@hazeljs/audit 0.2.0-beta.52

package/LICENSE

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2024 HazelJS Team
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+---
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+   Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+   stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+   that You distribute, all copyright, patent, trademark, and
+   attribution notices from the Source form of the Work,
+   excluding those notices that do not pertain to any part of
+   the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+   distribution, then any Derivative Works that You distribute must
+   include a readable copy of the attribution notices contained
+   within such NOTICE file, excluding those notices that do not
+   pertain to any part of the Derivative Works, in at least one
+   of the following places: within a NOTICE text file distributed
+   as part of the Derivative Works; within the Source form or
+   documentation, if provided along with the Derivative Works; or,
+   within a display generated by the Derivative Works, if and
+   wherever such third-party notices normally appear. The contents
+   of the NOTICE file are for informational purposes only and
+   do not modify the License. You may add Your own attribution
+   notices within Derivative Works that You distribute, alongside
+   or as an addendum to the NOTICE text from the Work, provided
+   that such additional attribution notices cannot be construed
+   as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,164 @@
+# @hazeljs/audit
+
+**Audit logging and event trail for HazelJS. Record who did what, when, and with what outcome.**
+
+Compliance-ready audit events from HTTP requests and custom business logic. Console, file, or Kafka. Redact secrets, add actors from context, and plug in your own transports.
+
+[![npm version](https://img.shields.io/npm/v/@hazeljs/audit.svg)](https://www.npmjs.com/package/@hazeljs/audit)
+[![npm downloads](https://img.shields.io/npm/dm/@hazeljs/audit)](https://www.npmjs.com/package/@hazeljs/audit)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+## Features
+
+- **HTTP audit** — `AuditInterceptor` logs every request (method, path, result)
+- **Custom events** — Inject `AuditService` and call `log()` with action, resource, actor
+- **Transports** — Console (default), file (JSONL with rotation), Kafka (JSON or Avro)
+- **@Audit decorator** — Mark handlers with action/resource for metadata and tooling
+- **Redaction** — Sensitive keys (password, token, etc.) redacted by default
+- **Actor from context** — `actorFromContext()` maps request user to audit actor
+
+## Installation
+
+```bash
+npm install @hazeljs/audit @hazeljs/core
+```
+
+## Quick Start
+
+### 1. Register the module
+
+```typescript
+import { HazelModule } from '@hazeljs/core';
+import { AuditModule } from '@hazeljs/audit';
+
+@HazelModule({
+  imports: [AuditModule.forRoot()],
+})
+export class AppModule {}
+```
+
+With the module registered, use **AuditInterceptor** to log every HTTP request, or inject **AuditService** and call `log()` for custom events.
+
+### 2. Module options
+
+```typescript
+AuditModule.forRoot({
+  transports: [new ConsoleAuditTransport()], // default
+  includeRequestContext: true,
+  redactKeys: ['password', 'token', 'secret', 'authorization'],
+});
+```
+
+### 3. Custom events with AuditService
+
+```typescript
+import { Injectable } from '@hazeljs/core';
+import { AuditService } from '@hazeljs/audit';
+import type { RequestContext } from '@hazeljs/core';
+
+@Injectable()
+export class OrderService {
+  constructor(private readonly audit: AuditService) {}
+
+  async create(data: CreateOrderDto, context: RequestContext) {
+    const order = await this.repo.create(data);
+    this.audit.log({
+      action: 'order.create',
+      actor: this.audit.actorFromContext(context),
+      resource: 'Order',
+      resourceId: order.id,
+      result: 'success',
+      metadata: { amount: order.total },
+    });
+    return order;
+  }
+}
+```
+
+## Audit event shape
+
+- **action** — e.g. `user.login`, `order.create`
+- **actor** — `{ id, username?, role? }` from request context when available
+- **resource** / **resourceId** — what was affected
+- **result** — `success` | `failure` | `denied`
+- **timestamp** — ISO string (set automatically if omitted)
+- **method** / **path** — from HTTP context when using the interceptor
+- **metadata** — extra structured data (sensitive keys redacted by default)
+
+## Transports
+
+### Console (default)
+
+Writes one JSON line per event to stdout.
+
+```typescript
+import { ConsoleAuditTransport } from '@hazeljs/audit';
+
+transports: [new ConsoleAuditTransport()],
+```
+
+### File (JSONL)
+
+Appends to a file. Creates the file and parent dir on first event. Supports rotation by size or by day.
+
+```typescript
+import { FileAuditTransport } from '@hazeljs/audit';
+
+transports: [
+  new FileAuditTransport({
+    filePath: 'logs/audit.jsonl',
+    ensureDir: true,
+    maxSizeBytes: 10 * 1024 * 1024, // 10MB
+    rollDaily: true, // audit.2025-03-01.jsonl
+  }),
+],
+```
+
+### Kafka
+
+Sends each event to a Kafka topic. Use with [@hazeljs/kafka](https://www.npmjs.com/package/@hazeljs/kafka): pass `KafkaProducerService` as the sender. Optional **key** for partitioning; optional **serialize** for custom format (default JSON). For Avro, pass a `serialize` function that returns a `Buffer` (e.g. using `avsc` or Confluent Schema Registry).
+
+```typescript
+import { KafkaAuditTransport } from '@hazeljs/audit';
+import { KafkaProducerService } from '@hazeljs/kafka';
+
+const transport = new KafkaAuditTransport({
+  sender: kafkaProducerService, // from your app's container
+  topic: 'audit',
+  key: (e) => e.actor?.id?.toString(), // optional partition key
+  // serialize: (e) => avroType.toBuffer(e), // optional Avro
+});
+```
+
+### Custom transport
+
+Implement **AuditTransport** (interface with `log(event: AuditEvent)`) to send events to your database, SIEM, or logging service.
+
+## @Audit decorator
+
+Mark handlers with custom action/resource for metadata and tooling:
+
+```typescript
+import { Controller, Post, Body } from '@hazeljs/core';
+import { Audit } from '@hazeljs/audit';
+
+@Controller('/orders')
+export class OrderController {
+  @Post()
+  @Audit({ action: 'order.create', resource: 'Order' })
+  async create(@Body() dto: CreateOrderDto) {
+    return this.orderService.create(dto);
+  }
+}
+```
+
+## License
+
+Apache 2.0 © [HazelJS](https://hazeljs.com)
+
+## Links
+
+- [Documentation](https://hazeljs.com/docs/packages/auth)
+- [GitHub](https://github.com/hazel-js/hazeljs)
+- [Issues](https://github.com/hazel-js/hazeljs/issues)
+- [Discord](https://discord.gg/hazeljs)

package/dist/audit.module.d.ts

@@ -0,0 +1,11 @@
+/**
+ * AuditModule - Audit logging for HazelJS
+ */
+import type { AuditModuleOptions } from './audit.types';
+export declare const AUDIT_SERVICE_TOKEN = "AuditService";
+export declare class AuditModule {
+    private static options;
+    static forRoot(options?: AuditModuleOptions): typeof AuditModule;
+    static getOptions(): AuditModuleOptions;
+}
+//# sourceMappingURL=audit.module.d.ts.map

package/dist/audit.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.module.d.ts","sourceRoot":"","sources":["../src/audit.module.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAExD,eAAO,MAAM,mBAAmB,iBAAiB,CAAC;AAElD,qBAIa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,OAAO,CAA0B;IAEhD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,OAAO,WAAW;IAQhE,MAAM,CAAC,UAAU,IAAI,kBAAkB;CAGxC"}

package/dist/audit.module.js

@@ -0,0 +1,37 @@
+"use strict";
+/**
+ * AuditModule - Audit logging for HazelJS
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AuditModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditModule = exports.AUDIT_SERVICE_TOKEN = void 0;
+const core_1 = require("@hazeljs/core");
+const audit_service_1 = require("./audit.service");
+const audit_interceptor_1 = require("./interceptors/audit.interceptor");
+exports.AUDIT_SERVICE_TOKEN = 'AuditService';
+let AuditModule = AuditModule_1 = class AuditModule {
+    static forRoot(options) {
+        AuditModule_1.options = options ?? {};
+        if (options) {
+            audit_service_1.AuditService.configure(options);
+        }
+        return AuditModule_1;
+    }
+    static getOptions() {
+        return AuditModule_1.options;
+    }
+};
+exports.AuditModule = AuditModule;
+AuditModule.options = {};
+exports.AuditModule = AuditModule = AuditModule_1 = __decorate([
+    (0, core_1.HazelModule)({
+        providers: [audit_service_1.AuditService, audit_interceptor_1.AuditInterceptor],
+        exports: [audit_service_1.AuditService, audit_interceptor_1.AuditInterceptor],
+    })
+], AuditModule);

package/dist/audit.service.d.ts

@@ -0,0 +1,32 @@
+/**
+ * AuditService - Record audit events and send to configured transports
+ */
+import type { RequestContext } from '@hazeljs/core';
+import type { AuditEvent, AuditTransport, AuditActor, AuditModuleOptions } from './audit.types';
+export declare class AuditService {
+    private static staticOptions;
+    private transports;
+    private redactKeys;
+    constructor(options?: AuditModuleOptions);
+    static configure(options: AuditModuleOptions): void;
+    /**
+     * Add a transport at runtime (e.g. Kafka after producer is available).
+     */
+    addTransport(transport: AuditTransport): void;
+    /**
+     * Record an audit event. Events are sent to all configured transports.
+     */
+    log(event: Omit<AuditEvent, 'timestamp'> & {
+        timestamp?: string;
+    }): void;
+    /**
+     * Create an actor from RequestContext (e.g. authenticated user).
+     */
+    actorFromContext(context: RequestContext): AuditActor | undefined;
+    /**
+     * Build a minimal audit event from an HTTP request context (for use by AuditInterceptor).
+     */
+    eventFromContext(context: RequestContext, result?: 'success' | 'failure' | 'denied', action?: string): AuditEvent;
+    private sanitize;
+}
+//# sourceMappingURL=audit.service.d.ts.map

package/dist/audit.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.service.d.ts","sourceRoot":"","sources":["../src/audit.service.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGhG,qBACa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAC,aAAa,CAA0B;IACtD,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,UAAU,CAA0B;gBAEhC,OAAO,CAAC,EAAE,kBAAkB;IAgBxC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI;IAInD;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,cAAc,GAAG,IAAI;IAI7C;;OAEG;IACH,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAoBxE;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,cAAc,GAAG,UAAU,GAAG,SAAS;IAMjE;;OAEG;IACH,gBAAgB,CACd,OAAO,EAAE,cAAc,EACvB,MAAM,GAAE,SAAS,GAAG,SAAS,GAAG,QAAoB,EACpD,MAAM,CAAC,EAAE,MAAM,GACd,UAAU;IAab,OAAO,CAAC,QAAQ;CAUjB"}

package/dist/audit.service.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * AuditService - Record audit events and send to configured transports
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AuditService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditService = void 0;
+const core_1 = require("@hazeljs/core");
+const console_transport_1 = require("./transports/console.transport");
+let AuditService = AuditService_1 = class AuditService {
+    constructor(options) {
+        this.transports = [];
+        this.redactKeys = new Set();
+        const opts = options ?? { ...AuditService_1.staticOptions };
+        this.redactKeys = new Set((opts.redactKeys ?? ['password', 'token', 'secret', 'authorization']).map((k) => k.toLowerCase()));
+        if (opts.transports && opts.transports.length > 0) {
+            this.transports = opts.transports;
+        }
+        else if (AuditService_1.staticOptions.transports?.length) {
+            this.transports = AuditService_1.staticOptions.transports;
+        }
+        else {
+            this.transports = [new console_transport_1.ConsoleAuditTransport()];
+        }
+    }
+    static configure(options) {
+        AuditService_1.staticOptions = { ...AuditService_1.staticOptions, ...options };
+    }
+    /**
+     * Add a transport at runtime (e.g. Kafka after producer is available).
+     */
+    addTransport(transport) {
+        this.transports.push(transport);
+    }
+    /**
+     * Record an audit event. Events are sent to all configured transports.
+     */
+    log(event) {
+        const full = {
+            ...event,
+            timestamp: event.timestamp ?? new Date().toISOString(),
+        };
+        const sanitized = this.sanitize(full);
+        for (const transport of this.transports) {
+            try {
+                const result = transport.log(sanitized);
+                if (result instanceof Promise) {
+                    result.catch((err) => {
+                        core_1.logger.error('[AuditService] transport error:', err);
+                    });
+                }
+            }
+            catch (err) {
+                core_1.logger.error('[AuditService] transport error:', err);
+            }
+        }
+    }
+    /**
+     * Create an actor from RequestContext (e.g. authenticated user).
+     */
+    actorFromContext(context) {
+        if (!context.user)
+            return undefined;
+        const { id, username, role, ...rest } = context.user;
+        return { id, username, role, ...rest };
+    }
+    /**
+     * Build a minimal audit event from an HTTP request context (for use by AuditInterceptor).
+     */
+    eventFromContext(context, result = 'success', action) {
+        const actor = this.actorFromContext(context);
+        return {
+            action: action ?? `http.${context.method?.toLowerCase()}`,
+            actor,
+            result,
+            timestamp: new Date().toISOString(),
+            method: context.method,
+            path: context.url,
+            metadata: context.url ? { path: context.url, method: context.method } : undefined,
+        };
+    }
+    sanitize(event) {
+        if (!event.metadata || this.redactKeys.size === 0)
+            return event;
+        const metadata = { ...event.metadata };
+        for (const key of Object.keys(metadata)) {
+            if (this.redactKeys.has(key.toLowerCase())) {
+                metadata[key] = '[REDACTED]';
+            }
+        }
+        return { ...event, metadata };
+    }
+};
+exports.AuditService = AuditService;
+AuditService.staticOptions = {};
+exports.AuditService = AuditService = AuditService_1 = __decorate([
+    (0, core_1.Injectable)(),
+    __metadata("design:paramtypes", [Object])
+], AuditService);

package/dist/audit.types.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Audit event and module options
+ */
+export interface AuditActor {
+    id: string | number;
+    username?: string;
+    role?: string;
+    [key: string]: unknown;
+}
+export interface AuditEvent {
+    /** Action identifier (e.g. 'user.login', 'order.create') */
+    action: string;
+    /** Who performed the action (optional if not in request context) */
+    actor?: AuditActor;
+    /** Resource affected (e.g. 'User', 'Order', entity id) */
+    resource?: string;
+    /** Resource identifier (e.g. entity id) */
+    resourceId?: string | number;
+    /** Outcome: success, failure, denied */
+    result?: 'success' | 'failure' | 'denied';
+    /** ISO timestamp */
+    timestamp: string;
+    /** Request or correlation id for tracing */
+    requestId?: string;
+    /** HTTP method when from HTTP request */
+    method?: string;
+    /** Path/URL when from HTTP request */
+    path?: string;
+    /** Additional structured data (no PII by default) */
+    metadata?: Record<string, unknown>;
+}
+export interface AuditTransport {
+    /** Send an audit event to the transport (e.g. console, DB, external service) */
+    log(event: AuditEvent): void | Promise<void>;
+}
+export interface AuditModuleOptions {
+    /** Transports to use (default: console) */
+    transports?: AuditTransport[];
+    /** Include request context (method, path) in auto-audit events */
+    includeRequestContext?: boolean;
+    /** Redact sensitive keys from metadata */
+    redactKeys?: string[];
+}
+//# sourceMappingURL=audit.types.d.ts.map

package/dist/audit.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.types.d.ts","sourceRoot":"","sources":["../src/audit.types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,4DAA4D;IAC5D,MAAM,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,wCAAwC;IACxC,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC1C,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,cAAc;IAC7B,gFAAgF;IAChF,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9C;AAED,MAAM,WAAW,kBAAkB;IACjC,2CAA2C;IAC3C,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC;IAC9B,kEAAkE;IAClE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0CAA0C;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB"}

package/dist/audit.types.js

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Audit event and module options
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/decorators/audit.decorator.d.ts

@@ -0,0 +1,15 @@
+/**
+ * @Audit - Mark a handler or method as audited with custom action/resource
+ */
+export interface AuditDecoratorOptions {
+    /** Action name (e.g. 'order.create', 'user.login') */
+    action: string;
+    /** Resource type or name (e.g. 'Order', 'User') */
+    resource?: string;
+    /** Include result in audit (success/failure from return or throw) */
+    includeResult?: boolean;
+}
+export declare function Audit(options: AuditDecoratorOptions | string): MethodDecorator;
+export declare function getAuditMetadata(target: object, propertyKey: string | symbol): AuditDecoratorOptions | undefined;
+export declare function hasAuditMetadata(target: object, propertyKey: string | symbol): boolean;
+//# sourceMappingURL=audit.decorator.d.ts.map

package/dist/decorators/audit.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/audit.decorator.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,WAAW,qBAAqB;IACpC,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,wBAAgB,KAAK,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,GAAG,eAAe,CAS9E;AAED,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,GAAG,MAAM,GAC3B,qBAAqB,GAAG,SAAS,CAEnC;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAEtF"}

package/dist/decorators/audit.decorator.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * @Audit - Mark a handler or method as audited with custom action/resource
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Audit = Audit;
+exports.getAuditMetadata = getAuditMetadata;
+exports.hasAuditMetadata = hasAuditMetadata;
+const AUDIT_METADATA_KEY = 'hazel:audit';
+function Audit(options) {
+    const opts = typeof options === 'string' ? { action: options } : options;
+    return function (target, propertyKey, _descriptor) {
+        Reflect.defineMetadata(AUDIT_METADATA_KEY, opts, target, propertyKey);
+    };
+}
+function getAuditMetadata(target, propertyKey) {
+    return Reflect.getMetadata(AUDIT_METADATA_KEY, target, propertyKey);
+}
+function hasAuditMetadata(target, propertyKey) {
+    return Reflect.hasMetadata(AUDIT_METADATA_KEY, target, propertyKey);
+}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @hazeljs/audit - Audit logging and event trail for HazelJS
+ */
+export { AuditModule, AUDIT_SERVICE_TOKEN } from './audit.module';
+export { AuditService } from './audit.service';
+export { AuditInterceptor } from './interceptors/audit.interceptor';
+export { ConsoleAuditTransport } from './transports/console.transport';
+export { FileAuditTransport } from './transports/file.transport';
+export { KafkaAuditTransport } from './transports/kafka.transport';
+export { Audit, getAuditMetadata, hasAuditMetadata } from './decorators/audit.decorator';
+export type { AuditEvent, AuditActor, AuditTransport, AuditModuleOptions } from './audit.types';
+export type { AuditDecoratorOptions } from './decorators/audit.decorator';
+export type { AuditInterceptorOptions } from './interceptors/audit.interceptor';
+export type { FileAuditTransportOptions } from './transports/file.transport';
+export type { KafkaAuditTransportOptions, KafkaAuditSender, KafkaAuditSerializer, } from './transports/kafka.transport';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAEzF,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAChG,YAAY,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAChF,YAAY,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AAC7E,YAAY,EACV,0BAA0B,EAC1B,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,8BAA8B,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * @hazeljs/audit - Audit logging and event trail for HazelJS
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasAuditMetadata = exports.getAuditMetadata = exports.Audit = exports.KafkaAuditTransport = exports.FileAuditTransport = exports.ConsoleAuditTransport = exports.AuditInterceptor = exports.AuditService = exports.AUDIT_SERVICE_TOKEN = exports.AuditModule = void 0;
+var audit_module_1 = require("./audit.module");
+Object.defineProperty(exports, "AuditModule", { enumerable: true, get: function () { return audit_module_1.AuditModule; } });
+Object.defineProperty(exports, "AUDIT_SERVICE_TOKEN", { enumerable: true, get: function () { return audit_module_1.AUDIT_SERVICE_TOKEN; } });
+var audit_service_1 = require("./audit.service");
+Object.defineProperty(exports, "AuditService", { enumerable: true, get: function () { return audit_service_1.AuditService; } });
+var audit_interceptor_1 = require("./interceptors/audit.interceptor");
+Object.defineProperty(exports, "AuditInterceptor", { enumerable: true, get: function () { return audit_interceptor_1.AuditInterceptor; } });
+var console_transport_1 = require("./transports/console.transport");
+Object.defineProperty(exports, "ConsoleAuditTransport", { enumerable: true, get: function () { return console_transport_1.ConsoleAuditTransport; } });
+var file_transport_1 = require("./transports/file.transport");
+Object.defineProperty(exports, "FileAuditTransport", { enumerable: true, get: function () { return file_transport_1.FileAuditTransport; } });
+var kafka_transport_1 = require("./transports/kafka.transport");
+Object.defineProperty(exports, "KafkaAuditTransport", { enumerable: true, get: function () { return kafka_transport_1.KafkaAuditTransport; } });
+var audit_decorator_1 = require("./decorators/audit.decorator");
+Object.defineProperty(exports, "Audit", { enumerable: true, get: function () { return audit_decorator_1.Audit; } });
+Object.defineProperty(exports, "getAuditMetadata", { enumerable: true, get: function () { return audit_decorator_1.getAuditMetadata; } });
+Object.defineProperty(exports, "hasAuditMetadata", { enumerable: true, get: function () { return audit_decorator_1.hasAuditMetadata; } });

package/dist/interceptors/audit.interceptor.d.ts

@@ -0,0 +1,18 @@
+/**
+ * AuditInterceptor - Log HTTP requests as audit events
+ */
+import type { Interceptor } from '@hazeljs/core';
+import type { RequestContext } from '@hazeljs/core';
+import { AuditService } from '../audit.service';
+export interface AuditInterceptorOptions {
+    /** Only audit these HTTP methods (default: all) */
+    methods?: string[];
+    /** Path patterns to skip (e.g. ['/health', '/metrics']) */
+    excludePaths?: string[];
+}
+export declare class AuditInterceptor implements Interceptor {
+    private readonly auditService;
+    constructor(auditService: AuditService);
+    intercept(context: RequestContext, next: () => Promise<unknown>): Promise<unknown>;
+}
+//# sourceMappingURL=audit.interceptor.d.ts.map

package/dist/interceptors/audit.interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.interceptor.d.ts","sourceRoot":"","sources":["../../src/interceptors/audit.interceptor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,WAAW,uBAAuB;IACtC,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,qBACa,gBAAiB,YAAW,WAAW;IACtC,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAAZ,YAAY,EAAE,YAAY;IAEjD,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;CAYzF"}

package/dist/interceptors/audit.interceptor.js

@@ -0,0 +1,41 @@
+"use strict";
+/**
+ * AuditInterceptor - Log HTTP requests as audit events
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditInterceptor = void 0;
+const core_1 = require("@hazeljs/core");
+const audit_service_1 = require("../audit.service");
+let AuditInterceptor = class AuditInterceptor {
+    constructor(auditService) {
+        this.auditService = auditService;
+    }
+    async intercept(context, next) {
+        let result = 'success';
+        try {
+            return await next();
+        }
+        catch (_err) {
+            result = 'failure';
+            throw _err;
+        }
+        finally {
+            const action = context.method ? `http.${context.method.toLowerCase()}` : 'http.request';
+            this.auditService.log(this.auditService.eventFromContext(context, result, action));
+        }
+    }
+};
+exports.AuditInterceptor = AuditInterceptor;
+exports.AuditInterceptor = AuditInterceptor = __decorate([
+    (0, core_1.Injectable)(),
+    __metadata("design:paramtypes", [audit_service_1.AuditService])
+], AuditInterceptor);

package/dist/transports/console.transport.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Console audit transport - logs events to stdout as JSON
+ */
+import type { AuditTransport, AuditEvent } from '../audit.types';
+export declare class ConsoleAuditTransport implements AuditTransport {
+    log(event: AuditEvent): void;
+}
+//# sourceMappingURL=console.transport.d.ts.map

package/dist/transports/console.transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"console.transport.d.ts","sourceRoot":"","sources":["../../src/transports/console.transport.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjE,qBAAa,qBAAsB,YAAW,cAAc;IAC1D,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;CAO7B"}

package/dist/transports/console.transport.js

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Console audit transport - logs events to stdout as JSON
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConsoleAuditTransport = void 0;
+class ConsoleAuditTransport {
+    log(event) {
+        const line = JSON.stringify({
+            ...event,
+            _type: 'audit',
+        });
+        process.stdout.write(line + '\n');
+    }
+}
+exports.ConsoleAuditTransport = ConsoleAuditTransport;

package/dist/transports/file.transport.d.ts

@@ -0,0 +1,29 @@
+/**
+ * File audit transport — appends one JSON line per event. Supports rotation by size or by day.
+ * Parent directory is created at startup (when ensureDir is true); the file itself is created on first audit event.
+ */
+import type { AuditTransport, AuditEvent } from '../audit.types';
+export interface FileAuditTransportOptions {
+    /** Base path, e.g. logs/audit.jsonl. With rollDaily, becomes logs/audit.2025-03-01.jsonl */
+    filePath: string;
+    /** Create parent directory if missing (default: true) */
+    ensureDir?: boolean;
+    /** Rotate when file exceeds this size (bytes). Default: no rotation. Example: 10 * 1024 * 1024 = 10MB */
+    maxSizeBytes?: number;
+    /** Use one file per day (filename gets .YYYY-MM-DD before extension). Default: false */
+    rollDaily?: boolean;
+}
+export declare class FileAuditTransport implements AuditTransport {
+    private readonly basePath;
+    private readonly ensureDir;
+    private readonly maxSizeBytes;
+    private readonly rollDaily;
+    /** Current write path (can change when rolling) */
+    private currentPath;
+    constructor(options: FileAuditTransportOptions);
+    private resolveCurrentPath;
+    private ensureCurrentPath;
+    private shouldRollBySize;
+    log(event: AuditEvent): void;
+}
+//# sourceMappingURL=file.transport.d.ts.map

package/dist/transports/file.transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.transport.d.ts","sourceRoot":"","sources":["../../src/transports/file.transport.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjE,MAAM,WAAW,yBAAyB;IACxC,4FAA4F;IAC5F,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,yGAAyG;IACzG,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wFAAwF;IACxF,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAUD,qBAAa,kBAAmB,YAAW,cAAc;IACvD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IAEpC,mDAAmD;IACnD,OAAO,CAAC,WAAW,CAAS;gBAEhB,OAAO,EAAE,yBAAyB;IAyB9C,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,gBAAgB;IAWxB,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;CAe7B"}

package/dist/transports/file.transport.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * File audit transport — appends one JSON line per event. Supports rotation by size or by day.
+ * Parent directory is created at startup (when ensureDir is true); the file itself is created on first audit event.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileAuditTransport = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+function getDateSuffix() {
+    const now = new Date();
+    const y = now.getFullYear();
+    const m = String(now.getMonth() + 1).padStart(2, '0');
+    const d = String(now.getDate()).padStart(2, '0');
+    return `${y}-${m}-${d}`;
+}
+class FileAuditTransport {
+    constructor(options) {
+        this.basePath = path.isAbsolute(options.filePath)
+            ? options.filePath
+            : path.resolve(process.cwd(), options.filePath);
+        this.ensureDir = options.ensureDir !== false;
+        this.maxSizeBytes = options.maxSizeBytes;
+        this.rollDaily = options.rollDaily ?? false;
+        this.currentPath = this.resolveCurrentPath();
+        // Create directory and touch file at startup so the path is visible and writable before first event
+        if (this.ensureDir) {
+            const dir = path.dirname(this.currentPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+        }
+        // Ensure file exists so consumers see it immediately and first append succeeds
+        try {
+            if (!fs.existsSync(this.currentPath)) {
+                fs.writeFileSync(this.currentPath, '', 'utf8');
+            }
+        }
+        catch {
+            // ignore (e.g. permission); appendFileSync in log() will create on first write
+        }
+    }
+    resolveCurrentPath() {
+        if (!this.rollDaily)
+            return this.basePath;
+        const ext = path.extname(this.basePath);
+        const base = this.basePath.slice(0, -ext.length);
+        return `${base}.${getDateSuffix()}${ext}`;
+    }
+    ensureCurrentPath() {
+        if (this.ensureDir) {
+            const dir = path.dirname(this.currentPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+        }
+    }
+    shouldRollBySize() {
+        if (this.maxSizeBytes == null)
+            return false;
+        if (!fs.existsSync(this.currentPath))
+            return false;
+        try {
+            const stat = fs.statSync(this.currentPath);
+            return stat.size >= this.maxSizeBytes;
+        }
+        catch {
+            return false;
+        }
+    }
+    log(event) {
+        if (this.rollDaily) {
+            const next = this.resolveCurrentPath();
+            if (next !== this.currentPath)
+                this.currentPath = next;
+        }
+        if (this.shouldRollBySize()) {
+            const ext = path.extname(this.basePath);
+            const base = this.basePath.slice(0, -ext.length);
+            this.currentPath = `${base}.${Date.now()}${ext}`;
+        }
+        this.ensureCurrentPath();
+        const line = JSON.stringify({ ...event, _type: 'audit' }) + '\n';
+        fs.appendFileSync(this.currentPath, line, 'utf8');
+    }
+}
+exports.FileAuditTransport = FileAuditTransport;

package/dist/transports/kafka.transport.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Kafka audit transport — sends each audit event to a Kafka topic.
+ * Use with @hazeljs/kafka: pass KafkaProducerService as the sender.
+ * Supports JSON (default) or custom serialization (e.g. Avro via a serialize function).
+ */
+import type { AuditEvent, AuditTransport } from '../audit.types';
+/**
+ * Minimal sender interface so this package does not depend on @hazeljs/kafka.
+ * KafkaProducerService from @hazeljs/kafka implements this.
+ * Value can be string (JSON) or Buffer (e.g. Avro-encoded).
+ */
+export interface KafkaAuditSender {
+    send(topic: string, messages: {
+        key?: string;
+        value: string | Buffer;
+    } | Array<{
+        key?: string;
+        value: string | Buffer;
+    }>): Promise<void>;
+}
+/**
+ * Serialize an audit event for Kafka. Return string (JSON) or Buffer (e.g. Avro).
+ * For Avro: use `avsc` or Confluent Schema Registry and return the encoded Buffer.
+ */
+export type KafkaAuditSerializer = (event: AuditEvent) => string | Buffer | Promise<string | Buffer>;
+export interface KafkaAuditTransportOptions {
+    /** Sender that can send messages to Kafka (e.g. KafkaProducerService from @hazeljs/kafka) */
+    sender: KafkaAuditSender;
+    /** Topic to publish audit events to */
+    topic: string;
+    /** Optional key for partitioning (e.g. by actor id or resource) */
+    key?: (event: AuditEvent) => string | undefined;
+    /**
+     * Serialize event before sending. Default: JSON.stringify.
+     * For Avro: pass a function that encodes the event to Buffer (e.g. using avsc or @kafkajs/confluent-schema-registry).
+     */
+    serialize?: KafkaAuditSerializer;
+}
+export declare class KafkaAuditTransport implements AuditTransport {
+    private readonly sender;
+    private readonly topic;
+    private readonly keyFn;
+    private readonly serialize;
+    constructor(options: KafkaAuditTransportOptions);
+    log(event: AuditEvent): Promise<void>;
+}
+//# sourceMappingURL=kafka.transport.d.ts.map

package/dist/transports/kafka.transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kafka.transport.d.ts","sourceRoot":"","sources":["../../src/transports/kafka.transport.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEjE;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,CACF,KAAK,EAAE,MAAM,EACb,QAAQ,EACJ;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,GACxC,KAAK,CAAC;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC,GAClD,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAAG,CACjC,KAAK,EAAE,UAAU,KACd,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;AAEhD,MAAM,WAAW,0BAA0B;IACzC,6FAA6F;IAC7F,MAAM,EAAE,gBAAgB,CAAC;IACzB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,mEAAmE;IACnE,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,MAAM,GAAG,SAAS,CAAC;IAChD;;;OAGG;IACH,SAAS,CAAC,EAAE,oBAAoB,CAAC;CAClC;AAMD,qBAAa,mBAAoB,YAAW,cAAc;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;IAC1C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA0D;IAChF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAuB;gBAErC,OAAO,EAAE,0BAA0B;IAOzC,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;CAK5C"}

package/dist/transports/kafka.transport.js

@@ -0,0 +1,25 @@
+"use strict";
+/**
+ * Kafka audit transport — sends each audit event to a Kafka topic.
+ * Use with @hazeljs/kafka: pass KafkaProducerService as the sender.
+ * Supports JSON (default) or custom serialization (e.g. Avro via a serialize function).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KafkaAuditTransport = void 0;
+function defaultSerialize(event) {
+    return JSON.stringify(event);
+}
+class KafkaAuditTransport {
+    constructor(options) {
+        this.sender = options.sender;
+        this.topic = options.topic;
+        this.keyFn = options.key;
+        this.serialize = options.serialize ?? defaultSerialize;
+    }
+    async log(event) {
+        const value = await Promise.resolve(this.serialize(event));
+        const key = this.keyFn?.(event);
+        return this.sender.send(this.topic, key != null ? { key, value } : { value });
+    }
+}
+exports.KafkaAuditTransport = KafkaAuditTransport;

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@hazeljs/audit",
+  "version": "0.2.0-beta.52",
+  "description": "Audit logging and event trail for HazelJS applications",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "jest --coverage --passWithNoTests",
+    "lint": "eslint \"src/**/*.ts\"",
+    "lint:fix": "eslint \"src/**/*.ts\" --fix",
+    "clean": "rm -rf dist"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.11",
+    "@types/node": "^20.17.50",
+    "@typescript-eslint/eslint-plugin": "^8.18.2",
+    "@typescript-eslint/parser": "^8.18.2",
+    "eslint": "^8.56.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.2",
+    "typescript": "^5.3.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hazel-js/hazeljs.git",
+    "directory": "packages/audit"
+  },
+  "keywords": [
+    "hazeljs",
+    "audit",
+    "audit-log",
+    "audit-trail",
+    "compliance",
+    "logging"
+  ],
+  "author": "Muhammad Arslan <muhammad.arslan@hazeljs.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/hazeljs/hazel-js/issues"
+  },
+  "homepage": "https://hazeljs.com",
+  "peerDependencies": {
+    "@hazeljs/core": ">=0.2.0-beta.0"
+  },
+  "gitHead": "416ae971cf8fc45ab53df8cd6f43ad40439ef2f2"
+}