@enderworld/onlyapi 1.5.1

package/src/infrastructure/database/mssql/migrations.ts

@@ -0,0 +1,299 @@
+/**
+ * SQL Server migration runner — uses the `mssql` npm package.
+ *
+ * Mirrors the Postgres migration runner pattern but uses T-SQL DDL.
+ * Migrations are idempotent and wrapped in transactions.
+ */
+
+import type sql from "mssql";
+import type { Logger } from "../../../core/ports/logger.js";
+
+interface MssqlMigration {
+  readonly version: string;
+  readonly name: string;
+  readonly up: string; // T-SQL DDL
+  readonly down: string;
+}
+
+/**
+ * All SQL Server migrations — inlined T-SQL strings.
+ * Uses NVARCHAR for text, BIGINT for timestamps (ms), BIT for booleans.
+ */
+const migrations: readonly MssqlMigration[] = [
+  {
+    version: "001",
+    name: "create_users",
+    up: `
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'users')
+      CREATE TABLE users (
+        id                    NVARCHAR(36)  NOT NULL PRIMARY KEY,
+        email                 NVARCHAR(255) NOT NULL UNIQUE,
+        password_hash         NVARCHAR(255) NOT NULL,
+        role                  NVARCHAR(20)  NOT NULL DEFAULT 'user',
+        email_verified        BIT           NOT NULL DEFAULT 0,
+        mfa_secret            NVARCHAR(255) NULL,
+        mfa_enabled           BIT           NOT NULL DEFAULT 0,
+        password_changed_at   BIGINT        NULL,
+        failed_login_attempts INT           NOT NULL DEFAULT 0,
+        locked_until          BIGINT        NULL,
+        created_at            BIGINT        NOT NULL,
+        updated_at            BIGINT        NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_users_email')
+      CREATE UNIQUE INDEX idx_users_email ON users(email);
+    `,
+    down: `
+      DROP INDEX IF EXISTS idx_users_email ON users;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'users')
+      DROP TABLE users;
+    `,
+  },
+  {
+    version: "002",
+    name: "create_token_blacklist",
+    up: `
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'token_blacklist')
+      CREATE TABLE token_blacklist (
+        token_hash  NVARCHAR(128)  NOT NULL PRIMARY KEY,
+        expires_at  BIGINT         NOT NULL,
+        created_at  BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_token_blacklist_expires')
+      CREATE INDEX idx_token_blacklist_expires ON token_blacklist(expires_at);
+    `,
+    down: `
+      DROP INDEX IF EXISTS idx_token_blacklist_expires ON token_blacklist;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'token_blacklist')
+      DROP TABLE token_blacklist;
+    `,
+  },
+  {
+    version: "003",
+    name: "create_audit_log",
+    up: `
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'audit_log')
+      CREATE TABLE audit_log (
+        id          NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id     NVARCHAR(36)   NULL,
+        action      NVARCHAR(50)   NOT NULL,
+        resource    NVARCHAR(100)  NOT NULL,
+        resource_id NVARCHAR(36)   NULL,
+        detail      NVARCHAR(MAX)  NULL,
+        ip          NVARCHAR(45)   NOT NULL,
+        timestamp   BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_audit_log_user')
+      CREATE INDEX idx_audit_log_user ON audit_log(user_id);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_audit_log_action')
+      CREATE INDEX idx_audit_log_action ON audit_log(action);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_audit_log_timestamp')
+      CREATE INDEX idx_audit_log_timestamp ON audit_log(timestamp);
+    `,
+    down: `
+      DROP INDEX IF EXISTS idx_audit_log_timestamp ON audit_log;
+      DROP INDEX IF EXISTS idx_audit_log_action ON audit_log;
+      DROP INDEX IF EXISTS idx_audit_log_user ON audit_log;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'audit_log')
+      DROP TABLE audit_log;
+    `,
+  },
+  {
+    version: "004",
+    name: "auth_platform",
+    up: `
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'verification_tokens')
+      CREATE TABLE verification_tokens (
+        id          NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id     NVARCHAR(36)   NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        type        NVARCHAR(30)   NOT NULL CHECK (type IN ('email_verification', 'password_reset')),
+        token_hash  NVARCHAR(128)  NOT NULL UNIQUE,
+        expires_at  BIGINT         NOT NULL,
+        used_at     BIGINT         NULL,
+        created_at  BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_verification_tokens_hash')
+      CREATE INDEX idx_verification_tokens_hash ON verification_tokens(token_hash);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_verification_tokens_user')
+      CREATE INDEX idx_verification_tokens_user ON verification_tokens(user_id, type);
+
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'refresh_token_families')
+      CREATE TABLE refresh_token_families (
+        id                  NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id             NVARCHAR(36)   NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        current_token_hash  NVARCHAR(128)  NOT NULL,
+        revoked             BIT            NOT NULL DEFAULT 0,
+        created_at          BIGINT         NOT NULL,
+        updated_at          BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_refresh_families_user')
+      CREATE INDEX idx_refresh_families_user ON refresh_token_families(user_id);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_refresh_families_token')
+      CREATE INDEX idx_refresh_families_token ON refresh_token_families(current_token_hash);
+
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'api_keys')
+      CREATE TABLE api_keys (
+        id           NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id      NVARCHAR(36)   NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        name         NVARCHAR(100)  NOT NULL,
+        key_hash     NVARCHAR(128)  NOT NULL UNIQUE,
+        key_prefix   NVARCHAR(20)   NOT NULL,
+        scopes       NVARCHAR(MAX)  NOT NULL DEFAULT '[]',
+        expires_at   BIGINT         NULL,
+        last_used_at BIGINT         NULL,
+        created_at   BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_api_keys_hash')
+      CREATE INDEX idx_api_keys_hash ON api_keys(key_hash);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_api_keys_user')
+      CREATE INDEX idx_api_keys_user ON api_keys(user_id);
+
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'password_history')
+      CREATE TABLE password_history (
+        id              NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id         NVARCHAR(36)   NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        password_hash   NVARCHAR(255)  NOT NULL,
+        created_at      BIGINT         NOT NULL
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_password_history_user')
+      CREATE INDEX idx_password_history_user ON password_history(user_id);
+
+      IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = 'oauth_accounts')
+      CREATE TABLE oauth_accounts (
+        id                NVARCHAR(36)   NOT NULL PRIMARY KEY,
+        user_id           NVARCHAR(36)   NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        provider          NVARCHAR(30)   NOT NULL,
+        provider_user_id  NVARCHAR(255)  NOT NULL,
+        email             NVARCHAR(255)  NULL,
+        created_at        BIGINT         NOT NULL,
+        UNIQUE(provider, provider_user_id)
+      );
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_oauth_accounts_user')
+      CREATE INDEX idx_oauth_accounts_user ON oauth_accounts(user_id);
+
+      IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = 'idx_oauth_accounts_provider')
+      CREATE INDEX idx_oauth_accounts_provider ON oauth_accounts(provider, provider_user_id);
+    `,
+    down: `
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'oauth_accounts') DROP TABLE oauth_accounts;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'password_history') DROP TABLE password_history;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'api_keys') DROP TABLE api_keys;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'refresh_token_families') DROP TABLE refresh_token_families;
+      IF EXISTS (SELECT * FROM sys.tables WHERE name = 'verification_tokens') DROP TABLE verification_tokens;
+    `,
+  },
+];
+
+const ensureMigrationsTable = async (pool: sql.ConnectionPool): Promise<void> => {
+  await pool.request().query(`
+    IF NOT EXISTS (SELECT * FROM sys.tables WHERE name = '_migrations')
+    CREATE TABLE _migrations (
+      version     NVARCHAR(10) NOT NULL PRIMARY KEY,
+      name        NVARCHAR(100) NOT NULL,
+      applied_at  BIGINT NOT NULL
+    )
+  `);
+};
+
+const getAppliedVersions = async (pool: sql.ConnectionPool): Promise<Set<string>> => {
+  const result = await pool.request().query("SELECT version FROM _migrations ORDER BY version");
+  return new Set(result.recordset.map((r: { version: string }) => r.version));
+};
+
+export const mssqlMigrateUp = async (pool: sql.ConnectionPool, logger: Logger): Promise<number> => {
+  await ensureMigrationsTable(pool);
+  const applied = await getAppliedVersions(pool);
+  let count = 0;
+
+  for (const migration of migrations) {
+    if (applied.has(migration.version)) continue;
+
+    const tx = pool.transaction();
+    await tx.begin();
+
+    try {
+      // T-SQL: execute each batch separated by GO-like blocks (we split on ;; for multi-statement)
+      // Since our DDL uses IF NOT EXISTS guards, we run each statement individually
+      for (const stmt of migration.up.split(";").filter((s: string) => s.trim())) {
+        await tx.request().query(stmt.trim());
+      }
+
+      await tx
+        .request()
+        .input("version", migration.version)
+        .input("name", migration.name)
+        .input("appliedAt", Date.now())
+        .query(
+          "INSERT INTO _migrations (version, name, applied_at) VALUES (@version, @name, @appliedAt)",
+        );
+
+      await tx.commit();
+    } catch (e) {
+      await tx.rollback();
+      throw e;
+    }
+
+    logger.info("Migration applied", {
+      version: migration.version,
+      name: migration.name,
+    });
+    count++;
+  }
+
+  if (count > 0) {
+    logger.info("SQL Server migrations complete", { applied: count });
+  }
+  return count;
+};
+
+export const mssqlMigrateDown = async (
+  pool: sql.ConnectionPool,
+  logger: Logger,
+): Promise<string | null> => {
+  await ensureMigrationsTable(pool);
+  const applied = await getAppliedVersions(pool);
+  const reversed = [...migrations].reverse();
+
+  for (const migration of reversed) {
+    if (!applied.has(migration.version)) continue;
+
+    const tx = pool.transaction();
+    await tx.begin();
+
+    try {
+      for (const stmt of migration.down.split(";").filter((s: string) => s.trim())) {
+        await tx.request().query(stmt.trim());
+      }
+
+      await tx
+        .request()
+        .input("version", migration.version)
+        .query("DELETE FROM _migrations WHERE version = @version");
+
+      await tx.commit();
+    } catch (e) {
+      await tx.rollback();
+      throw e;
+    }
+
+    logger.info("Migration rolled back", {
+      version: migration.version,
+      name: migration.name,
+    });
+    return migration.version;
+  }
+
+  return null;
+};

package/src/infrastructure/database/mssql/mssql-account-lockout.ts

@@ -0,0 +1,95 @@
+/**
+ * SQL Server account lockout adapter.
+ */
+
+import type sql from "mssql";
+import { internal } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { AccountLockout } from "../../../core/ports/account-lockout.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+
+interface LockoutOptions {
+  readonly maxAttempts: number;
+  readonly lockoutDurationMs: number;
+}
+
+export const createMssqlAccountLockout = (
+  pool: sql.ConnectionPool,
+  options: LockoutOptions,
+): AccountLockout => ({
+  async recordFailedAttempt(email: string): Promise<Result<boolean, AppError>> {
+    try {
+      await pool
+        .request()
+        .input("email", email)
+        .query(
+          "UPDATE users SET failed_login_attempts = failed_login_attempts + 1 WHERE email = @email",
+        );
+
+      const result = await pool
+        .request()
+        .input("email", email)
+        .query("SELECT failed_login_attempts FROM users WHERE email = @email");
+
+      if (result.recordset.length === 0) return ok(false);
+
+      const attempts = Number(result.recordset[0].failed_login_attempts);
+      if (attempts >= options.maxAttempts) {
+        const lockUntil = Date.now() + options.lockoutDurationMs;
+        await pool
+          .request()
+          .input("lockUntil", lockUntil)
+          .input("attempts", attempts)
+          .input("email", email)
+          .query(
+            "UPDATE users SET locked_until = @lockUntil, failed_login_attempts = @attempts WHERE email = @email",
+          );
+        return ok(true);
+      }
+      return ok(false);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async resetAttempts(email: string): Promise<Result<void, AppError>> {
+    try {
+      await pool
+        .request()
+        .input("email", email)
+        .query(
+          "UPDATE users SET failed_login_attempts = 0, locked_until = NULL WHERE email = @email",
+        );
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async isLocked(email: string): Promise<Result<number | null, AppError>> {
+    try {
+      const result = await pool
+        .request()
+        .input("email", email)
+        .query("SELECT locked_until FROM users WHERE email = @email");
+
+      if (result.recordset.length === 0) return ok(null);
+
+      const lockedUntil = result.recordset[0].locked_until;
+      if (lockedUntil === null || lockedUntil === undefined) return ok(null);
+      if (Number(lockedUntil) <= Date.now()) {
+        // Lock expired — clear it
+        await pool
+          .request()
+          .input("email", email)
+          .query(
+            "UPDATE users SET locked_until = NULL, failed_login_attempts = 0 WHERE email = @email",
+          );
+        return ok(null);
+      }
+      return ok(Number(lockedUntil));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/mssql/mssql-api-keys.ts

@@ -0,0 +1,146 @@
+/**
+ * SQL Server API key repository adapter.
+ */
+
+import type sql from "mssql";
+import { internal, notFound } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { ApiKey, ApiKeyRepository } from "../../../core/ports/api-key.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { brand } from "../../../core/types/brand.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+const KEY_PREFIX = "oapi_";
+
+const rowToApiKey = (row: Record<string, unknown>): ApiKey => ({
+  id: row["id"] as string,
+  userId: brand<string, "UserId">(row["user_id"] as string),
+  name: row["name"] as string,
+  keyPrefix: row["key_prefix"] as string,
+  scopes: JSON.parse((row["scopes"] as string) || "[]") as readonly string[],
+  expiresAt: row["expires_at"] !== null ? Number(row["expires_at"]) : null,
+  lastUsedAt: row["last_used_at"] !== null ? Number(row["last_used_at"]) : null,
+  createdAt: Number(row["created_at"]),
+});
+
+export const createMssqlApiKeyRepository = (pool: sql.ConnectionPool): ApiKeyRepository => ({
+  async create(
+    userId: UserId,
+    name: string,
+    scopes: readonly string[],
+    expiresAt?: number,
+  ): Promise<Result<{ key: ApiKey; rawKey: string }, AppError>> {
+    try {
+      const id = generateId();
+      const rawKey = `${KEY_PREFIX}${generateId()}${generateId()}`;
+      const prefix = rawKey.substring(0, KEY_PREFIX.length + 8);
+
+      const encoder = new TextEncoder();
+      const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(rawKey));
+      const keyHash = [...new Uint8Array(hashBuffer)]
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+
+      const now = Date.now();
+
+      await pool
+        .request()
+        .input("id", id)
+        .input("userId", userId as string)
+        .input("name", name)
+        .input("keyHash", keyHash)
+        .input("keyPrefix", prefix)
+        .input("scopes", JSON.stringify(scopes))
+        .input("expiresAt", expiresAt ?? null)
+        .input("createdAt", now)
+        .query(`
+          INSERT INTO api_keys (id, user_id, name, key_hash, key_prefix, scopes, expires_at, created_at)
+          VALUES (@id, @userId, @name, @keyHash, @keyPrefix, @scopes, @expiresAt, @createdAt)
+        `);
+
+      const key: ApiKey = {
+        id,
+        userId,
+        name,
+        keyPrefix: prefix,
+        scopes,
+        expiresAt: expiresAt ?? null,
+        lastUsedAt: null,
+        createdAt: now,
+      };
+
+      return ok({ key, rawKey });
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async verify(rawKey: string): Promise<Result<ApiKey, AppError>> {
+    try {
+      const encoder = new TextEncoder();
+      const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(rawKey));
+      const keyHash = [...new Uint8Array(hashBuffer)]
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+
+      const result = await pool
+        .request()
+        .input("keyHash", keyHash)
+        .query("SELECT * FROM api_keys WHERE key_hash = @keyHash");
+
+      if (result.recordset.length === 0) return err(notFound("API key"));
+
+      const key = rowToApiKey(result.recordset[0] as Record<string, unknown>);
+      if (key.expiresAt !== null && key.expiresAt < Date.now()) {
+        return err(notFound("API key"));
+      }
+
+      return ok(key);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async listByUser(userId: UserId): Promise<Result<readonly ApiKey[], AppError>> {
+    try {
+      const result = await pool
+        .request()
+        .input("userId", userId as string)
+        .query("SELECT * FROM api_keys WHERE user_id = @userId ORDER BY created_at DESC");
+      return ok(result.recordset.map((r: Record<string, unknown>) => rowToApiKey(r)));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async revoke(id: string, userId: UserId): Promise<Result<void, AppError>> {
+    try {
+      const result = await pool
+        .request()
+        .input("id", id)
+        .input("userId", userId as string)
+        .query("SELECT id FROM api_keys WHERE id = @id AND user_id = @userId");
+
+      if (result.recordset.length === 0) return err(notFound("API key"));
+
+      await pool.request().input("id", id).query("DELETE FROM api_keys WHERE id = @id");
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async touch(id: string): Promise<Result<void, AppError>> {
+    try {
+      await pool
+        .request()
+        .input("lastUsedAt", Date.now())
+        .input("id", id)
+        .query("UPDATE api_keys SET last_used_at = @lastUsedAt WHERE id = @id");
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/mssql/mssql-audit-log.ts

@@ -0,0 +1,86 @@
+/**
+ * SQL Server audit log adapter.
+ */
+
+import type sql from "mssql";
+import { internal } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { AuditEntry, AuditLog, AuditQueryOptions } from "../../../core/ports/audit-log.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+export const createMssqlAuditLog = (pool: sql.ConnectionPool): AuditLog => ({
+  async append(entry: Omit<AuditEntry, "id" | "timestamp">): Promise<Result<void, AppError>> {
+    try {
+      const id = generateId();
+      const timestamp = Date.now();
+      await pool
+        .request()
+        .input("id", id)
+        .input("userId", entry.userId)
+        .input("action", entry.action)
+        .input("resource", entry.resource)
+        .input("resourceId", entry.resourceId)
+        .input("detail", entry.detail)
+        .input("ip", entry.ip)
+        .input("timestamp", timestamp)
+        .query(`
+          INSERT INTO audit_log (id, user_id, action, resource, resource_id, detail, ip, timestamp)
+          VALUES (@id, @userId, @action, @resource, @resourceId, @detail, @ip, @timestamp)
+        `);
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async query(options: AuditQueryOptions): Promise<Result<readonly AuditEntry[], AppError>> {
+    try {
+      const conditions: string[] = [];
+      const req = pool.request();
+      let paramIdx = 0;
+
+      if (options.userId !== undefined) {
+        const p = `p${paramIdx++}`;
+        conditions.push(`user_id = @${p}`);
+        req.input(p, options.userId);
+      }
+      if (options.action !== undefined) {
+        const p = `p${paramIdx++}`;
+        conditions.push(`action = @${p}`);
+        req.input(p, options.action);
+      }
+      if (options.since !== undefined) {
+        const p = `p${paramIdx++}`;
+        conditions.push(`timestamp >= @${p}`);
+        req.input(p, options.since);
+      }
+
+      const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+      const limit = options.limit ?? 50;
+      const limitParam = `p${paramIdx}`;
+      req.input(limitParam, limit);
+
+      const query = `SELECT TOP (@${limitParam}) * FROM audit_log ${where} ORDER BY timestamp DESC`;
+      const result = await req.query(query);
+
+      return ok(
+        result.recordset.map(
+          (r: Record<string, unknown>) =>
+            ({
+              id: r["id"] as string,
+              userId: (r["user_id"] as string) ?? null,
+              action: r["action"],
+              resource: r["resource"] as string,
+              resourceId: (r["resource_id"] as string) ?? null,
+              detail: (r["detail"] as string) ?? null,
+              ip: r["ip"] as string,
+              timestamp: Number(r["timestamp"]),
+            }) as AuditEntry,
+        ),
+      );
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});