feat(tess): add safe runtime observability
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
This commit is contained in:
52
packages/log/src/runtime-audit.test.ts
Normal file
52
packages/log/src/runtime-audit.test.ts
Normal file
@@ -0,0 +1,52 @@
|
||||
import { describe, expect, it } from 'vitest';
|
||||
import { createRuntimeAuditLogEntry } from './runtime-audit.js';
|
||||
|
||||
describe('createRuntimeAuditLogEntry', (): void => {
|
||||
it('serializes only allowlisted runtime audit metadata', (): void => {
|
||||
const entry = createRuntimeAuditLogEntry({
|
||||
providerId: 'fleet',
|
||||
operation: 'session.send',
|
||||
outcome: 'succeeded',
|
||||
actorId: 'actor-1',
|
||||
tenantId: 'tenant-1',
|
||||
channelId: 'discord',
|
||||
correlationId: 'correlation-1',
|
||||
resourceId: 'session-1',
|
||||
durationMs: 12,
|
||||
});
|
||||
|
||||
expect(entry).toMatchObject({
|
||||
sessionId: 'runtime:fleet',
|
||||
userId: 'actor-1',
|
||||
level: 'info',
|
||||
category: 'tool_use',
|
||||
content: 'runtime.provider.audit',
|
||||
metadata: {
|
||||
providerId: 'fleet',
|
||||
operation: 'session.send',
|
||||
outcome: 'succeeded',
|
||||
correlationId: 'correlation-1',
|
||||
resourceId: expect.stringMatching(/^sha256:/),
|
||||
durationMs: 12,
|
||||
},
|
||||
});
|
||||
expect(JSON.stringify(entry)).not.toContain('approvalRef');
|
||||
});
|
||||
|
||||
it('hashes every resource ID without blocking a runtime audit or persisting its raw value', (): void => {
|
||||
const entry = createRuntimeAuditLogEntry({
|
||||
providerId: 'fleet',
|
||||
operation: 'session.send',
|
||||
outcome: 'succeeded',
|
||||
actorId: 'actor-1',
|
||||
tenantId: 'tenant-1',
|
||||
channelId: 'discord',
|
||||
correlationId: 'correlation-1',
|
||||
resourceId: 'credential-canary:secret-value',
|
||||
durationMs: 12,
|
||||
});
|
||||
|
||||
expect(entry.metadata).toMatchObject({ resourceId: expect.stringMatching(/^sha256:/) });
|
||||
expect(JSON.stringify(entry)).not.toContain('secret-value');
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user