@classytic/arc 2.11.3 → 2.13.1

package/dist/EventTransport-CT_52aWU.d.mts

@@ -0,0 +1,34 @@
+import { DeadLetteredEvent, DomainEvent, DomainEvent as DomainEvent$1, EventHandler, EventHandler as EventHandler$1, EventLogger, EventLogger as EventLogger$1, EventTransport, EventTransport as EventTransport$1, PublishManyResult } from "@classytic/primitives/events";
+
+//#region src/events/EventTransport.d.ts
+interface MemoryEventTransportOptions {
+  /** Logger for error/warning messages (default: console) */
+  logger?: EventLogger;
+}
+/**
+ * In-memory event transport (default).
+ *
+ * Events are delivered synchronously within the process. Not suitable for
+ * multi-instance deployments — pair with `RedisEventTransport` /
+ * `RedisStreamTransport` (subpath imports) for those.
+ */
+declare class MemoryEventTransport implements EventTransport {
+  readonly name = "memory";
+  private handlers;
+  private logger;
+  constructor(options?: MemoryEventTransportOptions);
+  publish(event: DomainEvent): Promise<void>;
+  /**
+   * Reference `publishMany` implementation — delegates to `publish()` in order.
+   *
+   * Production transports (Kafka, Redis pipeline, SQS batch) should override
+   * this with a single batched network call. Memory transport has nothing to
+   * batch, so we just loop — the loop still returns a proper result map so
+   * `EventOutbox.relay` can exercise the batched code path in tests.
+   */
+  publishMany(events: readonly DomainEvent[]): Promise<PublishManyResult>;
+  subscribe(pattern: string, handler: EventHandler): Promise<() => void>;
+  close(): Promise<void>;
+}
+//#endregion
+export { EventTransport$1 as a, EventLogger$1 as i, DomainEvent$1 as n, MemoryEventTransport as o, EventHandler$1 as r, MemoryEventTransportOptions as s, DeadLetteredEvent as t };

package/dist/EventTransport-DLWoUMHy.mjs

@@ -0,0 +1,103 @@
+import { createEvent, matchEventPattern } from "@classytic/primitives/events";
+//#region src/events/EventTransport.ts
+/**
+* Internal arc events module — concrete in-memory transport.
+*
+* **Public type contracts moved out (arc 2.12).** `EventMeta`, `DomainEvent`,
+* `EventHandler`, `EventLogger`, `EventTransport`, `DeadLetteredEvent`,
+* `PublishManyResult`, plus the `createEvent` / `createChildEvent` /
+* `matchEventPattern` helpers, are now owned by `@classytic/primitives/events`.
+* Two reasons:
+*
+*   1. The shapes ARE the cross-package contract. arc, arc-next, mongokit's
+*      audit-log plugin, future kits and downstream services all share them.
+*      Owning them in `primitives` (pure types, zero runtime, zero deps)
+*      eliminates the "manually mirror in two places" problem the previous
+*      `primitives/src/events.ts` header explicitly called out.
+*   2. Inverting the dependency direction lets future packages (sqlitekit
+*      audit, billing services) consume the contract without depending on
+*      arc's HTTP-coupled stack.
+*
+* Hosts MUST import the types from primitives directly:
+*
+* ```typescript
+* import type {
+*   EventMeta, DomainEvent, EventHandler, EventTransport,
+*   DeadLetteredEvent, PublishManyResult,
+* } from '@classytic/primitives/events';
+* import { createEvent, createChildEvent } from '@classytic/primitives/events';
+* ```
+*
+* arc's `events/index.ts` barrel does NOT re-export these — by design, so
+* that consumer code is forced into the canonical import path and the org's
+* "no re-exports" rule holds at every public surface.
+*
+* What stays here:
+*   - `MemoryEventTransport` — the in-memory `EventTransport` implementation
+*     used as arc's default transport. Its handler-set state is process-local;
+*     wrong layer for primitives.
+*   - `MemoryEventTransportOptions` — its options shape.
+*
+* Inside arc, files that previously imported types from `./EventTransport.js`
+* keep working: this file re-exports them from primitives for arc's own
+* call sites. That re-export is an internal refactor convenience — the
+* public `events/index.ts` barrel stays clean.
+*/
+/**
+* In-memory event transport (default).
+*
+* Events are delivered synchronously within the process. Not suitable for
+* multi-instance deployments — pair with `RedisEventTransport` /
+* `RedisStreamTransport` (subpath imports) for those.
+*/
+var MemoryEventTransport = class {
+	name = "memory";
+	handlers = /* @__PURE__ */ new Map();
+	logger;
+	constructor(options) {
+		this.logger = options?.logger ?? console;
+	}
+	async publish(event) {
+		const allHandlers = /* @__PURE__ */ new Set();
+		for (const [pattern, handlers] of this.handlers) if (matchEventPattern(pattern, event.type)) for (const h of handlers) allHandlers.add(h);
+		for (const handler of allHandlers) try {
+			await handler(event);
+		} catch (err) {
+			this.logger.error(`[EventTransport] Handler error for ${event.type}:`, err);
+		}
+	}
+	/**
+	* Reference `publishMany` implementation — delegates to `publish()` in order.
+	*
+	* Production transports (Kafka, Redis pipeline, SQS batch) should override
+	* this with a single batched network call. Memory transport has nothing to
+	* batch, so we just loop — the loop still returns a proper result map so
+	* `EventOutbox.relay` can exercise the batched code path in tests.
+	*/
+	async publishMany(events) {
+		const results = /* @__PURE__ */ new Map();
+		for (const event of events) try {
+			await this.publish(event);
+			results.set(event.meta.id, null);
+		} catch (err) {
+			results.set(event.meta.id, err instanceof Error ? err : new Error(String(err)));
+		}
+		return results;
+	}
+	async subscribe(pattern, handler) {
+		if (!this.handlers.has(pattern)) this.handlers.set(pattern, /* @__PURE__ */ new Set());
+		this.handlers.get(pattern)?.add(handler);
+		return () => {
+			const set = this.handlers.get(pattern);
+			if (set) {
+				set.delete(handler);
+				if (set.size === 0) this.handlers.delete(pattern);
+			}
+		};
+	}
+	async close() {
+		this.handlers.clear();
+	}
+};
+//#endregion
+export { createEvent as n, MemoryEventTransport as t };

package/dist/{QueryCache-DOBNHBE0.d.mts → QueryCache-D41bfdBB.d.mts}

@@ -1,4 +1,4 @@
-import { r as CacheStore } from "./interface-Da0r7Lna.mjs";
+import { r as CacheStore } from "./interface-beEtJyWM.mjs";
 
 //#region src/cache/QueryCache.d.ts
 /** Metadata wrapper stored in CacheStore */

package/dist/{ResourceRegistry-DkAeAuTX.mjs → ResourceRegistry-CTERg_2x.mjs}

@@ -1,4 +1,4 @@
-import { t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
+import "./constants-Cxde4rpC.mjs";
 //#region src/registry/ResourceRegistry.ts
 /**
 * Resource Registry
@@ -46,7 +46,7 @@ var ResourceRegistry = class {
 			registeredAt: (/* @__PURE__ */ new Date()).toISOString(),
 			disableDefaultRoutes: resource.disableDefaultRoutes,
 			updateMethod: resource.updateMethod,
-			disabledRoutes: resource.disabledRoutes,
+			disabledRoutes: resource.disabledRoutes ? [...resource.disabledRoutes] : void 0,
 			openApiSchemas: options.openApiSchemas,
 			fieldPermissions: extractFieldPermissions(resource.fields),
 			pipelineSteps: extractPipelineSteps(resource.pipe),
@@ -63,6 +63,18 @@ var ResourceRegistry = class {
 					mcp: entry.mcp
 				};
 			}) : void 0,
+			aggregations: resource.aggregations ? Object.entries(resource.aggregations).map(([name, entry]) => ({
+				name,
+				summary: entry.summary,
+				description: entry.description,
+				permissions: entry.permissions,
+				groupBy: entry.groupBy,
+				measures: stringifyMeasureMap(entry.measures),
+				lookupAliases: (entry.lookups ?? []).map((l) => l.as ?? l.from),
+				requireDateRange: entry.requireDateRange,
+				requireFilters: entry.requireFilters,
+				mcp: entry.mcp
+			})) : void 0,
 			plugin: resource.toPlugin()
 		};
 		this._resources.set(resource.name, entry);
@@ -100,6 +112,11 @@ var ResourceRegistry = class {
 	}
 	/**
 	* Get registry statistics
+	*
+	* `totalRoutes` is derived from `enumerateRoutes()` — single source of
+	* truth shared with `getIntrospection()` and consistent with what
+	* OpenAPI / Fastify actually mount. New route sources (e.g. v2.13
+	* aggregations) light up here automatically.
 	*/
 	getStats() {
 		const resources = this.getAll();
@@ -109,82 +126,110 @@ var ResourceRegistry = class {
 			totalResources: resources.length,
 			byModule: this._groupBy(resources, "module"),
 			presetUsage: presetCounts,
-			totalRoutes: resources.reduce((sum, r) => {
-				const actionsCount = (r.actions?.length ?? 0) > 0 ? 1 : 0;
-				if (r.disableDefaultRoutes) return sum + (r.customRoutes?.length ?? 0) + actionsCount;
-				const disabledSet = new Set(r.disabledRoutes ?? []);
-				let defaultCount = CRUD_OPERATIONS.filter((route) => !disabledSet.has(route)).length;
-				if (!disabledSet.has("update") && r.updateMethod === "both") defaultCount += 1;
-				return sum + defaultCount + (r.customRoutes?.length ?? 0) + actionsCount;
-			}, 0),
+			totalRoutes: resources.reduce((sum, r) => sum + this.enumerateRoutes(r).length, 0),
 			totalEvents: resources.reduce((sum, r) => sum + (r.events?.length ?? 0), 0)
 		};
 	}
 	/**
 	* Get full introspection data
+	*
+	* Routes come from `enumerateRoutes()` so consumers see the complete
+	* surface — CRUD + custom + actions + aggregations — and match what
+	* `getStats()` counts.
 	*/
 	getIntrospection() {
 		return {
-			resources: this.getAll().map((r) => {
-				const disabledSet = new Set(r.disabledRoutes ?? []);
-				const updateMethod = r.updateMethod ?? "PATCH";
-				const defaultRoutes = r.disableDefaultRoutes ? [] : [
-					...!disabledSet.has("list") ? [{
-						method: "GET",
-						path: r.prefix,
-						operation: "list"
-					}] : [],
-					...!disabledSet.has("get") ? [{
-						method: "GET",
-						path: `${r.prefix}/:id`,
-						operation: "get"
-					}] : [],
-					...!disabledSet.has("create") ? [{
-						method: "POST",
-						path: r.prefix,
-						operation: "create"
-					}] : [],
-					...!disabledSet.has("update") ? updateMethod === "both" ? [{
-						method: "PUT",
-						path: `${r.prefix}/:id`,
-						operation: "update"
-					}, {
-						method: "PATCH",
-						path: `${r.prefix}/:id`,
-						operation: "update"
-					}] : [{
-						method: updateMethod,
-						path: `${r.prefix}/:id`,
-						operation: "update"
-					}] : [],
-					...!disabledSet.has("delete") ? [{
-						method: "DELETE",
-						path: `${r.prefix}/:id`,
-						operation: "delete"
-					}] : []
-				];
-				return {
-					name: r.name,
-					displayName: r.displayName,
-					prefix: r.prefix,
-					module: r.module,
-					presets: r.presets,
-					permissions: r.permissions,
-					routes: [...defaultRoutes, ...r.customRoutes?.map((ar) => ({
-						method: ar.method,
-						path: `${r.prefix}${ar.path}`,
-						operation: ar.operation ?? (typeof ar.handler === "string" ? ar.handler : "custom"),
-						handler: typeof ar.handler === "string" ? ar.handler : void 0,
-						summary: ar.summary
-					})) ?? []],
-					events: r.events
-				};
-			}),
+			resources: this.getAll().map((r) => ({
+				name: r.name,
+				displayName: r.displayName,
+				prefix: r.prefix,
+				module: r.module,
+				presets: r.presets,
+				permissions: r.permissions,
+				routes: this.enumerateRoutes(r),
+				events: r.events
+			})),
 			stats: this.getStats(),
 			generatedAt: (/* @__PURE__ */ new Date()).toISOString()
 		};
 	}
 	/**
+	* Single source of truth for "what routes does this resource expose?".
+	*
+	* Enumerates every wire route the resource will mount on Fastify:
+	*   - default CRUD (respecting `disabledRoutes` + `updateMethod`)
+	*   - host-declared `customRoutes` (alias: `routes`)
+	*   - the unified `POST /:id/action` endpoint when `actions` is set
+	*   - one `GET /:resource/aggregations/:name` per declared aggregation
+	*
+	* Both `getStats()` and `getIntrospection()` consume this list, so a
+	* new route source (e.g. future webhook routes) only has to be added
+	* here — the count and the introspection contract update together.
+	* Mirrors the same set of paths emitted by `docs/openapi.ts`.
+	*/
+	enumerateRoutes(r) {
+		const routes = [];
+		if (!r.disableDefaultRoutes) {
+			const disabled = new Set(r.disabledRoutes ?? []);
+			const updateMethod = r.updateMethod ?? "PATCH";
+			if (!disabled.has("list")) routes.push({
+				method: "GET",
+				path: r.prefix,
+				operation: "list"
+			});
+			if (!disabled.has("get")) routes.push({
+				method: "GET",
+				path: `${r.prefix}/:id`,
+				operation: "get"
+			});
+			if (!disabled.has("create")) routes.push({
+				method: "POST",
+				path: r.prefix,
+				operation: "create"
+			});
+			if (!disabled.has("update")) if (updateMethod === "both") {
+				routes.push({
+					method: "PUT",
+					path: `${r.prefix}/:id`,
+					operation: "update"
+				});
+				routes.push({
+					method: "PATCH",
+					path: `${r.prefix}/:id`,
+					operation: "update"
+				});
+			} else routes.push({
+				method: updateMethod,
+				path: `${r.prefix}/:id`,
+				operation: "update"
+			});
+			if (!disabled.has("delete")) routes.push({
+				method: "DELETE",
+				path: `${r.prefix}/:id`,
+				operation: "delete"
+			});
+		}
+		for (const ar of r.customRoutes ?? []) routes.push({
+			method: ar.method,
+			path: `${r.prefix}${ar.path}`,
+			operation: ar.operation ?? (typeof ar.handler === "string" ? ar.handler : "custom"),
+			handler: typeof ar.handler === "string" ? ar.handler : void 0,
+			summary: ar.summary
+		});
+		if (r.actions && r.actions.length > 0) routes.push({
+			method: "POST",
+			path: `${r.prefix}/:id/action`,
+			operation: "action"
+		});
+		for (const agg of r.aggregations ?? []) routes.push({
+			method: "GET",
+			path: `${r.prefix}/aggregations/${agg.name}`,
+			operation: `aggregation:${agg.name}`,
+			summary: agg.summary
+		});
+		return routes;
+	}
+	/**
 	* Freeze registry (prevent further registrations)
 	*/
 	freeze() {
@@ -261,5 +306,33 @@ function extractPipelineSteps(pipe) {
 		operations: s.operations ? [...s.operations] : void 0
 	}));
 }
+/**
+* Stringify a measure map for the registry. Object IR (`{ op: 'sum',
+* field: 'price' }`) collapses to its op-tag form (`'sum:price'`) so
+* the OpenAPI / MCP / describe layers can render docs without
+* re-implementing IR walking. Bare `count` (no field) stays `'count'`.
+*
+* Exported so the CLI describe command renders the same string form —
+* single source of truth for "how a measure looks to tooling".
+*/
+function stringifyMeasureMap(measures) {
+	const out = {};
+	for (const [alias, m] of Object.entries(measures)) {
+		if (typeof m === "string") {
+			out[alias] = m;
+			continue;
+		}
+		if (m.op === "count" && !("field" in m && m.field)) {
+			out[alias] = "count";
+			continue;
+		}
+		if ("field" in m && m.field) {
+			out[alias] = `${m.op}:${m.field}`;
+			continue;
+		}
+		out[alias] = m.op;
+	}
+	return out;
+}
 //#endregion
-export { ResourceRegistry as t };
+export { stringifyMeasureMap as n, ResourceRegistry as t };

package/dist/audit/index.d.mts

@@ -1,6 +1,6 @@
-import { jn as RepositoryLike } from "../index-6u4_Gg6G.mjs";
-import { d as UserBase } from "../fields-C8Y0XLAu.mjs";
+import { d as UserBase } from "../fields-COhcH3fk.mjs";
 import { FastifyPluginAsync } from "fastify";
+import { RepositoryLike } from "@classytic/repo-core/adapter";
 
 //#region src/audit/stores/interface.d.ts
 type AuditAction = "create" | "update" | "delete" | "restore" | "custom";

package/dist/audit/index.mjs

@@ -50,7 +50,7 @@ function repositoryAsAuditStore(repository) {
 				page,
 				limit
 			});
-			return (Array.isArray(result) ? result : result.docs ?? []).map((d) => ({
+			return (Array.isArray(result) ? result : result.data ?? []).map((d) => ({
 				id: String(d[idField] ?? ""),
 				resource: d.resource ?? "",
 				documentId: d.documentId ?? "",

package/dist/auth/audit.d.mts

@@ -0,0 +1,199 @@
+import { FastifyInstance } from "fastify";
+
+//#region src/auth/audit.d.ts
+/**
+ * Canonical auth event names emitted by the bridge. Hosts pattern-match
+ * with glob (`session.*`, `mfa.*`, `*.failed`) when listing `events`.
+ *
+ * Names mirror BA's database-hook + endpoint-hook taxonomy. Not exhaustive —
+ * unknown events still flow through when matched, just with the BA-supplied
+ * name verbatim. Use this list for autocomplete-friendly defaults.
+ */
+type AuthEventName = "session.create" | "session.delete" | "session.update" | "user.create" | "user.update" | "user.delete" | "mfa.enroll" | "mfa.verify" | "mfa.failed" | "mfa.disable" | "password.reset.request" | "password.reset.complete" | "email.verify" | "org.create" | "org.delete" | "org.invite.create" | "org.invite.accept" | "org.invite.reject" | "org.member.add" | "org.member.remove" | "org.member.role.update" | "apikey.create" | "apikey.delete" | "apikey.failed" | "endpoint.before" | "endpoint.after" | "endpoint.error";
+/**
+ * Resolved auth event ready for audit. The bridge constructs this from
+ * BA's hook context, then forwards to `app.audit.custom('auth', subjectId,
+ * event.name, event.payload)`.
+ */
+interface AuthEvent {
+  /** Canonical name (see {@link AuthEventName}). */
+  name: string;
+  /**
+   * Subject id — the user / session / org / invite id this event is about.
+   * Empty string when the event is pre-creation (e.g. `mfa.failed` before
+   * the session exists); audit rows accept empty `documentId`.
+   */
+  subjectId: string;
+  /** User performing the action (when known); audit infers from request when omitted. */
+  userId?: string;
+  /** Organization context (when known). */
+  organizationId?: string;
+  /** Free-form payload — provider name, IP, user-agent, MFA method, etc. */
+  payload?: Record<string, unknown>;
+}
+/**
+ * Options for `wireBetterAuthAudit`.
+ */
+interface WireBetterAuthAuditOptions {
+  /**
+   * Glob patterns selecting which events to audit. `*` matches a single
+   * segment (`session.*` matches `session.create` but not `session.create.foo`),
+   * `**` matches deeply. Defaults to `['session.*', 'user.create', 'user.delete']`
+   * — the SOC2/HIPAA minimum. Pass `['**']` to audit everything.
+   */
+  events?: readonly string[];
+  /**
+   * Custom event-name resolver — invoked when the bridge can't classify
+   * an endpoint hook firing. Return a string (used as the audit `action`)
+   * to keep it; return `null` to drop. Default behaviour: emits
+   * `endpoint.before` / `endpoint.after` / `endpoint.error` with the
+   * matched path in `payload.path`.
+   */
+  resolveEndpointEvent?: (phase: "before" | "after" | "error", ctx: {
+    path?: string;
+    method?: string;
+    error?: unknown;
+  }) => string | null;
+  /**
+   * Maximum number of events to buffer before `attach(app)` is called.
+   * Older events are dropped FIFO once full. Default 1000 — enough for
+   * boot-time flow even on slow Fastify init paths.
+   */
+  bufferSize?: number;
+  /**
+   * Optional pre-flight transform — runs before the audit row is written.
+   * Return `null` to drop the event; otherwise the returned event is
+   * forwarded. Use to redact tokens, add custom payload fields, or
+   * map BA-specific event names to your own taxonomy.
+   */
+  transform?: (event: AuthEvent) => AuthEvent | null | Promise<AuthEvent | null>;
+}
+/**
+ * Result of `wireBetterAuthAudit` — duck-typed BA `hooks` + `databaseHooks`
+ * config plus an `attach(app)` method to connect the live audit logger.
+ */
+interface BetterAuthAuditBridge {
+  /**
+   * Spread into `betterAuth({ hooks })`. BA's top-level `hooks.before` /
+   * `hooks.after` slots take a single async function each (not an array).
+   * The bridge collapses its internal endpoint classifier into one dispatcher
+   * per phase. Returns `{}` so BA's `runAfterHooks` reads `.headers` / `.response`
+   * on a real object instead of crashing on undefined. For plugin-author array
+   * form, see {@link asPluginHooks}.
+   */
+  hooks: {
+    before: (ctx: BetterAuthHookContext) => Promise<Record<string, never>>;
+    after: (ctx: BetterAuthHookContext) => Promise<Record<string, never>>;
+  };
+  /**
+   * Plugin-form hooks — array of `{ matcher, handler }` entries suitable for
+   * `betterAuth({ plugins: [{ id, hooks: bridge.asPluginHooks() }] })`. Use
+   * when you're writing a BA plugin and want the audit dispatch to ride along
+   * with your plugin's own hooks instead of occupying the top-level slot.
+   */
+  asPluginHooks(): {
+    before: BetterAuthHookEntry[];
+    after: BetterAuthHookEntry[];
+  };
+  /** Spread into `betterAuth({ databaseHooks })`. */
+  databaseHooks: {
+    user: {
+      create: {
+        after: (user: {
+          id?: string;
+        }) => Promise<void>;
+      };
+      update: {
+        after: (user: {
+          id?: string;
+        }) => Promise<void>;
+      };
+      delete?: {
+        after: (user: {
+          id?: string;
+        }) => Promise<void>;
+      };
+    };
+    session: {
+      create: {
+        after: (session: SessionLike) => Promise<void>;
+      };
+      update?: {
+        after: (session: SessionLike) => Promise<void>;
+      };
+      delete?: {
+        after: (session: SessionLike) => Promise<void>;
+      };
+    };
+  };
+  /**
+   * Connect a live Fastify instance after boot. Buffered events from the
+   * BA construction phase are flushed in order; subsequent events stream
+   * through the connected `app.audit.custom(...)` directly.
+   */
+  attach(app: FastifyInstance): void;
+  /**
+   * Manual emit — for hosts that need to record auth events outside BA's
+   * hook surface (e.g. webhook signature failures, custom MFA flows).
+   */
+  emit(event: AuthEvent): void;
+  /**
+   * Observability counters — surface to your metrics backend. Counters are
+   * cumulative since bridge construction; reset when `wireBetterAuthAudit`
+   * is called again. Useful for Prometheus exporters that scrape periodically.
+   */
+  getStats(): {
+    /** Events buffered during pre-`attach` phase that were dropped due to `bufferSize` overflow. */droppedFromBuffer: number; /** Events that reached `app.audit.custom(...)` but threw (audit store failure). */
+    dispatchFailures: number; /** Total `dispatch` calls — useful to verify BA is actually invoking the bridge's hooks. */
+    dispatchAttempts: number; /** Events currently buffered awaiting `attach`. */
+    pendingBuffered: number;
+  };
+}
+/**
+ * Single BA hook entry — duck-typed to avoid pinning a BA major version.
+ * The shape mirrors `better-auth`'s public `hooks.{before,after}` API.
+ */
+interface BetterAuthHookEntry {
+  matcher: (ctx: BetterAuthHookContext) => boolean;
+  /**
+   * Returns a (possibly empty) object so BA's `runBeforeHooks` /
+   * `runAfterHooks` can read `.headers` / `.response` off the result without
+   * the `Cannot read properties of undefined` crash that hits when handlers
+   * return `void`. The bridge always returns `{}` because it's a side-effect
+   * dispatcher — no header rewrites or response substitution.
+   */
+  handler: (ctx: BetterAuthHookContext) => Promise<Record<string, unknown>> | Record<string, unknown>;
+}
+/** Subset of BA's hook context the bridge actually reads. */
+interface BetterAuthHookContext {
+  path?: string;
+  method?: string;
+  body?: Record<string, unknown>;
+  headers?: Record<string, unknown>;
+  context?: {
+    session?: {
+      user?: {
+        id?: string;
+      };
+      activeOrganizationId?: string;
+    };
+    request?: {
+      ip?: string;
+      headers?: Record<string, string | undefined>;
+    };
+  };
+  returned?: unknown;
+  error?: unknown;
+}
+/** Subset of BA's session shape the bridge reads from databaseHooks. */
+interface SessionLike {
+  id?: string;
+  userId?: string;
+  activeOrganizationId?: string;
+  ipAddress?: string;
+  userAgent?: string;
+  impersonatedBy?: string;
+}
+declare function wireBetterAuthAudit(opts?: WireBetterAuthAuditOptions): BetterAuthAuditBridge;
+//#endregion
+export { AuthEvent, AuthEventName, BetterAuthAuditBridge, BetterAuthHookContext, BetterAuthHookEntry, WireBetterAuthAuditOptions, wireBetterAuthAudit };