npm - palaryn - Versions diffs - 0.1.0 - Mend

palaryn 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (607) hide show

package/LICENSE +21 -0
package/README.md +716 -0
package/dist/sdk/typescript/src/client.d.ts +71 -0
package/dist/sdk/typescript/src/client.d.ts.map +1 -0
package/dist/sdk/typescript/src/client.js +176 -0
package/dist/sdk/typescript/src/client.js.map +1 -0
package/dist/sdk/typescript/src/errors.d.ts +50 -0
package/dist/sdk/typescript/src/errors.d.ts.map +1 -0
package/dist/sdk/typescript/src/errors.js +103 -0
package/dist/sdk/typescript/src/errors.js.map +1 -0
package/dist/sdk/typescript/src/index.d.ts +4 -0
package/dist/sdk/typescript/src/index.d.ts.map +1 -0
package/dist/sdk/typescript/src/index.js +15 -0
package/dist/sdk/typescript/src/index.js.map +1 -0
package/dist/sdk/typescript/src/types.d.ts +101 -0
package/dist/sdk/typescript/src/types.d.ts.map +1 -0
package/dist/sdk/typescript/src/types.js +6 -0
package/dist/sdk/typescript/src/types.js.map +1 -0
package/dist/src/admin/index.d.ts +2 -0
package/dist/src/admin/index.d.ts.map +1 -0
package/dist/src/admin/index.js +6 -0
package/dist/src/admin/index.js.map +1 -0
package/dist/src/admin/routes.d.ts +5 -0
package/dist/src/admin/routes.d.ts.map +1 -0
package/dist/src/admin/routes.js +471 -0
package/dist/src/admin/routes.js.map +1 -0
package/dist/src/admin/templates.d.ts +51 -0
package/dist/src/admin/templates.d.ts.map +1 -0
package/dist/src/admin/templates.js +500 -0
package/dist/src/admin/templates.js.map +1 -0
package/dist/src/anomaly/detector.d.ts +141 -0
package/dist/src/anomaly/detector.d.ts.map +1 -0
package/dist/src/anomaly/detector.js +554 -0
package/dist/src/anomaly/detector.js.map +1 -0
package/dist/src/anomaly/index.d.ts +2 -0
package/dist/src/anomaly/index.d.ts.map +1 -0
package/dist/src/anomaly/index.js +7 -0
package/dist/src/anomaly/index.js.map +1 -0
package/dist/src/approval/manager.d.ts +147 -0
package/dist/src/approval/manager.d.ts.map +1 -0
package/dist/src/approval/manager.js +511 -0
package/dist/src/approval/manager.js.map +1 -0
package/dist/src/approval/webhook.d.ts +36 -0
package/dist/src/approval/webhook.d.ts.map +1 -0
package/dist/src/approval/webhook.js +135 -0
package/dist/src/approval/webhook.js.map +1 -0
package/dist/src/audit/logger.d.ts +70 -0
package/dist/src/audit/logger.d.ts.map +1 -0
package/dist/src/audit/logger.js +440 -0
package/dist/src/audit/logger.js.map +1 -0
package/dist/src/auth/index.d.ts +6 -0
package/dist/src/auth/index.d.ts.map +1 -0
package/dist/src/auth/index.js +22 -0
package/dist/src/auth/index.js.map +1 -0
package/dist/src/auth/password.d.ts +3 -0
package/dist/src/auth/password.d.ts.map +1 -0
package/dist/src/auth/password.js +25 -0
package/dist/src/auth/password.js.map +1 -0
package/dist/src/auth/pkce.d.ts +13 -0
package/dist/src/auth/pkce.d.ts.map +1 -0
package/dist/src/auth/pkce.js +58 -0
package/dist/src/auth/pkce.js.map +1 -0
package/dist/src/auth/providers.d.ts +28 -0
package/dist/src/auth/providers.d.ts.map +1 -0
package/dist/src/auth/providers.js +198 -0
package/dist/src/auth/providers.js.map +1 -0
package/dist/src/auth/routes.d.ts +14 -0
package/dist/src/auth/routes.d.ts.map +1 -0
package/dist/src/auth/routes.js +431 -0
package/dist/src/auth/routes.js.map +1 -0
package/dist/src/auth/session.d.ts +24 -0
package/dist/src/auth/session.d.ts.map +1 -0
package/dist/src/auth/session.js +105 -0
package/dist/src/auth/session.js.map +1 -0
package/dist/src/billing/index.d.ts +7 -0
package/dist/src/billing/index.d.ts.map +1 -0
package/dist/src/billing/index.js +14 -0
package/dist/src/billing/index.js.map +1 -0
package/dist/src/billing/plan-enforcer.d.ts +44 -0
package/dist/src/billing/plan-enforcer.d.ts.map +1 -0
package/dist/src/billing/plan-enforcer.js +110 -0
package/dist/src/billing/plan-enforcer.js.map +1 -0
package/dist/src/billing/routes.d.ts +15 -0
package/dist/src/billing/routes.d.ts.map +1 -0
package/dist/src/billing/routes.js +193 -0
package/dist/src/billing/routes.js.map +1 -0
package/dist/src/billing/stripe-client.d.ts +14 -0
package/dist/src/billing/stripe-client.d.ts.map +1 -0
package/dist/src/billing/stripe-client.js +51 -0
package/dist/src/billing/stripe-client.js.map +1 -0
package/dist/src/billing/webhook-handler.d.ts +19 -0
package/dist/src/billing/webhook-handler.d.ts.map +1 -0
package/dist/src/billing/webhook-handler.js +169 -0
package/dist/src/billing/webhook-handler.js.map +1 -0
package/dist/src/billing/webhook-routes.d.ts +5 -0
package/dist/src/billing/webhook-routes.d.ts.map +1 -0
package/dist/src/billing/webhook-routes.js +30 -0
package/dist/src/billing/webhook-routes.js.map +1 -0
package/dist/src/budget/manager.d.ts +95 -0
package/dist/src/budget/manager.d.ts.map +1 -0
package/dist/src/budget/manager.js +547 -0
package/dist/src/budget/manager.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +38 -0
package/dist/src/budget/usage-extractor.d.ts.map +1 -0
package/dist/src/budget/usage-extractor.js +165 -0
package/dist/src/budget/usage-extractor.js.map +1 -0
package/dist/src/cli.d.ts +3 -0
package/dist/src/cli.d.ts.map +1 -0
package/dist/src/cli.js +115 -0
package/dist/src/cli.js.map +1 -0
package/dist/src/config/defaults.d.ts +3 -0
package/dist/src/config/defaults.d.ts.map +1 -0
package/dist/src/config/defaults.js +243 -0
package/dist/src/config/defaults.js.map +1 -0
package/dist/src/config/validate.d.ts +15 -0
package/dist/src/config/validate.d.ts.map +1 -0
package/dist/src/config/validate.js +105 -0
package/dist/src/config/validate.js.map +1 -0
package/dist/src/dlp/composite-scanner.d.ts +47 -0
package/dist/src/dlp/composite-scanner.d.ts.map +1 -0
package/dist/src/dlp/composite-scanner.js +186 -0
package/dist/src/dlp/composite-scanner.js.map +1 -0
package/dist/src/dlp/index.d.ts +10 -0
package/dist/src/dlp/index.d.ts.map +1 -0
package/dist/src/dlp/index.js +26 -0
package/dist/src/dlp/index.js.map +1 -0
package/dist/src/dlp/interfaces.d.ts +33 -0
package/dist/src/dlp/interfaces.d.ts.map +1 -0
package/dist/src/dlp/interfaces.js +3 -0
package/dist/src/dlp/interfaces.js.map +1 -0
package/dist/src/dlp/patterns.d.ts +9 -0
package/dist/src/dlp/patterns.d.ts.map +1 -0
package/dist/src/dlp/patterns.js +25 -0
package/dist/src/dlp/patterns.js.map +1 -0
package/dist/src/dlp/prompt-injection-backend.d.ts +68 -0
package/dist/src/dlp/prompt-injection-backend.d.ts.map +1 -0
package/dist/src/dlp/prompt-injection-backend.js +148 -0
package/dist/src/dlp/prompt-injection-backend.js.map +1 -0
package/dist/src/dlp/prompt-injection-patterns.d.ts +32 -0
package/dist/src/dlp/prompt-injection-patterns.d.ts.map +1 -0
package/dist/src/dlp/prompt-injection-patterns.js +290 -0
package/dist/src/dlp/prompt-injection-patterns.js.map +1 -0
package/dist/src/dlp/regex-backend.d.ts +32 -0
package/dist/src/dlp/regex-backend.d.ts.map +1 -0
package/dist/src/dlp/regex-backend.js +153 -0
package/dist/src/dlp/regex-backend.js.map +1 -0
package/dist/src/dlp/scanner.d.ts +122 -0
package/dist/src/dlp/scanner.d.ts.map +1 -0
package/dist/src/dlp/scanner.js +444 -0
package/dist/src/dlp/scanner.js.map +1 -0
package/dist/src/dlp/text-normalizer.d.ts +41 -0
package/dist/src/dlp/text-normalizer.d.ts.map +1 -0
package/dist/src/dlp/text-normalizer.js +203 -0
package/dist/src/dlp/text-normalizer.js.map +1 -0
package/dist/src/dlp/trufflehog-backend.d.ts +64 -0
package/dist/src/dlp/trufflehog-backend.d.ts.map +1 -0
package/dist/src/dlp/trufflehog-backend.js +151 -0
package/dist/src/dlp/trufflehog-backend.js.map +1 -0
package/dist/src/executor/http-executor.d.ts +25 -0
package/dist/src/executor/http-executor.d.ts.map +1 -0
package/dist/src/executor/http-executor.js +333 -0
package/dist/src/executor/http-executor.js.map +1 -0
package/dist/src/executor/index.d.ts +6 -0
package/dist/src/executor/index.d.ts.map +1 -0
package/dist/src/executor/index.js +12 -0
package/dist/src/executor/index.js.map +1 -0
package/dist/src/executor/interfaces.d.ts +11 -0
package/dist/src/executor/interfaces.d.ts.map +1 -0
package/dist/src/executor/interfaces.js +3 -0
package/dist/src/executor/interfaces.js.map +1 -0
package/dist/src/executor/noop-executor.d.ts +13 -0
package/dist/src/executor/noop-executor.d.ts.map +1 -0
package/dist/src/executor/noop-executor.js +21 -0
package/dist/src/executor/noop-executor.js.map +1 -0
package/dist/src/executor/registry.d.ts +30 -0
package/dist/src/executor/registry.d.ts.map +1 -0
package/dist/src/executor/registry.js +62 -0
package/dist/src/executor/registry.js.map +1 -0
package/dist/src/executor/slack-executor.d.ts +24 -0
package/dist/src/executor/slack-executor.d.ts.map +1 -0
package/dist/src/executor/slack-executor.js +147 -0
package/dist/src/executor/slack-executor.js.map +1 -0
package/dist/src/index.d.ts +25 -0
package/dist/src/index.d.ts.map +1 -0
package/dist/src/index.js +74 -0
package/dist/src/index.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts +23 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -0
package/dist/src/mcp/auth-verifier.js +162 -0
package/dist/src/mcp/auth-verifier.js.map +1 -0
package/dist/src/mcp/bridge.d.ts +132 -0
package/dist/src/mcp/bridge.d.ts.map +1 -0
package/dist/src/mcp/bridge.js +734 -0
package/dist/src/mcp/bridge.js.map +1 -0
package/dist/src/mcp/http-transport.d.ts +32 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -0
package/dist/src/mcp/http-transport.js +538 -0
package/dist/src/mcp/http-transport.js.map +1 -0
package/dist/src/mcp/index.d.ts +10 -0
package/dist/src/mcp/index.d.ts.map +1 -0
package/dist/src/mcp/index.js +17 -0
package/dist/src/mcp/index.js.map +1 -0
package/dist/src/mcp/oauth-pages.d.ts +23 -0
package/dist/src/mcp/oauth-pages.d.ts.map +1 -0
package/dist/src/mcp/oauth-pages.js +121 -0
package/dist/src/mcp/oauth-pages.js.map +1 -0
package/dist/src/mcp/oauth-postgres-stores.d.ts +55 -0
package/dist/src/mcp/oauth-postgres-stores.d.ts.map +1 -0
package/dist/src/mcp/oauth-postgres-stores.js +226 -0
package/dist/src/mcp/oauth-postgres-stores.js.map +1 -0
package/dist/src/mcp/oauth-provider.d.ts +95 -0
package/dist/src/mcp/oauth-provider.d.ts.map +1 -0
package/dist/src/mcp/oauth-provider.js +360 -0
package/dist/src/mcp/oauth-provider.js.map +1 -0
package/dist/src/mcp/oauth-stores.d.ts +62 -0
package/dist/src/mcp/oauth-stores.d.ts.map +1 -0
package/dist/src/mcp/oauth-stores.js +154 -0
package/dist/src/mcp/oauth-stores.js.map +1 -0
package/dist/src/mcp/server.d.ts +18 -0
package/dist/src/mcp/server.d.ts.map +1 -0
package/dist/src/mcp/server.js +51 -0
package/dist/src/mcp/server.js.map +1 -0
package/dist/src/metrics/collector.d.ts +106 -0
package/dist/src/metrics/collector.d.ts.map +1 -0
package/dist/src/metrics/collector.js +311 -0
package/dist/src/metrics/collector.js.map +1 -0
package/dist/src/metrics/index.d.ts +2 -0
package/dist/src/metrics/index.d.ts.map +1 -0
package/dist/src/metrics/index.js +6 -0
package/dist/src/metrics/index.js.map +1 -0
package/dist/src/middleware/auth.d.ts +77 -0
package/dist/src/middleware/auth.d.ts.map +1 -0
package/dist/src/middleware/auth.js +720 -0
package/dist/src/middleware/auth.js.map +1 -0
package/dist/src/middleware/session.d.ts +18 -0
package/dist/src/middleware/session.d.ts.map +1 -0
package/dist/src/middleware/session.js +67 -0
package/dist/src/middleware/session.js.map +1 -0
package/dist/src/middleware/validate.d.ts +3 -0
package/dist/src/middleware/validate.d.ts.map +1 -0
package/dist/src/middleware/validate.js +85 -0
package/dist/src/middleware/validate.js.map +1 -0
package/dist/src/policy/engine.d.ts +107 -0
package/dist/src/policy/engine.d.ts.map +1 -0
package/dist/src/policy/engine.js +646 -0
package/dist/src/policy/engine.js.map +1 -0
package/dist/src/policy/index.d.ts +3 -0
package/dist/src/policy/index.d.ts.map +1 -0
package/dist/src/policy/index.js +8 -0
package/dist/src/policy/index.js.map +1 -0
package/dist/src/policy/opa-engine.d.ts +176 -0
package/dist/src/policy/opa-engine.d.ts.map +1 -0
package/dist/src/policy/opa-engine.js +790 -0
package/dist/src/policy/opa-engine.js.map +1 -0
package/dist/src/proxy/forward-proxy.d.ts +30 -0
package/dist/src/proxy/forward-proxy.d.ts.map +1 -0
package/dist/src/proxy/forward-proxy.js +580 -0
package/dist/src/proxy/forward-proxy.js.map +1 -0
package/dist/src/proxy/index.d.ts +2 -0
package/dist/src/proxy/index.d.ts.map +1 -0
package/dist/src/proxy/index.js +8 -0
package/dist/src/proxy/index.js.map +1 -0
package/dist/src/ratelimit/limiter.d.ts +45 -0
package/dist/src/ratelimit/limiter.d.ts.map +1 -0
package/dist/src/ratelimit/limiter.js +158 -0
package/dist/src/ratelimit/limiter.js.map +1 -0
package/dist/src/replay/engine.d.ts +40 -0
package/dist/src/replay/engine.d.ts.map +1 -0
package/dist/src/replay/engine.js +106 -0
package/dist/src/replay/engine.js.map +1 -0
package/dist/src/replay/index.d.ts +2 -0
package/dist/src/replay/index.d.ts.map +1 -0
package/dist/src/replay/index.js +6 -0
package/dist/src/replay/index.js.map +1 -0
package/dist/src/saas/index.d.ts +2 -0
package/dist/src/saas/index.d.ts.map +1 -0
package/dist/src/saas/index.js +18 -0
package/dist/src/saas/index.js.map +1 -0
package/dist/src/saas/routes.d.ts +18 -0
package/dist/src/saas/routes.d.ts.map +1 -0
package/dist/src/saas/routes.js +1566 -0
package/dist/src/saas/routes.js.map +1 -0
package/dist/src/server/app.d.ts +44 -0
package/dist/src/server/app.d.ts.map +1 -0
package/dist/src/server/app.js +854 -0
package/dist/src/server/app.js.map +1 -0
package/dist/src/server/errors.d.ts +32 -0
package/dist/src/server/errors.d.ts.map +1 -0
package/dist/src/server/errors.js +39 -0
package/dist/src/server/errors.js.map +1 -0
package/dist/src/server/gateway.d.ts +165 -0
package/dist/src/server/gateway.d.ts.map +1 -0
package/dist/src/server/gateway.js +964 -0
package/dist/src/server/gateway.js.map +1 -0
package/dist/src/server/index.d.ts +2 -0
package/dist/src/server/index.d.ts.map +1 -0
package/dist/src/server/index.js +295 -0
package/dist/src/server/index.js.map +1 -0
package/dist/src/server/logger.d.ts +33 -0
package/dist/src/server/logger.d.ts.map +1 -0
package/dist/src/server/logger.js +230 -0
package/dist/src/server/logger.js.map +1 -0
package/dist/src/server/stream-proxy.d.ts +32 -0
package/dist/src/server/stream-proxy.d.ts.map +1 -0
package/dist/src/server/stream-proxy.js +184 -0
package/dist/src/server/stream-proxy.js.map +1 -0
package/dist/src/storage/file-persistence.d.ts +48 -0
package/dist/src/storage/file-persistence.d.ts.map +1 -0
package/dist/src/storage/file-persistence.js +280 -0
package/dist/src/storage/file-persistence.js.map +1 -0
package/dist/src/storage/index.d.ts +5 -0
package/dist/src/storage/index.d.ts.map +1 -0
package/dist/src/storage/index.js +21 -0
package/dist/src/storage/index.js.map +1 -0
package/dist/src/storage/interfaces.d.ts +237 -0
package/dist/src/storage/interfaces.d.ts.map +1 -0
package/dist/src/storage/interfaces.js +3 -0
package/dist/src/storage/interfaces.js.map +1 -0
package/dist/src/storage/memory.d.ts +162 -0
package/dist/src/storage/memory.d.ts.map +1 -0
package/dist/src/storage/memory.js +603 -0
package/dist/src/storage/memory.js.map +1 -0
package/dist/src/storage/postgres.d.ts +267 -0
package/dist/src/storage/postgres.d.ts.map +1 -0
package/dist/src/storage/postgres.js +1555 -0
package/dist/src/storage/postgres.js.map +1 -0
package/dist/src/storage/redis.d.ts +202 -0
package/dist/src/storage/redis.d.ts.map +1 -0
package/dist/src/storage/redis.js +629 -0
package/dist/src/storage/redis.js.map +1 -0
package/dist/src/tracing/index.d.ts +2 -0
package/dist/src/tracing/index.d.ts.map +1 -0
package/dist/src/tracing/index.js +6 -0
package/dist/src/tracing/index.js.map +1 -0
package/dist/src/tracing/provider.d.ts +43 -0
package/dist/src/tracing/provider.d.ts.map +1 -0
package/dist/src/tracing/provider.js +74 -0
package/dist/src/tracing/provider.js.map +1 -0
package/dist/src/trust/calculator.d.ts +54 -0
package/dist/src/trust/calculator.d.ts.map +1 -0
package/dist/src/trust/calculator.js +102 -0
package/dist/src/trust/calculator.js.map +1 -0
package/dist/src/trust/index.d.ts +2 -0
package/dist/src/trust/index.d.ts.map +1 -0
package/dist/src/trust/index.js +7 -0
package/dist/src/trust/index.js.map +1 -0
package/dist/src/types/budget.d.ts +30 -0
package/dist/src/types/budget.d.ts.map +1 -0
package/dist/src/types/budget.js +3 -0
package/dist/src/types/budget.js.map +1 -0
package/dist/src/types/config.d.ts +176 -0
package/dist/src/types/config.d.ts.map +1 -0
package/dist/src/types/config.js +3 -0
package/dist/src/types/config.js.map +1 -0
package/dist/src/types/events.d.ts +24 -0
package/dist/src/types/events.d.ts.map +1 -0
package/dist/src/types/events.js +3 -0
package/dist/src/types/events.js.map +1 -0
package/dist/src/types/index.d.ts +8 -0
package/dist/src/types/index.d.ts.map +1 -0
package/dist/src/types/index.js +24 -0
package/dist/src/types/index.js.map +1 -0
package/dist/src/types/policy.d.ts +60 -0
package/dist/src/types/policy.d.ts.map +1 -0
package/dist/src/types/policy.js +3 -0
package/dist/src/types/policy.js.map +1 -0
package/dist/src/types/stripe-config.d.ts +12 -0
package/dist/src/types/stripe-config.d.ts.map +1 -0
package/dist/src/types/stripe-config.js +3 -0
package/dist/src/types/stripe-config.js.map +1 -0
package/dist/src/types/subscription.d.ts +24 -0
package/dist/src/types/subscription.d.ts.map +1 -0
package/dist/src/types/subscription.js +38 -0
package/dist/src/types/subscription.js.map +1 -0
package/dist/src/types/tool-call.d.ts +42 -0
package/dist/src/types/tool-call.d.ts.map +1 -0
package/dist/src/types/tool-call.js +3 -0
package/dist/src/types/tool-call.js.map +1 -0
package/dist/src/types/tool-result.d.ts +58 -0
package/dist/src/types/tool-result.d.ts.map +1 -0
package/dist/src/types/tool-result.js +3 -0
package/dist/src/types/tool-result.js.map +1 -0
package/dist/src/types/user.d.ts +101 -0
package/dist/src/types/user.d.ts.map +1 -0
package/dist/src/types/user.js +6 -0
package/dist/src/types/user.js.map +1 -0
package/dist/tests/integration/api.test.d.ts +2 -0
package/dist/tests/integration/api.test.d.ts.map +1 -0
package/dist/tests/integration/api.test.js +1199 -0
package/dist/tests/integration/api.test.js.map +1 -0
package/dist/tests/integration/proxy.test.d.ts +2 -0
package/dist/tests/integration/proxy.test.d.ts.map +1 -0
package/dist/tests/integration/proxy.test.js +251 -0
package/dist/tests/integration/proxy.test.js.map +1 -0
package/dist/tests/integration/storage.test.d.ts +16 -0
package/dist/tests/integration/storage.test.d.ts.map +1 -0
package/dist/tests/integration/storage.test.js +826 -0
package/dist/tests/integration/storage.test.js.map +1 -0
package/dist/tests/unit/admin.test.d.ts +2 -0
package/dist/tests/unit/admin.test.d.ts.map +1 -0
package/dist/tests/unit/admin.test.js +698 -0
package/dist/tests/unit/admin.test.js.map +1 -0
package/dist/tests/unit/anomaly-detector.test.d.ts +2 -0
package/dist/tests/unit/anomaly-detector.test.d.ts.map +1 -0
package/dist/tests/unit/anomaly-detector.test.js +903 -0
package/dist/tests/unit/anomaly-detector.test.js.map +1 -0
package/dist/tests/unit/approval-manager.test.d.ts +2 -0
package/dist/tests/unit/approval-manager.test.d.ts.map +1 -0
package/dist/tests/unit/approval-manager.test.js +528 -0
package/dist/tests/unit/approval-manager.test.js.map +1 -0
package/dist/tests/unit/approval-webhook.test.d.ts +2 -0
package/dist/tests/unit/approval-webhook.test.d.ts.map +1 -0
package/dist/tests/unit/approval-webhook.test.js +355 -0
package/dist/tests/unit/approval-webhook.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.d.ts +2 -0
package/dist/tests/unit/audit-logger.test.d.ts.map +1 -0
package/dist/tests/unit/audit-logger.test.js +635 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -0
package/dist/tests/unit/auth-routes.test.d.ts +2 -0
package/dist/tests/unit/auth-routes.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes.test.js +281 -0
package/dist/tests/unit/auth-routes.test.js.map +1 -0
package/dist/tests/unit/auth.test.d.ts +2 -0
package/dist/tests/unit/auth.test.d.ts.map +1 -0
package/dist/tests/unit/auth.test.js +1382 -0
package/dist/tests/unit/auth.test.js.map +1 -0
package/dist/tests/unit/billing.test.d.ts +2 -0
package/dist/tests/unit/billing.test.d.ts.map +1 -0
package/dist/tests/unit/billing.test.js +579 -0
package/dist/tests/unit/billing.test.js.map +1 -0
package/dist/tests/unit/budget-manager.test.d.ts +2 -0
package/dist/tests/unit/budget-manager.test.d.ts.map +1 -0
package/dist/tests/unit/budget-manager.test.js +778 -0
package/dist/tests/unit/budget-manager.test.js.map +1 -0
package/dist/tests/unit/budget-race.test.d.ts +2 -0
package/dist/tests/unit/budget-race.test.d.ts.map +1 -0
package/dist/tests/unit/budget-race.test.js +58 -0
package/dist/tests/unit/budget-race.test.js.map +1 -0
package/dist/tests/unit/cli.test.d.ts +2 -0
package/dist/tests/unit/cli.test.d.ts.map +1 -0
package/dist/tests/unit/cli.test.js +93 -0
package/dist/tests/unit/cli.test.js.map +1 -0
package/dist/tests/unit/concurrency.test.d.ts +2 -0
package/dist/tests/unit/concurrency.test.d.ts.map +1 -0
package/dist/tests/unit/concurrency.test.js +1270 -0
package/dist/tests/unit/concurrency.test.js.map +1 -0
package/dist/tests/unit/config-validate.test.d.ts +2 -0
package/dist/tests/unit/config-validate.test.d.ts.map +1 -0
package/dist/tests/unit/config-validate.test.js +230 -0
package/dist/tests/unit/config-validate.test.js.map +1 -0
package/dist/tests/unit/defaults.test.d.ts +2 -0
package/dist/tests/unit/defaults.test.d.ts.map +1 -0
package/dist/tests/unit/defaults.test.js +364 -0
package/dist/tests/unit/defaults.test.js.map +1 -0
package/dist/tests/unit/dlp-backends.test.d.ts +2 -0
package/dist/tests/unit/dlp-backends.test.d.ts.map +1 -0
package/dist/tests/unit/dlp-backends.test.js +563 -0
package/dist/tests/unit/dlp-backends.test.js.map +1 -0
package/dist/tests/unit/dlp-scanner.test.d.ts +2 -0
package/dist/tests/unit/dlp-scanner.test.d.ts.map +1 -0
package/dist/tests/unit/dlp-scanner.test.js +739 -0
package/dist/tests/unit/dlp-scanner.test.js.map +1 -0
package/dist/tests/unit/error-responses.test.d.ts +2 -0
package/dist/tests/unit/error-responses.test.d.ts.map +1 -0
package/dist/tests/unit/error-responses.test.js +101 -0
package/dist/tests/unit/error-responses.test.js.map +1 -0
package/dist/tests/unit/executor-registry.test.d.ts +2 -0
package/dist/tests/unit/executor-registry.test.d.ts.map +1 -0
package/dist/tests/unit/executor-registry.test.js +390 -0
package/dist/tests/unit/executor-registry.test.js.map +1 -0
package/dist/tests/unit/forward-proxy.test.d.ts +2 -0
package/dist/tests/unit/forward-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/forward-proxy.test.js +621 -0
package/dist/tests/unit/forward-proxy.test.js.map +1 -0
package/dist/tests/unit/gateway-features.test.d.ts +2 -0
package/dist/tests/unit/gateway-features.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-features.test.js +753 -0
package/dist/tests/unit/gateway-features.test.js.map +1 -0
package/dist/tests/unit/http-executor.test.d.ts +2 -0
package/dist/tests/unit/http-executor.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor.test.js +310 -0
package/dist/tests/unit/http-executor.test.js.map +1 -0
package/dist/tests/unit/mcp-bridge.test.d.ts +2 -0
package/dist/tests/unit/mcp-bridge.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-bridge.test.js +1136 -0
package/dist/tests/unit/mcp-bridge.test.js.map +1 -0
package/dist/tests/unit/mcp-http-transport.test.d.ts +2 -0
package/dist/tests/unit/mcp-http-transport.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-http-transport.test.js +899 -0
package/dist/tests/unit/mcp-http-transport.test.js.map +1 -0
package/dist/tests/unit/mcp-oauth.test.d.ts +2 -0
package/dist/tests/unit/mcp-oauth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-oauth.test.js +759 -0
package/dist/tests/unit/mcp-oauth.test.js.map +1 -0
package/dist/tests/unit/mcp-server.test.d.ts +15 -0
package/dist/tests/unit/mcp-server.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-server.test.js +158 -0
package/dist/tests/unit/mcp-server.test.js.map +1 -0
package/dist/tests/unit/metrics.test.d.ts +2 -0
package/dist/tests/unit/metrics.test.d.ts.map +1 -0
package/dist/tests/unit/metrics.test.js +208 -0
package/dist/tests/unit/metrics.test.js.map +1 -0
package/dist/tests/unit/oauth.test.d.ts +2 -0
package/dist/tests/unit/oauth.test.d.ts.map +1 -0
package/dist/tests/unit/oauth.test.js +281 -0
package/dist/tests/unit/oauth.test.js.map +1 -0
package/dist/tests/unit/opa-circuit-breaker.test.d.ts +2 -0
package/dist/tests/unit/opa-circuit-breaker.test.d.ts.map +1 -0
package/dist/tests/unit/opa-circuit-breaker.test.js +297 -0
package/dist/tests/unit/opa-circuit-breaker.test.js.map +1 -0
package/dist/tests/unit/opa-engine.test.d.ts +2 -0
package/dist/tests/unit/opa-engine.test.d.ts.map +1 -0
package/dist/tests/unit/opa-engine.test.js +1813 -0
package/dist/tests/unit/opa-engine.test.js.map +1 -0
package/dist/tests/unit/pipeline-timing.test.d.ts +2 -0
package/dist/tests/unit/pipeline-timing.test.d.ts.map +1 -0
package/dist/tests/unit/pipeline-timing.test.js +528 -0
package/dist/tests/unit/pipeline-timing.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.d.ts +2 -0
package/dist/tests/unit/policy-engine.test.d.ts.map +1 -0
package/dist/tests/unit/policy-engine.test.js +1345 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -0
package/dist/tests/unit/policy-store.test.d.ts +2 -0
package/dist/tests/unit/policy-store.test.d.ts.map +1 -0
package/dist/tests/unit/policy-store.test.js +60 -0
package/dist/tests/unit/policy-store.test.js.map +1 -0
package/dist/tests/unit/postgres-storage.test.d.ts +2 -0
package/dist/tests/unit/postgres-storage.test.d.ts.map +1 -0
package/dist/tests/unit/postgres-storage.test.js +614 -0
package/dist/tests/unit/postgres-storage.test.js.map +1 -0
package/dist/tests/unit/prompt-injection-backend.test.d.ts +2 -0
package/dist/tests/unit/prompt-injection-backend.test.d.ts.map +1 -0
package/dist/tests/unit/prompt-injection-backend.test.js +621 -0
package/dist/tests/unit/prompt-injection-backend.test.js.map +1 -0
package/dist/tests/unit/proxy-hardening.test.d.ts +2 -0
package/dist/tests/unit/proxy-hardening.test.d.ts.map +1 -0
package/dist/tests/unit/proxy-hardening.test.js +166 -0
package/dist/tests/unit/proxy-hardening.test.js.map +1 -0
package/dist/tests/unit/rate-limiter.test.d.ts +2 -0
package/dist/tests/unit/rate-limiter.test.d.ts.map +1 -0
package/dist/tests/unit/rate-limiter.test.js +443 -0
package/dist/tests/unit/rate-limiter.test.js.map +1 -0
package/dist/tests/unit/redis-storage.test.d.ts +2 -0
package/dist/tests/unit/redis-storage.test.d.ts.map +1 -0
package/dist/tests/unit/redis-storage.test.js +766 -0
package/dist/tests/unit/redis-storage.test.js.map +1 -0
package/dist/tests/unit/replay-engine.test.d.ts +2 -0
package/dist/tests/unit/replay-engine.test.d.ts.map +1 -0
package/dist/tests/unit/replay-engine.test.js +371 -0
package/dist/tests/unit/replay-engine.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.d.ts +2 -0
package/dist/tests/unit/saas-routes.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes.test.js +1399 -0
package/dist/tests/unit/saas-routes.test.js.map +1 -0
package/dist/tests/unit/session.test.d.ts +2 -0
package/dist/tests/unit/session.test.d.ts.map +1 -0
package/dist/tests/unit/session.test.js +532 -0
package/dist/tests/unit/session.test.js.map +1 -0
package/dist/tests/unit/slack-executor.test.d.ts +2 -0
package/dist/tests/unit/slack-executor.test.d.ts.map +1 -0
package/dist/tests/unit/slack-executor.test.js +209 -0
package/dist/tests/unit/slack-executor.test.js.map +1 -0
package/dist/tests/unit/storage-hardening.test.d.ts +2 -0
package/dist/tests/unit/storage-hardening.test.d.ts.map +1 -0
package/dist/tests/unit/storage-hardening.test.js +165 -0
package/dist/tests/unit/storage-hardening.test.js.map +1 -0
package/dist/tests/unit/storage.test.d.ts +2 -0
package/dist/tests/unit/storage.test.d.ts.map +1 -0
package/dist/tests/unit/storage.test.js +698 -0
package/dist/tests/unit/storage.test.js.map +1 -0
package/dist/tests/unit/text-normalizer.test.d.ts +2 -0
package/dist/tests/unit/text-normalizer.test.d.ts.map +1 -0
package/dist/tests/unit/text-normalizer.test.js +229 -0
package/dist/tests/unit/text-normalizer.test.js.map +1 -0
package/dist/tests/unit/tracing.test.d.ts +2 -0
package/dist/tests/unit/tracing.test.d.ts.map +1 -0
package/dist/tests/unit/tracing.test.js +611 -0
package/dist/tests/unit/tracing.test.js.map +1 -0
package/dist/tests/unit/trust-calculator.test.d.ts +2 -0
package/dist/tests/unit/trust-calculator.test.d.ts.map +1 -0
package/dist/tests/unit/trust-calculator.test.js +497 -0
package/dist/tests/unit/trust-calculator.test.js.map +1 -0
package/dist/tests/unit/ts-sdk.test.d.ts +2 -0
package/dist/tests/unit/ts-sdk.test.d.ts.map +1 -0
package/dist/tests/unit/ts-sdk.test.js +421 -0
package/dist/tests/unit/ts-sdk.test.js.map +1 -0
package/dist/tests/unit/usage-extractor-llm.test.d.ts +2 -0
package/dist/tests/unit/usage-extractor-llm.test.d.ts.map +1 -0
package/dist/tests/unit/usage-extractor-llm.test.js +139 -0
package/dist/tests/unit/usage-extractor-llm.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.d.ts +2 -0
package/dist/tests/unit/usage-extractor.test.d.ts.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +271 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -0
package/dist/tests/unit/user-stores.test.d.ts +2 -0
package/dist/tests/unit/user-stores.test.d.ts.map +1 -0
package/dist/tests/unit/user-stores.test.js +687 -0
package/dist/tests/unit/user-stores.test.js.map +1 -0
package/dist/tests/unit/validate.test.d.ts +2 -0
package/dist/tests/unit/validate.test.d.ts.map +1 -0
package/dist/tests/unit/validate.test.js +545 -0
package/dist/tests/unit/validate.test.js.map +1 -0
package/package.json +86 -0
package/policy-packs/README.md +42 -0
package/policy-packs/default.yaml +46 -0
package/policy-packs/dev_fast.yaml +54 -0
package/policy-packs/prod_strict.yaml +83 -0

package/dist/tests/unit/forward-proxy.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"forward-proxy.test.d.ts","sourceRoot":"","sources":["../../../tests/unit/forward-proxy.test.ts"],"names":[],"mappings":""}

package/dist/tests/unit/forward-proxy.test.js ADDED Viewed

@@ -0,0 +1,621 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const http = __importStar(require("http"));
+const proxy_1 = require("../../src/proxy");
+const auth_1 = require("../../src/middleware/auth");
+// ---------------------------------------------------------------------------
+// buildToolCallFromProxy tests
+// ---------------------------------------------------------------------------
+describe('buildToolCallFromProxy', () => {
+    it('should build a ToolCall from a GET request', () => {
+        const tc = (0, proxy_1.buildToolCallFromProxy)('GET', 'http://api.example.com/v1/data?q=test', { 'accept': 'application/json', 'host': 'api.example.com' }, undefined, 'ws_123', 'agent_456');
+        expect(tc.tool.name).toBe('http.get');
+        expect(tc.tool.capability).toBe('read');
+        expect(tc.args.method).toBe('GET');
+        expect(tc.args.url).toBe('http://api.example.com/v1/data?q=test');
+        expect(tc.workspace_id).toBe('ws_123');
+        expect(tc.actor.id).toBe('agent_456');
+        expect(tc.actor.type).toBe('agent');
+        expect(tc.source.platform).toBe('forward_proxy');
+        expect(tc.tool_call_id).toBeDefined();
+        expect(tc.task_id).toBeDefined();
+        expect(tc.context?.labels).toContain('proxy');
+        expect(tc.context?.labels).toContain('api.example.com');
+    });
+    it('should build a ToolCall from a POST request with JSON body', () => {
+        const tc = (0, proxy_1.buildToolCallFromProxy)('POST', 'http://api.example.com/v1/chat', { 'content-type': 'application/json' }, JSON.stringify({ message: 'hello' }), 'ws_123', 'agent_456');
+        expect(tc.tool.name).toBe('http.post');
+        expect(tc.tool.capability).toBe('write');
+        expect(tc.args.method).toBe('POST');
+        expect(tc.args.body).toEqual({ message: 'hello' });
+    });
+    it('should keep non-JSON body as string', () => {
+        const tc = (0, proxy_1.buildToolCallFromProxy)('POST', 'http://api.example.com/upload', { 'content-type': 'text/plain' }, 'plain text body', 'ws_123', 'agent_456');
+        expect(tc.args.body).toBe('plain text body');
+    });
+    it('should map DELETE to delete capability', () => {
+        const tc = (0, proxy_1.buildToolCallFromProxy)('DELETE', 'http://api.example.com/v1/resource/123', {}, undefined, 'ws_123', 'agent_456');
+        expect(tc.tool.name).toBe('http.delete');
+        expect(tc.tool.capability).toBe('delete');
+    });
+    it('should map HEAD and OPTIONS to read capability', () => {
+        const head = (0, proxy_1.buildToolCallFromProxy)('HEAD', 'http://example.com', {}, undefined, 'ws', 'a');
+        const options = (0, proxy_1.buildToolCallFromProxy)('OPTIONS', 'http://example.com', {}, undefined, 'ws', 'a');
+        expect(head.tool.capability).toBe('read');
+        expect(options.tool.capability).toBe('read');
+    });
+    it('should map PUT and PATCH to write capability', () => {
+        const put = (0, proxy_1.buildToolCallFromProxy)('PUT', 'http://example.com', {}, undefined, 'ws', 'a');
+        const patch = (0, proxy_1.buildToolCallFromProxy)('PATCH', 'http://example.com', {}, undefined, 'ws', 'a');
+        expect(put.tool.capability).toBe('write');
+        expect(patch.tool.capability).toBe('write');
+    });
+    it('should strip proxy-specific and sensitive headers from forwarded headers', () => {
+        const tc = (0, proxy_1.buildToolCallFromProxy)('GET', 'http://example.com', {
+            'proxy-authorization': 'Basic dXNlcjpwYXNz',
+            'proxy-connection': 'keep-alive',
+            'x-palaryn-workspace': 'ws_override',
+            'x-palaryn-actor': 'custom_actor',
+            'accept': 'application/json',
+            'authorization': 'Bearer token123',
+            'cookie': 'session=abc',
+            'x-api-key': 'sk-secret',
+        }, undefined, 'ws_123', 'agent_456');
+        const forwardHeaders = tc.args.headers;
+        expect(forwardHeaders['proxy-authorization']).toBeUndefined();
+        expect(forwardHeaders['proxy-connection']).toBeUndefined();
+        expect(forwardHeaders['x-palaryn-workspace']).toBeUndefined();
+        expect(forwardHeaders['x-palaryn-actor']).toBeUndefined();
+        expect(forwardHeaders['authorization']).toBeUndefined();
+        expect(forwardHeaders['cookie']).toBeUndefined();
+        expect(forwardHeaders['x-api-key']).toBeUndefined();
+        expect(forwardHeaders['accept']).toBe('application/json');
+    });
+});
+// ---------------------------------------------------------------------------
+// parseProxyAuth tests
+// ---------------------------------------------------------------------------
+describe('parseProxyAuth', () => {
+    const baseAuthConfig = {
+        enabled: true,
+        api_keys: {
+            'valid-key-123': { workspace_id: 'ws_1', description: 'Test key' },
+            'revoked-key': { workspace_id: 'ws_2', description: 'Revoked', revoked: true },
+            'expired-key': { workspace_id: 'ws_3', description: 'Expired', expires_at: '2020-01-01T00:00:00Z' },
+        },
+    };
+    const baseProxyConfig = {
+        enabled: true,
+        port: 3128,
+        require_auth: true,
+    };
+    it('should authenticate with valid Proxy-Authorization Basic header', () => {
+        const encoded = Buffer.from('ws_1:valid-key-123').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_1');
+        expect(result.api_key).toBe('valid-key-123');
+    });
+    it('should reject invalid Proxy-Authorization format', () => {
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': 'Bearer token123' }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Invalid Proxy-Authorization format');
+    });
+    it('should reject missing colon in credentials', () => {
+        const encoded = Buffer.from('noColon').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Expected: workspace_id:api_key');
+    });
+    it('should reject empty workspace_id or api_key', () => {
+        const encoded = Buffer.from(':api_key').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Empty workspace_id or api_key');
+    });
+    it('should reject invalid API key when auth is enabled', () => {
+        const encoded = Buffer.from('ws_1:wrong-key').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Invalid API key');
+    });
+    it('should reject revoked API key', () => {
+        const encoded = Buffer.from('ws_2:revoked-key').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('revoked');
+    });
+    it('should reject expired API key', () => {
+        const encoded = Buffer.from('ws_3:expired-key').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('expired');
+    });
+    it('should use sidecar defaults when no auth header present', () => {
+        const sidecarConfig = {
+            ...baseProxyConfig,
+            default_workspace_id: 'ws_sidecar',
+            default_actor_id: 'agent_sidecar',
+        };
+        const result = (0, auth_1.parseProxyAuth)({}, sidecarConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_sidecar');
+        expect(result.actor_id).toBe('agent_sidecar');
+    });
+    it('should override sidecar workspace with X-Palaryn-Workspace header', () => {
+        const sidecarConfig = {
+            ...baseProxyConfig,
+            default_workspace_id: 'ws_sidecar',
+        };
+        const result = (0, auth_1.parseProxyAuth)({ 'x-palaryn-workspace': 'ws_override' }, sidecarConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_override');
+    });
+    it('should use X-Palaryn-Actor header with Proxy-Authorization', () => {
+        const encoded = Buffer.from('ws_1:valid-key-123').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({
+            'proxy-authorization': `Basic ${encoded}`,
+            'x-palaryn-actor': 'custom_agent',
+        }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.actor_id).toBe('custom_agent');
+    });
+    it('should allow unauthenticated requests when require_auth is false', () => {
+        const permissiveConfig = {
+            ...baseProxyConfig,
+            require_auth: false,
+        };
+        const result = (0, auth_1.parseProxyAuth)({}, permissiveConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_default');
+        expect(result.actor_id).toBe('proxy:anonymous');
+    });
+    it('should reject unauthenticated requests when require_auth is true', () => {
+        const result = (0, auth_1.parseProxyAuth)({}, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Proxy-Authorization required');
+    });
+    it('should authenticate via X-Palaryn-Workspace header when require_auth is false', () => {
+        const permissiveConfig = {
+            ...baseProxyConfig,
+            require_auth: false,
+        };
+        const result = (0, auth_1.parseProxyAuth)({ 'x-palaryn-workspace': 'ws_header' }, permissiveConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_header');
+        expect(result.actor_id).toBe('proxy:ws_header');
+    });
+    it('should reject X-Palaryn-Workspace header when require_auth is true', () => {
+        const result = (0, auth_1.parseProxyAuth)({ 'x-palaryn-workspace': 'ws_header' }, baseProxyConfig, baseAuthConfig);
+        expect(result.authenticated).toBe(false);
+        expect(result.error).toContain('Proxy-Authorization required');
+    });
+    it('should skip API key validation when auth is disabled', () => {
+        const disabledAuth = {
+            enabled: false,
+            api_keys: {},
+        };
+        const encoded = Buffer.from('ws_any:any-key').toString('base64');
+        const result = (0, auth_1.parseProxyAuth)({ 'proxy-authorization': `Basic ${encoded}` }, baseProxyConfig, disabledAuth);
+        expect(result.authenticated).toBe(true);
+        expect(result.workspace_id).toBe('ws_any');
+        expect(result.api_key).toBe('any-key');
+    });
+});
+// ---------------------------------------------------------------------------
+// createForwardProxy tests
+// ---------------------------------------------------------------------------
+describe('createForwardProxy', () => {
+    let targetServer;
+    let targetPort;
+    let proxyServer;
+    let proxyPort;
+    // Mock gateway
+    const mockPreExecute = jest.fn();
+    const mockPostExecute = jest.fn();
+    const mockRateLimiterCheck = jest.fn().mockReturnValue({ allowed: true, current: 1, limit: 100 });
+    const mockAuditLogToolCallReceived = jest.fn();
+    const mockGateway = {
+        preExecute: mockPreExecute,
+        postExecute: mockPostExecute,
+        getRateLimiter: () => ({ check: mockRateLimiterCheck }),
+        getAuditLogger: () => ({ logToolCallReceived: mockAuditLogToolCallReceived }),
+    };
+    function testConfig(overrides) {
+        return {
+            port: 0,
+            host: '127.0.0.1',
+            auth: {
+                enabled: false,
+                api_keys: {},
+            },
+            policy: {
+                pack_path: './policy-packs/dev_fast.yaml',
+                default_effect: 'ALLOW',
+                hot_reload: false,
+            },
+            dlp: {
+                enabled: false,
+                scan_args: false,
+                scan_output: false,
+                secrets_detection: false,
+                pii_detection: false,
+                default_redaction_method: 'mask',
+            },
+            budget: {
+                task_budget_usd: 100,
+                max_steps_per_task: 1000,
+                max_retries_per_call: 3,
+                max_wall_clock_ms: 300000,
+            },
+            audit: {
+                enabled: false,
+                log_dir: '',
+                console_output: false,
+                retention_days: 30,
+            },
+            executor: {
+                http: { timeout_ms: 15000, max_retries: 3, backoff_base_ms: 1000 },
+                cache: { enabled: false, ttl_ms: 0 },
+            },
+            approval: {
+                enabled: false,
+                token_secret: 'test-secret',
+                default_ttl_seconds: 3600,
+            },
+            proxy: {
+                enabled: true,
+                port: 0,
+                require_auth: false,
+                ssrf_protection: false,
+            },
+            ...overrides,
+        };
+    }
+    beforeAll((done) => {
+        // Start a target HTTP server for the proxy to forward to
+        targetServer = http.createServer((req, res) => {
+            if (req.url === '/api/data' && req.method === 'GET') {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ data: 'success', method: 'GET' }));
+            }
+            else if (req.url === '/api/create' && req.method === 'POST') {
+                let body = '';
+                req.on('data', (chunk) => (body += chunk));
+                req.on('end', () => {
+                    res.writeHead(201, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ created: true, received: body }));
+                });
+            }
+            else if (req.url === '/api/slow') {
+                // Do not respond (simulate timeout)
+            }
+            else {
+                res.writeHead(404);
+                res.end('Not found');
+            }
+        });
+        targetServer.listen(0, '127.0.0.1', () => {
+            targetPort = targetServer.address().port;
+            done();
+        });
+    });
+    afterAll((done) => {
+        targetServer.close(done);
+    });
+    beforeEach(() => {
+        mockPreExecute.mockReset();
+        mockPostExecute.mockReset();
+        mockPostExecute.mockResolvedValue({});
+        mockRateLimiterCheck.mockReset();
+        mockRateLimiterCheck.mockReturnValue({ allowed: true, current: 1, limit: 100 });
+        mockAuditLogToolCallReceived.mockReset();
+    });
+    afterEach((done) => {
+        if (proxyServer) {
+            proxyServer.close(() => done());
+        }
+        else {
+            done();
+        }
+    });
+    function startProxy(config) {
+        return new Promise((resolve) => {
+            proxyServer = (0, proxy_1.createForwardProxy)(mockGateway, testConfig(config));
+            proxyServer.listen(0, () => {
+                proxyPort = proxyServer.server.address().port;
+                resolve(proxyPort);
+            });
+        });
+    }
+    function proxyRequest(method, targetUrl, body, headers) {
+        return new Promise((resolve, reject) => {
+            let host = '127.0.0.1';
+            try {
+                const url = new URL(targetUrl);
+                host = url.host;
+            }
+            catch {
+                // Relative URL — just send as-is
+            }
+            const options = {
+                hostname: '127.0.0.1',
+                port: proxyPort,
+                method,
+                path: targetUrl, // Absolute URL for proxy protocol
+                headers: {
+                    'Host': host,
+                    ...headers,
+                },
+            };
+            const req = http.request(options, (res) => {
+                let data = '';
+                res.on('data', (chunk) => (data += chunk));
+                res.on('end', () => {
+                    resolve({ status: res.statusCode || 0, headers: res.headers, body: data });
+                });
+            });
+            req.on('error', reject);
+            if (body)
+                req.write(body);
+            req.end();
+        });
+    }
+    it('should return 400 for non-proxy requests (relative URL)', async () => {
+        await startProxy();
+        const res = await proxyRequest('GET', '/not-a-proxy-request');
+        expect(res.status).toBe(400);
+        expect(JSON.parse(res.body).error).toContain('Not a proxy request');
+    });
+    it('should forward allowed GET requests and return response', async () => {
+        await startProxy();
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        mockPreExecute.mockResolvedValue({
+            allowed: true,
+            stepTimings: {},
+            startTime: Date.now(),
+        });
+        const res = await proxyRequest('GET', targetUrl);
+        expect(res.status).toBe(200);
+        const parsed = JSON.parse(res.body);
+        expect(parsed.data).toBe('success');
+        expect(mockPreExecute).toHaveBeenCalledTimes(1);
+        // Verify the ToolCall passed to preExecute
+        const toolCall = mockPreExecute.mock.calls[0][0];
+        expect(toolCall.tool.name).toBe('http.get');
+        expect(toolCall.tool.capability).toBe('read');
+        expect(toolCall.args.url).toBe(targetUrl);
+        expect(toolCall.workspace_id).toBe('ws_default');
+    });
+    it('should forward POST requests with body', async () => {
+        await startProxy();
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/create`;
+        mockPreExecute.mockResolvedValue({
+            allowed: true,
+            stepTimings: {},
+            startTime: Date.now(),
+        });
+        const res = await proxyRequest('POST', targetUrl, JSON.stringify({ test: true }), {
+            'Content-Type': 'application/json',
+        });
+        expect(res.status).toBe(201);
+        const parsed = JSON.parse(res.body);
+        expect(parsed.created).toBe(true);
+    });
+    it('should return 403 when preExecute denies the request', async () => {
+        await startProxy();
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        mockPreExecute.mockResolvedValue({
+            allowed: false,
+            result: {
+                tool_call_id: 'tc_1',
+                task_id: 'task_1',
+                status: 'blocked',
+                policy: { decision: 'deny', rule_id: 'block_domain', reasons: ['Domain blocked by policy'] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 0 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 1 },
+            },
+            stepTimings: {},
+            startTime: Date.now(),
+        });
+        const res = await proxyRequest('GET', targetUrl);
+        expect(res.status).toBe(403);
+        const parsed = JSON.parse(res.body);
+        expect(parsed.status).toBe('blocked');
+        expect(parsed.policy.decision).toBe('deny');
+    });
+    it('should return 202 when preExecute requires approval', async () => {
+        await startProxy();
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        mockPreExecute.mockResolvedValue({
+            allowed: false,
+            result: {
+                tool_call_id: 'tc_1',
+                task_id: 'task_1',
+                status: 'needs_approval',
+                policy: { decision: 'require_approval', rule_id: 'require_human', reasons: ['Requires approval'] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 0 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 1 },
+                approval: { approval_id: 'apr_1', token: 'tok_1' },
+            },
+            stepTimings: {},
+            startTime: Date.now(),
+        });
+        const res = await proxyRequest('GET', targetUrl);
+        expect(res.status).toBe(202);
+    });
+    it('should return 407 when auth is required but missing', async () => {
+        await startProxy({
+            auth: { enabled: true, api_keys: { 'test-key': { workspace_id: 'ws_1' } } },
+            proxy: { enabled: true, port: 0, require_auth: true, ssrf_protection: false },
+        });
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        const res = await proxyRequest('GET', targetUrl);
+        expect(res.status).toBe(407);
+        expect(res.headers['proxy-authenticate']).toBe('Basic realm="Palaryn Proxy"');
+    });
+    it('should authenticate with Proxy-Authorization header', async () => {
+        await startProxy({
+            auth: { enabled: true, api_keys: { 'my-key': { workspace_id: 'ws_proxy' } } },
+            proxy: { enabled: true, port: 0, require_auth: true, ssrf_protection: false },
+        });
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        const encoded = Buffer.from('ws_proxy:my-key').toString('base64');
+        mockPreExecute.mockResolvedValue({
+            allowed: true,
+            stepTimings: {},
+            startTime: Date.now(),
+        });
+        const res = await proxyRequest('GET', targetUrl, undefined, {
+            'Proxy-Authorization': `Basic ${encoded}`,
+        });
+        expect(res.status).toBe(200);
+        // Verify workspace was set correctly
+        const toolCall = mockPreExecute.mock.calls[0][0];
+        expect(toolCall.workspace_id).toBe('ws_proxy');
+    });
+    it('should call postExecute after successful forwarding', async () => {
+        await startProxy();
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        const pre = {
+            allowed: true,
+            stepTimings: {},
+            startTime: Date.now(),
+            policyResult: { decision: 'allow', rule_id: 'default', rule_name: 'Default allow', reasons: [] },
+            argsDlp: { detected: [], redactions: [], severity: 'low' },
+            budgetCheck: { report: { estimated_cost_usd: 0 }, allowed: true },
+        };
+        mockPreExecute.mockResolvedValue(pre);
+        await proxyRequest('GET', targetUrl);
+        // postExecute runs in background, give it a tick
+        await new Promise(resolve => setTimeout(resolve, 100));
+        expect(mockPostExecute).toHaveBeenCalledTimes(1);
+        const [tc, output, passedPre] = mockPostExecute.mock.calls[0];
+        expect(tc.tool.name).toBe('http.get');
+        expect(output.http_status).toBe(200);
+        expect(typeof output.body).toBe('string');
+    });
+    it('should handle CONNECT tunnel requests', async () => {
+        await startProxy();
+        // Send CONNECT request
+        const result = await new Promise((resolve, reject) => {
+            const req = http.request({
+                hostname: '127.0.0.1',
+                port: proxyPort,
+                method: 'CONNECT',
+                path: '127.0.0.1:' + targetPort,
+            });
+            req.on('connect', (res, socket, head) => {
+                // We got a tunnel established response
+                resolve({ status: res.statusCode?.toString() || '', socket });
+                socket.destroy();
+            });
+            req.on('error', (err) => {
+                // CONNECT may fail because we mock gateway - that's fine for unit test
+                // The point is the handler ran
+                resolve({ status: 'error', socket: null });
+            });
+            req.end();
+        });
+        // The CONNECT handler should have been invoked
+        // With mock gateway, preExecute should have been called
+        expect(mockPreExecute).toHaveBeenCalled();
+    });
+    // -- S2: Passthrough domains should still run rate limiting and audit ------
+    it('should run rate limiting for passthrough domains (S2)', async () => {
+        await startProxy({
+            proxy: {
+                enabled: true,
+                port: 0,
+                require_auth: false,
+                ssrf_protection: false,
+                passthrough_domains: ['127.0.0.1'],
+            },
+        });
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        const res = await proxyRequest('GET', targetUrl);
+        // Request should be forwarded (passthrough skips policy)
+        expect(res.status).toBe(200);
+        // Rate limiter should have been checked
+        expect(mockRateLimiterCheck).toHaveBeenCalledTimes(1);
+        // preExecute should NOT have been called (passthrough skips full pipeline)
+        expect(mockPreExecute).not.toHaveBeenCalled();
+    });
+    it('should return 429 when passthrough domain hits rate limit (S2)', async () => {
+        await startProxy({
+            proxy: {
+                enabled: true,
+                port: 0,
+                require_auth: false,
+                ssrf_protection: false,
+                passthrough_domains: ['127.0.0.1'],
+            },
+        });
+        mockRateLimiterCheck.mockReturnValue({
+            allowed: false,
+            current: 101,
+            limit: 100,
+            blocked_by: 'actor',
+        });
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        const res = await proxyRequest('GET', targetUrl);
+        expect(res.status).toBe(429);
+        const body = JSON.parse(res.body);
+        expect(body.error_code).toBe('RATE_LIMIT_EXCEEDED');
+        expect(body.error).toContain('Rate limit exceeded');
+    });
+    it('should run audit logging for passthrough domains (S2)', async () => {
+        await startProxy({
+            proxy: {
+                enabled: true,
+                port: 0,
+                require_auth: false,
+                ssrf_protection: false,
+                passthrough_domains: ['127.0.0.1'],
+            },
+        });
+        const targetUrl = `http://127.0.0.1:${targetPort}/api/data`;
+        await proxyRequest('GET', targetUrl);
+        // Audit logger should have been called
+        expect(mockAuditLogToolCallReceived).toHaveBeenCalledTimes(1);
+        const toolCall = mockAuditLogToolCallReceived.mock.calls[0][0];
+        expect(toolCall.tool.name).toBe('http.get');
+        expect(toolCall.args.url).toBe(targetUrl);
+    });
+});
+//# sourceMappingURL=forward-proxy.test.js.map