@de-otio/trellis 0.6.1 → 0.7.0

Files changed (339)
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
@@ -1 +1 @@
1
- {"version":3,"file":"age-tier-transition.js","sourceRoot":"","sources":["../../src/lib/age-tier-transition.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAUH,wCAKC;AAiDD,0DAyGC;AArKD,qCAAkC;AAClC,yDAA8E;AAE9E;;GAEG;AACH,SAAgB,cAAc,CAAC,WAAiB,EAAE,MAAY,IAAI,IAAI,EAAE;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,MAAM,CAAC,WAAiB,EAAE,GAAS;IAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACxD,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAC1D,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAChF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAC3B,eAAgC,EAChC,WAA4B;IAE5B,MAAM,eAAe,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAEzD,OAAO;QACL,2GAA2G;QAC3G,WAAW,EAAE,eAAe,CAAC,WAAW,IAAI,WAAW,CAAC,WAAW;QACnE,gBAAgB,EAAE,eAAe,CAAC,gBAAgB,IAAI,WAAW,CAAC,gBAAgB;QAClF,mBAAmB,EAAE,eAAe,CAAC,mBAAmB,IAAI,WAAW,CAAC,mBAAmB;QAC3F,YAAY,EAAE,eAAe,CAAC,YAAY,IAAI,WAAW,CAAC,YAAY;QACtE,uBAAuB,EAAE,eAAe,CAAC,uBAAuB,IAAI,WAAW,CAAC,uBAAuB;QACvG,2CAA2C;QAC3C,0BAA0B,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,0BAA0B,EAAE,WAAW,CAAC,0BAA0B,CAAC;QACxH,eAAe,EAAE,eAAe,CAAC,eAAe,IAAI,WAAW,CAAC,eAAe;QAC/E,4CAA4C;QAC5C,iBAAiB,EACf,eAAe,CAAC,eAAe,CAAC,iBAAiB,CAAC,IAAI,eAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC;YAClG,CAAC,CAAC,eAAe,CAAC,iBAAiB;YACnC,CAAC,CAAC,WAAW,CAAC,iBAAiB;QACnC,oCAAoC;QACpC,QAAQ,EACN,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC;YAChE,CAAC,CAAC,eAAe,CAAC,QAAQ;YAC1B,CAAC,CAAC,WAAW,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,uBAAuB,CAAC,GAAQ;IAIpD,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,OAAO,GAAC,CAAC;IAC/C,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC
7B,MAAM,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;YACnC,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACrC,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,IAAI;gBACb,WAAW,EAAE,IAAI;gBACjB,gBAAgB,EAAE,IAAI;gBACtB,mBAAmB,EAAE,IAAI;gBACzB,YAAY,EAAE,IAAI;gBAClB,uBAAuB,EAAE,IAAI;gBAC7B,0BAA0B,EAAE,IAAI;gBAChC,eAAe,EAAE,IAAI;gBACrB,iBAAiB,EAAE,IAAI;gBACvB,QAAQ,EAAE,IAAI;aACf;SACF,CAAC,CAAC;QAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,WAAW;oBAAE,SAAS;gBAEhC,MAAM,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;gBAC3D,IAAI,YAAY,KAAK,IAAI,CAAC,OAAO;oBAAE,SAAS;gBAE5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBAC7B,MAAM,WAAW,GAAG,IAAA,qCAAkB,EAAC,YAAY,CAAC,CAAC;gBAErD,MAAM,eAAe,GAAoB;oBACvC,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;oBACvC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;oBAC7C,YAAY,EAAE,IAAI,CAAC,YAAY;oBAC/B,uBAAuB,EAAE,IAAI,CAAC,uBAAuB;oBACrD,0BAA0B,EAAE,IAAI,CAAC,0BAA0B;oBAC3D,eAAe,EAAE,IAAI,CAAC,eAAe;oBACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;oBACzC,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CAAC;gBAEF,qEAAqE;gBACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;gBAElE,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;oBACnB,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;oBACtB,IAAI,EAAE;wBACJ,OAAO,EAAE,YAAY;wBACrB,GAAG,MAAM;qBACV;iBACF,CAAC,CAAC;gBAEH,iCAAiC;gBACjC,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;oBAC3B,IAAI,EAAE;wBACJ,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,IAAI,EAAE,QAAQ;wBACd,KAAK,EAAE,kBAAkB;wBACzB,IAAI,EAAE,sCAAsC,OAAO,OAAO,YAAY,uCAAuC;wBAC7G,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;qBACzC;iBACF,CAAC,CAAC;gBAEH,+CAA+C;gBAC/C,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;oBACnD,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;iBAC9C,CAAC,CAAC;gBAEH,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;oBACjC,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;w
BAC3B,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,UAAU;4BACvB,IAAI,EAAE,QAAQ;4BACd,KAAK,EAAE,wBAAwB;4BAC/B,IAAI,EAAE,mDAAmD,OAAO,OAAO,YAAY,GAAG;4BACtF,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;yBAC3D;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,YAAY,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,EAAE,sBAAsB,OAAO,OAAO,YAAY,EAAE,CAAC,CAAC;YACjF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,EAAE,CAAC;gBACT,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QACzD,MAAM,EAAE,CAAC;IACX,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC"}
1
+ {"version":3,"file":"age-tier-transition.js","sourceRoot":"","sources":["../../src/lib/age-tier-transition.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAUH,wCAKC;AAiDD,0DAiHC;AA7KD,qCAAkC;AAClC,yDAA8E;AAE9E;;GAEG;AACH,SAAgB,cAAc,CAAC,WAAiB,EAAE,MAAY,IAAI,IAAI,EAAE;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,MAAM,CAAC,WAAiB,EAAE,GAAS;IAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACxD,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAC1D,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAChF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAC3B,eAAgC,EAChC,WAA4B;IAE5B,MAAM,eAAe,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAEzD,OAAO;QACL,2GAA2G;QAC3G,WAAW,EAAE,eAAe,CAAC,WAAW,IAAI,WAAW,CAAC,WAAW;QACnE,gBAAgB,EAAE,eAAe,CAAC,gBAAgB,IAAI,WAAW,CAAC,gBAAgB;QAClF,mBAAmB,EAAE,eAAe,CAAC,mBAAmB,IAAI,WAAW,CAAC,mBAAmB;QAC3F,YAAY,EAAE,eAAe,CAAC,YAAY,IAAI,WAAW,CAAC,YAAY;QACtE,uBAAuB,EAAE,eAAe,CAAC,uBAAuB,IAAI,WAAW,CAAC,uBAAuB;QACvG,2CAA2C;QAC3C,0BAA0B,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,0BAA0B,EAAE,WAAW,CAAC,0BAA0B,CAAC;QACxH,eAAe,EAAE,eAAe,CAAC,eAAe,IAAI,WAAW,CAAC,eAAe;QAC/E,4CAA4C;QAC5C,iBAAiB,EACf,eAAe,CAAC,eAAe,CAAC,iBAAiB,CAAC,IAAI,eAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC;YAClG,CAAC,CAAC,eAAe,CAAC,iBAAiB;YACnC,CAAC,CAAC,WAAW,CAAC,iBAAiB;QACnC,oCAAoC;QACpC,QAAQ,EACN,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC;YAChE,CAAC,CAAC,eAAe,CAAC,QAAQ;YAC1B,CAAC,CAAC,WAAW,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,uBAAuB,CAAC,GAAQ;IAIpD,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,OAAO,GAAC,CAAC;IAC/C,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC
7B,MAAM,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;YACnC,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACrC,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,IAAI;gBACjB,gBAAgB,EAAE,IAAI;gBACtB,mBAAmB,EAAE,IAAI;gBACzB,YAAY,EAAE,IAAI;gBAClB,uBAAuB,EAAE,IAAI;gBAC7B,0BAA0B,EAAE,IAAI;gBAChC,eAAe,EAAE,IAAI;gBACrB,iBAAiB,EAAE,IAAI;gBACvB,QAAQ,EAAE,IAAI;aACf;SACF,CAAC,CAAC;QAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,WAAW;oBAAE,SAAS;gBAEhC,MAAM,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;gBAC3D,IAAI,YAAY,KAAK,IAAI,CAAC,OAAO;oBAAE,SAAS;gBAE5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBAC7B,MAAM,WAAW,GAAG,IAAA,qCAAkB,EAAC,YAAY,CAAC,CAAC;gBAErD,MAAM,eAAe,GAAoB;oBACvC,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;oBACvC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;oBAC7C,YAAY,EAAE,IAAI,CAAC,YAAY;oBAC/B,uBAAuB,EAAE,IAAI,CAAC,uBAAuB;oBACrD,0BAA0B,EAAE,IAAI,CAAC,0BAA0B;oBAC3D,eAAe,EAAE,IAAI,CAAC,eAAe;oBACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;oBACzC,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CAAC;gBAEF,qEAAqE;gBACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;gBAElE,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;oBACnB,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;oBACtB,IAAI,EAAE;wBACJ,OAAO,EAAE,YAAY;wBACrB,GAAG,MAAM;qBACV;iBACF,CAAC,CAAC;gBAEH,2DAA2D;gBAC3D,4DAA4D;gBAC5D,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC1B,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,IAAI,EAAE,QAAQ;4BACd,KAAK,EAAE,kBAAkB;4BACzB,IAAI,EAAE,sCAAsC,OAAO,OAAO,YAAY,uCAAuC;4BAC7G,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;4BACxC,QAAQ,EAAE,IAAI,CAAC,gBAAgB;yBAChC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,+CAA+C;gBAC/C,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;oBACnD,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE
,MAAM,EAAE,QAAQ,EAAE;oBAC7C,OAAO,EAAE,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,EAAE,EAAE;iBAC9D,CAAC,CAAC;gBAEH,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;oBACjC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB;wBAAE,SAAS;oBAC9C,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,UAAU;4BACvB,IAAI,EAAE,QAAQ;4BACd,KAAK,EAAE,wBAAwB;4BAC/B,IAAI,EAAE,mDAAmD,OAAO,OAAO,YAAY,GAAG;4BACtF,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE;4BAC1D,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,gBAAgB;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,YAAY,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,EAAE,sBAAsB,OAAO,OAAO,YAAY,EAAE,CAAC,CAAC;YACjF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,EAAE,CAAC;gBACT,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QACzD,MAAM,EAAE,CAAC;IACX,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC"}
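--- a/package/dist/lib/audit/csv-export.d.ts
+++ b/package/dist/lib/audit/csv-export.d.ts
@@ -0,0 +1,25 @@
+ /**
+ * CSV Export for Audit Events (RFC 4180)
+ *
+ * Fields that contain commas, double-quotes, or newlines are enclosed in
+ * double-quotes. Inner double-quotes are doubled per RFC 4180 §2.7.
+ */
+ export declare const CSV_HEADERS: readonly ["eventId", "type", "tenantId", "actorUserId", "createdAt", "sourceIp", "payload"];
+ export type CsvRow = {
+ eventId: string;
+ type: string;
+ tenantId: string;
+ actorUserId: string;
+ createdAt: string;
+ sourceIp: string;
+ payload: string;
+ };
+ /** Escape a single CSV field per RFC 4180. */
+ export declare function escapeCsvField(value: string): string;
+ /** Render one CSV row from an array of string values. */
+ export declare function renderCsvRow(fields: string[]): string;
+ /** Render the header row. */
+ export declare function renderCsvHeader(): string;
+ /** Render a complete CSV document (header + rows) from an array of row objects. */
+ export declare function renderCsv(rows: CsvRow[]): string;
+ //# sourceMappingURL=csv-export.d.ts.map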
@@ -0,0 +1 @@
1
+ {"version":3,"file":"csv-export.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/csv-export.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,WAAW,6FAQd,CAAC;AAEX,MAAM,MAAM,MAAM,GAAG;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,8CAA8C;AAC9C,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED,yDAAyD;AACzD,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAErD;AAED,6BAA6B;AAC7B,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,mFAAmF;AACnF,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAgBhD"}
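--- a/package/dist/lib/audit/csv-export.js
+++ b/package/dist/lib/audit/csv-export.js
@@ -0,0 +1,54 @@
+ "use strict";
+ /**
+ * CSV Export for Audit Events (RFC 4180)
+ *
+ * Fields that contain commas, double-quotes, or newlines are enclosed in
+ * double-quotes. Inner double-quotes are doubled per RFC 4180 §2.7.
+ */
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.CSV_HEADERS = void 0;
+ exports.escapeCsvField = escapeCsvField;
+ exports.renderCsvRow = renderCsvRow;
+ exports.renderCsvHeader = renderCsvHeader;
+ exports.renderCsv = renderCsv;
+ exports.CSV_HEADERS = [
+ "eventId",
+ "type",
+ "tenantId",
+ "actorUserId",
+ "createdAt",
+ "sourceIp",
+ "payload",
+ ];
+ /** Escape a single CSV field per RFC 4180. */
+ function escapeCsvField(value) {
+ if (value.includes(",") || value.includes('"') || value.includes("\n") || value.includes("\r")) {
+ return `"${value.replace(/"/g, '""')}"`;
+ }
+ return value;
+ }
+ /** Render one CSV row from an array of string values. */
+ function renderCsvRow(fields) {
+ return fields.map(escapeCsvField).join(",");
+ }
+ /** Render the header row. */
+ function renderCsvHeader() {
+ return renderCsvRow([...exports.CSV_HEADERS]);
+ }
+ /** Render a complete CSV document (header + rows) from an array of row objects. */
+ function renderCsv(rows) {
+ const lines = [renderCsvHeader()];
+ for (const row of rows) {
+ lines.push(renderCsvRow([
+ row.eventId,
+ row.type,
+ row.tenantId,
+ row.actorUserId,
+ row.createdAt,
+ row.sourceIp,
+ row.payload,
+ ]));
+ }
+ return lines.join("\r\n");
+ }
+ //# sourceMappingURL=csv-export.js.map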
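Review bot: `escapeCsvField` only handles the RFC 4180 delimiters, so a field that begins with `=`, `+`, `-`, `@` or a tab is written unchanged and a spreadsheet opening the audit export may evaluate it as a formula. The `payload` column, and possibly `actorUserId` or `sourceIp`, look like they can carry request-influenced text, though the callers that build `CsvRow` are outside this section. I would neutralise such values before the quoting step, e.g. `if (/^[=+\-@\t\r]/.test(value)) value = "'" + value;` as the first line of `escapeCsvField`, and state in the header comment that the export is meant to be safe to open in spreadsheet tools. The prefix changes the stored text for values such as negative numbers, so the header comment should say so for consumers that parse the file programmatically.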
@@ -0,0 +1 @@
1
+ {"version":3,"file":"csv-export.js","sourceRoot":"","sources":["../../../src/lib/audit/csv-export.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAuBH,wCAKC;AAGD,oCAEC;AAGD,0CAEC;AAGD,8BAgBC;AAvDY,QAAA,WAAW,GAAG;IACzB,SAAS;IACT,MAAM;IACN,UAAU;IACV,aAAa;IACb,WAAW;IACX,UAAU;IACV,SAAS;CACD,CAAC;AAYX,8CAA8C;AAC9C,SAAgB,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/F,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,yDAAyD;AACzD,SAAgB,YAAY,CAAC,MAAgB;IAC3C,OAAO,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC9C,CAAC;AAED,6BAA6B;AAC7B,SAAgB,eAAe;IAC7B,OAAO,YAAY,CAAC,CAAC,GAAG,mBAAW,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,mFAAmF;AACnF,SAAgB,SAAS,CAAC,IAAc;IACtC,MAAM,KAAK,GAAa,CAAC,eAAe,EAAE,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CACR,YAAY,CAAC;YACX,GAAG,CAAC,OAAO;YACX,GAAG,CAAC,IAAI;YACR,GAAG,CAAC,QAAQ;YACZ,GAAG,CAAC,WAAW;YACf,GAAG,CAAC,SAAS;YACb,GAAG,CAAC,QAAQ;YACZ,GAAG,CAAC,OAAO;SACZ,CAAC,CACH,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC"}
@@ -0,0 +1,56 @@
1
+ /**
2
+ * AuditEventEmitter
3
+ *
4
+ * Writes structured audit events to CloudWatch Logs and Postgres security_events.
5
+ * Emission is non-blocking — callers do `void emitter.emit(...)`.
6
+ * CloudWatch failures fall back to a console.error "audit-fallback" line that
7
+ * ops can grep from the log stream.
8
+ */
9
+ import { CloudWatchLogsClient } from "@aws-sdk/client-cloudwatch-logs";
10
+ import type { AuditEventType } from "./event-types";
11
+ export interface AuditEmitInput {
12
+ type: AuditEventType;
13
+ tenantId: string;
14
+ actorUserId: string;
15
+ payload: Record<string, unknown>;
16
+ /** Source IP — will be anonymised to /24 before storage. */
17
+ sourceIp?: string;
18
+ /** Present when the request was made through an agent session (T9b). */
19
+ agentSessionId?: string;
20
+ }
21
+ export interface AuditRecord {
22
+ eventId: string;
23
+ type: AuditEventType;
24
+ tenantId: string;
25
+ actorUserId: string;
26
+ payload: Record<string, unknown>;
27
+ sourceIp: string;
28
+ agentSessionId: string | null;
29
+ createdAt: Date;
30
+ }
31
+ export declare class AuditEventEmitter {
32
+ private readonly cwClient;
33
+ constructor(cwClient?: CloudWatchLogsClient);
34
+ /**
35
+ * Emit an audit event. Returns a promise but callers should fire-and-forget
36
+ * via `void emitter.emit(...)` — the handler must not await this.
37
+ */
38
+ emit(input: AuditEmitInput, dbClient: {
39
+ securityEvent: {
40
+ create: (args: {
41
+ data: {
42
+ type: string;
43
+ severity: string;
44
+ tenantId: string;
45
+ userId: string;
46
+ ipAddress: string;
47
+ details: string;
48
+ retentionUntil: Date;
49
+ };
50
+ }) => Promise<unknown>;
51
+ };
52
+ }): Promise<void>;
53
+ private _writeToCloudWatch;
54
+ private _writeToPostgres;
55
+ }
56
+ //# sourceMappingURL=emit.d.ts.map
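Review bot: The doc comment on `emit` tells callers to use `void emitter.emit(...)` and never await it, which is unsafe advice if the caller is a Lambda handler. Once the handler returns, the execution environment can be frozen before the CloudWatch and Postgres writes finish, and the audit event is lost without any "audit-fallback" line. Whether the handlers under `dist/lambda/` call it this way is not visible in this section, so this needs confirming. I would reword the comment to `Emit an audit event. Sink failures are caught and logged as "audit-fallback". In short-lived runtimes such as Lambda, await the returned promise before the handler returns.`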
@@ -0,0 +1 @@
1
+ {"version":3,"file":"emit.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/emit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,oBAAoB,EAErB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAGpD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,IAAI,CAAC;CACjB;AAOD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEpC,QAAQ,CAAC,EAAE,oBAAoB;IAQ3C;;;OAGG;IACG,IAAI,CACR,KAAK,EAAE,cAAc,EACrB,QAAQ,EAAE;QACR,aAAa,EAAE;YACb,MAAM,EAAE,CAAC,IAAI,EAAE;gBACb,IAAI,EAAE;oBACJ,IAAI,EAAE,MAAM,CAAC;oBACb,QAAQ,EAAE,MAAM,CAAC;oBACjB,QAAQ,EAAE,MAAM,CAAC;oBACjB,MAAM,EAAE,MAAM,CAAC;oBACf,SAAS,EAAE,MAAM,CAAC;oBAClB,OAAO,EAAE,MAAM,CAAC;oBAChB,cAAc,EAAE,IAAI,CAAC;iBACtB,CAAC;aACH,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;SACxB,CAAC;KACH,GACA,OAAO,CAAC,IAAI,CAAC;YA0CF,kBAAkB;YAmClB,gBAAgB;CA4C/B"}
@@ -0,0 +1,124 @@
1
+ "use strict";
2
+ /**
3
+ * AuditEventEmitter
4
+ *
5
+ * Writes structured audit events to CloudWatch Logs and Postgres security_events.
6
+ * Emission is non-blocking — callers do `void emitter.emit(...)`.
7
+ * CloudWatch failures fall back to a console.error "audit-fallback" line that
8
+ * ops can grep from the log stream.
9
+ */
10
+ Object.defineProperty(exports, "__esModule", { value: true });
11
+ exports.AuditEventEmitter = void 0;
12
+ const client_cloudwatch_logs_1 = require("@aws-sdk/client-cloudwatch-logs");
13
+ const crypto_1 = require("crypto");
14
+ const pii_filter_1 = require("./pii-filter");
15
+ function getLogGroup() {
16
+ const stage = process.env.STAGE ?? "dev";
17
+ return process.env.AUDIT_LOG_GROUP ?? `/skybber/${stage}/audit-events`;
18
+ }
19
+ class AuditEventEmitter {
20
+ cwClient;
21
+ constructor(cwClient) {
22
+ this.cwClient =
23
+ cwClient ??
24
+ new client_cloudwatch_logs_1.CloudWatchLogsClient({
25
+ region: process.env.AWS_REGION ?? "eu-central-1",
26
+ });
27
+ }
28
+ /**
29
+ * Emit an audit event. Returns a promise but callers should fire-and-forget
30
+ * via `void emitter.emit(...)` — the handler must not await this.
31
+ */
32
+ async emit(input, dbClient) {
33
+ const eventId = (0, crypto_1.randomUUID)();
34
+ const createdAt = new Date();
35
+ const anonymisedIp = input.sourceIp ? (0, pii_filter_1.anonymizeIp)(input.sourceIp) : "unknown";
36
+ const { filtered, droppedCount } = (0, pii_filter_1.filterPayload)({
37
+ ...input.payload,
38
+ tenantId: input.tenantId,
39
+ actorUserId: input.actorUserId,
40
+ sourceIp: anonymisedIp,
41
+ ...(input.agentSessionId ? { agentSessionId: input.agentSessionId } : {}),
42
+ });
43
+ if (droppedCount > 0) {
44
+ console.error(JSON.stringify({
45
+ level: "warn",
46
+ tag: "audit-pii-filter",
47
+ eventId,
48
+ type: input.type,
49
+ droppedCount,
50
+ }));
51
+ }
52
+ const record = {
53
+ eventId,
54
+ type: input.type,
55
+ tenantId: input.tenantId,
56
+ actorUserId: input.actorUserId,
57
+ payload: filtered,
58
+ sourceIp: anonymisedIp,
59
+ agentSessionId: input.agentSessionId ?? null,
60
+ createdAt,
61
+ };
62
+ await Promise.all([
63
+ this._writeToCloudWatch(record),
64
+ this._writeToPostgres(record, dbClient),
65
+ ]);
66
+ }
67
+ async _writeToCloudWatch(record) {
68
+ const logGroup = getLogGroup();
69
+ const logStream = `audit-${record.tenantId}`;
70
+ const message = JSON.stringify(record);
71
+ try {
72
+ await this.cwClient.send(new client_cloudwatch_logs_1.PutLogEventsCommand({
73
+ logGroupName: logGroup,
74
+ logStreamName: logStream,
75
+ logEvents: [
76
+ {
77
+ timestamp: record.createdAt.getTime(),
78
+ message,
79
+ },
80
+ ],
81
+ }));
82
+ }
83
+ catch (err) {
84
+ console.error(JSON.stringify({
85
+ level: "error",
86
+ tag: "audit-fallback",
87
+ eventId: record.eventId,
88
+ type: record.type,
89
+ tenantId: record.tenantId,
90
+ actorUserId: record.actorUserId,
91
+ createdAt: record.createdAt.toISOString(),
92
+ payload: record.payload,
93
+ cwError: err instanceof Error ? err.message : String(err),
94
+ }));
95
+ }
96
+ }
97
+ async _writeToPostgres(record, db) {
98
+ const retentionUntil = new Date(record.createdAt);
99
+ retentionUntil.setDate(retentionUntil.getDate() + 30);
100
+ try {
101
+ await db.securityEvent.create({
102
+ data: {
103
+ type: record.type,
104
+ severity: "medium",
105
+ tenantId: record.tenantId,
106
+ userId: record.actorUserId,
107
+ ipAddress: record.sourceIp,
108
+ details: JSON.stringify({ ...record.payload, eventId: record.eventId }),
109
+ retentionUntil,
110
+ },
111
+ });
112
+ }
113
+ catch (err) {
114
+ console.error(JSON.stringify({
115
+ level: "error",
116
+ tag: "audit-fallback",
117
+ eventId: record.eventId,
118
+ pgError: err instanceof Error ? err.message : String(err),
119
+ }));
120
+ }
121
+ }
122
+ }
123
+ exports.AuditEventEmitter = AuditEventEmitter;
124
+ //# sourceMappingURL=emit.js.map
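Review bot: `_writeToPostgres` stores every event with `severity: "medium"` and a `retentionUntil` of `createdAt` plus 30 days, regardless of `record.type`. That puts `auth.refresh_replay` and `tenant.federated_login.denied` on the same footing as `tenant.updated`, so severity-based alerting cannot single these rows out and the evidence is gone after a month. Derive both from the type, e.g. `severity: severityFor(record.type),` and `retentionUntil.setDate(retentionUntil.getDate() + retentionDaysFor(record.type));`. The two helpers are new lookup tables over `AuditEventType` that this change would add, with values taken from what the `security_events` schema and the retention policy allow.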
@@ -0,0 +1 @@
1
+ {"version":3,"file":"emit.js","sourceRoot":"","sources":["../../../src/lib/audit/emit.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,4EAGyC;AACzC,mCAAoC;AAEpC,6CAA0D;AAwB1D,SAAS,WAAW;IAClB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC;IACzC,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,YAAY,KAAK,eAAe,CAAC;AACzE,CAAC;AAED,MAAa,iBAAiB;IACX,QAAQ,CAAuB;IAEhD,YAAY,QAA+B;QACzC,IAAI,CAAC,QAAQ;YACX,QAAQ;gBACR,IAAI,6CAAoB,CAAC;oBACvB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,cAAc;iBACjD,CAAC,CAAC;IACP,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CACR,KAAqB,EACrB,QAcC;QAED,MAAM,OAAO,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAA,wBAAW,EAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAE9E,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,0BAAa,EAAC;YAC/C,GAAG,KAAK,CAAC,OAAO;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,QAAQ,EAAE,YAAY;YACtB,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC,CAAC;QAEH,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,MAAM;gBACb,GAAG,EAAE,kBAAkB;gBACvB,OAAO;gBACP,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY;aACb,CAAC,CACH,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAgB;YAC1B,OAAO;YACP,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,OAAO,EAAE,QAAQ;YACjB,QAAQ,EAAE,YAAY;YACtB,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,IAAI;YAC5C,SAAS;SACV,CAAC;QAEF,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC;YAC/B,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC;SACxC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,MAAmB;QAClD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,SAAS,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEvC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CACtB,IAAI,4CAAmB,CAAC;gBACtB,YAAY,EAAE,QAAQ;gBACtB,aAAa,EAAE,SAAS;gBACxB,SAAS,EAAE;oBACT;wBACE,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE;wBACrC,OAAO;qBA
CR;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,OAAO;gBACd,GAAG,EAAE,gBAAgB;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,MAAmB,EACnB,EAcC;QAED,MAAM,cAAc,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;gBAC5B,IAAI,EAAE;oBACJ,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,MAAM,EAAE,MAAM,CAAC,WAAW;oBAC1B,SAAS,EAAE,MAAM,CAAC,QAAQ;oBAC1B,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;oBACvE,cAAc;iBACf;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,OAAO;gBACd,GAAG,EAAE,gBAAgB;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AAzJD,8CAyJC"}
@@ -0,0 +1,36 @@
1
+ /**
2
+ * Audit Event Types
3
+ *
4
+ * Canonical catalog of all identity-federation audit events.
5
+ * Every AuditEventType emitted by a handler must appear here.
6
+ */
7
+ export declare const AuditEventType: {
8
+ readonly TENANT_CREATED: "tenant.created";
9
+ readonly TENANT_MEMBER_INVITED: "tenant.member.invited";
10
+ readonly TENANT_MEMBER_JOINED: "tenant.member.joined";
11
+ readonly TENANT_MEMBER_ROLE_CHANGED: "tenant.member.role_changed";
12
+ readonly TENANT_MEMBER_REMOVED: "tenant.member.removed";
13
+ readonly TENANT_DOMAIN_ADDED: "tenant.domain.added";
14
+ readonly TENANT_DOMAIN_VERIFIED: "tenant.domain.verified";
15
+ readonly TENANT_IDP_CONNECTED: "tenant.idp.connected";
16
+ readonly TENANT_IDP_MODIFIED: "tenant.idp.modified";
17
+ readonly TENANT_IDP_DISABLED: "tenant.idp.disabled";
18
+ readonly TENANT_IDP_DELETED: "tenant.idp.deleted";
19
+ readonly TENANT_ROLE_MAPPING_ADDED: "tenant.role_mapping.added";
20
+ readonly TENANT_ROLE_MAPPING_REMOVED: "tenant.role_mapping.removed";
21
+ readonly TENANT_FEDERATED_LOGIN_SUCCESS: "tenant.federated_login.success";
22
+ readonly TENANT_FEDERATED_LOGIN_DENIED: "tenant.federated_login.denied";
23
+ readonly TENANT_ROLE_REFRESHED_JIT: "tenant.role.refreshed_jit";
24
+ readonly TENANT_OWNERSHIP_TRANSFERRED: "tenant.ownership_transferred";
25
+ readonly TENANT_UPDATED: "tenant.updated";
26
+ readonly AUTH_AGENT_SESSION_APPROVED: "auth.agent_session.approved";
27
+ readonly AUTH_AGENT_SESSION_REVOKED: "auth.agent_session.revoked";
28
+ readonly AUTH_REFRESH_REPLAY: "auth.refresh_replay";
29
+ };
30
+ export type AuditEventType = (typeof AuditEventType)[keyof typeof AuditEventType];
31
+ /**
32
+ * Per-type allowed payload field names (allowlist).
33
+ * Populated by the PII filter — anything outside this set is redacted.
34
+ */
35
+ export declare const PII_ALLOWED_FIELDS: Set<string>;
36
+ //# sourceMappingURL=event-types.d.ts.map
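Review bot: The comment on `PII_ALLOWED_FIELDS` says "Per-type allowed payload field names", but the export is a single `Set<string>` with no event-type key, so a field allowed for one event type is allowed for all of them. The same comment appears in the `event-types.js` section that follows. Either key the allow-list by `AuditEventType`, or correct the comment to `Allowed payload field names (allowlist), shared by all event types. Consulted by the PII filter; any other key is redacted.` Declaring the export as `ReadonlySet<string>` would also stop importers from adding entries, at least at the type level.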
@@ -0,0 +1 @@
1
+ {"version":3,"file":"event-types.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/event-types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;CAsBjB,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,OAAO,cAAc,CAAC,CAAC;AAElF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,aA+B7B,CAAC"}
@@ -0,0 +1,69 @@
1
+ "use strict";
2
+ /**
3
+ * Audit Event Types
4
+ *
5
+ * Canonical catalog of all identity-federation audit events.
6
+ * Every AuditEventType emitted by a handler must appear here.
7
+ */
8
+ Object.defineProperty(exports, "__esModule", { value: true });
9
+ exports.PII_ALLOWED_FIELDS = exports.AuditEventType = void 0;
10
+ exports.AuditEventType = {
11
+ TENANT_CREATED: "tenant.created",
12
+ TENANT_MEMBER_INVITED: "tenant.member.invited",
13
+ TENANT_MEMBER_JOINED: "tenant.member.joined",
14
+ TENANT_MEMBER_ROLE_CHANGED: "tenant.member.role_changed",
15
+ TENANT_MEMBER_REMOVED: "tenant.member.removed",
16
+ TENANT_DOMAIN_ADDED: "tenant.domain.added",
17
+ TENANT_DOMAIN_VERIFIED: "tenant.domain.verified",
18
+ TENANT_IDP_CONNECTED: "tenant.idp.connected",
19
+ TENANT_IDP_MODIFIED: "tenant.idp.modified",
20
+ TENANT_IDP_DISABLED: "tenant.idp.disabled",
21
+ TENANT_IDP_DELETED: "tenant.idp.deleted",
22
+ TENANT_ROLE_MAPPING_ADDED: "tenant.role_mapping.added",
23
+ TENANT_ROLE_MAPPING_REMOVED: "tenant.role_mapping.removed",
24
+ TENANT_FEDERATED_LOGIN_SUCCESS: "tenant.federated_login.success",
25
+ TENANT_FEDERATED_LOGIN_DENIED: "tenant.federated_login.denied",
26
+ TENANT_ROLE_REFRESHED_JIT: "tenant.role.refreshed_jit",
27
+ TENANT_OWNERSHIP_TRANSFERRED: "tenant.ownership_transferred",
28
+ TENANT_UPDATED: "tenant.updated",
29
+ AUTH_AGENT_SESSION_APPROVED: "auth.agent_session.approved",
30
+ AUTH_AGENT_SESSION_REVOKED: "auth.agent_session.revoked",
31
+ AUTH_REFRESH_REPLAY: "auth.refresh_replay",
32
+ };
33
+ /**
34
+ * Per-type allowed payload field names (allowlist).
35
+ * Populated by the PII filter — anything outside this set is redacted.
36
+ */
37
+ exports.PII_ALLOWED_FIELDS = new Set([
38
+ "tenantId",
39
+ "actorUserId",
40
+ "targetUserId",
41
+ "targetType",
42
+ "oldRole",
43
+ "newRole",
44
+ "domain",
45
+ "idpStatus",
46
+ "idpKind",
47
+ "issuer",
48
+ "idpGroup",
49
+ "role",
50
+ "source",
51
+ "reason",
52
+ "verificationMethod",
53
+ "changedAttributes",
54
+ "sourceIp",
55
+ "agentSessionId",
56
+ "slug",
57
+ "displayName",
58
+ "type",
59
+ "agentLabel",
60
+ "userAgent",
61
+ // G4 MEDIUM-6/N2: `deviceCodeHash` was previously written into
62
+ // AUTH_AGENT_SESSION_APPROVED audit payloads and could act as a
63
+ // confirmation oracle if a raw device_code ever leaked elsewhere.
64
+ // Removed from the allow-list so a future regression that re-adds
65
+ // the field would fail the audit-emit allow-list check.
66
+ "refreshJti",
67
+ "cognitoUserId",
68
+ ]);
69
+ //# sourceMappingURL=event-types.js.map
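Review bot: The allow-list works on key names only, and `filterPayload` in this release copies the value of an allowed key unchanged, so the free-form keys `changedAttributes`, `reason`, `displayName` and `userAgent` are stored exactly as the caller passed them. The PII filter's header says claim names may be stored but claim values must never appear, and nothing visible here enforces that for `changedAttributes`. I would document the expected value shape next to each such entry, for example `"changedAttributes", // attribute names only (string[]), never old/new values`, and have the filter redact values that do not conform. Separately, the `deviceCodeHash` comment says a regression "would fail the audit-emit allow-list check", while the visible filter only redacts and logs a warning; if that check is a test outside this package, the comment should say so.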
@@ -0,0 +1 @@
1
+ {"version":3,"file":"event-types.js","sourceRoot":"","sources":["../../../src/lib/audit/event-types.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEU,QAAA,cAAc,GAAG;IAC5B,cAAc,EAAE,gBAAgB;IAChC,qBAAqB,EAAE,uBAAuB;IAC9C,oBAAoB,EAAE,sBAAsB;IAC5C,0BAA0B,EAAE,4BAA4B;IACxD,qBAAqB,EAAE,uBAAuB;IAC9C,mBAAmB,EAAE,qBAAqB;IAC1C,sBAAsB,EAAE,wBAAwB;IAChD,oBAAoB,EAAE,sBAAsB;IAC5C,mBAAmB,EAAE,qBAAqB;IAC1C,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,yBAAyB,EAAE,2BAA2B;IACtD,2BAA2B,EAAE,6BAA6B;IAC1D,8BAA8B,EAAE,gCAAgC;IAChE,6BAA6B,EAAE,+BAA+B;IAC9D,yBAAyB,EAAE,2BAA2B;IACtD,4BAA4B,EAAE,8BAA8B;IAC5D,cAAc,EAAE,gBAAgB;IAChC,2BAA2B,EAAE,6BAA6B;IAC1D,0BAA0B,EAAE,4BAA4B;IACxD,mBAAmB,EAAE,qBAAqB;CAClC,CAAC;AAIX;;;GAGG;AACU,QAAA,kBAAkB,GAAG,IAAI,GAAG,CAAS;IAChD,UAAU;IACV,aAAa;IACb,cAAc;IACd,YAAY;IACZ,SAAS;IACT,SAAS;IACT,QAAQ;IACR,WAAW;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACV,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,oBAAoB;IACpB,mBAAmB;IACnB,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,aAAa;IACb,MAAM;IACN,YAAY;IACZ,WAAW;IACX,+DAA+D;IAC/D,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,wDAAwD;IACxD,YAAY;IACZ,eAAe;CAChB,CAAC,CAAC"}
@@ -0,0 +1,22 @@
1
+ /**
2
+ * PII Filter for Audit Payloads
3
+ *
4
+ * Allowlist-based field filter. Any key not on the allowlist is replaced
5
+ * with the literal string "<redacted>" and a drop counter is incremented.
6
+ * Claim *names* are fine to store; claim *values* must never appear.
7
+ */
8
+ export interface FilterResult {
9
+ filtered: Record<string, unknown>;
10
+ droppedCount: number;
11
+ }
12
+ /**
13
+ * Redact IPv4 to /24 and IPv6 to /64 for GDPR-compliant storage.
14
+ * "1.2.3.4" → "1.2.3.0/24", "2001:db8::1" → "2001:db8::/64"
15
+ */
16
+ export declare function anonymizeIp(ip: string): string;
17
+ /**
18
+ * Filter a raw payload object against the PII allowlist.
19
+ * Returns the cleaned object and the number of dropped fields.
20
+ */
21
+ export declare function filterPayload(payload: Record<string, unknown>, allowedFields?: Set<string>): FilterResult;
22
+ //# sourceMappingURL=pii-filter.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pii-filter.d.ts","sourceRoot":"","sources":["../../../src/lib/audit/pii-filter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAiB9C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,aAAa,GAAE,GAAG,CAAC,MAAM,CAAsB,GAC9C,YAAY,CAcd"}
@@ -0,0 +1,51 @@
1
+ "use strict";
2
+ /**
3
+ * PII Filter for Audit Payloads
4
+ *
5
+ * Allowlist-based field filter. Any key not on the allowlist is replaced
6
+ * with the literal string "<redacted>" and a drop counter is incremented.
7
+ * Claim *names* are fine to store; claim *values* must never appear.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.anonymizeIp = anonymizeIp;
11
+ exports.filterPayload = filterPayload;
12
+ const event_types_1 = require("./event-types");
13
+ /**
14
+ * Redact IPv4 to /24 and IPv6 to /64 for GDPR-compliant storage.
15
+ * "1.2.3.4" → "1.2.3.0/24", "2001:db8::1" → "2001:db8::/64"
16
+ */
17
+ function anonymizeIp(ip) {
18
+ if (!ip || ip === "unknown")
19
+ return ip;
20
+ if (ip.includes(".")) {
21
+ const parts = ip.split(".");
22
+ if (parts.length === 4) {
23
+ return `${parts[0]}.${parts[1]}.${parts[2]}.0/24`;
24
+ }
25
+ }
26
+ if (ip.includes(":")) {
27
+ const parts = ip.split(":");
28
+ const prefix = parts.slice(0, 4).join(":");
29
+ return `${prefix}::/64`;
30
+ }
31
+ return ip;
32
+ }
33
+ /**
34
+ * Filter a raw payload object against the PII allowlist.
35
+ * Returns the cleaned object and the number of dropped fields.
36
+ */
37
+ function filterPayload(payload, allowedFields = event_types_1.PII_ALLOWED_FIELDS) {
38
+ const filtered = {};
39
+ let droppedCount = 0;
40
+ for (const [key, value] of Object.entries(payload)) {
41
+ if (allowedFields.has(key)) {
42
+ filtered[key] = value;
43
+ }
44
+ else {
45
+ filtered[key] = "<redacted>";
46
+ droppedCount++;
47
+ }
48
+ }
49
+ return { filtered, droppedCount };
50
+ }
51
+ //# sourceMappingURL=pii-filter.js.map
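Review bot: The IPv6 branch of `anonymizeIp` keeps the first four colon-separated tokens without expanding `::`, so a compressed address is stored in full: `"2001:db8::1"` becomes `"2001:db8::1::/64"`, not the `"2001:db8::/64"` promised in the doc comment here and in `pii-filter.d.ts`. The final `return ip;` also fails open: any input that is neither a four-part dotted string nor contains a colon (a comma-separated forwarded-for list, for instance) is returned and stored unchanged. The rewrite below expands `::` before truncating and returns `"unknown"` for anything it cannot parse. It renders the example as `2001:db8:0:0::/64`, so the doc example needs the same update.

```javascript
function anonymizeIp(ip) {
    // … unchanged: empty/"unknown" guard and the IPv4 /24 branch …
    if (ip.includes(":")) {
        // Expand "::" so the first four groups really are the top 64 bits.
        const [head, tail] = ip.split("::");
        const headGroups = head ? head.split(":") : [];
        const tailGroups = tail ? tail.split(":") : [];
        const groups = tail === undefined
            ? headGroups
            : [
                ...headGroups,
                ...Array(Math.max(0, 8 - headGroups.length - tailGroups.length)).fill("0"),
                ...tailGroups,
            ];
        if (groups.length !== 8)
            return "unknown";
        return `${groups.slice(0, 4).join(":")}::/64`;
    }
    // Fail closed: never store an address that could not be truncated.
    return "unknown";
}
```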
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pii-filter.js","sourceRoot":"","sources":["../../../src/lib/audit/pii-filter.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAaH,kCAiBC;AAMD,sCAiBC;AAnDD,+CAAmD;AAOnD;;;GAGG;AACH,SAAgB,WAAW,CAAC,EAAU;IACpC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEvC,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;QACpD,CAAC;IACH,CAAC;IAED,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,OAAO,GAAG,MAAM,OAAO,CAAC;IAC1B,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAC3B,OAAgC,EAChC,gBAA6B,gCAAkB;IAE/C,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC7B,YAAY,EAAE,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACpC,CAAC"}
@@ -230,7 +230,7 @@ class AuditLogger {
230
230
  type: `audit_${event.type}`, // Prefix with 'audit_' to distinguish from security events
231
231
  severity: severity,
232
232
  userId: event.userId || null,
233
- partnerId: null, // partnerId (not used for audit events)
233
+ tenantId: null, // T7 will populate this with the tenant context. (renamed from partnerId in T1)
234
234
  ipAddress: event.ipAddress || null,
235
235
  userAgent: event.userAgent || null,
236
236
  details: details,
@@ -1 +1 @@
1
- {"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/lib/audit-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqYH,8CAKC;AAxYD,qCAAqE;AAErE,yDAAgE;AA8ChE;;;;GAIG;AACH,MAAa,WAAW;IACd,MAAM,CAAS;IACf,SAAS,CAAU;IAE3B,YAAY,GAAe,EAAE,SAAkB;QAC7C,IAAI,CAAC,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,SAAiB;QAC7B,OAAO,IAAI,WAAW,CACpB,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAe,EACrD,SAAS,CACV,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,QAAQ,EAAE,6CAA6C;YACnF,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CACrB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,gBAAgB;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM;YAClC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAA
C,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,+BAA+B;YAC7F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,eAAe;YACnC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,gCAAgC;YAC9F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,KAAuE,EACvE,GAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,aAAa,CAAC;QAE9C,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,eAAe;gBAClB,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR;gBACE,2CAA2C;gBAC3C,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,aAAa,CACzB,KAAiB,EACjB,GAAmB;QAEnB,IAAI,CAAC;YACH,2CAA2C;YAC3C,IAAI,CAAC,IAAA,gCAAa,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;oBAC/D,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,2BAA2B;YACrC,CAAC;YAED,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CACjD,KAAK,CAAC,QAAQ,IAAI,KAAK,CACxB,CAAC;YAEF,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC
,QAAQ;gBACxB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,GAAG,KAAK,CAAC,QAAQ;aAClB,CAAC,CAAC;YAEH,4FAA4F;YAC5F,yEAAyE;YACzE,iEAAiE;YACjE,uEAAuE;YACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,EAAE,+BAA+B,EAAE,GAAG,wDAC1C,+BAA+B,GAChC,CAAC;gBACF,MAAM,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,GAAG,wDACxD,mBAAmB,GACpB,CAAC;gBAEF,MAAM,wBAAwB,CAC5B,+BAA+B,EAC/B,KAAK,CAAC,MAAM,EACZ,GAAG,EACH,KAAK,EAAE,EAAE,EAAE,EAAE;oBACX,OAAO,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;wBACnC,IAAI,EAAE;4BACJ,IAAI,EAAE,SAAS,KAAK,CAAC,IAAI,EAAE,EAAE,2DAA2D;4BACxF,QAAQ,EAAE,QAAQ;4BAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;4BAC5B,SAAS,EAAE,IAAI,EAAE,wCAAwC;4BACzD,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,OAAO,EAAE,OAAO;4BAChB,cAAc,EAAE,cAAc;yBAC/B;qBACF,CAAC,CAAC;gBACL,CAAC,EACD;oBACE,GAAG,mBAAmB,CAAC,UAAU,EAAE,wCAAwC;oBAC3E,UAAU,EAAE,CAAC;oBACb,WAAW,EAAE,GAAG;oBAChB,OAAO,EAAE;wBACP,SAAS,EAAE,WAAW;wBACtB,MAAM,EAAE,KAAK,CAAC,MAAM;wBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,OAAO,EAAE,CAAC;gBACjB,qDAAqD;gBACrD,0CAA0C;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,+EAA+E,EAC/E,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CACzC,CAAC;YACJ,CAAC;YAED,uDAAuD;YACvD,MAAM,UAAU,GAAG,WAAW,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,cAAc,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAE9M,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KA
AK,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gDAAgD;YAChD,mCAAmC;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,KAAK;gBACL,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,QAA4B;QAC1D,MAAM,aAAa,GAAuC;YACxD,QAAQ,EAAE,GAAG,EAAE,kCAAkC;YACjD,IAAI,EAAE,EAAE,EAAE,iCAAiC;YAC3C,MAAM,EAAE,EAAE,EAAE,0BAA0B;YACtC,GAAG,EAAE,CAAC,EAAE,sBAAsB;SAC/B,CAAC;QAEF,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AArUD,kCAqUC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAC/B,GAAe,EACf,SAAkB;IAElB,OAAO,IAAI,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC"}
1
+ {"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/lib/audit-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqYH,8CAKC;AAxYD,qCAAqE;AAErE,yDAAgE;AA8ChE;;;;GAIG;AACH,MAAa,WAAW;IACd,MAAM,CAAS;IACf,SAAS,CAAU;IAE3B,YAAY,GAAe,EAAE,SAAkB;QAC7C,IAAI,CAAC,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,SAAiB;QAC7B,OAAO,IAAI,WAAW,CACpB,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAe,EACrD,SAAS,CACV,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,aAAa;YACjC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,QAAQ,EAAE,6CAA6C;YACnF,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CACrB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,gBAAgB;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM;YAClC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAA
C,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,+BAA+B;YAC7F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,KAGC,EACD,GAAmB;QAEnB,MAAM,UAAU,GAAe;YAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,eAAe;YACnC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,gCAAgC;YAC9F,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CACP,KAAuE,EACvE,GAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,aAAa,CAAC;QAE9C,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,aAAa;gBAChB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,eAAe;gBAClB,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR;gBACE,2CAA2C;gBAC3C,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,aAAa,CACzB,KAAiB,EACjB,GAAmB;QAEnB,IAAI,CAAC;YACH,2CAA2C;YAC3C,IAAI,CAAC,IAAA,gCAAa,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;oBAC/D,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,2BAA2B;YACrC,CAAC;YAED,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CACjD,KAAK,CAAC,QAAQ,IAAI,KAAK,CACxB,CAAC;YAEF,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC
,QAAQ;gBACxB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,GAAG,KAAK,CAAC,QAAQ;aAClB,CAAC,CAAC;YAEH,4FAA4F;YAC5F,yEAAyE;YACzE,iEAAiE;YACjE,uEAAuE;YACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,EAAE,+BAA+B,EAAE,GAAG,wDAC1C,+BAA+B,GAChC,CAAC;gBACF,MAAM,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,GAAG,wDACxD,mBAAmB,GACpB,CAAC;gBAEF,MAAM,wBAAwB,CAC5B,+BAA+B,EAC/B,KAAK,CAAC,MAAM,EACZ,GAAG,EACH,KAAK,EAAE,EAAE,EAAE,EAAE;oBACX,OAAO,MAAM,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;wBACnC,IAAI,EAAE;4BACJ,IAAI,EAAE,SAAS,KAAK,CAAC,IAAI,EAAE,EAAE,2DAA2D;4BACxF,QAAQ,EAAE,QAAQ;4BAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;4BAC5B,QAAQ,EAAE,IAAI,EAAE,gFAAgF;4BAChG,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;4BAClC,OAAO,EAAE,OAAO;4BAChB,cAAc,EAAE,cAAc;yBAC/B;qBACF,CAAC,CAAC;gBACL,CAAC,EACD;oBACE,GAAG,mBAAmB,CAAC,UAAU,EAAE,wCAAwC;oBAC3E,UAAU,EAAE,CAAC;oBACb,WAAW,EAAE,GAAG;oBAChB,OAAO,EAAE;wBACP,SAAS,EAAE,WAAW;wBACtB,MAAM,EAAE,KAAK,CAAC,MAAM;wBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,OAAO,EAAE,CAAC;gBACjB,qDAAqD;gBACrD,0CAA0C;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,+EAA+E,EAC/E,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CACzC,CAAC;YACJ,CAAC;YAED,uDAAuD;YACvD,MAAM,UAAU,GAAG,WAAW,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,cAAc,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAE9M,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC3B,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KA
AK,CAAC,MAAM;oBACpB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gDAAgD;YAChD,mCAAmC;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,KAAK;gBACL,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,QAA4B;QAC1D,MAAM,aAAa,GAAuC;YACxD,QAAQ,EAAE,GAAG,EAAE,kCAAkC;YACjD,IAAI,EAAE,EAAE,EAAE,iCAAiC;YAC3C,MAAM,EAAE,EAAE,EAAE,0BAA0B;YACtC,GAAG,EAAE,CAAC,EAAE,sBAAsB;SAC/B,CAAC;QAEF,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AArUD,kCAqUC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAC/B,GAAe,EACf,SAAkB;IAElB,OAAO,IAAI,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC"}
@@ -0,0 +1,34 @@
1
+ /**
2
+ * AuthContext — the resolved identity for one authenticated request.
3
+ *
4
+ * Built by authMiddleware from verified Cognito JWT claims. Every route
5
+ * handler that needs auth information receives this rather than the raw
6
+ * token payload.
7
+ */
8
+ import type { TenantRole, UserRole, TenantMember, Tenant } from "@prisma/client";
9
+ /** The data carried from a Cognito JWT into each request. */
10
+ export interface AuthContext {
11
+ /** Cognito user pool sub (UUID). Stable identifier used for cache keys. */
12
+ cognitoSub: string;
13
+ /** Skybber `User.id` (cuid). */
14
+ userId: string;
15
+ /** Platform-wide role from `users.role`. */
16
+ globalRole: UserRole;
17
+ /** The tenant the user is currently acting as (`custom:activeTenantId`). */
18
+ activeTenantId: string;
19
+ /** Human-readable slug of the active tenant. */
20
+ tenantSlug: string;
21
+ /** Role within the active tenant. */
22
+ tenantRole: TenantRole;
23
+ /** ActivityPub-style handle. */
24
+ handle: string;
25
+ /**
26
+ * Lazy loader for all of the user's tenant memberships.
27
+ * Fetched at most once per request; stored on the context so callers
28
+ * (e.g. tenant-switcher UI) don't duplicate the DB query.
29
+ */
30
+ membershipsLoader: () => Promise<(TenantMember & {
31
+ tenant: Tenant;
32
+ })[]>;
33
+ }
34
+ //# sourceMappingURL=auth-context.d.ts.map
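Review bot: The field comments on `AuthContext` do not say which values are safe to base an authorization decision on, and that matters most for `activeTenantId`, documented as coming from the `custom:activeTenantId` claim, and for `tenantRole`. A verified signature shows that the user pool issued the token, not that the user is still a member of that tenant with that role at request time; and if the custom attribute is writable through the app client, the user can set it themselves. I would state the origin on both fields, for example `/** Re-checked against the user's TenantMember row by authMiddleware; never trusted from the token alone. */`, provided that is what the middleware does, which is not visible here. Declaring the properties `readonly` (`readonly activeTenantId: string;`) would also keep a route handler from reassigning the resolved identity mid-request. This declaration is emitted from `src/lib/auth/auth-context.ts` according to its source map, so the change belongs in that file.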
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-context.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth-context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAEjF,6DAA6D;AAC7D,MAAM,WAAW,WAAW;IAC1B,2EAA2E;IAC3E,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,4CAA4C;IAC5C,UAAU,EAAE,QAAQ,CAAC;IACrB,4EAA4E;IAC5E,cAAc,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IACvB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,CAAC,YAAY,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,CAAC,CAAC;CACzE"}
@@ -0,0 +1,10 @@
1
+ "use strict";
2
+ /**
3
+ * AuthContext — the resolved identity for one authenticated request.
4
+ *
5
+ * Built by authMiddleware from verified Cognito JWT claims. Every route
6
+ * handler that needs auth information receives this rather than the raw
7
+ * token payload.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ //# sourceMappingURL=auth-context.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-context.js","sourceRoot":"","sources":["../../../src/lib/auth/auth-context.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG"}