@keynv/core 0.1.0-rc.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/LICENSE +21 -0
  2. package/dist/audit/chain.d.ts +44 -0
  3. package/dist/audit/chain.d.ts.map +1 -0
  4. package/dist/audit/chain.js +134 -0
  5. package/dist/audit/chain.js.map +1 -0
  6. package/dist/audit/chain.test.d.ts +2 -0
  7. package/dist/audit/chain.test.d.ts.map +1 -0
  8. package/dist/audit/chain.test.js +192 -0
  9. package/dist/audit/chain.test.js.map +1 -0
  10. package/dist/audit/index.d.ts +5 -0
  11. package/dist/audit/index.d.ts.map +1 -0
  12. package/dist/audit/index.js +4 -0
  13. package/dist/audit/index.js.map +1 -0
  14. package/dist/audit/payload-schemas.d.ts +343 -0
  15. package/dist/audit/payload-schemas.d.ts.map +1 -0
  16. package/dist/audit/payload-schemas.js +112 -0
  17. package/dist/audit/payload-schemas.js.map +1 -0
  18. package/dist/audit/payload-schemas.test.d.ts +2 -0
  19. package/dist/audit/payload-schemas.test.d.ts.map +1 -0
  20. package/dist/audit/payload-schemas.test.js +93 -0
  21. package/dist/audit/payload-schemas.test.js.map +1 -0
  22. package/dist/audit/types.d.ts +34 -0
  23. package/dist/audit/types.d.ts.map +1 -0
  24. package/dist/audit/types.js +6 -0
  25. package/dist/audit/types.js.map +1 -0
  26. package/dist/crypto/envelope.d.ts +55 -0
  27. package/dist/crypto/envelope.d.ts.map +1 -0
  28. package/dist/crypto/envelope.js +108 -0
  29. package/dist/crypto/envelope.js.map +1 -0
  30. package/dist/crypto/envelope.test.d.ts +2 -0
  31. package/dist/crypto/envelope.test.d.ts.map +1 -0
  32. package/dist/crypto/envelope.test.js +163 -0
  33. package/dist/crypto/envelope.test.js.map +1 -0
  34. package/dist/crypto/index.d.ts +5 -0
  35. package/dist/crypto/index.d.ts.map +1 -0
  36. package/dist/crypto/index.js +4 -0
  37. package/dist/crypto/index.js.map +1 -0
  38. package/dist/crypto/sodium.d.ts +21 -0
  39. package/dist/crypto/sodium.d.ts.map +1 -0
  40. package/dist/crypto/sodium.js +43 -0
  41. package/dist/crypto/sodium.js.map +1 -0
  42. package/dist/crypto/types.d.ts +37 -0
  43. package/dist/crypto/types.d.ts.map +1 -0
  44. package/dist/crypto/types.js +11 -0
  45. package/dist/crypto/types.js.map +1 -0
  46. package/dist/index.d.ts +5 -0
  47. package/dist/index.d.ts.map +1 -0
  48. package/dist/index.js +5 -0
  49. package/dist/index.js.map +1 -0
  50. package/dist/reference/index.d.ts +4 -0
  51. package/dist/reference/index.d.ts.map +1 -0
  52. package/dist/reference/index.js +3 -0
  53. package/dist/reference/index.js.map +1 -0
  54. package/dist/reference/parser-property.test.d.ts +2 -0
  55. package/dist/reference/parser-property.test.d.ts.map +1 -0
  56. package/dist/reference/parser-property.test.js +115 -0
  57. package/dist/reference/parser-property.test.js.map +1 -0
  58. package/dist/reference/parser.d.ts +54 -0
  59. package/dist/reference/parser.d.ts.map +1 -0
  60. package/dist/reference/parser.js +144 -0
  61. package/dist/reference/parser.js.map +1 -0
  62. package/dist/reference/parser.test.d.ts +2 -0
  63. package/dist/reference/parser.test.d.ts.map +1 -0
  64. package/dist/reference/parser.test.js +195 -0
  65. package/dist/reference/parser.test.js.map +1 -0
  66. package/dist/reference/types.d.ts +52 -0
  67. package/dist/reference/types.d.ts.map +1 -0
  68. package/dist/reference/types.js +11 -0
  69. package/dist/reference/types.js.map +1 -0
  70. package/dist/validation/index.d.ts +33 -0
  71. package/dist/validation/index.d.ts.map +1 -0
  72. package/dist/validation/index.js +45 -0
  73. package/dist/validation/index.js.map +1 -0
  74. package/dist/validation/schemas.test.d.ts +2 -0
  75. package/dist/validation/schemas.test.d.ts.map +1 -0
  76. package/dist/validation/schemas.test.js +18 -0
  77. package/dist/validation/schemas.test.js.map +1 -0
  78. package/package.json +48 -0
@@ -0,0 +1,343 @@
1
+ /**
2
+ * Per-event-type payload schemas. The audit pipeline validates every
3
+ * payload against the schema for its event_type before hashing — this
4
+ * closes audit finding H2 (no schema → non-JSON values could hash
5
+ * deterministically without round-tripping through JSON.parse).
6
+ *
7
+ * Every schema is `.strict()` so unknown keys are rejected at compile
8
+ * time, not silently dropped or hashed. Adding a new event type
9
+ * requires extending this map; the type system enforces it.
10
+ */
11
+ import { z } from 'zod';
12
+ import type { AuditEventType } from './types.js';
13
+ export declare const PAYLOAD_SCHEMAS: {
14
+ readonly 'auth.register': z.ZodObject<{
15
+ email: z.ZodString;
16
+ org_id: z.ZodString;
17
+ org_name: z.ZodString;
18
+ }, "strict", z.ZodTypeAny, {
19
+ email: string;
20
+ org_id: string;
21
+ org_name: string;
22
+ }, {
23
+ email: string;
24
+ org_id: string;
25
+ org_name: string;
26
+ }>;
27
+ readonly 'auth.login.allowed': z.ZodObject<{
28
+ email: z.ZodString;
29
+ }, "strict", z.ZodTypeAny, {
30
+ email: string;
31
+ }, {
32
+ email: string;
33
+ }>;
34
+ readonly 'auth.login.denied': z.ZodObject<{
35
+ email: z.ZodString;
36
+ }, "strict", z.ZodTypeAny, {
37
+ email: string;
38
+ }, {
39
+ email: string;
40
+ }>;
41
+ readonly 'auth.logout': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
42
+ readonly 'auth.refresh': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
43
+ readonly 'auth.password_change.allowed': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
44
+ readonly 'auth.password_change.denied': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
45
+ readonly 'cli_token.created': z.ZodObject<{
46
+ token_id: z.ZodString;
47
+ name: z.ZodString;
48
+ }, "strict", z.ZodTypeAny, {
49
+ token_id: string;
50
+ name: string;
51
+ }, {
52
+ token_id: string;
53
+ name: string;
54
+ }>;
55
+ readonly 'cli_token.revoked': z.ZodObject<{
56
+ token_id: z.ZodString;
57
+ name: z.ZodString;
58
+ }, "strict", z.ZodTypeAny, {
59
+ token_id: string;
60
+ name: string;
61
+ }, {
62
+ token_id: string;
63
+ name: string;
64
+ }>;
65
+ readonly 'user.invited': z.ZodObject<{
66
+ target_user_id: z.ZodString;
67
+ email: z.ZodString;
68
+ org_role: z.ZodEnum<["owner", "admin", "developer", "reader"]>;
69
+ org_id: z.ZodString;
70
+ }, "strict", z.ZodTypeAny, {
71
+ email: string;
72
+ org_id: string;
73
+ target_user_id: string;
74
+ org_role: "developer" | "reader" | "owner" | "admin";
75
+ }, {
76
+ email: string;
77
+ org_id: string;
78
+ target_user_id: string;
79
+ org_role: "developer" | "reader" | "owner" | "admin";
80
+ }>;
81
+ readonly 'user.removed': z.ZodObject<{
82
+ target_user_id: z.ZodString;
83
+ email: z.ZodString;
84
+ }, "strict", z.ZodTypeAny, {
85
+ email: string;
86
+ target_user_id: string;
87
+ }, {
88
+ email: string;
89
+ target_user_id: string;
90
+ }>;
91
+ readonly 'user.role_changed': z.ZodObject<{
92
+ target_user_id: z.ZodString;
93
+ org_role: z.ZodEnum<["owner", "admin", "developer", "reader"]>;
94
+ }, "strict", z.ZodTypeAny, {
95
+ target_user_id: string;
96
+ org_role: "developer" | "reader" | "owner" | "admin";
97
+ }, {
98
+ target_user_id: string;
99
+ org_role: "developer" | "reader" | "owner" | "admin";
100
+ }>;
101
+ readonly 'project.created': z.ZodObject<{
102
+ project_id: z.ZodString;
103
+ name: z.ZodString;
104
+ environments: z.ZodArray<z.ZodString, "many">;
105
+ }, "strict", z.ZodTypeAny, {
106
+ name: string;
107
+ project_id: string;
108
+ environments: string[];
109
+ }, {
110
+ name: string;
111
+ project_id: string;
112
+ environments: string[];
113
+ }>;
114
+ readonly 'project.deleted': z.ZodObject<{
115
+ project_id: z.ZodString;
116
+ name: z.ZodString;
117
+ }, "strict", z.ZodTypeAny, {
118
+ name: string;
119
+ project_id: string;
120
+ }, {
121
+ name: string;
122
+ project_id: string;
123
+ }>;
124
+ readonly 'project.dek_rotated': z.ZodObject<{
125
+ project_id: z.ZodString;
126
+ }, "strict", z.ZodTypeAny, {
127
+ project_id: string;
128
+ }, {
129
+ project_id: string;
130
+ }>;
131
+ readonly 'environment.created': z.ZodObject<{
132
+ project_id: z.ZodString;
133
+ environment: z.ZodString;
134
+ tier: z.ZodEnum<["production", "non-production"]>;
135
+ require_approval: z.ZodBoolean;
136
+ }, "strict", z.ZodTypeAny, {
137
+ environment: string;
138
+ project_id: string;
139
+ tier: "production" | "non-production";
140
+ require_approval: boolean;
141
+ }, {
142
+ environment: string;
143
+ project_id: string;
144
+ tier: "production" | "non-production";
145
+ require_approval: boolean;
146
+ }>;
147
+ readonly 'member.added': z.ZodObject<{
148
+ project_id: z.ZodString;
149
+ target_user_id: z.ZodString;
150
+ role: z.ZodEnum<["lead", "developer", "reader"]>;
151
+ }, "strict", z.ZodTypeAny, {
152
+ target_user_id: string;
153
+ project_id: string;
154
+ role: "lead" | "developer" | "reader";
155
+ }, {
156
+ target_user_id: string;
157
+ project_id: string;
158
+ role: "lead" | "developer" | "reader";
159
+ }>;
160
+ readonly 'member.removed': z.ZodObject<{
161
+ project_id: z.ZodString;
162
+ target_user_id: z.ZodString;
163
+ }, "strict", z.ZodTypeAny, {
164
+ target_user_id: string;
165
+ project_id: string;
166
+ }, {
167
+ target_user_id: string;
168
+ project_id: string;
169
+ }>;
170
+ readonly 'member.role_changed': z.ZodObject<{
171
+ project_id: z.ZodString;
172
+ target_user_id: z.ZodString;
173
+ role: z.ZodEnum<["lead", "developer", "reader"]>;
174
+ }, "strict", z.ZodTypeAny, {
175
+ target_user_id: string;
176
+ project_id: string;
177
+ role: "lead" | "developer" | "reader";
178
+ }, {
179
+ target_user_id: string;
180
+ project_id: string;
181
+ role: "lead" | "developer" | "reader";
182
+ }>;
183
+ readonly 'secret.created': z.ZodObject<{
184
+ project_id: z.ZodString;
185
+ env: z.ZodString;
186
+ key: z.ZodString;
187
+ version: z.ZodNumber;
188
+ }, "strict", z.ZodTypeAny, {
189
+ key: string;
190
+ project_id: string;
191
+ env: string;
192
+ version: number;
193
+ }, {
194
+ key: string;
195
+ project_id: string;
196
+ env: string;
197
+ version: number;
198
+ }>;
199
+ readonly 'secret.read.allowed': z.ZodObject<{
200
+ alias: z.ZodString;
201
+ version: z.ZodNumber;
202
+ }, "strict", z.ZodTypeAny, {
203
+ version: number;
204
+ alias: string;
205
+ }, {
206
+ version: number;
207
+ alias: string;
208
+ }>;
209
+ readonly 'secret.read.denied': z.ZodObject<{
210
+ alias: z.ZodString;
211
+ }, "strict", z.ZodTypeAny, {
212
+ alias: string;
213
+ }, {
214
+ alias: string;
215
+ }>;
216
+ readonly 'secret.rotated': z.ZodObject<{
217
+ project_id: z.ZodString;
218
+ env: z.ZodString;
219
+ key: z.ZodString;
220
+ from_version: z.ZodNumber;
221
+ to_version: z.ZodNumber;
222
+ }, "strict", z.ZodTypeAny, {
223
+ key: string;
224
+ project_id: string;
225
+ env: string;
226
+ from_version: number;
227
+ to_version: number;
228
+ }, {
229
+ key: string;
230
+ project_id: string;
231
+ env: string;
232
+ from_version: number;
233
+ to_version: number;
234
+ }>;
235
+ readonly 'secret.deleted': z.ZodObject<{
236
+ project_id: z.ZodString;
237
+ env: z.ZodString;
238
+ key: z.ZodString;
239
+ }, "strict", z.ZodTypeAny, {
240
+ key: string;
241
+ project_id: string;
242
+ env: string;
243
+ }, {
244
+ key: string;
245
+ project_id: string;
246
+ env: string;
247
+ }>;
248
+ readonly 'secret.test.invoked': z.ZodObject<{
249
+ alias: z.ZodString;
250
+ tester: z.ZodString;
251
+ ok: z.ZodBoolean;
252
+ latency_ms: z.ZodNumber;
253
+ }, "strict", z.ZodTypeAny, {
254
+ alias: string;
255
+ tester: string;
256
+ ok: boolean;
257
+ latency_ms: number;
258
+ }, {
259
+ alias: string;
260
+ tester: string;
261
+ ok: boolean;
262
+ latency_ms: number;
263
+ }>;
264
+ readonly 'secret.test.denied': z.ZodObject<{
265
+ alias: z.ZodString;
266
+ }, "strict", z.ZodTypeAny, {
267
+ alias: string;
268
+ }, {
269
+ alias: string;
270
+ }>;
271
+ readonly 'rotation.policy_changed': z.ZodObject<{
272
+ project_id: z.ZodString;
273
+ env: z.ZodString;
274
+ key: z.ZodString;
275
+ interval_days: z.ZodOptional<z.ZodNumber>;
276
+ }, "strict", z.ZodTypeAny, {
277
+ key: string;
278
+ project_id: string;
279
+ env: string;
280
+ interval_days?: number | undefined;
281
+ }, {
282
+ key: string;
283
+ project_id: string;
284
+ env: string;
285
+ interval_days?: number | undefined;
286
+ }>;
287
+ readonly 'approval.requested': z.ZodObject<{
288
+ alias: z.ZodString;
289
+ }, "strict", z.ZodTypeAny, {
290
+ alias: string;
291
+ }, {
292
+ alias: string;
293
+ }>;
294
+ readonly 'approval.granted': z.ZodObject<{
295
+ alias: z.ZodString;
296
+ granted_by: z.ZodString;
297
+ }, "strict", z.ZodTypeAny, {
298
+ alias: string;
299
+ granted_by: string;
300
+ }, {
301
+ alias: string;
302
+ granted_by: string;
303
+ }>;
304
+ readonly 'approval.denied': z.ZodObject<{
305
+ alias: z.ZodString;
306
+ denied_by: z.ZodString;
307
+ }, "strict", z.ZodTypeAny, {
308
+ alias: string;
309
+ denied_by: string;
310
+ }, {
311
+ alias: string;
312
+ denied_by: string;
313
+ }>;
314
+ readonly 'org.created': z.ZodObject<{
315
+ org_id: z.ZodString;
316
+ name: z.ZodString;
317
+ }, "strict", z.ZodTypeAny, {
318
+ org_id: string;
319
+ name: string;
320
+ }, {
321
+ org_id: string;
322
+ name: string;
323
+ }>;
324
+ readonly 'org.updated': z.ZodObject<{
325
+ org_id: z.ZodString;
326
+ name: z.ZodString;
327
+ }, "strict", z.ZodTypeAny, {
328
+ org_id: string;
329
+ name: string;
330
+ }, {
331
+ org_id: string;
332
+ name: string;
333
+ }>;
334
+ };
335
+ /**
336
+ * Validates a payload for the given event type. Returns the parsed
337
+ * (typed) value on success; throws on mismatch — invalid audit
338
+ * payloads are programmer errors and should fail loudly so the
339
+ * triggering route returns 500 rather than recording a malformed
340
+ * chain entry.
341
+ */
342
+ export declare function validateAuditPayload(eventType: AuditEventType, payload: unknown): Record<string, unknown>;
343
+ //# sourceMappingURL=payload-schemas.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payload-schemas.d.ts","sourceRoot":"","sources":["../../src/audit/payload-schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAejD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuEmD,CAAC;AAEhF;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,OAAO,GACf,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAWzB"}
@@ -0,0 +1,112 @@
1
+ /**
2
+ * Per-event-type payload schemas. The audit pipeline validates every
3
+ * payload against the schema for its event_type before hashing — this
4
+ * closes audit finding H2 (no schema → non-JSON values could hash
5
+ * deterministically without round-tripping through JSON.parse).
6
+ *
7
+ * Every schema is `.strict()` so unknown keys are rejected at compile
8
+ * time, not silently dropped or hashed. Adding a new event type
9
+ * requires extending this map; the type system enforces it.
10
+ */
11
+ import { z } from 'zod';
12
+ const projectId = z.string().min(1);
13
+ const userId = z.string().min(1);
14
+ const alias = z.string().min(1);
15
+ const env = z.string().min(1);
16
+ const key = z.string().min(1);
17
+ const role = z.enum(['lead', 'developer', 'reader']);
18
+ const orgRole = z.enum(['owner', 'admin', 'developer', 'reader']);
19
+ const email = z.string().email();
20
+ const version = z.coerce.number().int().positive();
21
+ const empty = z.object({}).strict();
22
+ const orgId = z.string().min(1);
23
+ export const PAYLOAD_SCHEMAS = {
24
+ 'auth.register': z
25
+ .object({
26
+ email,
27
+ org_id: orgId,
28
+ org_name: z.string().min(1),
29
+ })
30
+ .strict(),
31
+ 'auth.login.allowed': z.object({ email }).strict(),
32
+ 'auth.login.denied': z.object({ email }).strict(),
33
+ 'auth.logout': empty,
34
+ 'auth.refresh': empty,
35
+ 'auth.password_change.allowed': empty,
36
+ 'auth.password_change.denied': empty,
37
+ 'cli_token.created': z.object({ token_id: z.string().min(1), name: z.string().min(1) }).strict(),
38
+ 'cli_token.revoked': z.object({ token_id: z.string().min(1), name: z.string().min(1) }).strict(),
39
+ 'user.invited': z
40
+ .object({ target_user_id: userId, email, org_role: orgRole, org_id: orgId })
41
+ .strict(),
42
+ 'user.removed': z.object({ target_user_id: userId, email }).strict(),
43
+ 'user.role_changed': z.object({ target_user_id: userId, org_role: orgRole }).strict(),
44
+ 'project.created': z
45
+ .object({
46
+ project_id: projectId,
47
+ name: z.string().min(1),
48
+ environments: z.array(z.string().min(1)),
49
+ })
50
+ .strict(),
51
+ 'project.deleted': z.object({ project_id: projectId, name: z.string() }).strict(),
52
+ 'project.dek_rotated': z.object({ project_id: projectId }).strict(),
53
+ 'environment.created': z
54
+ .object({
55
+ project_id: projectId,
56
+ environment: z.string().min(1),
57
+ tier: z.enum(['production', 'non-production']),
58
+ require_approval: z.boolean(),
59
+ })
60
+ .strict(),
61
+ 'member.added': z.object({ project_id: projectId, target_user_id: userId, role }).strict(),
62
+ 'member.removed': z.object({ project_id: projectId, target_user_id: userId }).strict(),
63
+ 'member.role_changed': z.object({ project_id: projectId, target_user_id: userId, role }).strict(),
64
+ 'secret.created': z.object({ project_id: projectId, env, key, version }).strict(),
65
+ 'secret.read.allowed': z.object({ alias, version }).strict(),
66
+ 'secret.read.denied': z.object({ alias }).strict(),
67
+ 'secret.rotated': z
68
+ .object({
69
+ project_id: projectId,
70
+ env,
71
+ key,
72
+ from_version: version,
73
+ to_version: version,
74
+ })
75
+ .strict(),
76
+ 'secret.deleted': z.object({ project_id: projectId, env, key }).strict(),
77
+ 'secret.test.invoked': z
78
+ .object({ alias, tester: z.string(), ok: z.boolean(), latency_ms: z.number() })
79
+ .strict(),
80
+ 'secret.test.denied': z.object({ alias }).strict(),
81
+ 'rotation.policy_changed': z
82
+ .object({
83
+ project_id: projectId,
84
+ env,
85
+ key,
86
+ interval_days: z.number().optional(),
87
+ })
88
+ .strict(),
89
+ 'approval.requested': z.object({ alias }).strict(),
90
+ 'approval.granted': z.object({ alias, granted_by: userId }).strict(),
91
+ 'approval.denied': z.object({ alias, denied_by: userId }).strict(),
92
+ 'org.created': z.object({ org_id: orgId, name: z.string().min(1) }).strict(),
93
+ 'org.updated': z.object({ org_id: orgId, name: z.string().min(1) }).strict(),
94
+ };
95
+ /**
96
+ * Validates a payload for the given event type. Returns the parsed
97
+ * (typed) value on success; throws on mismatch — invalid audit
98
+ * payloads are programmer errors and should fail loudly so the
99
+ * triggering route returns 500 rather than recording a malformed
100
+ * chain entry.
101
+ */
102
+ export function validateAuditPayload(eventType, payload) {
103
+ const schema = PAYLOAD_SCHEMAS[eventType];
104
+ const result = schema.safeParse(payload);
105
+ if (!result.success) {
106
+ throw new Error(`audit payload validation failed for '${eventType}': ${result.error.issues
107
+ .map((i) => `${i.path.join('.') || '<root>'}: ${i.message}`)
108
+ .join('; ')}`);
109
+ }
110
+ return result.data;
111
+ }
112
+ //# sourceMappingURL=payload-schemas.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payload-schemas.js","sourceRoot":"","sources":["../../src/audit/payload-schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACjC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAChC,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;AACrD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;AAClE,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;AACjC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;AAEnD,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;AACpC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEhC,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,eAAe,EAAE,CAAC;SACf,MAAM,CAAC;QACN,KAAK;QACL,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC5B,CAAC;SACD,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjD,aAAa,EAAE,KAAK;IACpB,cAAc,EAAE,KAAK;IACrB,8BAA8B,EAAE,KAAK;IACrC,6BAA6B,EAAE,KAAK;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAChG,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAChG,cAAc,EAAE,CAAC;SACd,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;SAC3E,MAAM,EAAE;IACX,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACpE,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACrF,iBAAiB,EAAE,CAAC;SACjB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;KACzC,CAAC;SACD,MAAM,EAAE;IACX,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACjF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACnE,qBAAqB,EAAE,CAAC;SACrB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAC9C,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE;KAC9B,CAAC;SACD,MAAM,EAAE;IACX,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAC1F,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IACtF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IACjG,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACjF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,gBAAgB,EAAE,CAAC;SAChB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,GAAG;QACH,GAAG;QACH,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,OAAO;KACpB,CAAC;SACD,MAAM,EAAE;IACX,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACxE,qBAAqB,EAAE,CAAC;SACrB,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;SAC9E,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,yBAAyB,EAAE,CAAC;SACzB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,GAAG;QACH,GAAG;QACH,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACrC,CAAC;SACD,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IACpE,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5E,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACC,CAAC;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,SAAyB,EACzB,OAAgB;IAEhB,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,wCAAwC,SAAS,MAAM,MAAM,CAAC,KAAK,CAAC,MAAM;aACvE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC3D,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAA+B,CAAC;AAChD,CAAC"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=payload-schemas.test.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payload-schemas.test.d.ts","sourceRoot":"","sources":["../../src/audit/payload-schemas.test.ts"],"names":[],"mappings":""}
@@ -0,0 +1,93 @@
1
+ import { describe, expect, it } from 'vitest';
2
+ import { PAYLOAD_SCHEMAS, validateAuditPayload } from './payload-schemas.js';
3
+ describe('PAYLOAD_SCHEMAS', () => {
4
+ it('has a schema for every documented event type', () => {
5
+ const expected = [
6
+ 'auth.login.allowed',
7
+ 'auth.login.denied',
8
+ 'auth.logout',
9
+ 'auth.refresh',
10
+ 'auth.password_change.allowed',
11
+ 'auth.password_change.denied',
12
+ 'cli_token.created',
13
+ 'cli_token.revoked',
14
+ 'user.invited',
15
+ 'user.removed',
16
+ 'user.role_changed',
17
+ 'project.created',
18
+ 'project.deleted',
19
+ 'project.dek_rotated',
20
+ 'environment.created',
21
+ 'member.added',
22
+ 'member.removed',
23
+ 'member.role_changed',
24
+ 'secret.created',
25
+ 'secret.read.allowed',
26
+ 'secret.read.denied',
27
+ 'secret.rotated',
28
+ 'secret.deleted',
29
+ 'secret.test.invoked',
30
+ 'secret.test.denied',
31
+ 'approval.requested',
32
+ 'approval.granted',
33
+ 'approval.denied',
34
+ ];
35
+ for (const t of expected) {
36
+ expect(PAYLOAD_SCHEMAS, `missing schema for ${t}`).toHaveProperty(t);
37
+ }
38
+ });
39
+ });
40
+ describe('validateAuditPayload — happy paths', () => {
41
+ it.each([
42
+ ['auth.login.allowed', { email: 'a@b.com' }],
43
+ ['auth.logout', {}],
44
+ ['project.created', { project_id: 'p_1', name: 'demo', environments: ['dev', 'prod'] }],
45
+ ['project.deleted', { project_id: 'p_1', name: 'demo' }],
46
+ ['member.added', { project_id: 'p_1', target_user_id: 'u_1', role: 'developer' }],
47
+ ['secret.created', { project_id: 'p_1', env: 'dev', key: 'db_pass', version: 1 }],
48
+ ['secret.read.allowed', { alias: '@p.dev.k', version: 3 }],
49
+ [
50
+ 'secret.rotated',
51
+ { project_id: 'p_1', env: 'dev', key: 'db_pass', from_version: 1, to_version: 2 },
52
+ ],
53
+ ['approval.requested', { alias: '@p.prod.db' }],
54
+ [
55
+ 'user.invited',
56
+ {
57
+ target_user_id: 'u_1',
58
+ email: 'invitee@team.test',
59
+ org_role: 'developer',
60
+ org_id: 'o_1',
61
+ },
62
+ ],
63
+ ])('accepts %s with %j', (eventType, payload) => {
64
+ expect(() => validateAuditPayload(eventType, payload)).not.toThrow();
65
+ expect(validateAuditPayload(eventType, payload)).toEqual(payload);
66
+ });
67
+ });
68
+ describe('validateAuditPayload — rejections', () => {
69
+ it('rejects unknown fields (strict)', () => {
70
+ expect(() => validateAuditPayload('auth.login.allowed', { email: 'a@b.com', unexpected: 'x' })).toThrow(/audit payload validation failed/);
71
+ });
72
+ it('rejects missing required fields', () => {
73
+ expect(() => validateAuditPayload('secret.created', { project_id: 'p_1' })).toThrow();
74
+ });
75
+ it('rejects non-JSON values (object cannot be coerced to number)', () => {
76
+ expect(() => validateAuditPayload('secret.read.allowed', {
77
+ alias: '@p.dev.k',
78
+ version: { not: 'a number' },
79
+ })).toThrow();
80
+ });
81
+ it('rejects wrong-type fields', () => {
82
+ expect(() => validateAuditPayload('secret.created', {
83
+ project_id: 'p_1',
84
+ env: 'dev',
85
+ key: 'k',
86
+ version: 'one',
87
+ })).toThrow();
88
+ });
89
+ it('rejects event_type / payload mismatch', () => {
90
+ expect(() => validateAuditPayload('auth.logout', { email: 'a@b.com' })).toThrow();
91
+ });
92
+ });
93
+ //# sourceMappingURL=payload-schemas.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payload-schemas.test.js","sourceRoot":"","sources":["../../src/audit/payload-schemas.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG7E,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,QAAQ,GAAqB;YACjC,oBAAoB;YACpB,mBAAmB;YACnB,aAAa;YACb,cAAc;YACd,8BAA8B;YAC9B,6BAA6B;YAC7B,mBAAmB;YACnB,mBAAmB;YACnB,cAAc;YACd,cAAc;YACd,mBAAmB;YACnB,iBAAiB;YACjB,iBAAiB;YACjB,qBAAqB;YACrB,qBAAqB;YACrB,cAAc;YACd,gBAAgB;YAChB,qBAAqB;YACrB,gBAAgB;YAChB,qBAAqB;YACrB,oBAAoB;YACpB,gBAAgB;YAChB,gBAAgB;YAChB,qBAAqB;YACrB,oBAAoB;YACpB,oBAAoB;YACpB,kBAAkB;YAClB,iBAAiB;SAClB,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,IAAI,CAAC;QACN,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAC5C,CAAC,aAAa,EAAE,EAAE,CAAC;QACnB,CAAC,iBAAiB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;QACvF,CAAC,iBAAiB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACxD,CAAC,cAAc,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACjF,CAAC,gBAAgB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACjF,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC1D;YACE,gBAAgB;YAChB,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;SAClF;QACD,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;QAC/C;YACE,cAAc;YACd;gBACE,cAAc,EAAE,KAAK;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,QAAQ,EAAE,WAAW;gBACrB,MAAM,EAAE,KAAK;aACd;SACF;KACkD,CAAC,CACpD,oBAAoB,EACpB,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE;QACrB,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACrE,MAAM,CAAC,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAClF,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,qBAAqB,EAAE;YAC1C,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE,EAAE,GAAG,EAAE,UAAU,EAAuB;SAClD,CAAC,CACH,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,gBAAgB,EAAE;YACrC,UAAU,EAAE,KAAK;YACjB,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,GAAG;YACR,OAAO,EAAE,KAAK;SACf,CAAC,CACH,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,aAAa,EAAE,EAAE,KAAK,EAAE,SAAS,EAA6B,CAAC,CACrF,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -0,0 +1,34 @@
1
+ /**
2
+ * Canonical event types emitted into the audit chain.
3
+ *
4
+ * Server code must use these constants — string literals risk drift.
5
+ * Adding a new event type is a deliberate decision: extend the union
6
+ * here, then update both the server emitter and the audit-list filter.
7
+ */
8
+ export type AuditEventType = 'auth.register' | 'auth.login.allowed' | 'auth.login.denied' | 'auth.logout' | 'auth.refresh' | 'auth.password_change.allowed' | 'auth.password_change.denied' | 'cli_token.created' | 'cli_token.revoked' | 'user.invited' | 'user.removed' | 'user.role_changed' | 'project.created' | 'project.deleted' | 'project.dek_rotated' | 'environment.created' | 'member.added' | 'member.removed' | 'member.role_changed' | 'secret.created' | 'secret.read.allowed' | 'secret.read.denied' | 'secret.rotated' | 'secret.deleted' | 'secret.test.invoked' | 'secret.test.denied' | 'approval.requested' | 'approval.granted' | 'approval.denied' | 'rotation.policy_changed' | 'org.created' | 'org.updated';
9
+ /**
10
+ * The pieces of an audit entry that are *input*. The server fills in
11
+ * the chain bookkeeping (id, prev_hash, hash) using `appendEntry`.
12
+ */
13
+ export interface AuditInput {
14
+ readonly ts: string;
15
+ readonly actor_user_id: string | null;
16
+ readonly actor_agent: string;
17
+ readonly event_type: AuditEventType;
18
+ /** JSON-serializable payload. Must NEVER contain a secret value. */
19
+ readonly payload: Record<string, unknown>;
20
+ }
21
+ /**
22
+ * A persisted audit row.
23
+ */
24
+ export interface AuditEntry extends AuditInput {
25
+ readonly id: number;
26
+ readonly prev_hash: string;
27
+ readonly hash: string;
28
+ }
29
+ /**
30
+ * The all-zeros 32-byte hex hash used as `prev_hash` of the first
31
+ * entry. Matches the convention documented in 05-encryption-design.md.
32
+ */
33
+ export declare const GENESIS_HASH: string;
34
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,MAAM,cAAc,GACtB,eAAe,GACf,oBAAoB,GACpB,mBAAmB,GACnB,aAAa,GACb,cAAc,GACd,8BAA8B,GAC9B,6BAA6B,GAC7B,mBAAmB,GACnB,mBAAmB,GACnB,cAAc,GACd,cAAc,GACd,mBAAmB,GACnB,iBAAiB,GACjB,iBAAiB,GACjB,qBAAqB,GACrB,qBAAqB,GACrB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,oBAAoB,GACpB,gBAAgB,GAChB,gBAAgB,GAChB,qBAAqB,GACrB,oBAAoB,GACpB,oBAAoB,GACpB,kBAAkB,GAClB,iBAAiB,GACjB,yBAAyB,GACzB,aAAa,GACb,aAAa,CAAC;AAElB;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC;IACpC,oEAAoE;IACpE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,UAAU;IAC5C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,eAAO,MAAM,YAAY,QAAiB,CAAC"}
@@ -0,0 +1,6 @@
1
+ /**
2
+ * The all-zeros 32-byte hex hash used as `prev_hash` of the first
3
+ * entry. Matches the convention documented in 05-encryption-design.md.
4
+ */
5
+ export const GENESIS_HASH = '0'.repeat(64);
6
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AA+DA;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC"}