{"version":3,"file":"security-schema.cjs","names":[],"sources":["../src/security-schema.ts"],"sourcesContent":["/**\n * Security telemetry wire schema — the single source of truth for the\n * `security.*` span-attribute contract emitted by `autotel-audit`\n * (`securityEvent()`, `withSecurity()`, `createSecuritySignalProcessor()`)\n * and consumed by `autotel-subscribers`, `autotel-devtools`, and the\n * `autotel security` CLI commands.\n *\n * Dependency-free and side-effect-free by design: safe to import from\n * browser bundles (devtools widget) and anything else that only needs\n * the constants, without pulling in the OpenTelemetry SDK.\n */\n\nexport type SecuritySeverity = 'info' | 'warning' | 'error' | 'critical';\n\n/** All severities, lowest first. */\nexport const SECURITY_SEVERITIES: readonly SecuritySeverity[] = [\n  'info',\n  'warning',\n  'error',\n  'critical',\n];\n\n/** Numeric rank per severity for threshold comparisons. */\nexport const SECURITY_SEVERITY_RANK: Record<SecuritySeverity, number> = {\n  info: 0,\n  warning: 1,\n  error: 2,\n  critical: 3,\n};\n\n/**\n * Parse an untrusted value (span attribute, event payload field) into a\n * severity, falling back when it is missing or malformed.\n */\nexport function parseSecuritySeverity(\n  value: unknown,\n  fallback: SecuritySeverity = 'info',\n): SecuritySeverity {\n  return typeof value === 'string' && value in SECURITY_SEVERITY_RANK\n    ? (value as SecuritySeverity)\n    : fallback;\n}\n\n/** `true` when `severity` meets or exceeds `min`. */\nexport function securitySeverityAtLeast(\n  severity: SecuritySeverity,\n  min: SecuritySeverity,\n): boolean {\n  return SECURITY_SEVERITY_RANK[severity] >= SECURITY_SEVERITY_RANK[min];\n}\n\n/** The higher-ranked of two severities (e.g. escalate failures to ≥ error). */\nexport function escalateSecuritySeverity(\n  severity: SecuritySeverity,\n  floor: SecuritySeverity,\n): SecuritySeverity {\n  return SECURITY_SEVERITY_RANK[severity] >= SECURITY_SEVERITY_RANK[floor]\n    ? severity\n    : floor;\n}\n\n/**\n * Span attribute keys of the security schema. Emitters and consumers must\n * reference these instead of re-typing the strings.\n */\nexport const SECURITY_ATTR = {\n  /** Marker set on every span carrying a security event. */\n  marker: 'autotel.security',\n  /** Set when the event was force-kept through tail sampling. */\n  forceKeep: 'autotel.security.force_keep',\n  event: 'security.event',\n  category: 'security.category',\n  outcome: 'security.outcome',\n  severity: 'security.severity',\n  actorId: 'security.actor_id',\n  targetType: 'security.target_type',\n  targetId: 'security.target_id',\n  tenantId: 'security.tenant_id',\n  reason: 'security.reason',\n  /** Custom metadata keys dropped because they looked credential-shaped. */\n  droppedKeys: 'security.dropped_keys',\n  /** Set by the signal processor on suspicious request paths. */\n  suspiciousRequest: 'security.suspicious_request',\n  /** Pattern name that flagged a suspicious request, e.g. `path_traversal`. */\n  signal: 'security.signal',\n} as const;\n\n/** Metric names emitted by the security instrumentation. */\nexport const SECURITY_METRICS = {\n  events: 'autotel.security.events',\n  httpSuspicious: 'autotel.security.http.suspicious',\n  httpDenied: 'autotel.security.http.denied',\n  anomaly: 'autotel.security.anomaly',\n  heartbeat: 'autotel.security.heartbeat',\n} as const;\n\n/** HTTP statuses counted as denied responses by default. */\nexport const SECURITY_DENIED_STATUSES: readonly number[] = [401, 403, 429];\n\n/**\n * Span attributes carrying the HTTP response status, current semconv\n * first, legacy fallback second.\n */\nexport const HTTP_STATUS_ATTRIBUTES: readonly string[] = [\n  'http.response.status_code',\n  'http.status_code',\n];\n"],"mappings":";;;;AAeA,MAAa,sBAAmD;CAC9D;CACA;CACA;CACA;AACF;;AAGA,MAAa,yBAA2D;CACtE,MAAM;CACN,SAAS;CACT,OAAO;CACP,UAAU;AACZ;;;;;AAMA,SAAgB,sBACd,OACA,WAA6B,QACX;CAClB,OAAO,OAAO,UAAU,YAAY,SAAS,yBACxC,QACD;AACN;;AAGA,SAAgB,wBACd,UACA,KACS;CACT,OAAO,uBAAuB,aAAa,uBAAuB;AACpE;;AAGA,SAAgB,yBACd,UACA,OACkB;CAClB,OAAO,uBAAuB,aAAa,uBAAuB,SAC9D,WACA;AACN;;;;;AAMA,MAAa,gBAAgB;;CAE3B,QAAQ;;CAER,WAAW;CACX,OAAO;CACP,UAAU;CACV,SAAS;CACT,UAAU;CACV,SAAS;CACT,YAAY;CACZ,UAAU;CACV,UAAU;CACV,QAAQ;;CAER,aAAa;;CAEb,mBAAmB;;CAEnB,QAAQ;AACV;;AAGA,MAAa,mBAAmB;CAC9B,QAAQ;CACR,gBAAgB;CAChB,YAAY;CACZ,SAAS;CACT,WAAW;AACb;;AAGA,MAAa,2BAA8C;CAAC;CAAK;CAAK;AAAG;;;;;AAMzE,MAAa,yBAA4C,CACvD,6BACA,kBACF"}