paygate-mcp 9.2.0 → 9.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +14 -4
- package/dist/audit.d.ts +1 -1
- package/dist/audit.d.ts.map +1 -1
- package/dist/audit.js.map +1 -1
- package/dist/compliance.d.ts +64 -0
- package/dist/compliance.d.ts.map +1 -0
- package/dist/compliance.js +239 -0
- package/dist/compliance.js.map +1 -0
- package/dist/gate.d.ts +13 -2
- package/dist/gate.d.ts.map +1 -1
- package/dist/gate.js +78 -3
- package/dist/gate.js.map +1 -1
- package/dist/guardrails.d.ts +153 -0
- package/dist/guardrails.d.ts.map +1 -0
- package/dist/guardrails.js +347 -0
- package/dist/guardrails.js.map +1 -0
- package/dist/http-proxy.d.ts +1 -1
- package/dist/http-proxy.d.ts.map +1 -1
- package/dist/http-proxy.js +2 -2
- package/dist/http-proxy.js.map +1 -1
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +7 -1
- package/dist/index.js.map +1 -1
- package/dist/proxy.d.ts +2 -2
- package/dist/proxy.d.ts.map +1 -1
- package/dist/proxy.js +3 -3
- package/dist/proxy.js.map +1 -1
- package/dist/router.d.ts +1 -1
- package/dist/router.d.ts.map +1 -1
- package/dist/router.js +1 -1
- package/dist/router.js.map +1 -1
- package/dist/server.d.ts +8 -0
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +565 -4
- package/dist/server.js.map +1 -1
- package/dist/types.d.ts +21 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/package.json +1 -1
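--- a/package/README.md
+++ b/package/README.md
@@ -11,7 +11,7 @@ Monetize any MCP server with one command. Add API key auth, per-tool pricing, ra
 - [Quick Start](#quick-start)
 - [What It Does](#what-it-does)
 - [Usage](#usage) — Local stdio, remote HTTP, multi-server, client SDK
-- [API Reference](#api-reference) — All
+- [API Reference](#api-reference) — All 148+ endpoints
 - [CLI Options](#cli-options)
 - [Deployment](#deployment) — Docker, docker-compose, systemd, PM2
 - [Load Testing](#load-testing) — k6 benchmarking for production
@@ -66,7 +66,7 @@ Agent → PayGate (auth + billing) → Your MCP Server (stdio or HTTP)
 - **SSE Streaming** — Full MCP Streamable HTTP transport (POST SSE, GET notifications, DELETE sessions)
 - **Audit Log** — Structured audit trail with retention policies, query API, CSV/JSON export
 - **Registry/Discovery** — Agent-discoverable pricing via `/.well-known/mcp-payment`, `/pricing`, and `/.well-known/mcp.json` identity card
-- **OpenAPI 3.1 + Interactive Docs** — Auto-generated spec at `/openapi.json`, Swagger UI at `/docs` — all
+- **OpenAPI 3.1 + Interactive Docs** — Auto-generated spec at `/openapi.json`, Swagger UI at `/docs` — all 148+ endpoints documented
 - **Public Endpoint Rate Limiting** — Configurable per-IP rate limit (default 300/min) on `/health`, `/info`, `/pricing`, `/docs`, `/openapi.json`, `/.well-known/*`, `/robots.txt`, `/` — 429 with Retry-After header
 - **Robots.txt + HEAD Support** — Standard `/robots.txt` (allow public, disallow admin/keys), HEAD method on all public endpoints for uptime monitoring
 - **Prometheus Metrics** — `/metrics` endpoint with counters, gauges, and uptime in standard text format
@@ -99,7 +99,7 @@ Agent → PayGate (auth + billing) → Your MCP Server (stdio or HTTP)
 - **Key Groups** — Policy templates that apply shared ACL, rate limits, pricing overrides, IP allowlists, and quotas to groups of API keys with automatic inheritance and key-level override support
 - **Refund on Failure** — Automatically refund credits when downstream tool calls fail
 - **Credit Transfers** — Atomically transfer credits between API keys with validation, audit trail, and webhook events
-- **Bulk Key Operations** — Execute multiple key operations (create, topup, revoke) in a single request with per-operation error handling and index tracking
+- **Bulk Key Operations** — Execute multiple key operations (create, topup, revoke, suspend, resume) in a single request with per-operation error handling and index tracking
 - **Key Import/Export** — Export all API keys for backup/migration (JSON or CSV) and import with conflict resolution (skip, overwrite, error modes)
 - **Webhook Filters** — Route webhook events to different destinations based on event type and API key prefix with per-filter secrets, independent retry queues, and admin CRUD API
 - **Key Cloning** — `POST /keys/clone` creates a new API key with the same config (ACL, quotas, tags, IP, namespace, group, spending limit, expiry, auto-topup) but fresh counters — ideal for provisioning similar keys
@@ -150,9 +150,15 @@ Agent → PayGate (auth + billing) → Your MCP Server (stdio or HTTP)
 - **Response Caching** — SHA-256 keyed response cache for identical tool calls — skips backend invocation and credit deduction on cache hit, LRU eviction, per-tool or global TTL, `X-Cache: HIT/MISS` header, admin management (`GET/DELETE /admin/cache`), Prometheus gauge
 - **Circuit Breaker** — Three-state circuit breaker (closed → open → half_open) for backend failure detection — opens after N consecutive failures, auto-recovers after cooldown, error code `-32003`, admin management (`GET/POST /admin/circuit`)
 - **Configurable Timeouts** — Per-tool and global timeout for tool calls — returns error code `-32004` on timeout, per-tool override via `toolPricing[tool].timeoutMs`, triggers circuit breaker failure recording
+- **Outcome-Based Pricing** — Charge extra credits based on response output size — `creditsPerKbOutput` per-tool config, post-response billing, `X-Output-Surcharge` header, complements `creditsPerKbInput` for complete size-based pricing
+- **Compliance Audit Export** — Framework-specific compliance reports for SOC 2, GDPR, HIPAA — `GET /admin/compliance/export`, event classification into access control/data processing/config changes/security, JSON or CSV export, configurable time periods
+- **Per-Key Webhook URLs** — Key-level webhook routing — events for a specific key sent to key's webhook URL alongside global webhook, SSRF-protected, HMAC-SHA256 signed, lazy emitter management via `POST/GET/DELETE /keys/webhook`
 - **Security Audit** — `GET /admin/security` security posture analysis identifying keys without IP allowlists, quotas, ACL restrictions, spending limits, or expiry dates, flagging high-credit keys, and computing a composite security score
 - **Revenue Analysis** — `GET /admin/revenue` revenue metrics with per-tool revenue breakdown, per-key spending, hourly revenue trends, credit flow summary (allocated/spent/remaining), and average revenue per call
 - **Key Portfolio Health** — `GET /admin/key-portfolio` portfolio-wide key health with active/inactive/suspended counts, stale keys, expiring-soon keys, age distribution, credit utilization, and namespace breakdown
+- **Content Guardrails** — Regex-based PII detection and redaction for tool call inputs/outputs — 8 built-in rules (credit card, SSN, email, phone, AWS key, API secret, IBAN, passport), 4 actions (log/warn/block/redact), scope filtering (input/output/both), per-tool targeting, violation tracking with query API, admin CRUD endpoints (`/admin/guardrails`, `/admin/guardrails/violations`)
+- **IP Country Restrictions** — Per-key geographic access control with allow/deny country lists (ISO 3166-1 alpha-2) — country code from reverse-proxy headers (`X-Country`, `CF-IPCountry`, configurable), CRUD via `/keys/geo`, enforced at gate evaluation, zero-dependency geo-fencing
+- **Bulk Suspend/Resume** — Added `suspend` and `resume` actions to `POST /keys/bulk` — temporarily disable or re-activate multiple keys in one request with per-operation error handling
 - **Anomaly Detection** — `GET /admin/anomalies` identifies unusual patterns: keys with high denial rates, rapid credit depletion, low remaining credits, with severity ratings and detailed descriptions
 - **Usage Forecasting** — `GET /admin/forecast` predicts future credit consumption with per-key depletion estimates, calls remaining, at-risk key identification, system-wide consumption aggregates, and per-tool cost breakdown
 - **Compliance Report** — `GET /admin/compliance` generates compliance-ready report with key governance (expiry coverage), access control (ACL/IP/spending limit coverage), audit trail completeness, weighted overall score, and actionable recommendations
@@ -453,6 +459,10 @@ A real-time admin UI for managing keys, viewing usage, and monitoring tool calls
 | `/admin/cache` | DELETE | `X-Admin-Key` | Clear cache (all or `?tool=` filter) |
 | `/admin/circuit` | GET | `X-Admin-Key` | Circuit breaker status (state, failures, rejections) |
 | `/admin/circuit` | POST | `X-Admin-Key` | Reset circuit breaker to closed state |
+| `/admin/compliance/export` | GET | `X-Admin-Key` | Compliance audit export (SOC 2/GDPR/HIPAA, JSON/CSV) |
+| `/keys/webhook` | POST | `X-Admin-Key` | Set per-key webhook URL |
+| `/keys/webhook` | GET | `X-Admin-Key` | Get per-key webhook status |
+| `/keys/webhook` | DELETE | `X-Admin-Key` | Remove per-key webhook URL |
 | `/.well-known/oauth-authorization-server` | GET | None | OAuth 2.1 server metadata |
 | `/oauth/register` | POST | None | Dynamic Client Registration (RFC 7591) |
 | `/oauth/authorize` | GET | None | Authorization endpoint (PKCE required) |
@@ -462,7 +472,7 @@ A real-time admin UI for managing keys, viewing usage, and monitoring tool calls
 | `/.well-known/mcp-payment` | GET | None | Server payment metadata (SEP-2007) |
 | `/.well-known/mcp.json` | GET | None | MCP Server Identity card (discovery) |
 | `/pricing` | GET | None | Full per-tool pricing breakdown |
-| `/openapi.json` | GET | None | OpenAPI 3.1 spec (all
+| `/openapi.json` | GET | None | OpenAPI 3.1 spec (all 148+ endpoints) |
 | `/docs` | GET | None | Interactive API docs (Swagger UI) |
 | `/robots.txt` | GET | None | Crawler directives (allow public, disallow admin/keys) |
 | `/portal` | GET | None | Self-service API key portal (browser UI, auth via X-API-Key prompt) |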
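--- a/package/dist/audit.d.ts
+++ b/package/dist/audit.d.ts
@@ -5,7 +5,7 @@
 * session lifecycle, and admin operations. Ring buffer with configurable
 * max size and age-based retention. Zero external dependencies.
 */
-export type AuditEventType = 'key.created' | 'key.revoked' | 'key.suspended' | 'key.resumed' | 'key.cloned' | 'key.rotated' | 'key.topup' | 'key.acl_updated' | 'key.expiry_updated' | 'key.quota_updated' | 'key.tags_updated' | 'key.ip_updated' | 'key.limit_updated' | 'gate.allow' | 'gate.deny' | 'session.created' | 'session.destroyed' | 'oauth.client_registered' | 'oauth.token_issued' | 'oauth.token_revoked' | 'team.created' | 'team.updated' | 'team.deleted' | 'team.key_assigned' | 'team.key_removed' | 'admin.auth_failed' | 'admin.alerts_configured' | 'webhook.dead_letter_cleared' | 'webhook.replayed' | 'webhook.test' | 'webhook.pause' | 'webhook.resume' | 'key.alias_set' | 'key.expiry_warning' | 'template.created' | 'template.updated' | 'template.deleted' | 'token.created' | 'token.revoked' | 'billing.refund' | 'key.auto_topup_configured' | 'key.auto_topped_up' | 'admin_key.created' | 'admin_key.revoked' | 'admin_key.bootstrap_rotated' | 'group.created' | 'group.updated' | 'group.deleted' | 'group.key_assigned' | 'group.key_removed' | 'key.credits_transferred' | 'keys.exported' | 'keys.imported' | 'webhook_filter.created' | 'webhook_filter.updated' | 'webhook_filter.deleted' | 'config.reloaded' | 'config.export' | 'maintenance.enabled' | 'maintenance.disabled' | 'key.note_added' | 'key.note_deleted' | 'schedule.created' | 'schedule.executed' | 'schedule.cancelled' | 'credits.reserved' | 'credits.committed' | 'credits.released' | 'stripe.checkout_created' | 'admin.backup_created' | 'admin.backup_restored' | 'admin.cache_cleared' | 'admin.circuit_reset';
+export type AuditEventType = 'key.created' | 'key.revoked' | 'key.suspended' | 'key.resumed' | 'key.cloned' | 'key.rotated' | 'key.topup' | 'key.acl_updated' | 'key.expiry_updated' | 'key.quota_updated' | 'key.tags_updated' | 'key.ip_updated' | 'key.limit_updated' | 'gate.allow' | 'gate.deny' | 'session.created' | 'session.destroyed' | 'oauth.client_registered' | 'oauth.token_issued' | 'oauth.token_revoked' | 'team.created' | 'team.updated' | 'team.deleted' | 'team.key_assigned' | 'team.key_removed' | 'admin.auth_failed' | 'admin.alerts_configured' | 'webhook.dead_letter_cleared' | 'webhook.replayed' | 'webhook.test' | 'webhook.pause' | 'webhook.resume' | 'key.alias_set' | 'key.expiry_warning' | 'template.created' | 'template.updated' | 'template.deleted' | 'token.created' | 'token.revoked' | 'billing.refund' | 'key.auto_topup_configured' | 'key.auto_topped_up' | 'admin_key.created' | 'admin_key.revoked' | 'admin_key.bootstrap_rotated' | 'group.created' | 'group.updated' | 'group.deleted' | 'group.key_assigned' | 'group.key_removed' | 'key.credits_transferred' | 'keys.exported' | 'keys.imported' | 'webhook_filter.created' | 'webhook_filter.updated' | 'webhook_filter.deleted' | 'config.reloaded' | 'config.export' | 'maintenance.enabled' | 'maintenance.disabled' | 'key.note_added' | 'key.note_deleted' | 'schedule.created' | 'schedule.executed' | 'schedule.cancelled' | 'credits.reserved' | 'credits.committed' | 'credits.released' | 'stripe.checkout_created' | 'admin.backup_created' | 'admin.backup_restored' | 'admin.cache_cleared' | 'admin.circuit_reset' | 'guardrail.block' | 'guardrail.toggle' | 'guardrail.rule_upsert' | 'guardrail.rules_import' | 'guardrail.rule_delete' | 'key.geo_set' | 'key.geo_cleared';
 export interface AuditEvent {
 /** Monotonically increasing ID */
 id: number;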
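Review bot: The seven event types added to `AuditEventType` on the new line 8 (`guardrail.block`, `guardrail.toggle`, `guardrail.rule_upsert`, `guardrail.rules_import`, `guardrail.rule_delete`, `key.geo_set`, `key.geo_cleared`) appear in none of the classification sets the new `dist/compliance.js` builds (`ACCESS_CONTROL_EVENTS`, `DATA_PROCESSING_EVENTS`, `CONFIG_CHANGE_EVENTS`, `SECURITY_EVENTS`), so a blocked guardrail violation or a change to a key's geo restrictions will be missing from the compliance export's security and change-management sections unless that file has a catch-all bucket I cannot see in this chunk. `'guardrail.block'` belongs in `SECURITY_EVENTS`, `'key.geo_set', 'key.geo_cleared'` next to `'key.ip_updated'` in `ACCESS_CONTROL_EVENTS`, and the four guardrail rule-management events in `CONFIG_CHANGE_EVENTS`; each is a one-line addition to the respective set. Both files are compiled output, so the change belongs in the TypeScript sources (`src/audit.ts`, `src/compliance.ts`).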
package/dist/audit.d.ts.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,MAAM,cAAc,GAEtB,aAAa,GACb,aAAa,GACb,eAAe,GACf,aAAa,GACb,YAAY,GACZ,aAAa,GACb,WAAW,GACX,iBAAiB,GACjB,oBAAoB,GACpB,mBAAmB,GACnB,kBAAkB,GAClB,gBAAgB,GAChB,mBAAmB,GAEnB,YAAY,GACZ,WAAW,GAEX,iBAAiB,GACjB,mBAAmB,GAEnB,yBAAyB,GACzB,oBAAoB,GACpB,qBAAqB,GAErB,cAAc,GACd,cAAc,GACd,cAAc,GACd,mBAAmB,GACnB,kBAAkB,GAElB,mBAAmB,GACnB,yBAAyB,GAEzB,6BAA6B,GAC7B,kBAAkB,GAClB,cAAc,GACd,eAAe,GACf,gBAAgB,GAEhB,eAAe,GAEf,oBAAoB,GAEpB,kBAAkB,GAClB,kBAAkB,GAClB,kBAAkB,GAElB,eAAe,GACf,eAAe,GAEf,gBAAgB,GAEhB,2BAA2B,GAC3B,oBAAoB,GAEpB,mBAAmB,GACnB,mBAAmB,GACnB,6BAA6B,GAE7B,eAAe,GACf,eAAe,GACf,eAAe,GACf,oBAAoB,GACpB,mBAAmB,GAEnB,yBAAyB,GAEzB,eAAe,GACf,eAAe,GAEf,wBAAwB,GACxB,wBAAwB,GACxB,wBAAwB,GAExB,iBAAiB,GACjB,eAAe,GAEf,qBAAqB,GACrB,sBAAsB,GAEtB,gBAAgB,GAChB,kBAAkB,GAElB,kBAAkB,GAClB,mBAAmB,GACnB,oBAAoB,GAEpB,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAElB,yBAAyB,GAEzB,sBAAsB,GACtB,uBAAuB,GACvB,qBAAqB,GACrB,qBAAqB,CAAC;
1
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,MAAM,cAAc,GAEtB,aAAa,GACb,aAAa,GACb,eAAe,GACf,aAAa,GACb,YAAY,GACZ,aAAa,GACb,WAAW,GACX,iBAAiB,GACjB,oBAAoB,GACpB,mBAAmB,GACnB,kBAAkB,GAClB,gBAAgB,GAChB,mBAAmB,GAEnB,YAAY,GACZ,WAAW,GAEX,iBAAiB,GACjB,mBAAmB,GAEnB,yBAAyB,GACzB,oBAAoB,GACpB,qBAAqB,GAErB,cAAc,GACd,cAAc,GACd,cAAc,GACd,mBAAmB,GACnB,kBAAkB,GAElB,mBAAmB,GACnB,yBAAyB,GAEzB,6BAA6B,GAC7B,kBAAkB,GAClB,cAAc,GACd,eAAe,GACf,gBAAgB,GAEhB,eAAe,GAEf,oBAAoB,GAEpB,kBAAkB,GAClB,kBAAkB,GAClB,kBAAkB,GAElB,eAAe,GACf,eAAe,GAEf,gBAAgB,GAEhB,2BAA2B,GAC3B,oBAAoB,GAEpB,mBAAmB,GACnB,mBAAmB,GACnB,6BAA6B,GAE7B,eAAe,GACf,eAAe,GACf,eAAe,GACf,oBAAoB,GACpB,mBAAmB,GAEnB,yBAAyB,GAEzB,eAAe,GACf,eAAe,GAEf,wBAAwB,GACxB,wBAAwB,GACxB,wBAAwB,GAExB,iBAAiB,GACjB,eAAe,GAEf,qBAAqB,GACrB,sBAAsB,GAEtB,gBAAgB,GAChB,kBAAkB,GAElB,kBAAkB,GAClB,mBAAmB,GACnB,oBAAoB,GAEpB,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAElB,yBAAyB,GAEzB,sBAAsB,GACtB,uBAAuB,GACvB,qBAAqB,GACrB,qBAAqB,GAErB,iBAAiB,GACjB,kBAAkB,GAClB,uBAAuB,GACvB,wBAAwB,GACxB,uBAAuB,GAEvB,aAAa,GACb,iBAAiB,CAAC;AAEtB,MAAM,WAAW,UAAU;IACzB,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,IAAI,EAAE,cAAc,CAAC;IACrB,sDAAsD;IACtD,KAAK,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,cAAc;IAC7B,0DAA0D;IAC1D,SAAS,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,cAAc,EAAE,CAAC;IACzB,uCAAuC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;CACtB;AAUD,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM
,CAAoB;IAClC,OAAO,CAAC,MAAM,CAAK;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,YAAY,CAA+C;IAEnE,mFAAmF;IACnF,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC,GAAG,IAAI,CAAQ;gBAEzC,MAAM,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC;IAU5C;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,UAAU;IAqC7G;;OAEG;IACH,KAAK,CAAC,CAAC,GAAE,UAAe,GAAG,gBAAgB;IAoC3C;;OAEG;IACH,KAAK,IAAI;QACP,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,CAAC;KACvB;IA0BD;;OAEG;IACH,SAAS,IAAI,UAAU,EAAE;IAIzB;;OAEG;IACH,SAAS,CAAC,CAAC,GAAE,UAAe,GAAG,MAAM;IASrC;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,gBAAgB,IAAI,MAAM;IAS1B;;OAEG;IACH,KAAK,IAAI,IAAI;IAKb;;OAEG;IACH,OAAO,IAAI,IAAI;CAMhB;AAID,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD"}
package/dist/audit.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;
1
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAwWH,0CAGC;AA5MD,MAAM,oBAAoB,GAAmB;IAC3C,SAAS,EAAE,MAAM;IACjB,WAAW,EAAE,GAAG,EAAE,UAAU;IAC5B,iBAAiB,EAAE,MAAM,EAAE,WAAW;CACvC,CAAC;AAEF,gFAAgF;AAEhF,MAAa,WAAW;IACd,MAAM,GAAiB,EAAE,CAAC;IAC1B,MAAM,GAAG,CAAC,CAAC;IACF,MAAM,CAAiB;IAChC,YAAY,GAA0C,IAAI,CAAC;IAEnE,mFAAmF;IACnF,OAAO,GAAyC,IAAI,CAAC;IAErD,YAAY,MAAgC;QAC1C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,oBAAoB,EAAE,GAAG,MAAM,EAAE,CAAC;QAErD,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,GAAG,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAC9F,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,6BAA6B;QAC1D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAoB,EAAE,KAAa,EAAE,OAAe,EAAE,WAAoC,EAAE;QAC9F,mFAAmF;QACnF,kFAAkF;QAClF,IAAI,QAAQ,GAAG,QAAQ,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,UAAU,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;gBAC/B,QAAQ,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC;YACpE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAe;YACxB,EAAE,EAAE,IAAI,CAAC,MAAM,EAAE;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,IAAI;YACJ,KAAK;YACL,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,qBAAqB;YACtD,QAAQ,EAAE,QAAQ;SACnB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAExB,sDAAsD;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1D,CAAC;QAED,8CAA8C;QAC9C,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC;gBAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,4BAA4B,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAgB,EAAE;QACtB,IAAI,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC;QAE3B,oBAAoB;QACpB,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;Y
AClC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACjC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;YACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;QAC9E,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9C,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,SAAS,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9C,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,SAAS,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC;QAE1D,uEAAuE;QACvE,MAAM,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC;QAEpD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,KAAK;QAQH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,GAAG,GAAG,SAAS,CAAC;QACnC,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;QAEnC,MAAM,YAAY,GAA2B,EAAE,CAAC;QAChD,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,aAAa,GAAG,CAAC,CAAC;QAEtB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC5B,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3C,IAAI,EAAE,IAAI,UAAU;gBAAE,cAAc,EAAE,CAAC;YACvC,IAAI,EAAE,IAAI,SAAS;gBAAE,aAAa,EAAE,CAAC;QACvC,CAAC;QAED,OAAO;YACL,WAAW,EA
AE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC/B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;YACrE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;YAC1F,YAAY;YACZ,cAAc;YACd,aAAa;SACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAgB,EAAE;QAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,MAAM,EAAE,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,iCAAiC,CAAC;QACjD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACjC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CACvG,CAAC;QACF,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,SAAS,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,CAAC;QACjF,OAAO,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AA7LD,kCA6LC;AAED,gFAAgF;AAEhF,SAAgB,eAAe,CAAC,GAAW;IACzC,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACjD,CAAC"}
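--- /dev/null
+++ b/package/dist/compliance.d.ts
@@ -0,0 +1,64 @@
+/**
+* Compliance Export — Generate audit reports for SOC 2, GDPR, and HIPAA compliance.
+*
+* Formats audit events into structured compliance reports with:
+* - Report metadata (period, generation time, framework, version)
+* - Access control events (key management, auth failures)
+* - Data processing events (tool calls, credit operations)
+* - Configuration changes (config reload, webhook updates)
+* - Summary statistics
+*/
+import { AuditLogger } from './audit';
+export type ComplianceFramework = 'soc2' | 'gdpr' | 'hipaa';
+export interface ComplianceReportMeta {
+framework: ComplianceFramework;
+generatedAt: string;
+periodStart: string;
+periodEnd: string;
+serverVersion: string;
+totalEvents: number;
+}
+export interface ComplianceSection {
+title: string;
+description: string;
+events: ComplianceEvent[];
+count: number;
+}
+export interface ComplianceEvent {
+timestamp: string;
+category: string;
+action: string;
+actor: string;
+detail: string;
+severity: 'info' | 'warning' | 'critical';
+metadata?: Record<string, unknown>;
+}
+export interface ComplianceReport {
+meta: ComplianceReportMeta;
+sections: ComplianceSection[];
+summary: ComplianceSummary;
+}
+export interface ComplianceSummary {
+totalAccessControlEvents: number;
+totalDataProcessingEvents: number;
+totalConfigChangeEvents: number;
+totalSecurityEvents: number;
+authFailures: number;
+keysCreated: number;
+keysRevoked: number;
+keysSuspended: number;
+uniqueActors: number;
+}
+/**
+* Generate a compliance report from audit log events.
+*/
+export declare function generateComplianceReport(auditLogger: AuditLogger, framework: ComplianceFramework, options: {
+since?: string;
+until?: string;
+serverVersion: string;
+}): ComplianceReport;
+/**
+* Convert a compliance report to CSV format.
+*/
+export declare function complianceReportToCsv(report: ComplianceReport): string;
+//# sourceMappingURL=compliance.d.ts.map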
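Review bot: The `since`/`until` options of `generateComplianceReport` (new lines 56–57) are bare `string`s with no documented format, inclusivity or default, so an operator producing a SOC 2 or HIPAA evidence export cannot tell from this declaration what period the report covers when either bound is omitted, and `periodStart`/`periodEnd` in `ComplianceReportMeta` inherit the same ambiguity. This file is generated (see the `compliance.d.ts.map` that follows), so the JSDoc belongs on the source function in `src/compliance.ts`; add lines such as `@param options.since - Start of the reporting period; accepted format: <document here>` and `@param options.until - End of the reporting period; default when omitted: <document here>`, stating whether the bounds are inclusive. The `severity` field on `ComplianceEvent` (line 33) likewise needs a sentence on what makes an event `warning` or `critical`, since auditors will read those labels as a triage signal.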
@@ -0,0 +1 @@
1
+
{"version":3,"file":"compliance.d.ts","sourceRoot":"","sources":["../src/compliance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAc,WAAW,EAAc,MAAM,SAAS,CAAC;AAI9D,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAE5D,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,mBAAmB,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,oBAAoB,CAAC;IAC3B,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,wBAAwB,EAAE,MAAM,CAAC;IACjC,yBAAyB,EAAE,MAAM,CAAC;IAClC,uBAAuB,EAAE,MAAM,CAAC;IAChC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB;AAiID;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,WAAW,EACxB,SAAS,EAAE,mBAAmB,EAC9B,OAAO,EAAE;IACP,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;CACvB,GACA,gBAAgB,CA8FlB;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAatE"}
@@ -0,0 +1,239 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Compliance Export — Generate audit reports for SOC 2, GDPR, and HIPAA compliance.
|
|
4
|
+
*
|
|
5
|
+
* Formats audit events into structured compliance reports with:
|
|
6
|
+
* - Report metadata (period, generation time, framework, version)
|
|
7
|
+
* - Access control events (key management, auth failures)
|
|
8
|
+
* - Data processing events (tool calls, credit operations)
|
|
9
|
+
* - Configuration changes (config reload, webhook updates)
|
|
10
|
+
* - Summary statistics
|
|
11
|
+
*/
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.generateComplianceReport = generateComplianceReport;
|
|
14
|
+
exports.complianceReportToCsv = complianceReportToCsv;
|
|
15
|
+
// ─── Event Classification ─────────────────────────────────────────────────────
|
|
16
|
+
const ACCESS_CONTROL_EVENTS = new Set([
|
|
17
|
+
'key.created', 'key.revoked', 'key.suspended', 'key.resumed', 'key.cloned',
|
|
18
|
+
'key.rotated', 'key.acl_updated', 'key.expiry_updated', 'key.ip_updated',
|
|
19
|
+
'admin.auth_failed', 'admin_key.created', 'admin_key.revoked',
|
|
20
|
+
'admin_key.bootstrap_rotated', 'oauth.client_registered',
|
|
21
|
+
'oauth.token_issued', 'oauth.token_revoked', 'token.created', 'token.revoked',
|
|
22
|
+
'team.key_assigned', 'team.key_removed', 'group.key_assigned', 'group.key_removed',
|
|
23
|
+
]);
|
|
24
|
+
const DATA_PROCESSING_EVENTS = new Set([
|
|
25
|
+
'gate.allow', 'gate.deny', 'key.topup', 'key.auto_topped_up',
|
|
26
|
+
'key.credits_transferred', 'credits.reserved', 'credits.committed',
|
|
27
|
+
'credits.released', 'billing.refund', 'keys.exported', 'keys.imported',
|
|
28
|
+
'admin.backup_created', 'admin.backup_restored', 'stripe.checkout_created',
|
|
29
|
+
]);
|
|
30
|
+
const CONFIG_CHANGE_EVENTS = new Set([
|
|
31
|
+
'config.reloaded', 'config.export', 'maintenance.enabled', 'maintenance.disabled',
|
|
32
|
+
'key.quota_updated', 'key.tags_updated', 'key.limit_updated',
|
|
33
|
+
'key.alias_set', 'key.note_added', 'key.note_deleted',
|
|
34
|
+
'admin.alerts_configured', 'admin.cache_cleared', 'admin.circuit_reset',
|
|
35
|
+
'template.created', 'template.updated', 'template.deleted',
|
|
36
|
+
'team.created', 'team.updated', 'team.deleted',
|
|
37
|
+
'group.created', 'group.updated', 'group.deleted',
|
|
38
|
+
'webhook_filter.created', 'webhook_filter.updated', 'webhook_filter.deleted',
|
|
39
|
+
'schedule.created', 'schedule.executed', 'schedule.cancelled',
|
|
40
|
+
]);
|
|
41
|
+
const SECURITY_EVENTS = new Set([
|
|
42
|
+
'admin.auth_failed', 'key.revoked', 'key.suspended',
|
|
43
|
+
'admin_key.revoked', 'admin_key.bootstrap_rotated',
|
|
44
|
+
'oauth.token_revoked', 'token.revoked',
|
|
45
|
+
]);
|
|
46
|
+
// ─── Framework-specific descriptions ──────────────────────────────────────────
|
|
47
|
+
const FRAMEWORK_SECTIONS = {
|
|
48
|
+
soc2: {
|
|
49
|
+
accessControl: {
|
|
50
|
+
title: 'CC6.1 – Logical Access Controls',
|
|
51
|
+
description: 'Access provisioning, de-provisioning, key rotation, and authentication events.',
|
|
52
|
+
},
|
|
53
|
+
dataProcessing: {
|
|
54
|
+
title: 'CC7.2 – System Operations Monitoring',
|
|
55
|
+
description: 'Tool call processing, credit operations, billing, and data import/export events.',
|
|
56
|
+
},
|
|
57
|
+
configChanges: {
|
|
58
|
+
title: 'CC8.1 – Change Management',
|
|
59
|
+
description: 'Configuration changes, maintenance windows, template updates, and system modifications.',
|
|
60
|
+
},
|
|
61
|
+
security: {
|
|
62
|
+
title: 'CC6.8 – Security Incident Detection',
|
|
63
|
+
description: 'Authentication failures, key revocations, suspicious activity, and security events.',
|
|
64
|
+
},
|
|
65
|
+
},
|
|
66
|
+
gdpr: {
|
|
67
|
+
accessControl: {
|
|
68
|
+
title: 'Article 25 – Data Protection by Design',
|
|
69
|
+
description: 'Access control events demonstrating data protection measures and access management.',
|
|
70
|
+
},
|
|
71
|
+
dataProcessing: {
|
|
72
|
+
title: 'Article 30 – Records of Processing Activities',
|
|
73
|
+
description: 'Data processing events including tool calls, data transfers, and billing operations.',
|
|
74
|
+
},
|
|
75
|
+
configChanges: {
|
|
76
|
+
title: 'Article 32 – Security of Processing',
|
|
77
|
+
description: 'System configuration changes and security measure updates.',
|
|
78
|
+
},
|
|
79
|
+
security: {
|
|
80
|
+
title: 'Article 33 – Notification of Data Breaches',
|
|
81
|
+
description: 'Security events, authentication failures, and potential breach indicators.',
|
|
82
|
+
},
|
|
83
|
+
},
|
|
84
|
+
hipaa: {
|
|
85
|
+
accessControl: {
|
|
86
|
+
title: '§164.312(a) – Access Control',
|
|
87
|
+
description: 'Electronic access control events, user authentication, and authorization management.',
|
|
88
|
+
},
|
|
89
|
+
dataProcessing: {
|
|
90
|
+
title: '§164.312(b) – Audit Controls',
|
|
91
|
+
description: 'Information system activity records, data processing, and transaction logs.',
|
|
92
|
+
},
|
|
93
|
+
configChanges: {
|
|
94
|
+
title: '§164.312(e) – Transmission Security',
|
|
95
|
+
description: 'System configuration modifications and security parameter changes.',
|
|
96
|
+
},
|
|
97
|
+
security: {
|
|
98
|
+
title: '§164.308(a)(6) – Security Incident Procedures',
|
|
99
|
+
description: 'Security incidents, unauthorized access attempts, and incident response events.',
|
|
100
|
+
},
|
|
101
|
+
},
|
|
102
|
+
};
|
|
103
|
+
// ─── Severity Mapping ─────────────────────────────────────────────────────────
|
|
104
|
+
function getSeverity(eventType) {
|
|
105
|
+
if (eventType === 'admin.auth_failed')
|
|
106
|
+
return 'critical';
|
|
107
|
+
if (eventType === 'key.revoked' || eventType === 'admin_key.revoked')
|
|
108
|
+
return 'warning';
|
|
109
|
+
if (eventType === 'key.suspended')
|
|
110
|
+
return 'warning';
|
|
111
|
+
if (eventType === 'gate.deny')
|
|
112
|
+
return 'warning';
|
|
113
|
+
if (eventType === 'maintenance.enabled')
|
|
114
|
+
return 'warning';
|
|
115
|
+
if (eventType === 'admin_key.bootstrap_rotated')
|
|
116
|
+
return 'warning';
|
|
117
|
+
return 'info';
|
|
118
|
+
}
|
|
119
|
+
// ─── Report Generator ─────────────────────────────────────────────────────────
|
|
120
|
+
function classifyEvent(event) {
|
|
121
|
+
const parts = event.type.split('.');
|
|
122
|
+
return {
|
|
123
|
+
timestamp: event.timestamp,
|
|
124
|
+
category: parts[0] || 'unknown',
|
|
125
|
+
action: parts.slice(1).join('.') || event.type,
|
|
126
|
+
actor: event.actor,
|
|
127
|
+
detail: event.message,
|
|
128
|
+
severity: getSeverity(event.type),
|
|
129
|
+
metadata: Object.keys(event.metadata).length > 0 ? event.metadata : undefined,
|
|
130
|
+
};
|
|
131
|
+
}
|
|
132
|
+
/**
|
|
133
|
+
* Generate a compliance report from audit log events.
|
|
134
|
+
*/
|
|
135
|
+
function generateComplianceReport(auditLogger, framework, options) {
|
|
136
|
+
const periodEnd = options.until || new Date().toISOString();
|
|
137
|
+
const periodStart = options.since || new Date(Date.now() - 30 * 86_400_000).toISOString(); // Default: last 30 days
|
|
138
|
+
// Query all events in the period
|
|
139
|
+
const query = {
|
|
140
|
+
since: periodStart,
|
|
141
|
+
until: periodEnd,
|
|
142
|
+
limit: 10_000, // Max export size
|
|
143
|
+
};
|
|
144
|
+
const result = auditLogger.query(query);
|
|
145
|
+
const events = result.events;
|
|
146
|
+
const frameworkConfig = FRAMEWORK_SECTIONS[framework];
|
|
147
|
+
// Classify events into sections
|
|
148
|
+
const accessControlEvents = [];
|
|
149
|
+
const dataProcessingEvents = [];
|
|
150
|
+
const configChangeEvents = [];
|
|
151
|
+
const securityEvents = [];
|
|
152
|
+
const actors = new Set();
|
|
153
|
+
let authFailures = 0;
|
|
154
|
+
let keysCreated = 0;
|
|
155
|
+
let keysRevoked = 0;
|
|
156
|
+
let keysSuspended = 0;
|
|
157
|
+
for (const event of events) {
|
|
158
|
+
const classified = classifyEvent(event);
|
|
159
|
+
actors.add(event.actor);
|
|
160
|
+
if (ACCESS_CONTROL_EVENTS.has(event.type)) {
|
|
161
|
+
accessControlEvents.push(classified);
|
|
162
|
+
}
|
|
163
|
+
if (DATA_PROCESSING_EVENTS.has(event.type)) {
|
|
164
|
+
dataProcessingEvents.push(classified);
|
|
165
|
+
}
|
|
166
|
+
if (CONFIG_CHANGE_EVENTS.has(event.type)) {
|
|
167
|
+
configChangeEvents.push(classified);
|
|
168
|
+
}
|
|
169
|
+
if (SECURITY_EVENTS.has(event.type)) {
|
|
170
|
+
securityEvents.push(classified);
|
|
171
|
+
}
|
|
172
|
+
// Count specific events
|
|
173
|
+
if (event.type === 'admin.auth_failed')
|
|
174
|
+
authFailures++;
|
|
175
|
+
if (event.type === 'key.created')
|
|
176
|
+
keysCreated++;
|
|
177
|
+
if (event.type === 'key.revoked')
|
|
178
|
+
keysRevoked++;
|
|
179
|
+
if (event.type === 'key.suspended')
|
|
180
|
+
keysSuspended++;
|
|
181
|
+
}
|
|
182
|
+
return {
|
|
183
|
+
meta: {
|
|
184
|
+
framework,
|
|
185
|
+
generatedAt: new Date().toISOString(),
|
|
186
|
+
periodStart,
|
|
187
|
+
periodEnd,
|
|
188
|
+
serverVersion: options.serverVersion,
|
|
189
|
+
totalEvents: events.length,
|
|
190
|
+
},
|
|
191
|
+
sections: [
|
|
192
|
+
{
|
|
193
|
+
...frameworkConfig.accessControl,
|
|
194
|
+
events: accessControlEvents,
|
|
195
|
+
count: accessControlEvents.length,
|
|
196
|
+
},
|
|
197
|
+
{
|
|
198
|
+
...frameworkConfig.dataProcessing,
|
|
199
|
+
events: dataProcessingEvents,
|
|
200
|
+
count: dataProcessingEvents.length,
|
|
201
|
+
},
|
|
202
|
+
{
|
|
203
|
+
...frameworkConfig.configChanges,
|
|
204
|
+
events: configChangeEvents,
|
|
205
|
+
count: configChangeEvents.length,
|
|
206
|
+
},
|
|
207
|
+
{
|
|
208
|
+
...frameworkConfig.security,
|
|
209
|
+
events: securityEvents,
|
|
210
|
+
count: securityEvents.length,
|
|
211
|
+
},
|
|
212
|
+
],
|
|
213
|
+
summary: {
|
|
214
|
+
totalAccessControlEvents: accessControlEvents.length,
|
|
215
|
+
totalDataProcessingEvents: dataProcessingEvents.length,
|
|
216
|
+
totalConfigChangeEvents: configChangeEvents.length,
|
|
217
|
+
totalSecurityEvents: securityEvents.length,
|
|
218
|
+
authFailures,
|
|
219
|
+
keysCreated,
|
|
220
|
+
keysRevoked,
|
|
221
|
+
keysSuspended,
|
|
222
|
+
uniqueActors: actors.size,
|
|
223
|
+
},
|
|
224
|
+
};
|
|
225
|
+
}
|
|
226
|
+
/**
|
|
227
|
+
* Convert a compliance report to CSV format.
|
|
228
|
+
*/
|
|
229
|
+
function complianceReportToCsv(report) {
|
|
230
|
+
const header = 'section,timestamp,category,action,actor,severity,detail';
|
|
231
|
+
const rows = [];
|
|
232
|
+
for (const section of report.sections) {
|
|
233
|
+
for (const event of section.events) {
|
|
234
|
+
rows.push(`"${section.title}",${event.timestamp},${event.category},${event.action},"${event.actor.replace(/"/g, '""')}",${event.severity},"${event.detail.replace(/"/g, '""')}"`);
|
|
235
|
+
}
|
|
236
|
+
}
|
|
237
|
+
return [header, ...rows].join('\n');
|
|
238
|
+
}
|
|
239
|
+
//# sourceMappingURL=compliance.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"compliance.js","sourceRoot":"","sources":["../src/compliance.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAsLH,4DAsGC;AAKD,sDAaC;AA1PD,iFAAiF;AAEjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa,EAAE,YAAY;IAC1E,aAAa,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,gBAAgB;IACxE,mBAAmB,EAAE,mBAAmB,EAAE,mBAAmB;IAC7D,6BAA6B,EAAE,yBAAyB;IACxD,oBAAoB,EAAE,qBAAqB,EAAE,eAAe,EAAE,eAAe;IAC7E,mBAAmB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,mBAAmB;CACnF,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,oBAAoB;IAC5D,yBAAyB,EAAE,kBAAkB,EAAE,mBAAmB;IAClE,kBAAkB,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe;IACtE,sBAAsB,EAAE,uBAAuB,EAAE,yBAAyB;CAC3E,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,iBAAiB,EAAE,eAAe,EAAE,qBAAqB,EAAE,sBAAsB;IACjF,mBAAmB,EAAE,kBAAkB,EAAE,mBAAmB;IAC5D,eAAe,EAAE,gBAAgB,EAAE,kBAAkB;IACrD,yBAAyB,EAAE,qBAAqB,EAAE,qBAAqB;IACvE,kBAAkB,EAAE,kBAAkB,EAAE,kBAAkB;IAC1D,cAAc,EAAE,cAAc,EAAE,cAAc;IAC9C,eAAe,EAAE,eAAe,EAAE,eAAe;IACjD,wBAAwB,EAAE,wBAAwB,EAAE,wBAAwB;IAC5E,kBAAkB,EAAE,mBAAmB,EAAE,oBAAoB;CAC9D,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,mBAAmB,EAAE,aAAa,EAAE,eAAe;IACnD,mBAAmB,EAAE,6BAA6B;IAClD,qBAAqB,EAAE,eAAe;CACvC,CAAC,CAAC;AAEH,iFAAiF;AAEjF,MAAM,kBAAkB,GAKnB;IACH,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,KAAK,EAAE,iCAAiC;YACxC,WAAW,EAAE,gFAAgF;SAC9F;QACD,cAAc,EAAE;YACd,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,kFAAkF;SAChG;QACD,aAAa,EAAE;YACb,KAAK,EAAE,2BAA2B;YAClC,WAAW,EAAE,yFAAyF;SACvG;QACD,QAAQ,EAAE;YACR,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,qFAAqF;SACnG;KACF;IACD,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,qFAAqF;SACnG;QACD,cAAc,EAAE;YACd,KAAK,EAAE,+CAA+C;YACtD,WAAW,EAAE,sFAAsF;SACpG;QACD,aAAa,EAAE;YACb,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,4DAA4D;SAC1E;QACD,QAAQ,EAAE;YACR,KAAK,EAAE,4CAA4C;YACnD,WAAW,EAAE,4EAA4E;SAC1F;KACF;IACD,KAAK,EAAE;QACL,aAAa,EAAE;YACb,KAAK,EAAE,8BAA8B;YACrC,WAAW,EAAE,sFAAsF;SACpG;QACD,cAAc,EAAE;YACd,KAAK,EAAE,8BAA8B;YACrC,WAAW,EAAE,6EAA6E;SAC3F;QACD,aAAa,EAAE;YACb,KAAK,EAAE,qCAAqC;YAC5C,WA
AW,EAAE,oEAAoE;SAClF;QACD,QAAQ,EAAE;YACR,KAAK,EAAE,+CAA+C;YACtD,WAAW,EAAE,iFAAiF;SAC/F;KACF;CACF,CAAC;AAEF,iFAAiF;AAEjF,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,SAAS,KAAK,mBAAmB;QAAE,OAAO,UAAU,CAAC;IACzD,IAAI,SAAS,KAAK,aAAa,IAAI,SAAS,KAAK,mBAAmB;QAAE,OAAO,SAAS,CAAC;IACvF,IAAI,SAAS,KAAK,eAAe;QAAE,OAAO,SAAS,CAAC;IACpD,IAAI,SAAS,KAAK,WAAW;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,SAAS,KAAK,qBAAqB;QAAE,OAAO,SAAS,CAAC;IAC1D,IAAI,SAAS,KAAK,6BAA6B;QAAE,OAAO,SAAS,CAAC;IAClE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iFAAiF;AAEjF,SAAS,aAAa,CAAC,KAAiB;IACtC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS;QAC/B,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI;QAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,MAAM,EAAE,KAAK,CAAC,OAAO;QACrB,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC;QACjC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KAC9E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CACtC,WAAwB,EACxB,SAA8B,EAC9B,OAIC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC5D,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,wBAAwB;IAEnH,iCAAiC;IACjC,MAAM,KAAK,GAAe;QACxB,KAAK,EAAE,WAAW;QAClB,KAAK,EAAE,SAAS;QAChB,KAAK,EAAE,MAAM,EAAE,kBAAkB;KAClC,CAAC;IACF,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAE7B,MAAM,eAAe,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAEtD,gCAAgC;IAChC,MAAM,mBAAmB,GAAsB,EAAE,CAAC;IAClD,MAAM,oBAAoB,GAAsB,EAAE,CAAC;IACnD,MAAM,kBAAkB,GAAsB,EAAE,CAAC;IACjD,MAAM,cAAc,GAAsB,EAAE,CAAC;IAE7C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC
;QAExB,IAAI,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,IAAI,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;QAED,wBAAwB;QACxB,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB;YAAE,YAAY,EAAE,CAAC;QACvD,IAAI,KAAK,CAAC,IAAI,KAAK,aAAa;YAAE,WAAW,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,IAAI,KAAK,aAAa;YAAE,WAAW,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe;YAAE,aAAa,EAAE,CAAC;IACtD,CAAC;IAED,OAAO;QACL,IAAI,EAAE;YACJ,SAAS;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,WAAW;YACX,SAAS;YACT,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,WAAW,EAAE,MAAM,CAAC,MAAM;SAC3B;QACD,QAAQ,EAAE;YACR;gBACE,GAAG,eAAe,CAAC,aAAa;gBAChC,MAAM,EAAE,mBAAmB;gBAC3B,KAAK,EAAE,mBAAmB,CAAC,MAAM;aAClC;YACD;gBACE,GAAG,eAAe,CAAC,cAAc;gBACjC,MAAM,EAAE,oBAAoB;gBAC5B,KAAK,EAAE,oBAAoB,CAAC,MAAM;aACnC;YACD;gBACE,GAAG,eAAe,CAAC,aAAa;gBAChC,MAAM,EAAE,kBAAkB;gBAC1B,KAAK,EAAE,kBAAkB,CAAC,MAAM;aACjC;YACD;gBACE,GAAG,eAAe,CAAC,QAAQ;gBAC3B,MAAM,EAAE,cAAc;gBACtB,KAAK,EAAE,cAAc,CAAC,MAAM;aAC7B;SACF;QACD,OAAO,EAAE;YACP,wBAAwB,EAAE,mBAAmB,CAAC,MAAM;YACpD,yBAAyB,EAAE,oBAAoB,CAAC,MAAM;YACtD,uBAAuB,EAAE,kBAAkB,CAAC,MAAM;YAClD,mBAAmB,EAAE,cAAc,CAAC,MAAM;YAC1C,YAAY;YACZ,WAAW;YACX,WAAW;YACX,aAAa;YACb,YAAY,EAAE,MAAM,CAAC,IAAI;SAC1B;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,MAAwB;IAC5D,MAAM,MAAM,GAAG,yDAAyD,CAAC;IACzE,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnC,IAAI,CAAC,IAAI,CACP,IAAI,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CACvK,CAAC;QACJ,CAAC;IACH,CAA
C;IAED,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC"}
|
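--- a/package/dist/gate.d.ts
+++ b/package/dist/gate.d.ts
@@ -46,11 +46,13 @@ export declare class Gate {
 onCreditsDeducted?: (apiKey: string, amount: number) => void;
 /** Optional hook called when auto-topup is triggered (for audit/webhook). */
 onAutoTopup?: (apiKey: string, amount: number, newBalance: number) => void;
+/** Per-key webhook emitters (lazily created, keyed by API key prefix). */
+private keyWebhooks;
 constructor(config: PayGateConfig, statePath?: string);
 /**
 * Evaluate a tool call request.
 */
-evaluate(apiKey: string | null, toolCall: ToolCallParams, clientIp?: string, scopedTokenTools?: string[]): GateDecision;
+evaluate(apiKey: string | null, toolCall: ToolCallParams, clientIp?: string, scopedTokenTools?: string[], countryCode?: string): GateDecision;
 /**
 * Evaluate a batch of tool calls atomically (all-or-nothing).
 *
@@ -60,7 +62,7 @@ export declare class Gate {
 *
 * On success, deducts credits for all calls at once.
 */
-evaluateBatch(apiKey: string | null, calls: BatchToolCall[], clientIp?: string, scopedTokenTools?: string[]): BatchGateResult;
+evaluateBatch(apiKey: string | null, calls: BatchToolCall[], clientIp?: string, scopedTokenTools?: string[], countryCode?: string): BatchGateResult;
 /** Build a shadow-mode batch result (all allowed, zero charges). */
 private shadowBatchResult;
 /**
@@ -144,6 +146,15 @@ export declare class Gate {
 */
 updateConfig(patch: Partial<PayGateConfig>): string[];
 destroy(): void;
+/**
+* Get or create a per-key webhook emitter.
+* Returns null if the key has no webhookUrl configured.
+*/
+getKeyWebhook(apiKey: string): WebhookEmitter | null;
+/**
+* Remove cached per-key webhook emitter (called when webhook URL is cleared).
+*/
+removeKeyWebhook(apiKey: string): void;
 private recordEvent;
 }
 //# sourceMappingURL=gate.d.ts.map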
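Review bot: The new `countryCode?: string` parameter on `evaluate` and `evaluateBatch` is undocumented, and its contract is not obvious from the type: the gate.js implementation in this same diff ignores any value that is not exactly two characters and upper-cases the rest, so callers need to know it expects an ISO 3166-1 alpha-2 code and that omitting it skips the per-key country restriction entirely. Add to the JSDoc of both methods: `@param countryCode ISO 3166-1 alpha-2 code of the caller (case-insensitive); when omitted or malformed, the key's allowedCountries/deniedCountries are not evaluated.` The `getKeyWebhook` doc should also say that it performs a store lookup on every call and that the cache is keyed by the first 10 characters of the key, so callers on hot paths know the cost and the collision assumption.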
package/dist/gate.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,EAAe,aAAa,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC7I,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAqB,MAAM,UAAU,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,qBAAa,IAAI;IACf,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,yFAAyF;IACzF,OAAO,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/B,gFAAgF;IAChF,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,oDAAoD;IACpD,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,8DAA8D;IAC9D,YAAY,CAAC,EAAE,eAAe,CAAC;IAC/B,mEAAmE;IACnE,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACzF,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,iFAAiF;IACjF,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;IAC3C,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7D,6EAA6E;IAC7E,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,EAAe,aAAa,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC7I,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAqB,MAAM,UAAU,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,qBAAa,IAAI;IACf,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,yFAAyF;IACzF,OAAO,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/B,gFAAgF;IAChF,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,oDAAoD;IACpD,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,8DAA8D;IAC9D,YAAY,CAAC,EAAE,eAAe,CAAC;IAC/B,mEAAmE;IACnE,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACzF,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,iFAAiF;IACjF,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;IAC3C,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7D,6EAA6E;IAC7E,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3E,0EAA0E;IAC1E,OAAO,CAAC,WAAW,CAAqC;gBAE5C,MAAM,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,MAAM;IAwBrD;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,YAAY;IAwO7I;;;;;;;;OAQG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,eAAe;IA2SnJ,oEAAoE;IACpE,OAAO,CAAC,iBAAiB;IAUzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAgBpB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IAcxB;;;OAGG;IACH,iBAAiB,CAAC
,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC,EAAE,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC,GAAG,IAAI;IA+BjL;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAQrC;;;OAGG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IA4BvF;;OAEG;IACH,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;IAoB5B;;;OAGG;IACH,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAa/D,2CAA2C;IAC3C,IAAI,eAAe,IAAI,OAAO,CAE7B;IAED;;;;OAIG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IA4BvC;;;;;;;OAOG;IACH,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,EAAE;IAsGrD,OAAO,IAAI,IAAI;IAUf;;;OAGG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IA6BpD;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAStC,OAAO,CAAC,WAAW;CA6BpB"}
|
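--- a/package/dist/gate.js
+++ b/package/dist/gate.js
@@ -16,6 +16,7 @@ exports.Gate = void 0;
 const store_1 = require("./store");
 const rate_limiter_1 = require("./rate-limiter");
 const meter_1 = require("./meter");
+const webhook_1 = require("./webhook");
 const webhook_router_1 = require("./webhook-router");
 const quota_1 = require("./quota");
 class Gate {
@@ -42,6 +43,8 @@ class Gate {
 onCreditsDeducted;
 /** Optional hook called when auto-topup is triggered (for audit/webhook). */
 onAutoTopup;
+/** Per-key webhook emitters (lazily created, keyed by API key prefix). */
+keyWebhooks = new Map();
 constructor(config, statePath) {
 this.config = config;
 this.store = new store_1.KeyStore(statePath);
@@ -67,7 +70,7 @@ class Gate {
 /**
 * Evaluate a tool call request.
 */
-evaluate(apiKey, toolCall, clientIp, scopedTokenTools) {
+evaluate(apiKey, toolCall, clientIp, scopedTokenTools, countryCode) {
 const toolName = toolCall.name;
 const creditsRequired = this.getToolPrice(toolName, toolCall.arguments, apiKey || undefined);
 // Plugin: beforeGate — short-circuit if any plugin returns a decision
@@ -133,7 +136,29 @@ class Gate {
 return { allowed: false, reason, creditsCharged: 0, remainingCredits: keyRecord.credits };
 }
 }
-// Step
+// Step 3b: Country restriction check
+if (countryCode && countryCode.length === 2) {
+const cc = countryCode.toUpperCase();
+const allowed = keyRecord.allowedCountries;
+const denied = keyRecord.deniedCountries;
+if (allowed && allowed.length > 0 && !allowed.includes(cc)) {
+const reason = `country_not_allowed: ${cc} not in allowed countries`;
+this.recordEvent(apiKey, keyRecord.name, toolName, 0, false, reason, keyRecord.namespace);
+if (this.config.shadowMode) {
+return { allowed: true, reason: `shadow:${reason}`, creditsCharged: 0, remainingCredits: keyRecord.credits };
+}
+return { allowed: false, reason, creditsCharged: 0, remainingCredits: keyRecord.credits };
+}
+if (denied && denied.length > 0 && denied.includes(cc)) {
+const reason = `country_denied: ${cc} is in denied countries list`;
+this.recordEvent(apiKey, keyRecord.name, toolName, 0, false, reason, keyRecord.namespace);
+if (this.config.shadowMode) {
+return { allowed: true, reason: `shadow:${reason}`, creditsCharged: 0, remainingCredits: keyRecord.credits };
+}
+return { allowed: false, reason, creditsCharged: 0, remainingCredits: keyRecord.credits };
+}
+}
+// Step 3c: Tool ACL check (with group policy applied)
 const effectiveRecord = groupPolicy ? {
 ...keyRecord,
 allowedTools: groupPolicy.allowedTools,
@@ -264,7 +289,7 @@ class Gate {
 *
 * On success, deducts credits for all calls at once.
 */
-evaluateBatch(apiKey, calls, clientIp, scopedTokenTools) {
+evaluateBatch(apiKey, calls, clientIp, scopedTokenTools, countryCode) {
 if (calls.length === 0) {
 return { allAllowed: true, totalCredits: 0, decisions: [], remainingCredits: 0, failedIndex: -1 };
 }
@@ -836,6 +861,51 @@ class Gate {
 destroy() {
 this.rateLimiter.destroy();
 this.webhook?.destroy();
+// Destroy per-key webhook emitters
+for (const emitter of this.keyWebhooks.values()) {
+emitter.destroy();
+}
+this.keyWebhooks.clear();
+}
+/**
+* Get or create a per-key webhook emitter.
+* Returns null if the key has no webhookUrl configured.
+*/
+getKeyWebhook(apiKey) {
+const keyRecord = this.store.getKey(apiKey);
+if (!keyRecord?.webhookUrl)
+return null;
+const prefix = apiKey.slice(0, 10);
+const existing = this.keyWebhooks.get(prefix);
+// Return cached if URL hasn't changed
+if (existing && existing.url === keyRecord.webhookUrl) {
+return existing;
+}
+// Destroy old emitter if URL changed
+if (existing) {
+existing.destroy();
+}
+// Create new emitter for this key
+const emitter = new webhook_1.WebhookEmitter(keyRecord.webhookUrl, {
+secret: keyRecord.webhookSecret || null,
+batchSize: 10,
+flushIntervalMs: 5000,
+maxRetries: 3,
+ssrfCheckOnDelivery: this.config.webhookSsrfAtDelivery ?? true,
+});
+this.keyWebhooks.set(prefix, emitter);
+return emitter;
+}
+/**
+* Remove cached per-key webhook emitter (called when webhook URL is cleared).
+*/
+removeKeyWebhook(apiKey) {
+const prefix = apiKey.slice(0, 10);
+const existing = this.keyWebhooks.get(prefix);
+if (existing) {
+existing.destroy();
+this.keyWebhooks.delete(prefix);
+}
 }
 recordEvent(apiKey, keyName, tool, creditsCharged, allowed, denyReason, namespace) {
 const event = {
@@ -856,6 +926,11 @@ class Gate {
 else if (this.webhook) {
 this.webhook.emit(event);
 }
+// Per-key webhook: also emit to key-specific webhook URL
+const keyWebhook = this.getKeyWebhook(apiKey);
+if (keyWebhook) {
+keyWebhook.emit(event);
+}
 this.onUsageEvent?.(event);
 }
 }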
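Review bot: The country allowlist added as step 3b fails open: the whole check sits under `if (countryCode && countryCode.length === 2)`, so a key with a non-empty `allowedCountries` is still allowed through whenever the caller's country is undefined or not exactly two characters, which turns a geographic allowlist into a best-effort hint. Where `countryCode` is derived is outside this section; if it comes from a request header rather than a trusted edge/GeoIP lookup it is client-controllable regardless, and that limitation should be stated next to the check. An allowlist should deny when the country is unknown while a denylist can only act on a known code; the rewrite below does that and keeps the shadow-mode and recordEvent handling as is. Separately, `getKeyWebhook` reuses the cached emitter whenever `existing.url === keyRecord.webhookUrl`, so a rotated `webhookSecret` keeps signing deliveries with the old secret until the URL changes or the process restarts — compare the secret as well, e.g. `if (existing && existing.url === keyRecord.webhookUrl && existing.secret === (keyRecord.webhookSecret || null))`, assuming the emitter exposes it.
```javascript
// Step 3b: Country restriction check. An allowlist must fail closed when the
// caller's country is unknown or malformed; a denylist can only act on a known code.
const cc = typeof countryCode === 'string' && countryCode.length === 2 ? countryCode.toUpperCase() : null;
const allowed = keyRecord.allowedCountries;
const denied = keyRecord.deniedCountries;
if (allowed && allowed.length > 0 && (cc === null || !allowed.includes(cc))) {
    const reason = cc === null
        ? 'country_not_allowed: country could not be determined'
        : `country_not_allowed: ${cc} not in allowed countries`;
    // … unchanged: recordEvent, shadowMode short-circuit, deny return …
}
if (cc !== null && denied && denied.length > 0 && denied.includes(cc)) {
    // … unchanged: denied-country handling …
}
```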