@fuzdev/fuz_app 0.1.0

package/dist/auth/audit_log_queries.js

@@ -0,0 +1,205 @@
+/**
+ * Audit log database queries.
+ *
+ * Records and retrieves auth mutation events for security monitoring.
+ * All write operations should use `audit_log_fire_and_forget` to
+ * ensure audit logging never blocks or breaks auth flows.
+ *
+ * Rollback resilience: `audit_log_fire_and_forget` writes to `background_db`
+ * (pool-level), not the handler's transaction-scoped `db`, so audit entries
+ * persist even when the request transaction rolls back.
+ *
+ * @module
+ */
+import { DEV } from 'esm-env';
+import { assert_row } from '../db/assert_row.js';
+import { AUDIT_METADATA_SCHEMAS, } from './audit_log_schema.js';
+/** Default limit for audit log listings. */
+export const AUDIT_LOG_DEFAULT_LIMIT = 50;
+/**
+ * Insert an audit log entry.
+ *
+ * Uses `RETURNING *` to return the full inserted row including
+ * DB-assigned fields (`id`, `seq`, `created_at`).
+ *
+ * In DEV mode, validates metadata against the per-event-type schema
+ * before writing (warns on mismatch, never throws).
+ *
+ * @param deps - query dependencies
+ * @param input - the audit event to record
+ * @returns the inserted audit log row
+ */
+export const query_audit_log = async (deps, input) => {
+    if (DEV && input.metadata != null) {
+        const schema = AUDIT_METADATA_SCHEMAS[input.event_type];
+        const result = schema.safeParse(input.metadata);
+        if (!result.success) {
+            console.warn(`[audit_log] Metadata mismatch for '${input.event_type}':`, result.error.issues);
+        }
+    }
+    const rows = await deps.db.query(`INSERT INTO audit_log (event_type, outcome, actor_id, account_id, target_account_id, ip, metadata)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)
+		 RETURNING *`, [
+        input.event_type,
+        input.outcome ?? 'success',
+        input.actor_id ?? null,
+        input.account_id ?? null,
+        input.target_account_id ?? null,
+        input.ip ?? null,
+        input.metadata ? JSON.stringify(input.metadata) : null,
+    ]);
+    return assert_row(rows[0], 'INSERT INTO audit_log');
+};
+/**
+ * List audit log entries, newest first.
+ *
+ * @param deps - query dependencies
+ * @param options - filters and pagination
+ * @returns matching audit log entries
+ */
+export const query_audit_log_list = async (deps, options) => {
+    const conditions = [];
+    const params = [];
+    let param_index = 1;
+    if (options?.event_type) {
+        conditions.push(`event_type = $${param_index++}`);
+        params.push(options.event_type);
+    }
+    if (options?.event_type_in && options.event_type_in.length > 0) {
+        const placeholders = options.event_type_in.map(() => `$${param_index++}`);
+        conditions.push(`event_type IN (${placeholders.join(', ')})`);
+        params.push(...options.event_type_in);
+    }
+    if (options?.account_id) {
+        conditions.push(`(account_id = $${param_index} OR target_account_id = $${param_index})`);
+        param_index++;
+        params.push(options.account_id);
+    }
+    if (options?.outcome) {
+        conditions.push(`outcome = $${param_index++}`);
+        params.push(options.outcome);
+    }
+    if (options?.since_seq != null) {
+        conditions.push(`seq > $${param_index++}`);
+        params.push(options.since_seq);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+    const limit = options?.limit ?? AUDIT_LOG_DEFAULT_LIMIT;
+    const offset = options?.offset ?? 0;
+    return deps.db.query(`SELECT * FROM audit_log ${where} ORDER BY seq DESC LIMIT $${param_index++} OFFSET $${param_index}`, [...params, limit, offset]);
+};
+/**
+ * List audit log entries with resolved usernames, newest first.
+ *
+ * @param deps - query dependencies
+ * @param options - filters and pagination
+ * @returns matching audit log entries with `username` and `target_username`
+ */
+export const query_audit_log_list_with_usernames = async (deps, options) => {
+    const conditions = [];
+    const params = [];
+    let param_index = 1;
+    if (options?.event_type) {
+        conditions.push(`al.event_type = $${param_index++}`);
+        params.push(options.event_type);
+    }
+    if (options?.event_type_in && options.event_type_in.length > 0) {
+        const placeholders = options.event_type_in.map(() => `$${param_index++}`);
+        conditions.push(`al.event_type IN (${placeholders.join(', ')})`);
+        params.push(...options.event_type_in);
+    }
+    if (options?.account_id) {
+        conditions.push(`(al.account_id = $${param_index} OR al.target_account_id = $${param_index})`);
+        param_index++;
+        params.push(options.account_id);
+    }
+    if (options?.outcome) {
+        conditions.push(`al.outcome = $${param_index++}`);
+        params.push(options.outcome);
+    }
+    if (options?.since_seq != null) {
+        conditions.push(`al.seq > $${param_index++}`);
+        params.push(options.since_seq);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+    const limit = options?.limit ?? AUDIT_LOG_DEFAULT_LIMIT;
+    const offset = options?.offset ?? 0;
+    return deps.db.query(`SELECT al.*,
+			a1.username AS username,
+			a2.username AS target_username
+		 FROM audit_log al
+		 LEFT JOIN account a1 ON a1.id = al.account_id
+		 LEFT JOIN account a2 ON a2.id = al.target_account_id
+		 ${where} ORDER BY al.seq DESC LIMIT $${param_index++} OFFSET $${param_index}`, [...params, limit, offset]);
+};
+/**
+ * List audit log entries related to an account (as actor or target).
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to query for
+ * @param limit - maximum entries to return
+ */
+export const query_audit_log_list_for_account = async (deps, account_id, limit = AUDIT_LOG_DEFAULT_LIMIT) => {
+    return deps.db.query(`SELECT * FROM audit_log
+		 WHERE account_id = $1 OR target_account_id = $1
+		 ORDER BY seq DESC LIMIT $2`, [account_id, limit]);
+};
+/**
+ * List permit grant/revoke events with resolved usernames.
+ *
+ * @param deps - query dependencies
+ * @param limit - maximum entries to return
+ * @param offset - number of entries to skip
+ * @returns permit history events with `username` and `target_username`
+ */
+export const query_audit_log_list_permit_history = async (deps, limit = AUDIT_LOG_DEFAULT_LIMIT, offset = 0) => {
+    return deps.db.query(`SELECT al.*,
+			a1.username AS username,
+			a2.username AS target_username
+		 FROM audit_log al
+		 LEFT JOIN account a1 ON a1.id = al.account_id
+		 LEFT JOIN account a2 ON a2.id = al.target_account_id
+		 WHERE al.event_type IN ('permit_grant', 'permit_revoke')
+		 ORDER BY al.seq DESC LIMIT $1 OFFSET $2`, [limit, offset]);
+};
+/**
+ * Delete audit log entries older than the given date.
+ *
+ * @param deps - query dependencies
+ * @param before - delete entries created before this date
+ * @returns the number of entries deleted
+ */
+export const query_audit_log_cleanup_before = async (deps, before) => {
+    const rows = await deps.db.query(`DELETE FROM audit_log WHERE created_at < $1 RETURNING id`, [before.toISOString()]);
+    return rows.length;
+};
+/**
+ * Log an audit event without blocking the caller.
+ *
+ * Errors are logged to console — audit logging never breaks auth flows.
+ * Uses `background_db` so audit entries persist even if the request transaction rolls back.
+ * Write failures and `on_event` callback failures are logged separately
+ * so the error message indicates which phase failed.
+ *
+ * @param route - `background_db` and `pending_effects` from the route context
+ * @param input - the audit event to record
+ * @param log - the logger instance
+ * @param on_event - callback invoked with the inserted row after a successful write
+ * @returns the settled promise (callers may ignore it — fire-and-forget semantics preserved)
+ */
+export const audit_log_fire_and_forget = (route, input, log, on_event) => {
+    const p = query_audit_log({ db: route.background_db }, input)
+        .then((event) => {
+        try {
+            on_event(event);
+        }
+        catch (callback_err) {
+            log.error('Audit log on_event callback failed:', callback_err);
+        }
+    })
+        .catch((err) => {
+        log.error('Audit log write failed:', err);
+    });
+    route.pending_effects.push(p);
+    return p;
+};

package/dist/auth/audit_log_routes.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Audit log and admin observability route specs.
+ *
+ * All routes require admin role by default. Provides audit event listing,
+ * permit history shortcut, and active session overview.
+ *
+ * @module
+ */
+import type { Logger } from '@fuzdev/fuz_util/log.js';
+import type { RouteSpec } from '../http/route_spec.js';
+import { type SseStream, type SseNotification } from '../realtime/sse.js';
+/** Options for audit log route specs. */
+export interface AuditLogRouteOptions {
+    /** Role required to access audit routes. Default `'admin'`. */
+    required_role?: string;
+    /**
+     * When provided, includes an SSE route at `/audit-log/stream` for realtime audit events.
+     * The `subscribe` function receives the stream, channels, and the subscriber's `account_id`
+     * as an identity key — enabling `close_by_identity()` for auth revocation.
+     */
+    stream?: {
+        subscribe: (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void;
+        log: Logger;
+    };
+}
+/**
+ * Create audit log and admin observability route specs.
+ *
+ * @param options - optional options with role override
+ * @returns route specs for audit log and admin session management
+ */
+export declare const create_audit_log_route_specs: (options?: AuditLogRouteOptions) => Array<RouteSpec>;
+//# sourceMappingURL=audit_log_routes.d.ts.map

package/dist/auth/audit_log_routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAQpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAU7F,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CACV,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAClC,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EACxB,QAAQ,CAAC,EAAE,MAAM,KACb,MAAM,IAAI,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAuF5F,CAAC"}

package/dist/auth/audit_log_routes.js

@@ -0,0 +1,106 @@
+/**
+ * Audit log and admin observability route specs.
+ *
+ * All routes require admin role by default. Provides audit event listing,
+ * permit history shortcut, and active session overview.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { AuditLogEventWithUsernamesJson, AdminSessionJson, AuditEventType, PermitHistoryEventJson, } from './audit_log_schema.js';
+import { AUDIT_LOG_DEFAULT_LIMIT, query_audit_log_list_with_usernames, query_audit_log_list_permit_history, } from './audit_log_queries.js';
+import { query_session_list_all_active } from './session_queries.js';
+import { ERROR_INVALID_EVENT_TYPE } from '../http/error_schemas.js';
+import { create_sse_response } from '../realtime/sse.js';
+import { require_request_context } from './request_context.js';
+// TODO upstream to fuz_util
+/** Parse a string to an integer, returning `undefined` for non-numeric input (including `NaN`). */
+const parse_int_or_undefined = (value) => {
+    const n = parseInt(value, 10);
+    return Number.isFinite(n) ? n : undefined;
+};
+/**
+ * Create audit log and admin observability route specs.
+ *
+ * @param options - optional options with role override
+ * @returns route specs for audit log and admin session management
+ */
+export const create_audit_log_route_specs = (options) => {
+    const role = options?.required_role ?? 'admin';
+    const routes = [
+        {
+            method: 'GET',
+            path: '/audit-log',
+            auth: { type: 'role', role },
+            description: 'List audit log events with optional filters',
+            input: z.null(),
+            output: z.strictObject({ events: z.array(AuditLogEventWithUsernamesJson) }),
+            errors: { 400: z.looseObject({ error: z.literal(ERROR_INVALID_EVENT_TYPE) }) },
+            handler: async (c, route) => {
+                const raw_event_type = c.req.query('event_type') || undefined;
+                if (raw_event_type && !AuditEventType.safeParse(raw_event_type).success) {
+                    return c.json({ error: ERROR_INVALID_EVENT_TYPE }, 400);
+                }
+                const event_type = raw_event_type;
+                const account_id = c.req.query('account_id') || undefined;
+                const limit = Math.max(1, Math.min(200, parseInt(c.req.query('limit') ?? '', 10) || AUDIT_LOG_DEFAULT_LIMIT));
+                const offset = Math.max(0, parseInt(c.req.query('offset') ?? '', 10) || 0);
+                const raw_since_seq = c.req.query('since_seq');
+                const since_seq = raw_since_seq != null ? parse_int_or_undefined(raw_since_seq) : undefined;
+                const events = await query_audit_log_list_with_usernames(route, {
+                    event_type,
+                    account_id,
+                    limit,
+                    offset,
+                    since_seq,
+                });
+                return c.json({ events });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/audit-log/permit-history',
+            auth: { type: 'role', role },
+            description: 'List permit grant and revoke events with usernames',
+            input: z.null(),
+            output: z.strictObject({ events: z.array(PermitHistoryEventJson) }),
+            handler: async (c, route) => {
+                const limit = Math.max(1, Math.min(200, parseInt(c.req.query('limit') ?? '', 10) || AUDIT_LOG_DEFAULT_LIMIT));
+                const offset = Math.max(0, parseInt(c.req.query('offset') ?? '', 10) || 0);
+                const events = await query_audit_log_list_permit_history(route, limit, offset);
+                return c.json({ events });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/sessions',
+            auth: { type: 'role', role },
+            description: 'List all active sessions across all accounts',
+            input: z.null(),
+            output: z.strictObject({ sessions: z.array(AdminSessionJson) }),
+            handler: async (c, route) => {
+                const sessions = await query_session_list_all_active(route);
+                return c.json({ sessions });
+            },
+        },
+    ];
+    if (options?.stream) {
+        const { subscribe, log } = options.stream;
+        routes.push({
+            method: 'GET',
+            path: '/audit-log/stream',
+            auth: { type: 'role', role },
+            description: 'Subscribe to realtime audit log events',
+            input: z.null(),
+            output: z.null(), // SSE — no JSON response
+            handler: (c) => {
+                const ctx = require_request_context(c);
+                const { response, stream } = create_sse_response(c, log);
+                const unsubscribe = subscribe(stream, ['audit_log'], ctx.account.id);
+                stream.on_close(unsubscribe);
+                return response;
+            },
+        });
+    }
+    return routes;
+};

package/dist/auth/audit_log_schema.d.ts

@@ -0,0 +1,259 @@
+/**
+ * Audit log database schema and types.
+ *
+ * Records auth mutations (login, logout, grant, revoke, etc.) for
+ * security monitoring and operational visibility.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** All tracked auth event types. */
+export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "permit_grant", "permit_revoke", "invite_create", "invite_delete", "app_settings_update"];
+/** Zod schema for audit event types. */
+export declare const AuditEventType: z.ZodEnum<{
+    login: "login";
+    logout: "logout";
+    bootstrap: "bootstrap";
+    signup: "signup";
+    password_change: "password_change";
+    session_revoke: "session_revoke";
+    session_revoke_all: "session_revoke_all";
+    token_create: "token_create";
+    token_revoke: "token_revoke";
+    token_revoke_all: "token_revoke_all";
+    permit_grant: "permit_grant";
+    permit_revoke: "permit_revoke";
+    invite_create: "invite_create";
+    invite_delete: "invite_delete";
+    app_settings_update: "app_settings_update";
+}>;
+export type AuditEventType = z.infer<typeof AuditEventType>;
+/** Zod schema for audit event outcomes. */
+export declare const AuditOutcome: z.ZodEnum<{
+    success: "success";
+    failure: "failure";
+}>;
+export type AuditOutcome = z.infer<typeof AuditOutcome>;
+/**
+ * Per-event-type metadata Zod schemas.
+ *
+ * Uses `z.looseObject` so consumers can add extra fields
+ * (e.g. visiones `self_service`) while known fields are validated.
+ * Events with outcome-dependent metadata use a union with `z.null()`.
+ */
+export declare const AUDIT_METADATA_SCHEMAS: {
+    login: z.ZodNullable<z.ZodObject<{
+        username: z.ZodString;
+    }, z.core.$loose>>;
+    logout: z.ZodNull;
+    bootstrap: z.ZodNullable<z.ZodObject<{
+        error: z.ZodString;
+    }, z.core.$loose>>;
+    signup: z.ZodObject<{
+        username: z.ZodString;
+        invite_id: z.ZodOptional<z.ZodString>;
+        open_signup: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$loose>;
+    password_change: z.ZodNullable<z.ZodObject<{
+        sessions_revoked: z.ZodNumber;
+    }, z.core.$loose>>;
+    session_revoke: z.ZodObject<{
+        session_id: z.ZodString;
+    }, z.core.$loose>;
+    session_revoke_all: z.ZodObject<{
+        count: z.ZodNumber;
+    }, z.core.$loose>;
+    token_create: z.ZodObject<{
+        token_id: z.ZodString;
+        name: z.ZodString;
+    }, z.core.$loose>;
+    token_revoke: z.ZodObject<{
+        token_id: z.ZodString;
+    }, z.core.$loose>;
+    token_revoke_all: z.ZodObject<{
+        count: z.ZodNumber;
+    }, z.core.$loose>;
+    permit_grant: z.ZodObject<{
+        role: z.ZodString;
+        permit_id: z.ZodString;
+    }, z.core.$loose>;
+    permit_revoke: z.ZodObject<{
+        role: z.ZodString;
+        permit_id: z.ZodString;
+    }, z.core.$loose>;
+    invite_create: z.ZodObject<{
+        invite_id: z.ZodString;
+        email: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodString>;
+    }, z.core.$loose>;
+    invite_delete: z.ZodObject<{
+        invite_id: z.ZodString;
+    }, z.core.$loose>;
+    app_settings_update: z.ZodObject<{
+        setting: z.ZodString;
+        old_value: z.ZodUnknown;
+        new_value: z.ZodUnknown;
+    }, z.core.$loose>;
+};
+/** Mapped type of metadata shapes per event type, derived from Zod schemas. */
+export type AuditMetadataMap = {
+    [K in AuditEventType]: z.infer<(typeof AUDIT_METADATA_SCHEMAS)[K]>;
+};
+/** Audit log row from the database. */
+export interface AuditLogEvent {
+    id: string;
+    seq: number;
+    event_type: AuditEventType;
+    outcome: AuditOutcome;
+    actor_id: string | null;
+    account_id: string | null;
+    target_account_id: string | null;
+    ip: string | null;
+    created_at: string;
+    metadata: Record<string, unknown> | null;
+}
+/**
+ * Narrow metadata type for a known event type.
+ *
+ * Use after checking `event_type` to get typed metadata access.
+ */
+export declare const get_audit_metadata: <T extends AuditEventType>(event: AuditLogEvent & {
+    event_type: T;
+}) => AuditMetadataMap[T] | null;
+/** Input for creating an audit log entry. */
+export interface AuditLogInput<T extends AuditEventType = AuditEventType> {
+    event_type: T;
+    outcome?: AuditOutcome;
+    actor_id?: string | null;
+    account_id?: string | null;
+    target_account_id?: string | null;
+    ip?: string | null;
+    metadata?: (AuditMetadataMap[T] & Record<string, unknown>) | null;
+}
+/** Options for listing audit log entries. */
+export interface AuditLogListOptions {
+    limit?: number;
+    offset?: number;
+    event_type?: AuditEventType;
+    event_type_in?: Array<AuditEventType>;
+    account_id?: string;
+    outcome?: AuditOutcome;
+    /** When set, only return events with `seq` greater than this value. Enables SSE reconnection gap fill. */
+    since_seq?: number;
+}
+/** Zod schema for client-safe audit log event. */
+export declare const AuditLogEventJson: z.ZodObject<{
+    id: z.ZodString;
+    seq: z.ZodNumber;
+    event_type: z.ZodEnum<{
+        login: "login";
+        logout: "logout";
+        bootstrap: "bootstrap";
+        signup: "signup";
+        password_change: "password_change";
+        session_revoke: "session_revoke";
+        session_revoke_all: "session_revoke_all";
+        token_create: "token_create";
+        token_revoke: "token_revoke";
+        token_revoke_all: "token_revoke_all";
+        permit_grant: "permit_grant";
+        permit_revoke: "permit_revoke";
+        invite_create: "invite_create";
+        invite_delete: "invite_delete";
+        app_settings_update: "app_settings_update";
+    }>;
+    outcome: z.ZodEnum<{
+        success: "success";
+        failure: "failure";
+    }>;
+    actor_id: z.ZodNullable<z.ZodString>;
+    account_id: z.ZodNullable<z.ZodString>;
+    target_account_id: z.ZodNullable<z.ZodString>;
+    ip: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+export type AuditLogEventJson = z.infer<typeof AuditLogEventJson>;
+/** Zod schema for audit log events with resolved usernames. */
+export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
+    id: z.ZodString;
+    seq: z.ZodNumber;
+    event_type: z.ZodEnum<{
+        login: "login";
+        logout: "logout";
+        bootstrap: "bootstrap";
+        signup: "signup";
+        password_change: "password_change";
+        session_revoke: "session_revoke";
+        session_revoke_all: "session_revoke_all";
+        token_create: "token_create";
+        token_revoke: "token_revoke";
+        token_revoke_all: "token_revoke_all";
+        permit_grant: "permit_grant";
+        permit_revoke: "permit_revoke";
+        invite_create: "invite_create";
+        invite_delete: "invite_delete";
+        app_settings_update: "app_settings_update";
+    }>;
+    outcome: z.ZodEnum<{
+        success: "success";
+        failure: "failure";
+    }>;
+    actor_id: z.ZodNullable<z.ZodString>;
+    account_id: z.ZodNullable<z.ZodString>;
+    target_account_id: z.ZodNullable<z.ZodString>;
+    ip: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    username: z.ZodNullable<z.ZodString>;
+    target_username: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+export type AuditLogEventWithUsernamesJson = z.infer<typeof AuditLogEventWithUsernamesJson>;
+/** Zod schema for permit history events with resolved usernames. */
+export declare const PermitHistoryEventJson: z.ZodObject<{
+    id: z.ZodString;
+    seq: z.ZodNumber;
+    event_type: z.ZodEnum<{
+        login: "login";
+        logout: "logout";
+        bootstrap: "bootstrap";
+        signup: "signup";
+        password_change: "password_change";
+        session_revoke: "session_revoke";
+        session_revoke_all: "session_revoke_all";
+        token_create: "token_create";
+        token_revoke: "token_revoke";
+        token_revoke_all: "token_revoke_all";
+        permit_grant: "permit_grant";
+        permit_revoke: "permit_revoke";
+        invite_create: "invite_create";
+        invite_delete: "invite_delete";
+        app_settings_update: "app_settings_update";
+    }>;
+    outcome: z.ZodEnum<{
+        success: "success";
+        failure: "failure";
+    }>;
+    actor_id: z.ZodNullable<z.ZodString>;
+    account_id: z.ZodNullable<z.ZodString>;
+    target_account_id: z.ZodNullable<z.ZodString>;
+    ip: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    username: z.ZodNullable<z.ZodString>;
+    target_username: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+export type PermitHistoryEventJson = z.infer<typeof PermitHistoryEventJson>;
+/** Zod schema for admin session listing (session + username). */
+export declare const AdminSessionJson: z.ZodObject<{
+    id: z.ZodString;
+    account_id: z.ZodString;
+    created_at: z.ZodString;
+    expires_at: z.ZodString;
+    last_seen_at: z.ZodString;
+    username: z.ZodString;
+}, z.core.$strict>;
+export type AdminSessionJson = z.infer<typeof AdminSessionJson>;
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_INDEXES: string[];
+//# sourceMappingURL=audit_log_schema.d.ts.map

package/dist/auth/audit_log_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,oCAAoC;AACpC,eAAO,MAAM,iBAAiB,8PAgBpB,CAAC;AAEX,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BU,CAAC;AAE9C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAClE;AAED,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}