);
+    console.log(`${FG.gray}  └─────────────────────────────────────────${RESET}`);
+  },
+  // ── Specific pipeline stages ──────────────────────────────
+  idempotencyHit(toolCallId: string) {
+    this.pipelineStep('$', 'CACHE HIT', `${DIM}returning cached result for ${toolCallId}${RESET}`, FG.cyan);
+  },
+  idempotencyMiss() {
+    this.pipelineStep('$', 'CACHE', `${FG.green}miss${RESET} ${DIM}(new call)${RESET}`, FG.cyan);
+  },
+  rateLimit(allowed: boolean, current?: number, limit?: number, blockedBy?: string) {
+    if (allowed) {
+      this.pipelineStep('\u{1F6A6}', 'RATE LIMIT', `${FG.green}pass${RESET} ${DIM}(${current}/${limit})${RESET}`, FG.blue);
+    } else {
+      this.pipelineStep('\u{1F6A6}', 'RATE LIMIT', `${FG.red}BLOCKED${RESET} ${blockedBy}: ${current}/${limit}`, FG.red);
+    }
+  },
+  anomaly(alertCount: number, blocked: boolean) {
+    if (alertCount === 0) {
+      this.pipelineStep('\u{1F50D}', 'ANOMALY', `${FG.green}clean${RESET}`, FG.blue);
+    } else if (blocked) {
+      this.pipelineStep('\u{1F50D}', 'ANOMALY', `${FG.red}BLOCKED${RESET} (${alertCount} alerts)`, FG.red);
+    } else {
+      this.pipelineStep('\u{1F50D}', 'ANOMALY', `${FG.yellow}${alertCount} alert(s) flagged${RESET}`, FG.yellow);
+    }
+  },
+  policy(decision: string, ruleId?: string, reasons?: string[]) {
+    const color = decision === 'allow' ? FG.green : decision === 'deny' ? FG.red : decision === 'transform' ? FG.yellow : FG.magenta;
+    const icon = decision === 'allow' ? '\u{2705}' : decision === 'deny' ? '\u{274C}' : decision === 'transform' ? '\u{1F504}' : '\u{23F3}';
+    this.pipelineStep(icon, 'POLICY', `${color}${BOLD}${decision.toUpperCase()}${RESET} ${DIM}rule: ${ruleId || 'none'}${RESET}`, color);
+    if (reasons && reasons.length > 0) {
+      for (const r of reasons) {
+        console.log(`${FG.gray}  │${RESET}    ${DIM}  -> ${r}${RESET}`);
+      }
+    }
+  },
+  dlp(phase: 'args' | 'output', detected: string[], severity: string, redactionCount: number) {
+    const label = phase === 'args' ? 'DLP ARGS' : 'DLP OUTPUT';
+    if (detected.length === 0) {
+      this.pipelineStep('\u{1F6E1}\u{FE0F}', label, `${FG.green}clean${RESET}`, FG.blue);
+    } else {
+      const sevColor = severity === 'high' ? FG.red : severity === 'medium' ? FG.yellow : FG.cyan;
+      this.pipelineStep('\u{1F6E1}\u{FE0F}', label, `${sevColor}${severity}${RESET} found: ${FG.yellow}${detected.join(', ')}${RESET} ${DIM}(${redactionCount} redactions)${RESET}`, sevColor);
+    }
+  },
+  budget(allowed: boolean, estimated: number, spent: number, remaining: number, reason?: string) {
+    if (allowed) {
+      this.pipelineStep('\u{1F4B0}', 'BUDGET', `${FG.green}pass${RESET} est:$${estimated.toFixed(4)} spent:$${spent.toFixed(4)} left:$${remaining.toFixed(4)}`, FG.green);
+    } else {
+      this.pipelineStep('\u{1F4B0}', 'BUDGET', `${FG.red}BLOCKED${RESET} ${reason}`, FG.red);
+    }
+  },
+  transform(transformations: Array<{ type: string; target: string }>) {
+    for (const t of transformations) {
+      this.pipelineStep('\u{1F504}', 'TRANSFORM', `${FG.yellow}${t.type}${RESET} -> ${t.target}`, FG.yellow);
+    }
+  },
+  executing(toolName: string, target?: string) {
+    const detail = target ? `${FG.cyan}${target}${RESET}` : '';
+    this.pipelineStep('\u{26A1}', 'EXECUTE', `${BOLD}${toolName}${RESET} ${detail}`, FG.magenta);
+  },
+  executed(httpStatus: number, durationMs: number) {
+    const color = httpStatus < 300 ? FG.green : httpStatus < 400 ? FG.yellow : FG.red;
+    this.pipelineStep('\u{26A1}', 'RESULT', `${color}HTTP ${httpStatus}${RESET} ${DIM}(${durationMs}ms)${RESET}`, color);
+  },
+  executionError(error: string) {
+    this.pipelineStep('\u{1F4A5}', 'ERROR', `${FG.red}${error}${RESET}`, FG.red);
+  },
+  // ── Server lifecycle ──────────────────────────────────────
+  serverStart(host: string, port: number, config: Record<string, unknown>) {
+    console.log('');
+    console.log(`${BOLD}${FG.cyan}  ╔════════════════════════════════════════════╗${RESET}`);
+    console.log(`${BOLD}${FG.cyan}  ║${RESET}  ${BOLD}Palaryn Gateway${RESET}  ${DIM}v0.1.0${RESET}                 ${BOLD}${FG.cyan}║${RESET}`);
+    console.log(`${BOLD}${FG.cyan}  ╚════════════════════════════════════════════╝${RESET}`);
+    console.log('');
+    console.log(`  ${FG.green}${BOLD}Server:${RESET}  http://${host}:${port}`);
+    console.log(`  ${FG.green}${BOLD}Admin:${RESET}   http://${host}:${port}/admin`);
+    console.log(`  ${FG.green}${BOLD}Health:${RESET}  http://${host}:${port}/health`);
+    console.log(`  ${FG.green}${BOLD}Metrics:${RESET} http://${host}:${port}/metrics`);
+    console.log('');
+    for (const [key, val] of Object.entries(config)) {
+      const display = typeof val === 'boolean'
+        ? (val ? `${FG.green}enabled${RESET}` : `${FG.gray}disabled${RESET}`)
+        : `${FG.white}${val}${RESET}`;
+      console.log(`  ${DIM}${key}:${RESET} ${display}`);
+    }
+    console.log('');
+    console.log(`${DIM}  Waiting for requests...${RESET}`);
+    console.log('');
+  },
+  serverShutdown(signal: string) {
+    console.log('');
+    console.log(`${tag(BG.red, FG.white, 'SHUTDOWN')} ${signal} received`);
+  },
+};