@de-otio/trellis 0.6.0 → 0.7.0
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +6 -3
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"age-tier-transition.js","sourceRoot":"","sources":["../../src/lib/age-tier-transition.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAUH,wCAKC;AAiDD,
|
|
1
|
+
{"version":3,"file":"age-tier-transition.js","sourceRoot":"","sources":["../../src/lib/age-tier-transition.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAUH,wCAKC;AAiDD,0DAiHC;AA7KD,qCAAkC;AAClC,yDAA8E;AAE9E;;GAEG;AACH,SAAgB,cAAc,CAAC,WAAiB,EAAE,MAAY,IAAI,IAAI,EAAE;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,MAAM,CAAC,WAAiB,EAAE,GAAS;IAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACxD,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAC1D,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAChF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAC3B,eAAgC,EAChC,WAA4B;IAE5B,MAAM,eAAe,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAEzD,OAAO;QACL,2GAA2G;QAC3G,WAAW,EAAE,eAAe,CAAC,WAAW,IAAI,WAAW,CAAC,WAAW;QACnE,gBAAgB,EAAE,eAAe,CAAC,gBAAgB,IAAI,WAAW,CAAC,gBAAgB;QAClF,mBAAmB,EAAE,eAAe,CAAC,mBAAmB,IAAI,WAAW,CAAC,mBAAmB;QAC3F,YAAY,EAAE,eAAe,CAAC,YAAY,IAAI,WAAW,CAAC,YAAY;QACtE,uBAAuB,EAAE,eAAe,CAAC,uBAAuB,IAAI,WAAW,CAAC,uBAAuB;QACvG,2CAA2C;QAC3C,0BAA0B,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,0BAA0B,EAAE,WAAW,CAAC,0BAA0B,CAAC;QACxH,eAAe,EAAE,eAAe,CAAC,eAAe,IAAI,WAAW,CAAC,eAAe;QAC/E,4CAA4C;QAC5C,iBAAiB,EACf,eAAe,CAAC,eAAe,CAAC,iBAAiB,CAAC,IAAI,eAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC;YAClG,CAAC,CAAC,eAAe,CAAC,iBAAiB;YACnC,CAAC,CAAC,WAAW,CAAC,iBAAiB;QACnC,oCAAoC;QACpC,QAAQ,EACN,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC;YAChE,CAAC,CAAC,eAAe,CAAC,QAAQ;YAC1B,CAAC,CAAC,WAAW,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,uBAAuB,CAAC,GAAQ;IAIpD,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,OAAO,GAAC,CAAC;IAC/C,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC7B
,MAAM,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;YACnC,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACrC,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,IAAI;gBACjB,gBAAgB,EAAE,IAAI;gBACtB,mBAAmB,EAAE,IAAI;gBACzB,YAAY,EAAE,IAAI;gBAClB,uBAAuB,EAAE,IAAI;gBAC7B,0BAA0B,EAAE,IAAI;gBAChC,eAAe,EAAE,IAAI;gBACrB,iBAAiB,EAAE,IAAI;gBACvB,QAAQ,EAAE,IAAI;aACf;SACF,CAAC,CAAC;QAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,WAAW;oBAAE,SAAS;gBAEhC,MAAM,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;gBAC3D,IAAI,YAAY,KAAK,IAAI,CAAC,OAAO;oBAAE,SAAS;gBAE5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBAC7B,MAAM,WAAW,GAAG,IAAA,qCAAkB,EAAC,YAAY,CAAC,CAAC;gBAErD,MAAM,eAAe,GAAoB;oBACvC,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;oBACvC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;oBAC7C,YAAY,EAAE,IAAI,CAAC,YAAY;oBAC/B,uBAAuB,EAAE,IAAI,CAAC,uBAAuB;oBACrD,0BAA0B,EAAE,IAAI,CAAC,0BAA0B;oBAC3D,eAAe,EAAE,IAAI,CAAC,eAAe;oBACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;oBACzC,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CAAC;gBAEF,qEAAqE;gBACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;gBAElE,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;oBACnB,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;oBACtB,IAAI,EAAE;wBACJ,OAAO,EAAE,YAAY;wBACrB,GAAG,MAAM;qBACV;iBACF,CAAC,CAAC;gBAEH,2DAA2D;gBAC3D,4DAA4D;gBAC5D,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC1B,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,IAAI,EAAE,QAAQ;4BACd,KAAK,EAAE,kBAAkB;4BACzB,IAAI,EAAE,sCAAsC,OAAO,OAAO,YAAY,uCAAuC;4BAC7G,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;4BACxC,QAAQ,EAAE,IAAI,CAAC,gBAAgB;yBAChC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,+CAA+C;gBAC/C,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;oBACnD,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,M
AAM,EAAE,QAAQ,EAAE;oBAC7C,OAAO,EAAE,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,EAAE,EAAE;iBAC9D,CAAC,CAAC;gBAEH,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;oBACjC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB;wBAAE,SAAS;oBAC9C,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,UAAU;4BACvB,IAAI,EAAE,QAAQ;4BACd,KAAK,EAAE,wBAAwB;4BAC/B,IAAI,EAAE,mDAAmD,OAAO,OAAO,YAAY,GAAG;4BACtF,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;4BAC1D,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,gBAAgB;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,YAAY,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,EAAE,sBAAsB,OAAO,OAAO,YAAY,EAAE,CAAC,CAAC;YACjF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,EAAE,CAAC;gBACT,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QACzD,MAAM,EAAE,CAAC;IACX,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC"}
|
|
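--- a/package/dist/lib/audit/csv-export.d.ts
+++ b/package/dist/lib/audit/csv-export.d.ts
@@ -0,0 +1,25 @@
+/**
+* CSV Export for Audit Events (RFC 4180)
+*
+* Fields that contain commas, double-quotes, or newlines are enclosed in
+* double-quotes. Inner double-quotes are doubled per RFC 4180 §2.7.
+*/
+export declare const CSV_HEADERS: readonly ["eventId", "type", "tenantId", "actorUserId", "createdAt", "sourceIp", "payload"];
+export type CsvRow = {
+eventId: string;
+type: string;
+tenantId: string;
+actorUserId: string;
+createdAt: string;
+sourceIp: string;
+payload: string;
+};
+/** Escape a single CSV field per RFC 4180. */
+export declare function escapeCsvField(value: string): string;
+/** Render one CSV row from an array of string values. */
+export declare function renderCsvRow(fields: string[]): string;
+/** Render the header row. */
+export declare function renderCsvHeader(): string;
+/** Render a complete CSV document (header + rows) from an array of row objects. */
+export declare function renderCsv(rows: CsvRow[]): string;
+//# sourceMappingURL=csv-export.d.ts.map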
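Review bot: The doc comment on `renderCsv` (line 23 of the new declaration file) does not state the record framing or what callers must do with non-string data, even though `CsvRow` is all-strings and the compiled `renderCsv` joins rows with CRLF and emits no trailing line break. A consumer streaming this to a file or appending documents needs both facts. Suggested wording for that comment: `/** Render a complete CSV document (header + rows). Records are joined with CRLF per RFC 4180 and no trailing line break is emitted; callers serialise Date and payload values to strings before building a CsvRow. */`. This is a generated declaration, so the text belongs in the TypeScript source the sourcemap points at (src/lib/audit/csv-export.ts), which is not part of this diff.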
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csv-export.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/csv-export.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,WAAW,6FAQd,CAAC;AAEX,MAAM,MAAM,MAAM,GAAG;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,8CAA8C;AAC9C,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED,yDAAyD;AACzD,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAErD;AAED,6BAA6B;AAC7B,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,mFAAmF;AACnF,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAgBhD"}
|
|
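--- a/package/dist/lib/audit/csv-export.js
+++ b/package/dist/lib/audit/csv-export.js
@@ -0,0 +1,54 @@
+"use strict";
+/**
+* CSV Export for Audit Events (RFC 4180)
+*
+* Fields that contain commas, double-quotes, or newlines are enclosed in
+* double-quotes. Inner double-quotes are doubled per RFC 4180 §2.7.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSV_HEADERS = void 0;
+exports.escapeCsvField = escapeCsvField;
+exports.renderCsvRow = renderCsvRow;
+exports.renderCsvHeader = renderCsvHeader;
+exports.renderCsv = renderCsv;
+exports.CSV_HEADERS = [
+"eventId",
+"type",
+"tenantId",
+"actorUserId",
+"createdAt",
+"sourceIp",
+"payload",
+];
+/** Escape a single CSV field per RFC 4180. */
+function escapeCsvField(value) {
+if (value.includes(",") || value.includes('"') || value.includes("\n") || value.includes("\r")) {
+return `"${value.replace(/"/g, '""')}"`;
+}
+return value;
+}
+/** Render one CSV row from an array of string values. */
+function renderCsvRow(fields) {
+return fields.map(escapeCsvField).join(",");
+}
+/** Render the header row. */
+function renderCsvHeader() {
+return renderCsvRow([...exports.CSV_HEADERS]);
+}
+/** Render a complete CSV document (header + rows) from an array of row objects. */
+function renderCsv(rows) {
+const lines = [renderCsvHeader()];
+for (const row of rows) {
+lines.push(renderCsvRow([
+row.eventId,
+row.type,
+row.tenantId,
+row.actorUserId,
+row.createdAt,
+row.sourceIp,
+row.payload,
+]));
+}
+return lines.join("\r\n");
+}
+//# sourceMappingURL=csv-export.js.map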
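Review bot: `escapeCsvField` (lines 24-29 of the new file) quotes a field only when it contains a comma, double-quote, CR or LF, so a value that begins with `=`, `+`, `-`, `@`, tab or CR is written through verbatim; the payload column of an audit export carries text that originated in requests, and spreadsheet clients evaluate such cells as formulas when the CSV is opened, which RFC 4180 quoting does not prevent. Either neutralise a leading formula character before the quoting step, as below, or state in the header comment that the output is not spreadsheet-safe and must be consumed programmatically. Prefixing alters the stored text (a payload value like `-1` becomes `'-1`), so if that is unacceptable for some columns a per-column policy in `renderCsv` is the alternative. This file is compiled output; the change belongs in the TypeScript source the sourcemap references (src/lib/audit/csv-export.ts), which is not in this diff.
```javascript
function escapeCsvField(value) {
    // A leading =, +, -, @, tab or CR is treated as a formula by spreadsheet
    // clients; prefix it with a quote so the cell is read as plain text.
    const safe = /^[=+\-@\t\r]/.test(value) ? `'${value}` : value;
    if (safe.includes(",") || safe.includes('"') || safe.includes("\n") || safe.includes("\r")) {
        return `"${safe.replace(/"/g, '""')}"`;
    }
    return safe;
}
// … unchanged: renderCsvRow, renderCsvHeader, renderCsv …
```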
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csv-export.js","sourceRoot":"","sources":["../../../src/lib/audit/csv-export.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAuBH,wCAKC;AAGD,oCAEC;AAGD,0CAEC;AAGD,8BAgBC;AAvDY,QAAA,WAAW,GAAG;IACzB,SAAS;IACT,MAAM;IACN,UAAU;IACV,aAAa;IACb,WAAW;IACX,UAAU;IACV,SAAS;CACD,CAAC;AAYX,8CAA8C;AAC9C,SAAgB,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/F,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,yDAAyD;AACzD,SAAgB,YAAY,CAAC,MAAgB;IAC3C,OAAO,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC9C,CAAC;AAED,6BAA6B;AAC7B,SAAgB,eAAe;IAC7B,OAAO,YAAY,CAAC,CAAC,GAAG,mBAAW,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,mFAAmF;AACnF,SAAgB,SAAS,CAAC,IAAc;IACtC,MAAM,KAAK,GAAa,CAAC,eAAe,EAAE,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CACR,YAAY,CAAC;YACX,GAAG,CAAC,OAAO;YACX,GAAG,CAAC,IAAI;YACR,GAAG,CAAC,QAAQ;YACZ,GAAG,CAAC,WAAW;YACf,GAAG,CAAC,SAAS;YACb,GAAG,CAAC,QAAQ;YACZ,GAAG,CAAC,OAAO;SACZ,CAAC,CACH,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC"}
|
|
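--- a/package/dist/lib/audit/emit.d.ts
+++ b/package/dist/lib/audit/emit.d.ts
@@ -0,0 +1,56 @@
+/**
+* AuditEventEmitter
+*
+* Writes structured audit events to CloudWatch Logs and Postgres security_events.
+* Emission is non-blocking — callers do `void emitter.emit(...)`.
+* CloudWatch failures fall back to a console.error "audit-fallback" line that
+* ops can grep from the log stream.
+*/
+import { CloudWatchLogsClient } from "@aws-sdk/client-cloudwatch-logs";
+import type { AuditEventType } from "./event-types";
+export interface AuditEmitInput {
+type: AuditEventType;
+tenantId: string;
+actorUserId: string;
+payload: Record<string, unknown>;
+/** Source IP — will be anonymised to /24 before storage. */
+sourceIp?: string;
+/** Present when the request was made through an agent session (T9b). */
+agentSessionId?: string;
+}
+export interface AuditRecord {
+eventId: string;
+type: AuditEventType;
+tenantId: string;
+actorUserId: string;
+payload: Record<string, unknown>;
+sourceIp: string;
+agentSessionId: string | null;
+createdAt: Date;
+}
+export declare class AuditEventEmitter {
+private readonly cwClient;
+constructor(cwClient?: CloudWatchLogsClient);
+/**
+* Emit an audit event. Returns a promise but callers should fire-and-forget
+* via `void emitter.emit(...)` — the handler must not await this.
+*/
+emit(input: AuditEmitInput, dbClient: {
+securityEvent: {
+create: (args: {
+data: {
+type: string;
+severity: string;
+tenantId: string;
+userId: string;
+ipAddress: string;
+details: string;
+retentionUntil: Date;
+};
+}) => Promise<unknown>;
+};
+}): Promise<void>;
+private _writeToCloudWatch;
+private _writeToPostgres;
+}
+//# sourceMappingURL=emit.d.ts.map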
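Review bot: The contract on `emit` (lines 34-37 of the new declaration) instructs callers to `void` the promise and never await it, but the package also ships Lambda handlers (package/dist/lambda in the diffstat); if a handler resolves before the detached CloudWatch and Postgres writes settle, the runtime may freeze the environment and the audit record is lost without any of the documented "audit-fallback" output. The comment should say where the not-awaited call is safe and what a Lambda caller must do instead, for example: `* In a Lambda handler the pending promise must still settle before the handler returns (collect it and await Promise.allSettled at the end), otherwise the environment may be frozen mid-write.` Separately, the `sourceIp` comment on line 16 says "anonymised to /24", which only describes IPv4; if `anonymizeIp` in pii-filter treats IPv6 differently (not visible here), the field comment should state the IPv6 rule as well.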
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"emit.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/emit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,oBAAoB,EAErB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAGpD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,IAAI,CAAC;CACjB;AAOD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEpC,QAAQ,CAAC,EAAE,oBAAoB;IAQ3C;;;OAGG;IACG,IAAI,CACR,KAAK,EAAE,cAAc,EACrB,QAAQ,EAAE;QACR,aAAa,EAAE;YACb,MAAM,EAAE,CAAC,IAAI,EAAE;gBACb,IAAI,EAAE;oBACJ,IAAI,EAAE,MAAM,CAAC;oBACb,QAAQ,EAAE,MAAM,CAAC;oBACjB,QAAQ,EAAE,MAAM,CAAC;oBACjB,MAAM,EAAE,MAAM,CAAC;oBACf,SAAS,EAAE,MAAM,CAAC;oBAClB,OAAO,EAAE,MAAM,CAAC;oBAChB,cAAc,EAAE,IAAI,CAAC;iBACtB,CAAC;aACH,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;SACxB,CAAC;KACH,GACA,OAAO,CAAC,IAAI,CAAC;YA0CF,kBAAkB;YAmClB,gBAAgB;CA4C/B"}
|
|
@@ -0,0 +1,124 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* AuditEventEmitter
|
|
4
|
+
*
|
|
5
|
+
* Writes structured audit events to CloudWatch Logs and Postgres security_events.
|
|
6
|
+
* Emission is non-blocking — callers do `void emitter.emit(...)`.
|
|
7
|
+
* CloudWatch failures fall back to a console.error "audit-fallback" line that
|
|
8
|
+
* ops can grep from the log stream.
|
|
9
|
+
*/
|
|
10
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
11
|
+
exports.AuditEventEmitter = void 0;
|
|
12
|
+
const client_cloudwatch_logs_1 = require("@aws-sdk/client-cloudwatch-logs");
|
|
13
|
+
const crypto_1 = require("crypto");
|
|
14
|
+
const pii_filter_1 = require("./pii-filter");
|
|
15
|
+
function getLogGroup() {
|
|
16
|
+
const stage = process.env.STAGE ?? "dev";
|
|
17
|
+
return process.env.AUDIT_LOG_GROUP ?? `/skybber/${stage}/audit-events`;
|
|
18
|
+
}
|
|
19
|
+
class AuditEventEmitter {
|
|
20
|
+
cwClient;
|
|
21
|
+
constructor(cwClient) {
|
|
22
|
+
this.cwClient =
|
|
23
|
+
cwClient ??
|
|
24
|
+
new client_cloudwatch_logs_1.CloudWatchLogsClient({
|
|
25
|
+
region: process.env.AWS_REGION ?? "eu-central-1",
|
|
26
|
+
});
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Emit an audit event. Returns a promise but callers should fire-and-forget
|
|
30
|
+
* via `void emitter.emit(...)` — the handler must not await this.
|
|
31
|
+
*/
|
|
32
|
+
async emit(input, dbClient) {
|
|
33
|
+
const eventId = (0, crypto_1.randomUUID)();
|
|
34
|
+
const createdAt = new Date();
|
|
35
|
+
const anonymisedIp = input.sourceIp ? (0, pii_filter_1.anonymizeIp)(input.sourceIp) : "unknown";
|
|
36
|
+
const { filtered, droppedCount } = (0, pii_filter_1.filterPayload)({
|
|
37
|
+
...input.payload,
|
|
38
|
+
tenantId: input.tenantId,
|
|
39
|
+
actorUserId: input.actorUserId,
|
|
40
|
+
sourceIp: anonymisedIp,
|
|
41
|
+
...(input.agentSessionId ? { agentSessionId: input.agentSessionId } : {}),
|
|
42
|
+
});
|
|
43
|
+
if (droppedCount > 0) {
|
|
44
|
+
console.error(JSON.stringify({
|
|
45
|
+
level: "warn",
|
|
46
|
+
tag: "audit-pii-filter",
|
|
47
|
+
eventId,
|
|
48
|
+
type: input.type,
|
|
49
|
+
droppedCount,
|
|
50
|
+
}));
|
|
51
|
+
}
|
|
52
|
+
const record = {
|
|
53
|
+
eventId,
|
|
54
|
+
type: input.type,
|
|
55
|
+
tenantId: input.tenantId,
|
|
56
|
+
actorUserId: input.actorUserId,
|
|
57
|
+
payload: filtered,
|
|
58
|
+
sourceIp: anonymisedIp,
|
|
59
|
+
agentSessionId: input.agentSessionId ?? null,
|
|
60
|
+
createdAt,
|
|
61
|
+
};
|
|
62
|
+
await Promise.all([
|
|
63
|
+
this._writeToCloudWatch(record),
|
|
64
|
+
this._writeToPostgres(record, dbClient),
|
|
65
|
+
]);
|
|
66
|
+
}
|
|
67
|
+
async _writeToCloudWatch(record) {
|
|
68
|
+
const logGroup = getLogGroup();
|
|
69
|
+
const logStream = `audit-${record.tenantId}`;
|
|
70
|
+
const message = JSON.stringify(record);
|
|
71
|
+
try {
|
|
72
|
+
await this.cwClient.send(new client_cloudwatch_logs_1.PutLogEventsCommand({
|
|
73
|
+
logGroupName: logGroup,
|
|
74
|
+
logStreamName: logStream,
|
|
75
|
+
logEvents: [
|
|
76
|
+
{
|
|
77
|
+
timestamp: record.createdAt.getTime(),
|
|
78
|
+
message,
|
|
79
|
+
},
|
|
80
|
+
],
|
|
81
|
+
}));
|
|
82
|
+
}
|
|
83
|
+
catch (err) {
|
|
84
|
+
console.error(JSON.stringify({
|
|
85
|
+
level: "error",
|
|
86
|
+
tag: "audit-fallback",
|
|
87
|
+
eventId: record.eventId,
|
|
88
|
+
type: record.type,
|
|
89
|
+
tenantId: record.tenantId,
|
|
90
|
+
actorUserId: record.actorUserId,
|
|
91
|
+
createdAt: record.createdAt.toISOString(),
|
|
92
|
+
payload: record.payload,
|
|
93
|
+
cwError: err instanceof Error ? err.message : String(err),
|
|
94
|
+
}));
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
async _writeToPostgres(record, db) {
|
|
98
|
+
const retentionUntil = new Date(record.createdAt);
|
|
99
|
+
retentionUntil.setDate(retentionUntil.getDate() + 30);
|
|
100
|
+
try {
|
|
101
|
+
await db.securityEvent.create({
|
|
102
|
+
data: {
|
|
103
|
+
type: record.type,
|
|
104
|
+
severity: "medium",
|
|
105
|
+
tenantId: record.tenantId,
|
|
106
|
+
userId: record.actorUserId,
|
|
107
|
+
ipAddress: record.sourceIp,
|
|
108
|
+
details: JSON.stringify({ ...record.payload, eventId: record.eventId }),
|
|
109
|
+
retentionUntil,
|
|
110
|
+
},
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
catch (err) {
|
|
114
|
+
console.error(JSON.stringify({
|
|
115
|
+
level: "error",
|
|
116
|
+
tag: "audit-fallback",
|
|
117
|
+
eventId: record.eventId,
|
|
118
|
+
pgError: err instanceof Error ? err.message : String(err),
|
|
119
|
+
}));
|
|
120
|
+
}
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
exports.AuditEventEmitter = AuditEventEmitter;
|
|
124
|
+
//# sourceMappingURL=emit.js.map
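Review bot: The fire-and-forget contract stated in the header comment and on `emit` (callers do `void emitter.emit(...)`, "the handler must not await this") is unsafe if the callers are the Lambda handlers this package ships: once a handler returns, the execution environment can be frozen before the un-awaited CloudWatch and Postgres writes complete, so audit events may be lost without even the console fallback line being written. Since both writers already catch their own errors, `emit` cannot reject, so handlers can safely `await` it (or collect the promises and await them before returning); the comment should say that instead. Separately, `_writeToCloudWatch` sends `PutLogEventsCommand` to the per-tenant stream `audit-${record.tenantId}` but nothing in this file creates that stream; unless streams are provisioned elsewhere, the first event of every new tenant fails with a resource-not-found error and lands only in the console fallback. Finally, `_writeToPostgres` stores `severity: "medium"` for every event type, including `auth.refresh_replay`; a per-type map such as `severity: SEVERITY_BY_TYPE[record.type] ?? "medium",` would keep security_events meaningfully queryable by severity.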
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"emit.js","sourceRoot":"","sources":["../../../src/lib/audit/emit.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,4EAGyC;AACzC,mCAAoC;AAEpC,6CAA0D;AAwB1D,SAAS,WAAW;IAClB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC;IACzC,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,YAAY,KAAK,eAAe,CAAC;AACzE,CAAC;AAED,MAAa,iBAAiB;IACX,QAAQ,CAAuB;IAEhD,YAAY,QAA+B;QACzC,IAAI,CAAC,QAAQ;YACX,QAAQ;gBACR,IAAI,6CAAoB,CAAC;oBACvB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,cAAc;iBACjD,CAAC,CAAC;IACP,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CACR,KAAqB,EACrB,QAcC;QAED,MAAM,OAAO,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAA,wBAAW,EAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAE9E,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,0BAAa,EAAC;YAC/C,GAAG,KAAK,CAAC,OAAO;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,QAAQ,EAAE,YAAY;YACtB,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC,CAAC;QAEH,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,MAAM;gBACb,GAAG,EAAE,kBAAkB;gBACvB,OAAO;gBACP,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY;aACb,CAAC,CACH,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAgB;YAC1B,OAAO;YACP,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,OAAO,EAAE,QAAQ;YACjB,QAAQ,EAAE,YAAY;YACtB,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,IAAI;YAC5C,SAAS;SACV,CAAC;QAEF,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC;YAC/B,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC;SACxC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,MAAmB;QAClD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,SAAS,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEvC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CACtB,IAAI,4CAAmB,CAAC;gBACtB,YAAY,EAAE,QAAQ;gBACtB,aAAa,EAAE,SAAS;gBACxB,SAAS,EAAE;oBACT;wBACE,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE;wBACrC,OAAO;qBACR
;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,OAAO;gBACd,GAAG,EAAE,gBAAgB;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,MAAmB,EACnB,EAcC;QAED,MAAM,cAAc,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;gBAC5B,IAAI,EAAE;oBACJ,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,MAAM,EAAE,MAAM,CAAC,WAAW;oBAC1B,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;oBACvE,cAAc;iBACf;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,OAAO;gBACd,GAAG,EAAE,gBAAgB;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AAzJD,8CAyJC"}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Audit Event Types
|
|
3
|
+
*
|
|
4
|
+
* Canonical catalog of all identity-federation audit events.
|
|
5
|
+
* Every AuditEventType emitted by a handler must appear here.
|
|
6
|
+
*/
|
|
7
|
+
export declare const AuditEventType: {
|
|
8
|
+
readonly TENANT_CREATED: "tenant.created";
|
|
9
|
+
readonly TENANT_MEMBER_INVITED: "tenant.member.invited";
|
|
10
|
+
readonly TENANT_MEMBER_JOINED: "tenant.member.joined";
|
|
11
|
+
readonly TENANT_MEMBER_ROLE_CHANGED: "tenant.member.role_changed";
|
|
12
|
+
readonly TENANT_MEMBER_REMOVED: "tenant.member.removed";
|
|
13
|
+
readonly TENANT_DOMAIN_ADDED: "tenant.domain.added";
|
|
14
|
+
readonly TENANT_DOMAIN_VERIFIED: "tenant.domain.verified";
|
|
15
|
+
readonly TENANT_IDP_CONNECTED: "tenant.idp.connected";
|
|
16
|
+
readonly TENANT_IDP_MODIFIED: "tenant.idp.modified";
|
|
17
|
+
readonly TENANT_IDP_DISABLED: "tenant.idp.disabled";
|
|
18
|
+
readonly TENANT_IDP_DELETED: "tenant.idp.deleted";
|
|
19
|
+
readonly TENANT_ROLE_MAPPING_ADDED: "tenant.role_mapping.added";
|
|
20
|
+
readonly TENANT_ROLE_MAPPING_REMOVED: "tenant.role_mapping.removed";
|
|
21
|
+
readonly TENANT_FEDERATED_LOGIN_SUCCESS: "tenant.federated_login.success";
|
|
22
|
+
readonly TENANT_FEDERATED_LOGIN_DENIED: "tenant.federated_login.denied";
|
|
23
|
+
readonly TENANT_ROLE_REFRESHED_JIT: "tenant.role.refreshed_jit";
|
|
24
|
+
readonly TENANT_OWNERSHIP_TRANSFERRED: "tenant.ownership_transferred";
|
|
25
|
+
readonly TENANT_UPDATED: "tenant.updated";
|
|
26
|
+
readonly AUTH_AGENT_SESSION_APPROVED: "auth.agent_session.approved";
|
|
27
|
+
readonly AUTH_AGENT_SESSION_REVOKED: "auth.agent_session.revoked";
|
|
28
|
+
readonly AUTH_REFRESH_REPLAY: "auth.refresh_replay";
|
|
29
|
+
};
|
|
30
|
+
export type AuditEventType = (typeof AuditEventType)[keyof typeof AuditEventType];
|
|
31
|
+
/**
|
|
32
|
+
* Per-type allowed payload field names (allowlist).
|
|
33
|
+
* Populated by the PII filter — anything outside this set is redacted.
|
|
34
|
+
*/
|
|
35
|
+
export declare const PII_ALLOWED_FIELDS: Set<string>;
|
|
36
|
+
//# sourceMappingURL=event-types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"event-types.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/event-types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;CAsBjB,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,OAAO,cAAc,CAAC,CAAC;AAElF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,aA+B7B,CAAC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Audit Event Types
|
|
4
|
+
*
|
|
5
|
+
* Canonical catalog of all identity-federation audit events.
|
|
6
|
+
* Every AuditEventType emitted by a handler must appear here.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.PII_ALLOWED_FIELDS = exports.AuditEventType = void 0;
|
|
10
|
+
exports.AuditEventType = {
|
|
11
|
+
TENANT_CREATED: "tenant.created",
|
|
12
|
+
TENANT_MEMBER_INVITED: "tenant.member.invited",
|
|
13
|
+
TENANT_MEMBER_JOINED: "tenant.member.joined",
|
|
14
|
+
TENANT_MEMBER_ROLE_CHANGED: "tenant.member.role_changed",
|
|
15
|
+
TENANT_MEMBER_REMOVED: "tenant.member.removed",
|
|
16
|
+
TENANT_DOMAIN_ADDED: "tenant.domain.added",
|
|
17
|
+
TENANT_DOMAIN_VERIFIED: "tenant.domain.verified",
|
|
18
|
+
TENANT_IDP_CONNECTED: "tenant.idp.connected",
|
|
19
|
+
TENANT_IDP_MODIFIED: "tenant.idp.modified",
|
|
20
|
+
TENANT_IDP_DISABLED: "tenant.idp.disabled",
|
|
21
|
+
TENANT_IDP_DELETED: "tenant.idp.deleted",
|
|
22
|
+
TENANT_ROLE_MAPPING_ADDED: "tenant.role_mapping.added",
|
|
23
|
+
TENANT_ROLE_MAPPING_REMOVED: "tenant.role_mapping.removed",
|
|
24
|
+
TENANT_FEDERATED_LOGIN_SUCCESS: "tenant.federated_login.success",
|
|
25
|
+
TENANT_FEDERATED_LOGIN_DENIED: "tenant.federated_login.denied",
|
|
26
|
+
TENANT_ROLE_REFRESHED_JIT: "tenant.role.refreshed_jit",
|
|
27
|
+
TENANT_OWNERSHIP_TRANSFERRED: "tenant.ownership_transferred",
|
|
28
|
+
TENANT_UPDATED: "tenant.updated",
|
|
29
|
+
AUTH_AGENT_SESSION_APPROVED: "auth.agent_session.approved",
|
|
30
|
+
AUTH_AGENT_SESSION_REVOKED: "auth.agent_session.revoked",
|
|
31
|
+
AUTH_REFRESH_REPLAY: "auth.refresh_replay",
|
|
32
|
+
};
|
|
33
|
+
/**
|
|
34
|
+
* Per-type allowed payload field names (allowlist).
|
|
35
|
+
* Populated by the PII filter — anything outside this set is redacted.
|
|
36
|
+
*/
|
|
37
|
+
exports.PII_ALLOWED_FIELDS = new Set([
|
|
38
|
+
"tenantId",
|
|
39
|
+
"actorUserId",
|
|
40
|
+
"targetUserId",
|
|
41
|
+
"targetType",
|
|
42
|
+
"oldRole",
|
|
43
|
+
"newRole",
|
|
44
|
+
"domain",
|
|
45
|
+
"idpStatus",
|
|
46
|
+
"idpKind",
|
|
47
|
+
"issuer",
|
|
48
|
+
"idpGroup",
|
|
49
|
+
"role",
|
|
50
|
+
"source",
|
|
51
|
+
"reason",
|
|
52
|
+
"verificationMethod",
|
|
53
|
+
"changedAttributes",
|
|
54
|
+
"sourceIp",
|
|
55
|
+
"agentSessionId",
|
|
56
|
+
"slug",
|
|
57
|
+
"displayName",
|
|
58
|
+
"type",
|
|
59
|
+
"agentLabel",
|
|
60
|
+
"userAgent",
|
|
61
|
+
// G4 MEDIUM-6/N2: `deviceCodeHash` was previously written into
|
|
62
|
+
// AUTH_AGENT_SESSION_APPROVED audit payloads and could act as a
|
|
63
|
+
// confirmation oracle if a raw device_code ever leaked elsewhere.
|
|
64
|
+
// Removed from the allow-list so a future regression that re-adds
|
|
65
|
+
// the field would fail the audit-emit allow-list check.
|
|
66
|
+
"refreshJti",
|
|
67
|
+
"cognitoUserId",
|
|
68
|
+
]);
|
|
69
|
+
//# sourceMappingURL=event-types.js.map
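Review bot: `PII_ALLOWED_FIELDS` is exported as a plain mutable `Set`, and `event-types.d.ts` declares it as `Set<string>`, so any consumer or test can `.add()` a key and widen the audit allowlist process-wide; because `filterPayload` uses it as its default, that silently changes what reaches CloudWatch and Postgres. Declaring it in the TS source as `export const PII_ALLOWED_FIELDS: ReadonlySet<string> = new Set([...])` removes the mutators from the public type at no runtime cost. The comment on the removed `deviceCodeHash` entry says a regression "would fail the audit-emit allow-list check", but `filterPayload` only replaces the value with `"<redacted>"` and bumps `droppedCount`, which `emit` reports as a warn line; unless a stricter check exists elsewhere, the comment should say the field would be redacted and logged rather than rejected.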
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"event-types.js","sourceRoot":"","sources":["../../../src/lib/audit/event-types.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEU,QAAA,cAAc,GAAG;IAC5B,cAAc,EAAE,gBAAgB;IAChC,qBAAqB,EAAE,uBAAuB;IAC9C,oBAAoB,EAAE,sBAAsB;IAC5C,0BAA0B,EAAE,4BAA4B;IACxD,qBAAqB,EAAE,uBAAuB;IAC9C,mBAAmB,EAAE,qBAAqB;IAC1C,sBAAsB,EAAE,wBAAwB;IAChD,oBAAoB,EAAE,sBAAsB;IAC5C,mBAAmB,EAAE,qBAAqB;IAC1C,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,yBAAyB,EAAE,2BAA2B;IACtD,2BAA2B,EAAE,6BAA6B;IAC1D,8BAA8B,EAAE,gCAAgC;IAChE,6BAA6B,EAAE,+BAA+B;IAC9D,yBAAyB,EAAE,2BAA2B;IACtD,4BAA4B,EAAE,8BAA8B;IAC5D,cAAc,EAAE,gBAAgB;IAChC,2BAA2B,EAAE,6BAA6B;IAC1D,0BAA0B,EAAE,4BAA4B;IACxD,mBAAmB,EAAE,qBAAqB;CAClC,CAAC;AAIX;;;GAGG;AACU,QAAA,kBAAkB,GAAG,IAAI,GAAG,CAAS;IAChD,UAAU;IACV,aAAa;IACb,cAAc;IACd,YAAY;IACZ,SAAS;IACT,SAAS;IACT,QAAQ;IACR,WAAW;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACV,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,oBAAoB;IACpB,mBAAmB;IACnB,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,aAAa;IACb,MAAM;IACN,YAAY;IACZ,WAAW;IACX,+DAA+D;IAC/D,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,wDAAwD;IACxD,YAAY;IACZ,eAAe;CAChB,CAAC,CAAC"}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* PII Filter for Audit Payloads
|
|
3
|
+
*
|
|
4
|
+
* Allowlist-based field filter. Any key not on the allowlist is replaced
|
|
5
|
+
* with the literal string "<redacted>" and a drop counter is incremented.
|
|
6
|
+
* Claim *names* are fine to store; claim *values* must never appear.
|
|
7
|
+
*/
|
|
8
|
+
export interface FilterResult {
|
|
9
|
+
filtered: Record<string, unknown>;
|
|
10
|
+
droppedCount: number;
|
|
11
|
+
}
|
|
12
|
+
/**
|
|
13
|
+
* Redact IPv4 to /24 and IPv6 to /64 for GDPR-compliant storage.
|
|
14
|
+
* "1.2.3.4" → "1.2.3.0/24", "2001:db8::1" → "2001:db8::/64"
|
|
15
|
+
*/
|
|
16
|
+
export declare function anonymizeIp(ip: string): string;
|
|
17
|
+
/**
|
|
18
|
+
* Filter a raw payload object against the PII allowlist.
|
|
19
|
+
* Returns the cleaned object and the number of dropped fields.
|
|
20
|
+
*/
|
|
21
|
+
export declare function filterPayload(payload: Record<string, unknown>, allowedFields?: Set<string>): FilterResult;
|
|
22
|
+
//# sourceMappingURL=pii-filter.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pii-filter.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/pii-filter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAiB9C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,aAAa,GAAE,GAAG,CAAC,MAAM,CAAsB,GAC9C,YAAY,CAcd"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* PII Filter for Audit Payloads
|
|
4
|
+
*
|
|
5
|
+
* Allowlist-based field filter. Any key not on the allowlist is replaced
|
|
6
|
+
* with the literal string "<redacted>" and a drop counter is incremented.
|
|
7
|
+
* Claim *names* are fine to store; claim *values* must never appear.
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.anonymizeIp = anonymizeIp;
|
|
11
|
+
exports.filterPayload = filterPayload;
|
|
12
|
+
const event_types_1 = require("./event-types");
|
|
13
|
+
/**
|
|
14
|
+
* Redact IPv4 to /24 and IPv6 to /64 for GDPR-compliant storage.
|
|
15
|
+
* "1.2.3.4" → "1.2.3.0/24", "2001:db8::1" → "2001:db8::/64"
|
|
16
|
+
*/
|
|
17
|
+
function anonymizeIp(ip) {
|
|
18
|
+
if (!ip || ip === "unknown")
|
|
19
|
+
return ip;
|
|
20
|
+
if (ip.includes(".")) {
|
|
21
|
+
const parts = ip.split(".");
|
|
22
|
+
if (parts.length === 4) {
|
|
23
|
+
return `${parts[0]}.${parts[1]}.${parts[2]}.0/24`;
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
if (ip.includes(":")) {
|
|
27
|
+
const parts = ip.split(":");
|
|
28
|
+
const prefix = parts.slice(0, 4).join(":");
|
|
29
|
+
return `${prefix}::/64`;
|
|
30
|
+
}
|
|
31
|
+
return ip;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Filter a raw payload object against the PII allowlist.
|
|
35
|
+
* Returns the cleaned object and the number of dropped fields.
|
|
36
|
+
*/
|
|
37
|
+
function filterPayload(payload, allowedFields = event_types_1.PII_ALLOWED_FIELDS) {
|
|
38
|
+
const filtered = {};
|
|
39
|
+
let droppedCount = 0;
|
|
40
|
+
for (const [key, value] of Object.entries(payload)) {
|
|
41
|
+
if (allowedFields.has(key)) {
|
|
42
|
+
filtered[key] = value;
|
|
43
|
+
}
|
|
44
|
+
else {
|
|
45
|
+
filtered[key] = "<redacted>";
|
|
46
|
+
droppedCount++;
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
return { filtered, droppedCount };
|
|
50
|
+
}
|
|
51
|
+
//# sourceMappingURL=pii-filter.js.map
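Review bot: `anonymizeIp` does not expand `::` before taking the first four hextets, so a compressed IPv6 address is not truncated to its /64 — for the example in its own JSDoc, `"2001:db8::1".split(":")` is `["2001","db8","","1"]` and the function returns `"2001:db8::1::/64"`, i.e. the full host address survives into the "anonymised" `sourceIp` that the emitter stores, while the JSDoc promises `"2001:db8::/64"`. Expanding the zero run before slicing fixes both the leak and the documented example (rewrite below). The function also returns any unrecognised input verbatim (a dotted string whose part count is not 4, or a string with neither `.` nor `:`), so a malformed or proxy-supplied value reaches storage unredacted; returning `"unknown"` on that last path is the conservative default since the early return already preserves `""` and `"unknown"`.
```javascript
    // … unchanged: empty/"unknown" early return and IPv4 branch …
    if (ip.includes(":")) {
        // Expand the "::" zero run so the first four hextets are the real /64 prefix.
        const [head, tail = ""] = ip.split("::");
        const headParts = head ? head.split(":") : [];
        const tailParts = tail ? tail.split(":") : [];
        const zeros = Array(Math.max(0, 8 - headParts.length - tailParts.length)).fill("0");
        const prefix = [...headParts, ...zeros, ...tailParts].slice(0, 4);
        while (prefix.length > 1 && /^0+$/.test(prefix[prefix.length - 1])) prefix.pop();
        return `${prefix.join(":")}::/64`;
    }
    return "unknown";
```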
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pii-filter.js","sourceRoot":"","sources":["../../../src/lib/audit/pii-filter.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAaH,kCAiBC;AAMD,sCAiBC;AAnDD,+CAAmD;AAOnD;;;GAGG;AACH,SAAgB,WAAW,CAAC,EAAU;IACpC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEvC,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;QACpD,CAAC;IACH,CAAC;IAED,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,OAAO,GAAG,MAAM,OAAO,CAAC;IAC1B,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAC3B,OAAgC,EAChC,gBAA6B,gCAAkB;IAE/C,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC7B,YAAY,EAAE,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACpC,CAAC"}
|
package/dist/lib/audit-logger.js
CHANGED
|
@@ -230,7 +230,7 @@ class AuditLogger {
|
|
|
230
230
|
type: `audit_${event.type}`, // Prefix with 'audit_' to distinguish from security events
|
|
231
231
|
severity: severity,
|
|
232
232
|
userId: event.userId || null,
|
|
233
|
-
|
|
233
|
+
tenantId: null, // T7 will populate this with the tenant context. (renamed from partnerId in T1)
|
|
234
234
|
ipAddress: event.ipAddress || null,
|
|
235
235
|
userAgent: event.userAgent || null,
|
|
236
236
|
details: details,
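Review bot: The added line writes `tenantId: null` unconditionally, so every row this logger produces stays untagged while the new `AuditEventEmitter` in the same release records a tenantId on each event; the two audit paths will not line up in tenant-scoped queries or exports until the referenced "T7" work lands. If the incoming `event` already carries a tenant id, `tenantId: event.tenantId ?? null,` would populate it now (the event type is not visible from this hunk). The comment's "T7"/"T1" references are internal task ids that mean nothing in a published package; a plain `// TODO: populate from tenant context` reads better. The enclosing method starts and ends outside the hunk.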
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/lib/audit-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqYH,8CAKC;AAxYD,qCAAqE;AAErE,yDAAgE;AA8ChE;;;;GAIG;AACH,MAAa,WAAW;IACd,MAAM,CAAS;IACf,SAAS,CAAU;IAE3B,YAAY,GAAe,EAAE,SAAkB;QAC7C,IAAI,CAAC,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,SAAiB;QAC7B,OAAO,IAAI,WAAW,CACpB,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAe,EACrD,SAAS,CACV,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,QAAQ,EAAE,6CAA6C;YACnF,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CACrB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,gBAAgB;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM;YAClC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,
SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,+BAA+B;YAC7F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,eAAe;YACnC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,gCAAgC;YAC9F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,KAAuE,EACvE,GAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,aAAa,CAAC;QAE9C,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,eAAe;gBAClB,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR;gBACE,2CAA2C;gBAC3C,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,aAAa,CACzB,KAAiB,EACjB,GAAmB;QAEnB,IAAI,CAAC;YACH,2CAA2C;YAC3C,IAAI,CAAC,IAAA,gCAAa,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;oBAC/D,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,2BAA2B;YACrC,CAAC;YAED,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CACjD,KAAK,CAAC,QAAQ,IAAI,KAAK,CACxB,CAAC;YAEF,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC,Q
AAQ;gBACxB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,GAAG,KAAK,CAAC,QAAQ;aAClB,CAAC,CAAC;YAEH,4FAA4F;YAC5F,yEAAyE;YACzE,iEAAiE;YACjE,uEAAuE;YACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,EAAE,+BAA+B,EAAE,GAAG,wDAC1C,+BAA+B,GAChC,CAAC;gBACF,MAAM,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,GAAG,wDACxD,mBAAmB,GACpB,CAAC;gBAEF,MAAM,wBAAwB,CAC5B,+BAA+B,EAC/B,KAAK,CAAC,MAAM,EACZ,GAAG,EACH,KAAK,EAAE,EAAE,EAAE,EAAE;oBACX,OAAO,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;wBACnC,IAAI,EAAE;4BACJ,IAAI,EAAE,SAAS,KAAK,CAAC,IAAI,EAAE,EAAE,2DAA2D;4BACxF,QAAQ,EAAE,QAAQ;4BAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;4BAC5B,
|
|
1
|
+
{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/lib/audit-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqYH,8CAKC;AAxYD,qCAAqE;AAErE,yDAAgE;AA8ChE;;;;GAIG;AACH,MAAa,WAAW;IACd,MAAM,CAAS;IACf,SAAS,CAAU;IAE3B,YAAY,GAAe,EAAE,SAAkB;QAC7C,IAAI,CAAC,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,SAAiB;QAC7B,OAAO,IAAI,WAAW,CACpB,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAe,EACrD,SAAS,CACV,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,QAAQ,EAAE,6CAA6C;YACnF,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CACrB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,gBAAgB;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM;YAClC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,
SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,+BAA+B;YAC7F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,eAAe;YACnC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,gCAAgC;YAC9F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,KAAuE,EACvE,GAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,aAAa,CAAC;QAE9C,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,eAAe;gBAClB,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR;gBACE,2CAA2C;gBAC3C,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,aAAa,CACzB,KAAiB,EACjB,GAAmB;QAEnB,IAAI,CAAC;YACH,2CAA2C;YAC3C,IAAI,CAAC,IAAA,gCAAa,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;oBAC/D,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,2BAA2B;YACrC,CAAC;YAED,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CACjD,KAAK,CAAC,QAAQ,IAAI,KAAK,CACxB,CAAC;YAEF,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC,Q
AAQ;gBACxB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,GAAG,KAAK,CAAC,QAAQ;aAClB,CAAC,CAAC;YAEH,4FAA4F;YAC5F,yEAAyE;YACzE,iEAAiE;YACjE,uEAAuE;YACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,EAAE,+BAA+B,EAAE,GAAG,wDAC1C,+BAA+B,GAChC,CAAC;gBACF,MAAM,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,GAAG,wDACxD,mBAAmB,GACpB,CAAC;gBAEF,MAAM,wBAAwB,CAC5B,+BAA+B,EAC/B,KAAK,CAAC,MAAM,EACZ,GAAG,EACH,KAAK,EAAE,EAAE,EAAE,EAAE;oBACX,OAAO,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;wBACnC,IAAI,EAAE;4BACJ,IAAI,EAAE,SAAS,KAAK,CAAC,IAAI,EAAE,EAAE,2DAA2D;4BACxF,QAAQ,EAAE,QAAQ;4BAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;4BAC5B,QAAQ,EAAE,IAAI,EAAE,gFAAgF;4BAChG,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,OAAO,EAAE,OAAO;4BAChB,cAAc,EAAE,cAAc;yBAC/B;qBACF,CAAC,CAAC;gBACL,CAAC,EACD;oBACE,GAAG,mBAAmB,CAAC,UAAU,EAAE,wCAAwC;oBAC3E,UAAU,EAAE,CAAC;oBACb,WAAW,EAAE,GAAG;oBAChB,OAAO,EAAE;wBACP,SAAS,EAAE,WAAW;wBACtB,MAAM,EAAE,KAAK,CAAC,MAAM;wBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,OAAO,EAAE,CAAC;gBACjB,qDAAqD;gBACrD,0CAA0C;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,+EAA+E,EAC/E,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CACzC,CAAC;YACJ,CAAC;YAED,uDAAuD;YACvD,MAAM,UAAU,GAAG,WAAW,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,cAAc,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAE9M,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK
,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gDAAgD;YAChD,mCAAmC;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,KAAK;gBACL,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,QAA4B;QAC1D,MAAM,aAAa,GAAuC;YACxD,QAAQ,EAAE,GAAG,EAAE,kCAAkC;YACjD,IAAI,EAAE,EAAE,EAAE,iCAAiC;YAC3C,MAAM,EAAE,EAAE,EAAE,0BAA0B;YACtC,GAAG,EAAE,CAAC,EAAE,sBAAsB;SAC/B,CAAC;QAEF,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AArUD,kCAqUC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAC/B,GAAe,EACf,SAAkB;IAElB,OAAO,IAAI,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC"}
|
|
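--- a/package/dist/lib/auth/auth-context.d.ts
+++ b/package/dist/lib/auth/auth-context.d.ts
@@ -0,0 +1,34 @@
+/**
+* AuthContext — the resolved identity for one authenticated request.
+*
+* Built by authMiddleware from verified Cognito JWT claims. Every route
+* handler that needs auth information receives this rather than the raw
+* token payload.
+*/
+import type { TenantRole, UserRole, TenantMember, Tenant } from "@prisma/client";
+/** The data carried from a Cognito JWT into each request. */
+export interface AuthContext {
+/** Cognito user pool sub (UUID). Stable identifier used for cache keys. */
+cognitoSub: string;
+/** Skybber `User.id` (cuid). */
+userId: string;
+/** Platform-wide role from `users.role`. */
+globalRole: UserRole;
+/** The tenant the user is currently acting as (`custom:activeTenantId`). */
+activeTenantId: string;
+/** Human-readable slug of the active tenant. */
+tenantSlug: string;
+/** Role within the active tenant. */
+tenantRole: TenantRole;
+/** ActivityPub-style handle. */
+handle: string;
+/**
+* Lazy loader for all of the user's tenant memberships.
+* Fetched at most once per request; stored on the context so callers
+* (e.g. tenant-switcher UI) don't duplicate the DB query.
+*/
+membershipsLoader: () => Promise<(TenantMember & {
+tenant: Tenant;
+})[]>;
+}
+//# sourceMappingURL=auth-context.d.ts.map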
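Review bot: The field comments on `AuthContext` do not say which values are copied verbatim from the verified JWT and which are read from the database per request, and for an authorization context that distinction is the security contract: a claim-derived `tenantRole` or `activeTenantId` (documented as `custom:activeTenantId`) stays valid until the token expires even after a membership or role change, whereas `globalRole` is described as coming from `users.role`, a DB column, so the header comment currently mixes the two. I would add to the interface doc something like `Fields taken from token claims reflect the user's state at token issuance; privilege-sensitive handlers should re-check TenantMember rather than trust tenantRole alone` — worded as a TODO if authMiddleware in fact re-reads them per request, which is not visible here. `activeTenantId` and `tenantRole` are also required, so the doc should state what authMiddleware does when the `custom:activeTenantId` claim is absent (reject the request or fall back to a default tenant), since a handler cannot tell from the type alone that the value is guaranteed present. This is a generated declaration file, so the comments belong in `src/lib/auth/auth-context.ts` that it is emitted from.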
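--- a/package/dist/lib/auth/auth-context.d.ts.map
+++ b/package/dist/lib/auth/auth-context.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"auth-context.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth-context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAEjF,6DAA6D;AAC7D,MAAM,WAAW,WAAW;IAC1B,2EAA2E;IAC3E,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,4CAA4C;IAC5C,UAAU,EAAE,QAAQ,CAAC;IACrB,4EAA4E;IAC5E,cAAc,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IACvB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,CAAC,YAAY,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,CAAC,CAAC;CACzE"}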
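--- a/package/dist/lib/auth/auth-context.js
+++ b/package/dist/lib/auth/auth-context.js
@@ -0,0 +1,10 @@
+"use strict";
+/**
+* AuthContext — the resolved identity for one authenticated request.
+*
+* Built by authMiddleware from verified Cognito JWT claims. Every route
+* handler that needs auth information receives this rather than the raw
+* token payload.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=auth-context.js.map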
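--- a/package/dist/lib/auth/auth-context.js.map
+++ b/package/dist/lib/auth/auth-context.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"auth-context.js","sourceRoot":"","sources":["../../../src/lib/auth/auth-context.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG"}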