feat(tess): add safe runtime observability
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful

This commit is contained in:
Jarvis
2026-07-12 19:50:11 -05:00
parent 753a360517
commit adfa5c0697
12 changed files with 391 additions and 24 deletions

View File

@@ -0,0 +1,52 @@
import { describe, expect, it } from 'vitest';
import { createRuntimeAuditLogEntry } from './runtime-audit.js';
describe('createRuntimeAuditLogEntry', (): void => {
it('serializes only allowlisted runtime audit metadata', (): void => {
const entry = createRuntimeAuditLogEntry({
providerId: 'fleet',
operation: 'session.send',
outcome: 'succeeded',
actorId: 'actor-1',
tenantId: 'tenant-1',
channelId: 'discord',
correlationId: 'correlation-1',
resourceId: 'session-1',
durationMs: 12,
});
expect(entry).toMatchObject({
sessionId: 'runtime:fleet',
userId: 'actor-1',
level: 'info',
category: 'tool_use',
content: 'runtime.provider.audit',
metadata: {
providerId: 'fleet',
operation: 'session.send',
outcome: 'succeeded',
correlationId: 'correlation-1',
resourceId: expect.stringMatching(/^sha256:/),
durationMs: 12,
},
});
expect(JSON.stringify(entry)).not.toContain('approvalRef');
});
it('hashes every resource ID without blocking a runtime audit or persisting its raw value', (): void => {
const entry = createRuntimeAuditLogEntry({
providerId: 'fleet',
operation: 'session.send',
outcome: 'succeeded',
actorId: 'actor-1',
tenantId: 'tenant-1',
channelId: 'discord',
correlationId: 'correlation-1',
resourceId: 'credential-canary:secret-value',
durationMs: 12,
});
expect(entry.metadata).toMatchObject({ resourceId: expect.stringMatching(/^sha256:/) });
expect(JSON.stringify(entry)).not.toContain('secret-value');
});
});