trusera-sdk 1.0.0 → 1.1.1

package/dist/index.cjs

@@ -42,28 +42,56 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/client.ts
+var SDK_VERSION = "1.0.0";
 var TruseraClient = class {
   apiKey;
   baseUrl;
   batchSize;
+  maxQueueSize;
   flushInterval;
   debug;
   agentId;
   eventQueue = [];
   flushTimer;
   isClosed = false;
+  // Fleet auto-registration
+  autoRegister;
+  agentName;
+  agentType;
+  environment;
+  heartbeatInterval;
+  fleetAgentId;
+  heartbeatTimer;
   constructor(options) {
     this.apiKey = options.apiKey;
     this.baseUrl = options.baseUrl ?? "https://api.trusera.io";
     this.agentId = options.agentId;
     this.batchSize = options.batchSize ?? 100;
+    this.maxQueueSize = options.maxQueueSize ?? 1e4;
     this.flushInterval = options.flushInterval ?? 5e3;
     this.debug = options.debug ?? false;
+    const envAuto = (typeof process !== "undefined" ? process.env?.TRUSERA_AUTO_REGISTER : void 0) ?? "";
+    if (envAuto.toLowerCase() === "true" || envAuto === "1") {
+      this.autoRegister = true;
+    } else if (envAuto.toLowerCase() === "false" || envAuto === "0") {
+      this.autoRegister = false;
+    } else {
+      this.autoRegister = options.autoRegister ?? false;
+    }
+    const hostname = typeof process !== "undefined" && process.env?.HOSTNAME ? process.env.HOSTNAME : typeof globalThis !== "undefined" && "navigator" in globalThis ? "browser" : "unknown";
+    this.agentName = options.agentName ?? (typeof process !== "undefined" ? process.env?.TRUSERA_AGENT_NAME : void 0) ?? hostname;
+    this.agentType = options.agentType ?? (typeof process !== "undefined" ? process.env?.TRUSERA_AGENT_TYPE : void 0) ?? "";
+    this.environment = options.environment ?? (typeof process !== "undefined" ? process.env?.TRUSERA_ENVIRONMENT : void 0) ?? "";
+    const envHb = typeof process !== "undefined" ? process.env?.TRUSERA_HEARTBEAT_INTERVAL : void 0;
+    this.heartbeatInterval = envHb ? parseInt(envHb, 10) * 1e3 : options.heartbeatInterval ?? 6e4;
     if (!this.apiKey.startsWith("tsk_")) {
       throw new Error("Invalid API key format. Must start with 'tsk_'");
     }
     this.startFlushTimer();
-    this.log("TruseraClient initialized", { baseUrl: this.baseUrl, batchSize: this.batchSize });
+    if (this.autoRegister) {
+      void this.registerWithFleet();
+    }
+    this.log("TruseraClient initialized", { baseUrl: this.baseUrl, batchSize: this.batchSize, autoRegister: this.autoRegister });
   }
   /**
    * Registers a new agent with Trusera backend.
@@ -85,7 +113,7 @@ var TruseraClient = class {
         name,
         framework,
         metadata: {
-          sdk_version: "0.1.0",
+          sdk_version: SDK_VERSION,
           runtime: "node",
           node_version: process.version
         }
@@ -115,10 +143,14 @@ var TruseraClient = class {
       metadata: {
         ...event.metadata,
         agent_id: this.agentId,
-        sdk_version: "0.1.0"
+        sdk_version: SDK_VERSION
       }
     };
     this.eventQueue.push(enrichedEvent);
+    while (this.eventQueue.length > this.maxQueueSize) {
+      this.eventQueue.shift();
+      this.log("Event queue overflow, dropping oldest event");
+    }
     this.log("Event tracked", { type: event.type, name: event.name, queueSize: this.eventQueue.length });
     if (this.eventQueue.length >= this.batchSize) {
       void this.flush();
@@ -167,6 +199,7 @@ var TruseraClient = class {
     this.log("Closing client");
     this.isClosed = true;
     this.stopFlushTimer();
+    this.stopHeartbeat();
     await this.flush();
     this.log("Client closed");
   }
@@ -182,6 +215,102 @@ var TruseraClient = class {
   getAgentId() {
     return this.agentId;
   }
+  // -- Fleet auto-registration --
+  getProcessInfo() {
+    if (typeof process === "undefined") return {};
+    return {
+      pid: process.pid,
+      argv: process.argv?.slice(0, 2),
+      node_version: process.version,
+      platform: process.platform,
+      arch: process.arch
+    };
+  }
+  getNetworkInfo() {
+    const info = {};
+    if (typeof process !== "undefined") {
+      try {
+        const os = require("os");
+        info.hostname = os.hostname?.();
+      } catch {
+        info.hostname = process.env?.HOSTNAME ?? "unknown";
+      }
+    }
+    return info;
+  }
+  async registerWithFleet() {
+    const payload = {
+      name: this.agentName,
+      discovery_method: "sdk",
+      sdk_version: SDK_VERSION,
+      hostname: this.agentName,
+      process_info: this.getProcessInfo(),
+      network_info: this.getNetworkInfo()
+    };
+    if (this.agentType) payload.framework = this.agentType;
+    if (this.environment) payload.environment = this.environment;
+    try {
+      const response = await fetch(`${this.baseUrl}/api/v1/fleet/register`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.apiKey}`
+        },
+        body: JSON.stringify(payload)
+      });
+      if (!response.ok) {
+        this.log("Fleet auto-register failed", { status: response.status });
+        return;
+      }
+      const data = await response.json();
+      const agentData = data.data ?? data;
+      const fleetId = agentData.id;
+      if (fleetId) {
+        this.fleetAgentId = String(fleetId);
+        this.startHeartbeat();
+        this.log("Fleet auto-register succeeded", { fleetAgentId: this.fleetAgentId });
+      }
+    } catch (err) {
+      this.log("Fleet auto-register error (continuing without)", { error: String(err) });
+    }
+  }
+  startHeartbeat() {
+    this.heartbeatTimer = setInterval(() => {
+      void this.sendHeartbeat();
+    }, this.heartbeatInterval);
+    if (this.heartbeatTimer.unref) {
+      this.heartbeatTimer.unref();
+    }
+  }
+  stopHeartbeat() {
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = void 0;
+    }
+  }
+  async sendHeartbeat() {
+    if (!this.fleetAgentId) return;
+    try {
+      const payload = {
+        process_info: this.getProcessInfo(),
+        network_info: this.getNetworkInfo()
+      };
+      const response = await fetch(`${this.baseUrl}/api/v1/fleet/${this.fleetAgentId}/heartbeat`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.apiKey}`
+        },
+        body: JSON.stringify(payload)
+      });
+      if (!response.ok) {
+        this.log("Fleet heartbeat failed", { status: response.status });
+      }
+    } catch (err) {
+      this.log("Fleet heartbeat error", { error: String(err) });
+    }
+  }
+  // -- Timers --
   startFlushTimer() {
     this.flushTimer = setInterval(() => {
       void this.flush();
@@ -239,13 +368,47 @@ function tryRequire(moduleName) {
     return null;
   }
 }
+var SENSITIVE_HEADERS = /* @__PURE__ */ new Set([
+  "authorization",
+  "cookie",
+  "set-cookie",
+  "x-api-key",
+  "x-n8n-api-key",
+  "proxy-authorization"
+]);
+function redactHeaders(headers) {
+  const redacted = {};
+  for (const [key, value] of Object.entries(headers)) {
+    redacted[key] = SENSITIVE_HEADERS.has(key.toLowerCase()) ? "[REDACTED]" : value;
+  }
+  return redacted;
+}
+var MAX_PATTERN_LENGTH = 500;
+var EVIL_REGEX_PATTERNS = /(\.\*){2,}|(\w\+){2,}|\(\[^[^\]]*\]\*\)\*|\(\.\+\)\+/;
+function safeRegExp(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    console.warn(`[Trusera] Exclude pattern too long (${pattern.length} > ${MAX_PATTERN_LENGTH}), skipping`);
+    return null;
+  }
+  if (EVIL_REGEX_PATTERNS.test(pattern)) {
+    console.warn(`[Trusera] Potentially dangerous regex pattern detected, skipping: ${pattern.slice(0, 50)}`);
+    return null;
+  }
+  try {
+    return new RegExp(pattern);
+  } catch (e) {
+    console.warn(`[Trusera] Invalid regex pattern, skipping: ${pattern.slice(0, 50)}`);
+    return null;
+  }
+}
 var TruseraInterceptor = class {
   client = null;
   options = {
     enforcement: "log",
     policyUrl: "",
     excludePatterns: [],
-    debug: false
+    debug: false,
+    failClosed: false
   };
   excludeRegexes = [];
   isInstalled = false;
@@ -282,9 +445,10 @@ var TruseraInterceptor = class {
       enforcement: options.enforcement ?? "log",
       policyUrl: options.policyUrl ?? "",
       excludePatterns: options.excludePatterns ?? [],
-      debug: options.debug ?? false
+      debug: options.debug ?? false,
+      failClosed: options.failClosed ?? false
     };
-    this.excludeRegexes = this.options.excludePatterns.map((pattern) => new RegExp(pattern));
+    this.excludeRegexes = this.options.excludePatterns.map((pattern) => safeRegExp(pattern)).filter((r) => r !== null);
     if (originalFetch === null) {
       originalFetch = globalThis.fetch;
     }
@@ -331,7 +495,7 @@ var TruseraInterceptor = class {
     const event = createEvent(
       "api_call" /* API_CALL */,
       eventName,
-      { method, url, headers },
+      { method, url, headers: redactHeaders(headers) },
       { interception_mode: this.options.enforcement }
     );
     if (this.options.policyUrl) {
@@ -606,7 +770,7 @@ var TruseraInterceptor = class {
             response.headers.forEach((v, k) => {
               h[k] = v;
             });
-            return h;
+            return redactHeaders(h);
           })()
         }
       );
@@ -651,7 +815,7 @@ var TruseraInterceptor = class {
         body = "[Binary data]";
       }
     }
-    return { headers, body };
+    return { headers: redactHeaders(headers), body };
   }
   /**
    * Evaluates request against Cedar policies.
@@ -678,11 +842,21 @@ var TruseraInterceptor = class {
       });
       if (!response.ok) {
         console.error(`[Trusera] Policy evaluation failed: ${response.status}`);
+        if (this.options.failClosed && this.options.enforcement === "block") {
+          console.warn("[Trusera] FAIL-CLOSED: Policy service returned error, denying request");
+          return { decision: "Deny", reasons: [`Policy service error: ${response.status}`] };
+        }
+        console.warn("[Trusera] FAIL-OPEN: Policy service returned error, allowing request");
         return { decision: "Allow" };
       }
       return await response.json();
     } catch (error) {
       console.error("[Trusera] Policy evaluation error:", error);
+      if (this.options.failClosed && this.options.enforcement === "block") {
+        console.warn("[Trusera] FAIL-CLOSED: Policy evaluation failed, denying request");
+        return { decision: "Deny", reasons: ["Policy evaluation failed (fail-closed mode)"] };
+      }
+      console.warn("[Trusera] FAIL-OPEN: Policy evaluation failed, allowing request");
       return { decision: "Allow" };
     }
   }
@@ -887,6 +1061,24 @@ var CedarEvaluator = class {
 };
 
 // src/standalone.ts
+var MAX_PATTERN_LENGTH2 = 500;
+var EVIL_REGEX_PATTERNS2 = /(\.\*){2,}|(\w\+){2,}|\(\[^[^\]]*\]\*\)\*|\(\.\+\)\+/;
+function safeRegExp2(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH2) {
+    console.warn(`[Trusera Standalone] Exclude pattern too long, skipping`);
+    return null;
+  }
+  if (EVIL_REGEX_PATTERNS2.test(pattern)) {
+    console.warn(`[Trusera Standalone] Potentially dangerous regex pattern, skipping`);
+    return null;
+  }
+  try {
+    return new RegExp(pattern);
+  } catch {
+    console.warn(`[Trusera Standalone] Invalid regex pattern, skipping`);
+    return null;
+  }
+}
 var activeStandaloneInterceptor = null;
 var originalFetch2 = null;
 var StandaloneInterceptor = class {
@@ -903,9 +1095,7 @@ var StandaloneInterceptor = class {
       excludePatterns: options.excludePatterns ?? [],
       debug: options.debug ?? false
     };
-    this.excludeRegexes = this.options.excludePatterns.map(
-      (pattern) => new RegExp(pattern)
-    );
+    this.excludeRegexes = this.options.excludePatterns.map((pattern) => safeRegExp2(pattern)).filter((r) => r !== null);
   }
   /**
    * Installs the standalone interceptor.