UNPKG

autotel

Version:

Write Once, Observe Anywhere

github.com/jagreehal/autotel

jagreehal/autotel

197 lines (195 loc) 7.36 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
import { t as createStructuredError } from "./structured-error-9--cxBay.js"; import { t as hashJson } from "./stable-hash-ChFBIhNt.js"; import { createCounter } from "./metric-helpers.js"; import { VALIDATION_ATTR, VALIDATION_ISSUE_CAP, VALIDATION_METRICS } from "./validation-attributes.js"; import { trace } from "@opentelemetry/api"; //#region src/validate.ts /** * Validation telemetry — connect runtime input validation (Zod or any * `safeParse` schema) to your traces and metrics at the boundaries where bad * data actually enters: HTTP bodies, events, messages. * * Today a `safeParse` failure either throws (no span, no metric, no alert) or * is silently swallowed in a handler. `defineValidator` makes the mismatch * **observable** — a `validation.*` span attribute set and a counter * incremented — with a per-validator `observe` vs `reject` mode: * * - `reject` (default): record telemetry, then throw a structured 400-shaped * error so the boundary can fail cleanly. * - `observe`: record telemetry, return the raw input so the handler continues * — useful for measuring real-world drift before you enforce it. * * **Not a security feature by default.** A malformed body is usually a bug or * version skew, not an attack. Validation telemetry is first-class on its own * metric; escalation to the security path is a deliberate opt-in via * {@link onValidationMismatch} (e.g. wired by `autotel-audit`), never automatic. * * **PII-safe by construction.** Only field *paths*, issue *codes*, and the * declared *type* are ever recorded — never the offending value, and never a * validator's error `message` (which routinely embeds the received value). */ let mismatchCounter; function counter() { if (!mismatchCounter) mismatchCounter = createCounter(VALIDATION_METRICS.mismatches, { description: "Input payloads that did not match their declared shape" }); return mismatchCounter; } const listeners = /* @__PURE__ */ new Set(); /** * Register an explicit handler called on every recorded mismatch — the opt-in * seam for escalating to security events, a webhook, or a custom sink. There is * no automatic, package-presence-driven escalation: nothing fires here unless * you (or a package you wire up) register a handler. * * Multiple subscribers coexist: a package (e.g. `autotel-audit` bridging to * security events) and your own app code (a webhook, a logger) can both * register and all fire. Returns an unsubscribe fn that removes only this * handler; registering the same function twice is a no-op (Set semantics). */ function onValidationMismatch(handler) { listeners.add(handler); return () => { listeners.delete(handler); }; } const truncate = (values) => values.slice(0, 20).join(","); /** * Record a validation mismatch as telemetry: `validation.*` attributes on the * active span (if any) and an increment on `autotel.validation.mismatches`. * Fail-open — never throws, so instrumentation can't break the boundary. */ function recordValidationMismatch(mismatch) { try { const paths = mismatch.issues.map((i) => i.path).filter(Boolean); const codes = [...new Set(mismatch.issues.map((i) => i.code))]; const span = trace.getActiveSpan(); if (span) span.setAttributes({ [VALIDATION_ATTR.name]: mismatch.name, [VALIDATION_ATTR.boundary]: mismatch.boundary, [VALIDATION_ATTR.mode]: mismatch.mode, [VALIDATION_ATTR.issueCount]: mismatch.issues.length, [VALIDATION_ATTR.issuePaths]: truncate(paths), [VALIDATION_ATTR.issueCodes]: truncate(codes), ...mismatch.hash ? { [VALIDATION_ATTR.hash]: mismatch.hash } : {}, ...mismatch.severity ? { [VALIDATION_ATTR.severity]: mismatch.severity } : {} }); try { counter().add(1, { boundary: mismatch.boundary, validation: mismatch.name, mode: mismatch.mode }); } catch {} for (const listener of listeners) try { listener(mismatch); } catch {} } catch {} } /** * Normalise an arbitrary validation error into PII-safe issues. Reads only * `path`, `code`, and (when it is a declared type name) `expected` — and never * `message`, `received`, or any value-bearing field. Understands the Zod shape * (`error.issues`) and a generic `error.errors` fallback; returns `[]` for * anything unrecognised. */ function formatValidationIssues(error) { return extractRawIssues(error).map((issue) => toSafeIssue(issue)); } function extractRawIssues(error) { if (error && typeof error === "object") { const candidate = error.issues ?? error.errors; if (Array.isArray(candidate)) return candidate.filter((i) => i !== null && typeof i === "object"); } return []; } function toSafeIssue(issue) { const rawPath = issue.path; const path = Array.isArray(rawPath) ? rawPath.map(String).join(".") : typeof rawPath === "string" ? rawPath : ""; const code = typeof issue.code === "string" ? issue.code : "invalid"; const expected = typeof issue.expected === "string" ? issue.expected : void 0; return expected ? { path, code, expected } : { path, code }; } function defaultRejectError(issues, name) { return createStructuredError({ name: "ValidationError", status: 400, code: "validation_failed", message: `Input for "${name}" did not match its declared shape.`, why: `${issues.length} field(s) failed validation: ${issues.map((i) => i.path || "(root)").slice(0, 20).join(", ")}.`, fix: "Send a payload that matches the schema, or switch this validator to observe mode while you investigate.", details: { validation: name, issues } }); } /** * Declare an expected input shape once and get a validator that records every * mismatch as telemetry. * * @example * ```ts * import { z } from 'zod'; * import { defineValidator } from 'autotel/validate'; * * const OrderBody = defineValidator('POST /orders', z.object({ * items: z.array(z.object({ sku: z.string(), qty: z.number().int() })), * }), { boundary: 'http', toJsonSchema: (s) => z.toJSONSchema(s) }); * * // reject mode (default): records + throws a 400-shaped structured error * const order = OrderBody.parse(req.body); * * // observe mode: records, returns the result, never throws * const result = OrderBody.safeParse(req.body); * if (!result.success) metrics.onDrift(result.issues); * ``` */ function defineValidator(name, schema, options = {}) { const mode = options.onMismatch ?? "reject"; const boundary = options.boundary ?? "input"; const hash = options.toJsonSchema ? hashJson(options.toJsonSchema(schema)) : void 0; const record = (issues) => { recordValidationMismatch({ name, boundary, mode, issues, hash, severity: options.severity }); }; return { name, mode, safeParse(input) { const parsed = schema.safeParse(input); if (parsed.success) return { success: true, data: parsed.data }; const issues = formatValidationIssues(parsed.error); record(issues); return { success: false, issues }; }, parse(input) { const parsed = schema.safeParse(input); if (parsed.success) return parsed.data; const issues = formatValidationIssues(parsed.error); record(issues); if (mode === "reject") throw options.onReject?.(issues, name) ?? defaultRejectError(issues, name); return input; } }; } //#endregion export { defineValidator, formatValidationIssues, onValidationMismatch, recordValidationMismatch }; //# sourceMappingURL=validate.js.map