@keynv/core 0.1.0-rc.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/dist/audit/chain.d.ts +44 -0
- package/dist/audit/chain.d.ts.map +1 -0
- package/dist/audit/chain.js +134 -0
- package/dist/audit/chain.js.map +1 -0
- package/dist/audit/chain.test.d.ts +2 -0
- package/dist/audit/chain.test.d.ts.map +1 -0
- package/dist/audit/chain.test.js +192 -0
- package/dist/audit/chain.test.js.map +1 -0
- package/dist/audit/index.d.ts +5 -0
- package/dist/audit/index.d.ts.map +1 -0
- package/dist/audit/index.js +4 -0
- package/dist/audit/index.js.map +1 -0
- package/dist/audit/payload-schemas.d.ts +343 -0
- package/dist/audit/payload-schemas.d.ts.map +1 -0
- package/dist/audit/payload-schemas.js +112 -0
- package/dist/audit/payload-schemas.js.map +1 -0
- package/dist/audit/payload-schemas.test.d.ts +2 -0
- package/dist/audit/payload-schemas.test.d.ts.map +1 -0
- package/dist/audit/payload-schemas.test.js +93 -0
- package/dist/audit/payload-schemas.test.js.map +1 -0
- package/dist/audit/types.d.ts +34 -0
- package/dist/audit/types.d.ts.map +1 -0
- package/dist/audit/types.js +6 -0
- package/dist/audit/types.js.map +1 -0
- package/dist/crypto/envelope.d.ts +55 -0
- package/dist/crypto/envelope.d.ts.map +1 -0
- package/dist/crypto/envelope.js +108 -0
- package/dist/crypto/envelope.js.map +1 -0
- package/dist/crypto/envelope.test.d.ts +2 -0
- package/dist/crypto/envelope.test.d.ts.map +1 -0
- package/dist/crypto/envelope.test.js +163 -0
- package/dist/crypto/envelope.test.js.map +1 -0
- package/dist/crypto/index.d.ts +5 -0
- package/dist/crypto/index.d.ts.map +1 -0
- package/dist/crypto/index.js +4 -0
- package/dist/crypto/index.js.map +1 -0
- package/dist/crypto/sodium.d.ts +21 -0
- package/dist/crypto/sodium.d.ts.map +1 -0
- package/dist/crypto/sodium.js +43 -0
- package/dist/crypto/sodium.js.map +1 -0
- package/dist/crypto/types.d.ts +37 -0
- package/dist/crypto/types.d.ts.map +1 -0
- package/dist/crypto/types.js +11 -0
- package/dist/crypto/types.js.map +1 -0
- package/dist/index.d.ts +5 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +5 -0
- package/dist/index.js.map +1 -0
- package/dist/reference/index.d.ts +4 -0
- package/dist/reference/index.d.ts.map +1 -0
- package/dist/reference/index.js +3 -0
- package/dist/reference/index.js.map +1 -0
- package/dist/reference/parser-property.test.d.ts +2 -0
- package/dist/reference/parser-property.test.d.ts.map +1 -0
- package/dist/reference/parser-property.test.js +115 -0
- package/dist/reference/parser-property.test.js.map +1 -0
- package/dist/reference/parser.d.ts +54 -0
- package/dist/reference/parser.d.ts.map +1 -0
- package/dist/reference/parser.js +144 -0
- package/dist/reference/parser.js.map +1 -0
- package/dist/reference/parser.test.d.ts +2 -0
- package/dist/reference/parser.test.d.ts.map +1 -0
- package/dist/reference/parser.test.js +195 -0
- package/dist/reference/parser.test.js.map +1 -0
- package/dist/reference/types.d.ts +52 -0
- package/dist/reference/types.d.ts.map +1 -0
- package/dist/reference/types.js +11 -0
- package/dist/reference/types.js.map +1 -0
- package/dist/validation/index.d.ts +33 -0
- package/dist/validation/index.d.ts.map +1 -0
- package/dist/validation/index.js +45 -0
- package/dist/validation/index.js.map +1 -0
- package/dist/validation/schemas.test.d.ts +2 -0
- package/dist/validation/schemas.test.d.ts.map +1 -0
- package/dist/validation/schemas.test.js +18 -0
- package/dist/validation/schemas.test.js.map +1 -0
- package/package.json +48 -0
|
@@ -0,0 +1,343 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Per-event-type payload schemas. The audit pipeline validates every
|
|
3
|
+
* payload against the schema for its event_type before hashing — this
|
|
4
|
+
* closes audit finding H2 (no schema → non-JSON values could hash
|
|
5
|
+
* deterministically without round-tripping through JSON.parse).
|
|
6
|
+
*
|
|
7
|
+
* Every schema is `.strict()` so unknown keys are rejected at compile
|
|
8
|
+
* time, not silently dropped or hashed. Adding a new event type
|
|
9
|
+
* requires extending this map; the type system enforces it.
|
|
10
|
+
*/
|
|
11
|
+
import { z } from 'zod';
|
|
12
|
+
import type { AuditEventType } from './types.js';
|
|
13
|
+
export declare const PAYLOAD_SCHEMAS: {
|
|
14
|
+
readonly 'auth.register': z.ZodObject<{
|
|
15
|
+
email: z.ZodString;
|
|
16
|
+
org_id: z.ZodString;
|
|
17
|
+
org_name: z.ZodString;
|
|
18
|
+
}, "strict", z.ZodTypeAny, {
|
|
19
|
+
email: string;
|
|
20
|
+
org_id: string;
|
|
21
|
+
org_name: string;
|
|
22
|
+
}, {
|
|
23
|
+
email: string;
|
|
24
|
+
org_id: string;
|
|
25
|
+
org_name: string;
|
|
26
|
+
}>;
|
|
27
|
+
readonly 'auth.login.allowed': z.ZodObject<{
|
|
28
|
+
email: z.ZodString;
|
|
29
|
+
}, "strict", z.ZodTypeAny, {
|
|
30
|
+
email: string;
|
|
31
|
+
}, {
|
|
32
|
+
email: string;
|
|
33
|
+
}>;
|
|
34
|
+
readonly 'auth.login.denied': z.ZodObject<{
|
|
35
|
+
email: z.ZodString;
|
|
36
|
+
}, "strict", z.ZodTypeAny, {
|
|
37
|
+
email: string;
|
|
38
|
+
}, {
|
|
39
|
+
email: string;
|
|
40
|
+
}>;
|
|
41
|
+
readonly 'auth.logout': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
|
|
42
|
+
readonly 'auth.refresh': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
|
|
43
|
+
readonly 'auth.password_change.allowed': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
|
|
44
|
+
readonly 'auth.password_change.denied': z.ZodObject<{}, "strict", z.ZodTypeAny, {}, {}>;
|
|
45
|
+
readonly 'cli_token.created': z.ZodObject<{
|
|
46
|
+
token_id: z.ZodString;
|
|
47
|
+
name: z.ZodString;
|
|
48
|
+
}, "strict", z.ZodTypeAny, {
|
|
49
|
+
token_id: string;
|
|
50
|
+
name: string;
|
|
51
|
+
}, {
|
|
52
|
+
token_id: string;
|
|
53
|
+
name: string;
|
|
54
|
+
}>;
|
|
55
|
+
readonly 'cli_token.revoked': z.ZodObject<{
|
|
56
|
+
token_id: z.ZodString;
|
|
57
|
+
name: z.ZodString;
|
|
58
|
+
}, "strict", z.ZodTypeAny, {
|
|
59
|
+
token_id: string;
|
|
60
|
+
name: string;
|
|
61
|
+
}, {
|
|
62
|
+
token_id: string;
|
|
63
|
+
name: string;
|
|
64
|
+
}>;
|
|
65
|
+
readonly 'user.invited': z.ZodObject<{
|
|
66
|
+
target_user_id: z.ZodString;
|
|
67
|
+
email: z.ZodString;
|
|
68
|
+
org_role: z.ZodEnum<["owner", "admin", "developer", "reader"]>;
|
|
69
|
+
org_id: z.ZodString;
|
|
70
|
+
}, "strict", z.ZodTypeAny, {
|
|
71
|
+
email: string;
|
|
72
|
+
org_id: string;
|
|
73
|
+
target_user_id: string;
|
|
74
|
+
org_role: "developer" | "reader" | "owner" | "admin";
|
|
75
|
+
}, {
|
|
76
|
+
email: string;
|
|
77
|
+
org_id: string;
|
|
78
|
+
target_user_id: string;
|
|
79
|
+
org_role: "developer" | "reader" | "owner" | "admin";
|
|
80
|
+
}>;
|
|
81
|
+
readonly 'user.removed': z.ZodObject<{
|
|
82
|
+
target_user_id: z.ZodString;
|
|
83
|
+
email: z.ZodString;
|
|
84
|
+
}, "strict", z.ZodTypeAny, {
|
|
85
|
+
email: string;
|
|
86
|
+
target_user_id: string;
|
|
87
|
+
}, {
|
|
88
|
+
email: string;
|
|
89
|
+
target_user_id: string;
|
|
90
|
+
}>;
|
|
91
|
+
readonly 'user.role_changed': z.ZodObject<{
|
|
92
|
+
target_user_id: z.ZodString;
|
|
93
|
+
org_role: z.ZodEnum<["owner", "admin", "developer", "reader"]>;
|
|
94
|
+
}, "strict", z.ZodTypeAny, {
|
|
95
|
+
target_user_id: string;
|
|
96
|
+
org_role: "developer" | "reader" | "owner" | "admin";
|
|
97
|
+
}, {
|
|
98
|
+
target_user_id: string;
|
|
99
|
+
org_role: "developer" | "reader" | "owner" | "admin";
|
|
100
|
+
}>;
|
|
101
|
+
readonly 'project.created': z.ZodObject<{
|
|
102
|
+
project_id: z.ZodString;
|
|
103
|
+
name: z.ZodString;
|
|
104
|
+
environments: z.ZodArray<z.ZodString, "many">;
|
|
105
|
+
}, "strict", z.ZodTypeAny, {
|
|
106
|
+
name: string;
|
|
107
|
+
project_id: string;
|
|
108
|
+
environments: string[];
|
|
109
|
+
}, {
|
|
110
|
+
name: string;
|
|
111
|
+
project_id: string;
|
|
112
|
+
environments: string[];
|
|
113
|
+
}>;
|
|
114
|
+
readonly 'project.deleted': z.ZodObject<{
|
|
115
|
+
project_id: z.ZodString;
|
|
116
|
+
name: z.ZodString;
|
|
117
|
+
}, "strict", z.ZodTypeAny, {
|
|
118
|
+
name: string;
|
|
119
|
+
project_id: string;
|
|
120
|
+
}, {
|
|
121
|
+
name: string;
|
|
122
|
+
project_id: string;
|
|
123
|
+
}>;
|
|
124
|
+
readonly 'project.dek_rotated': z.ZodObject<{
|
|
125
|
+
project_id: z.ZodString;
|
|
126
|
+
}, "strict", z.ZodTypeAny, {
|
|
127
|
+
project_id: string;
|
|
128
|
+
}, {
|
|
129
|
+
project_id: string;
|
|
130
|
+
}>;
|
|
131
|
+
readonly 'environment.created': z.ZodObject<{
|
|
132
|
+
project_id: z.ZodString;
|
|
133
|
+
environment: z.ZodString;
|
|
134
|
+
tier: z.ZodEnum<["production", "non-production"]>;
|
|
135
|
+
require_approval: z.ZodBoolean;
|
|
136
|
+
}, "strict", z.ZodTypeAny, {
|
|
137
|
+
environment: string;
|
|
138
|
+
project_id: string;
|
|
139
|
+
tier: "production" | "non-production";
|
|
140
|
+
require_approval: boolean;
|
|
141
|
+
}, {
|
|
142
|
+
environment: string;
|
|
143
|
+
project_id: string;
|
|
144
|
+
tier: "production" | "non-production";
|
|
145
|
+
require_approval: boolean;
|
|
146
|
+
}>;
|
|
147
|
+
readonly 'member.added': z.ZodObject<{
|
|
148
|
+
project_id: z.ZodString;
|
|
149
|
+
target_user_id: z.ZodString;
|
|
150
|
+
role: z.ZodEnum<["lead", "developer", "reader"]>;
|
|
151
|
+
}, "strict", z.ZodTypeAny, {
|
|
152
|
+
target_user_id: string;
|
|
153
|
+
project_id: string;
|
|
154
|
+
role: "lead" | "developer" | "reader";
|
|
155
|
+
}, {
|
|
156
|
+
target_user_id: string;
|
|
157
|
+
project_id: string;
|
|
158
|
+
role: "lead" | "developer" | "reader";
|
|
159
|
+
}>;
|
|
160
|
+
readonly 'member.removed': z.ZodObject<{
|
|
161
|
+
project_id: z.ZodString;
|
|
162
|
+
target_user_id: z.ZodString;
|
|
163
|
+
}, "strict", z.ZodTypeAny, {
|
|
164
|
+
target_user_id: string;
|
|
165
|
+
project_id: string;
|
|
166
|
+
}, {
|
|
167
|
+
target_user_id: string;
|
|
168
|
+
project_id: string;
|
|
169
|
+
}>;
|
|
170
|
+
readonly 'member.role_changed': z.ZodObject<{
|
|
171
|
+
project_id: z.ZodString;
|
|
172
|
+
target_user_id: z.ZodString;
|
|
173
|
+
role: z.ZodEnum<["lead", "developer", "reader"]>;
|
|
174
|
+
}, "strict", z.ZodTypeAny, {
|
|
175
|
+
target_user_id: string;
|
|
176
|
+
project_id: string;
|
|
177
|
+
role: "lead" | "developer" | "reader";
|
|
178
|
+
}, {
|
|
179
|
+
target_user_id: string;
|
|
180
|
+
project_id: string;
|
|
181
|
+
role: "lead" | "developer" | "reader";
|
|
182
|
+
}>;
|
|
183
|
+
readonly 'secret.created': z.ZodObject<{
|
|
184
|
+
project_id: z.ZodString;
|
|
185
|
+
env: z.ZodString;
|
|
186
|
+
key: z.ZodString;
|
|
187
|
+
version: z.ZodNumber;
|
|
188
|
+
}, "strict", z.ZodTypeAny, {
|
|
189
|
+
key: string;
|
|
190
|
+
project_id: string;
|
|
191
|
+
env: string;
|
|
192
|
+
version: number;
|
|
193
|
+
}, {
|
|
194
|
+
key: string;
|
|
195
|
+
project_id: string;
|
|
196
|
+
env: string;
|
|
197
|
+
version: number;
|
|
198
|
+
}>;
|
|
199
|
+
readonly 'secret.read.allowed': z.ZodObject<{
|
|
200
|
+
alias: z.ZodString;
|
|
201
|
+
version: z.ZodNumber;
|
|
202
|
+
}, "strict", z.ZodTypeAny, {
|
|
203
|
+
version: number;
|
|
204
|
+
alias: string;
|
|
205
|
+
}, {
|
|
206
|
+
version: number;
|
|
207
|
+
alias: string;
|
|
208
|
+
}>;
|
|
209
|
+
readonly 'secret.read.denied': z.ZodObject<{
|
|
210
|
+
alias: z.ZodString;
|
|
211
|
+
}, "strict", z.ZodTypeAny, {
|
|
212
|
+
alias: string;
|
|
213
|
+
}, {
|
|
214
|
+
alias: string;
|
|
215
|
+
}>;
|
|
216
|
+
readonly 'secret.rotated': z.ZodObject<{
|
|
217
|
+
project_id: z.ZodString;
|
|
218
|
+
env: z.ZodString;
|
|
219
|
+
key: z.ZodString;
|
|
220
|
+
from_version: z.ZodNumber;
|
|
221
|
+
to_version: z.ZodNumber;
|
|
222
|
+
}, "strict", z.ZodTypeAny, {
|
|
223
|
+
key: string;
|
|
224
|
+
project_id: string;
|
|
225
|
+
env: string;
|
|
226
|
+
from_version: number;
|
|
227
|
+
to_version: number;
|
|
228
|
+
}, {
|
|
229
|
+
key: string;
|
|
230
|
+
project_id: string;
|
|
231
|
+
env: string;
|
|
232
|
+
from_version: number;
|
|
233
|
+
to_version: number;
|
|
234
|
+
}>;
|
|
235
|
+
readonly 'secret.deleted': z.ZodObject<{
|
|
236
|
+
project_id: z.ZodString;
|
|
237
|
+
env: z.ZodString;
|
|
238
|
+
key: z.ZodString;
|
|
239
|
+
}, "strict", z.ZodTypeAny, {
|
|
240
|
+
key: string;
|
|
241
|
+
project_id: string;
|
|
242
|
+
env: string;
|
|
243
|
+
}, {
|
|
244
|
+
key: string;
|
|
245
|
+
project_id: string;
|
|
246
|
+
env: string;
|
|
247
|
+
}>;
|
|
248
|
+
readonly 'secret.test.invoked': z.ZodObject<{
|
|
249
|
+
alias: z.ZodString;
|
|
250
|
+
tester: z.ZodString;
|
|
251
|
+
ok: z.ZodBoolean;
|
|
252
|
+
latency_ms: z.ZodNumber;
|
|
253
|
+
}, "strict", z.ZodTypeAny, {
|
|
254
|
+
alias: string;
|
|
255
|
+
tester: string;
|
|
256
|
+
ok: boolean;
|
|
257
|
+
latency_ms: number;
|
|
258
|
+
}, {
|
|
259
|
+
alias: string;
|
|
260
|
+
tester: string;
|
|
261
|
+
ok: boolean;
|
|
262
|
+
latency_ms: number;
|
|
263
|
+
}>;
|
|
264
|
+
readonly 'secret.test.denied': z.ZodObject<{
|
|
265
|
+
alias: z.ZodString;
|
|
266
|
+
}, "strict", z.ZodTypeAny, {
|
|
267
|
+
alias: string;
|
|
268
|
+
}, {
|
|
269
|
+
alias: string;
|
|
270
|
+
}>;
|
|
271
|
+
readonly 'rotation.policy_changed': z.ZodObject<{
|
|
272
|
+
project_id: z.ZodString;
|
|
273
|
+
env: z.ZodString;
|
|
274
|
+
key: z.ZodString;
|
|
275
|
+
interval_days: z.ZodOptional<z.ZodNumber>;
|
|
276
|
+
}, "strict", z.ZodTypeAny, {
|
|
277
|
+
key: string;
|
|
278
|
+
project_id: string;
|
|
279
|
+
env: string;
|
|
280
|
+
interval_days?: number | undefined;
|
|
281
|
+
}, {
|
|
282
|
+
key: string;
|
|
283
|
+
project_id: string;
|
|
284
|
+
env: string;
|
|
285
|
+
interval_days?: number | undefined;
|
|
286
|
+
}>;
|
|
287
|
+
readonly 'approval.requested': z.ZodObject<{
|
|
288
|
+
alias: z.ZodString;
|
|
289
|
+
}, "strict", z.ZodTypeAny, {
|
|
290
|
+
alias: string;
|
|
291
|
+
}, {
|
|
292
|
+
alias: string;
|
|
293
|
+
}>;
|
|
294
|
+
readonly 'approval.granted': z.ZodObject<{
|
|
295
|
+
alias: z.ZodString;
|
|
296
|
+
granted_by: z.ZodString;
|
|
297
|
+
}, "strict", z.ZodTypeAny, {
|
|
298
|
+
alias: string;
|
|
299
|
+
granted_by: string;
|
|
300
|
+
}, {
|
|
301
|
+
alias: string;
|
|
302
|
+
granted_by: string;
|
|
303
|
+
}>;
|
|
304
|
+
readonly 'approval.denied': z.ZodObject<{
|
|
305
|
+
alias: z.ZodString;
|
|
306
|
+
denied_by: z.ZodString;
|
|
307
|
+
}, "strict", z.ZodTypeAny, {
|
|
308
|
+
alias: string;
|
|
309
|
+
denied_by: string;
|
|
310
|
+
}, {
|
|
311
|
+
alias: string;
|
|
312
|
+
denied_by: string;
|
|
313
|
+
}>;
|
|
314
|
+
readonly 'org.created': z.ZodObject<{
|
|
315
|
+
org_id: z.ZodString;
|
|
316
|
+
name: z.ZodString;
|
|
317
|
+
}, "strict", z.ZodTypeAny, {
|
|
318
|
+
org_id: string;
|
|
319
|
+
name: string;
|
|
320
|
+
}, {
|
|
321
|
+
org_id: string;
|
|
322
|
+
name: string;
|
|
323
|
+
}>;
|
|
324
|
+
readonly 'org.updated': z.ZodObject<{
|
|
325
|
+
org_id: z.ZodString;
|
|
326
|
+
name: z.ZodString;
|
|
327
|
+
}, "strict", z.ZodTypeAny, {
|
|
328
|
+
org_id: string;
|
|
329
|
+
name: string;
|
|
330
|
+
}, {
|
|
331
|
+
org_id: string;
|
|
332
|
+
name: string;
|
|
333
|
+
}>;
|
|
334
|
+
};
|
|
335
|
+
/**
|
|
336
|
+
* Validates a payload for the given event type. Returns the parsed
|
|
337
|
+
* (typed) value on success; throws on mismatch — invalid audit
|
|
338
|
+
* payloads are programmer errors and should fail loudly so the
|
|
339
|
+
* triggering route returns 500 rather than recording a malformed
|
|
340
|
+
* chain entry.
|
|
341
|
+
*/
|
|
342
|
+
export declare function validateAuditPayload(eventType: AuditEventType, payload: unknown): Record<string, unknown>;
|
|
343
|
+
//# sourceMappingURL=payload-schemas.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payload-schemas.d.ts","sourceRoot":"","sources":["../../src/audit/payload-schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAejD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuEmD,CAAC;AAEhF;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,OAAO,GACf,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAWzB"}
|
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Per-event-type payload schemas. The audit pipeline validates every
|
|
3
|
+
* payload against the schema for its event_type before hashing — this
|
|
4
|
+
* closes audit finding H2 (no schema → non-JSON values could hash
|
|
5
|
+
* deterministically without round-tripping through JSON.parse).
|
|
6
|
+
*
|
|
7
|
+
* Every schema is `.strict()` so unknown keys are rejected at compile
|
|
8
|
+
* time, not silently dropped or hashed. Adding a new event type
|
|
9
|
+
* requires extending this map; the type system enforces it.
|
|
10
|
+
*/
|
|
11
|
+
import { z } from 'zod';
|
|
12
|
+
const projectId = z.string().min(1);
|
|
13
|
+
const userId = z.string().min(1);
|
|
14
|
+
const alias = z.string().min(1);
|
|
15
|
+
const env = z.string().min(1);
|
|
16
|
+
const key = z.string().min(1);
|
|
17
|
+
const role = z.enum(['lead', 'developer', 'reader']);
|
|
18
|
+
const orgRole = z.enum(['owner', 'admin', 'developer', 'reader']);
|
|
19
|
+
const email = z.string().email();
|
|
20
|
+
const version = z.coerce.number().int().positive();
|
|
21
|
+
const empty = z.object({}).strict();
|
|
22
|
+
const orgId = z.string().min(1);
|
|
23
|
+
export const PAYLOAD_SCHEMAS = {
|
|
24
|
+
'auth.register': z
|
|
25
|
+
.object({
|
|
26
|
+
email,
|
|
27
|
+
org_id: orgId,
|
|
28
|
+
org_name: z.string().min(1),
|
|
29
|
+
})
|
|
30
|
+
.strict(),
|
|
31
|
+
'auth.login.allowed': z.object({ email }).strict(),
|
|
32
|
+
'auth.login.denied': z.object({ email }).strict(),
|
|
33
|
+
'auth.logout': empty,
|
|
34
|
+
'auth.refresh': empty,
|
|
35
|
+
'auth.password_change.allowed': empty,
|
|
36
|
+
'auth.password_change.denied': empty,
|
|
37
|
+
'cli_token.created': z.object({ token_id: z.string().min(1), name: z.string().min(1) }).strict(),
|
|
38
|
+
'cli_token.revoked': z.object({ token_id: z.string().min(1), name: z.string().min(1) }).strict(),
|
|
39
|
+
'user.invited': z
|
|
40
|
+
.object({ target_user_id: userId, email, org_role: orgRole, org_id: orgId })
|
|
41
|
+
.strict(),
|
|
42
|
+
'user.removed': z.object({ target_user_id: userId, email }).strict(),
|
|
43
|
+
'user.role_changed': z.object({ target_user_id: userId, org_role: orgRole }).strict(),
|
|
44
|
+
'project.created': z
|
|
45
|
+
.object({
|
|
46
|
+
project_id: projectId,
|
|
47
|
+
name: z.string().min(1),
|
|
48
|
+
environments: z.array(z.string().min(1)),
|
|
49
|
+
})
|
|
50
|
+
.strict(),
|
|
51
|
+
'project.deleted': z.object({ project_id: projectId, name: z.string() }).strict(),
|
|
52
|
+
'project.dek_rotated': z.object({ project_id: projectId }).strict(),
|
|
53
|
+
'environment.created': z
|
|
54
|
+
.object({
|
|
55
|
+
project_id: projectId,
|
|
56
|
+
environment: z.string().min(1),
|
|
57
|
+
tier: z.enum(['production', 'non-production']),
|
|
58
|
+
require_approval: z.boolean(),
|
|
59
|
+
})
|
|
60
|
+
.strict(),
|
|
61
|
+
'member.added': z.object({ project_id: projectId, target_user_id: userId, role }).strict(),
|
|
62
|
+
'member.removed': z.object({ project_id: projectId, target_user_id: userId }).strict(),
|
|
63
|
+
'member.role_changed': z.object({ project_id: projectId, target_user_id: userId, role }).strict(),
|
|
64
|
+
'secret.created': z.object({ project_id: projectId, env, key, version }).strict(),
|
|
65
|
+
'secret.read.allowed': z.object({ alias, version }).strict(),
|
|
66
|
+
'secret.read.denied': z.object({ alias }).strict(),
|
|
67
|
+
'secret.rotated': z
|
|
68
|
+
.object({
|
|
69
|
+
project_id: projectId,
|
|
70
|
+
env,
|
|
71
|
+
key,
|
|
72
|
+
from_version: version,
|
|
73
|
+
to_version: version,
|
|
74
|
+
})
|
|
75
|
+
.strict(),
|
|
76
|
+
'secret.deleted': z.object({ project_id: projectId, env, key }).strict(),
|
|
77
|
+
'secret.test.invoked': z
|
|
78
|
+
.object({ alias, tester: z.string(), ok: z.boolean(), latency_ms: z.number() })
|
|
79
|
+
.strict(),
|
|
80
|
+
'secret.test.denied': z.object({ alias }).strict(),
|
|
81
|
+
'rotation.policy_changed': z
|
|
82
|
+
.object({
|
|
83
|
+
project_id: projectId,
|
|
84
|
+
env,
|
|
85
|
+
key,
|
|
86
|
+
interval_days: z.number().optional(),
|
|
87
|
+
})
|
|
88
|
+
.strict(),
|
|
89
|
+
'approval.requested': z.object({ alias }).strict(),
|
|
90
|
+
'approval.granted': z.object({ alias, granted_by: userId }).strict(),
|
|
91
|
+
'approval.denied': z.object({ alias, denied_by: userId }).strict(),
|
|
92
|
+
'org.created': z.object({ org_id: orgId, name: z.string().min(1) }).strict(),
|
|
93
|
+
'org.updated': z.object({ org_id: orgId, name: z.string().min(1) }).strict(),
|
|
94
|
+
};
|
|
95
|
+
/**
|
|
96
|
+
* Validates a payload for the given event type. Returns the parsed
|
|
97
|
+
* (typed) value on success; throws on mismatch — invalid audit
|
|
98
|
+
* payloads are programmer errors and should fail loudly so the
|
|
99
|
+
* triggering route returns 500 rather than recording a malformed
|
|
100
|
+
* chain entry.
|
|
101
|
+
*/
|
|
102
|
+
export function validateAuditPayload(eventType, payload) {
|
|
103
|
+
const schema = PAYLOAD_SCHEMAS[eventType];
|
|
104
|
+
const result = schema.safeParse(payload);
|
|
105
|
+
if (!result.success) {
|
|
106
|
+
throw new Error(`audit payload validation failed for '${eventType}': ${result.error.issues
|
|
107
|
+
.map((i) => `${i.path.join('.') || '<root>'}: ${i.message}`)
|
|
108
|
+
.join('; ')}`);
|
|
109
|
+
}
|
|
110
|
+
return result.data;
|
|
111
|
+
}
|
|
112
|
+
//# sourceMappingURL=payload-schemas.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payload-schemas.js","sourceRoot":"","sources":["../../src/audit/payload-schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACjC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAChC,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;AACrD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;AAClE,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;AACjC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;AAEnD,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;AACpC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEhC,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,eAAe,EAAE,CAAC;SACf,MAAM,CAAC;QACN,KAAK;QACL,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC5B,CAAC;SACD,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjD,aAAa,EAAE,KAAK;IACpB,cAAc,EAAE,KAAK;IACrB,8BAA8B,EAAE,KAAK;IACrC,6BAA6B,EAAE,KAAK;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAChG,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAChG,cAAc,EAAE,CAAC;SACd,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;SAC3E,MAAM,EAAE;IACX,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACpE,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACrF,iBAAiB,EAAE,CAAC;SACjB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;KACzC,CAAC;SACD,MAAM,EAAE;IACX,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACjF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACnE,qBAAqB,EAAE,CAAC;SACrB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAC9C,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE;KAC9B,CAAC;SACD,MAAM,EAAE;IACX,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAC1F,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IACtF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IACjG,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACjF,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,gBAAgB,EAAE,CAAC;SAChB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,GAAG;QACH,GAAG;QACH,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,OAAO;KACpB,CAAC;SACD,MAAM,EAAE;IACX,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACxE,qBAAqB,EAAE,CAAC;SACrB,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;SAC9E,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,yBAAyB,EAAE,CAAC;SACzB,MAAM,CAAC;QACN,UAAU,EAAE,SAAS;QACrB,GAAG;QACH,GAAG;QACH,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACrC,CAAC;SACD,MAAM,EAAE;IACX,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IAClD,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IACpE,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5E,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACC,CAAC;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,SAAyB,EACzB,OAAgB;IAEhB,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,wCAAwC,SAAS,MAAM,MAAM,CAAC,KAAK,CAAC,MAAM;aACvE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC3D,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAA+B,CAAC;AAChD,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payload-schemas.test.d.ts","sourceRoot":"","sources":["../../src/audit/payload-schemas.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { PAYLOAD_SCHEMAS, validateAuditPayload } from './payload-schemas.js';
|
|
3
|
+
describe('PAYLOAD_SCHEMAS', () => {
|
|
4
|
+
it('has a schema for every documented event type', () => {
|
|
5
|
+
const expected = [
|
|
6
|
+
'auth.login.allowed',
|
|
7
|
+
'auth.login.denied',
|
|
8
|
+
'auth.logout',
|
|
9
|
+
'auth.refresh',
|
|
10
|
+
'auth.password_change.allowed',
|
|
11
|
+
'auth.password_change.denied',
|
|
12
|
+
'cli_token.created',
|
|
13
|
+
'cli_token.revoked',
|
|
14
|
+
'user.invited',
|
|
15
|
+
'user.removed',
|
|
16
|
+
'user.role_changed',
|
|
17
|
+
'project.created',
|
|
18
|
+
'project.deleted',
|
|
19
|
+
'project.dek_rotated',
|
|
20
|
+
'environment.created',
|
|
21
|
+
'member.added',
|
|
22
|
+
'member.removed',
|
|
23
|
+
'member.role_changed',
|
|
24
|
+
'secret.created',
|
|
25
|
+
'secret.read.allowed',
|
|
26
|
+
'secret.read.denied',
|
|
27
|
+
'secret.rotated',
|
|
28
|
+
'secret.deleted',
|
|
29
|
+
'secret.test.invoked',
|
|
30
|
+
'secret.test.denied',
|
|
31
|
+
'approval.requested',
|
|
32
|
+
'approval.granted',
|
|
33
|
+
'approval.denied',
|
|
34
|
+
];
|
|
35
|
+
for (const t of expected) {
|
|
36
|
+
expect(PAYLOAD_SCHEMAS, `missing schema for ${t}`).toHaveProperty(t);
|
|
37
|
+
}
|
|
38
|
+
});
|
|
39
|
+
});
|
|
40
|
+
describe('validateAuditPayload — happy paths', () => {
|
|
41
|
+
it.each([
|
|
42
|
+
['auth.login.allowed', { email: 'a@b.com' }],
|
|
43
|
+
['auth.logout', {}],
|
|
44
|
+
['project.created', { project_id: 'p_1', name: 'demo', environments: ['dev', 'prod'] }],
|
|
45
|
+
['project.deleted', { project_id: 'p_1', name: 'demo' }],
|
|
46
|
+
['member.added', { project_id: 'p_1', target_user_id: 'u_1', role: 'developer' }],
|
|
47
|
+
['secret.created', { project_id: 'p_1', env: 'dev', key: 'db_pass', version: 1 }],
|
|
48
|
+
['secret.read.allowed', { alias: '@p.dev.k', version: 3 }],
|
|
49
|
+
[
|
|
50
|
+
'secret.rotated',
|
|
51
|
+
{ project_id: 'p_1', env: 'dev', key: 'db_pass', from_version: 1, to_version: 2 },
|
|
52
|
+
],
|
|
53
|
+
['approval.requested', { alias: '@p.prod.db' }],
|
|
54
|
+
[
|
|
55
|
+
'user.invited',
|
|
56
|
+
{
|
|
57
|
+
target_user_id: 'u_1',
|
|
58
|
+
email: 'invitee@team.test',
|
|
59
|
+
org_role: 'developer',
|
|
60
|
+
org_id: 'o_1',
|
|
61
|
+
},
|
|
62
|
+
],
|
|
63
|
+
])('accepts %s with %j', (eventType, payload) => {
|
|
64
|
+
expect(() => validateAuditPayload(eventType, payload)).not.toThrow();
|
|
65
|
+
expect(validateAuditPayload(eventType, payload)).toEqual(payload);
|
|
66
|
+
});
|
|
67
|
+
});
|
|
68
|
+
describe('validateAuditPayload — rejections', () => {
|
|
69
|
+
it('rejects unknown fields (strict)', () => {
|
|
70
|
+
expect(() => validateAuditPayload('auth.login.allowed', { email: 'a@b.com', unexpected: 'x' })).toThrow(/audit payload validation failed/);
|
|
71
|
+
});
|
|
72
|
+
it('rejects missing required fields', () => {
|
|
73
|
+
expect(() => validateAuditPayload('secret.created', { project_id: 'p_1' })).toThrow();
|
|
74
|
+
});
|
|
75
|
+
it('rejects non-JSON values (object cannot be coerced to number)', () => {
|
|
76
|
+
expect(() => validateAuditPayload('secret.read.allowed', {
|
|
77
|
+
alias: '@p.dev.k',
|
|
78
|
+
version: { not: 'a number' },
|
|
79
|
+
})).toThrow();
|
|
80
|
+
});
|
|
81
|
+
it('rejects wrong-type fields', () => {
|
|
82
|
+
expect(() => validateAuditPayload('secret.created', {
|
|
83
|
+
project_id: 'p_1',
|
|
84
|
+
env: 'dev',
|
|
85
|
+
key: 'k',
|
|
86
|
+
version: 'one',
|
|
87
|
+
})).toThrow();
|
|
88
|
+
});
|
|
89
|
+
it('rejects event_type / payload mismatch', () => {
|
|
90
|
+
expect(() => validateAuditPayload('auth.logout', { email: 'a@b.com' })).toThrow();
|
|
91
|
+
});
|
|
92
|
+
});
|
|
93
|
+
//# sourceMappingURL=payload-schemas.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payload-schemas.test.js","sourceRoot":"","sources":["../../src/audit/payload-schemas.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG7E,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,QAAQ,GAAqB;YACjC,oBAAoB;YACpB,mBAAmB;YACnB,aAAa;YACb,cAAc;YACd,8BAA8B;YAC9B,6BAA6B;YAC7B,mBAAmB;YACnB,mBAAmB;YACnB,cAAc;YACd,cAAc;YACd,mBAAmB;YACnB,iBAAiB;YACjB,iBAAiB;YACjB,qBAAqB;YACrB,qBAAqB;YACrB,cAAc;YACd,gBAAgB;YAChB,qBAAqB;YACrB,gBAAgB;YAChB,qBAAqB;YACrB,oBAAoB;YACpB,gBAAgB;YAChB,gBAAgB;YAChB,qBAAqB;YACrB,oBAAoB;YACpB,oBAAoB;YACpB,kBAAkB;YAClB,iBAAiB;SAClB,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,IAAI,CAAC;QACN,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAC5C,CAAC,aAAa,EAAE,EAAE,CAAC;QACnB,CAAC,iBAAiB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;QACvF,CAAC,iBAAiB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACxD,CAAC,cAAc,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACjF,CAAC,gBAAgB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACjF,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC1D;YACE,gBAAgB;YAChB,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;SAClF;QACD,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;QAC/C;YACE,cAAc;YACd;gBACE,cAAc,EAAE,KAAK;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,QAAQ,EAAE,WAAW;gBACrB,MAAM,EAAE,KAAK;aACd;SACF;KACkD,CAAC,CACpD,oBAAoB,EACpB,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE;QACrB,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACrE,MAAM,CAAC,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAClF,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,qBAAqB,EAAE;YAC1C,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE,EAAE,GAAG,EAAE,UAAU,EAAuB;SAClD,CAAC,CACH,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,gBAAgB,EAAE;YACrC,UAAU,EAAE,KAAK;YACjB,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,GAAG;YACR,OAAO,EAAE,KAAK;SACf,CAAC,CACH,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,EAAE,CACV,oBAAoB,CAAC,aAAa,EAAE,EAAE,KAAK,EAAE,SAAS,EAA6B,CAAC,CACrF,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Canonical event types emitted into the audit chain.
|
|
3
|
+
*
|
|
4
|
+
* Server code must use these constants — string literals risk drift.
|
|
5
|
+
* Adding a new event type is a deliberate decision: extend the union
|
|
6
|
+
* here, then update both the server emitter and the audit-list filter.
|
|
7
|
+
*/
|
|
8
|
+
export type AuditEventType = 'auth.register' | 'auth.login.allowed' | 'auth.login.denied' | 'auth.logout' | 'auth.refresh' | 'auth.password_change.allowed' | 'auth.password_change.denied' | 'cli_token.created' | 'cli_token.revoked' | 'user.invited' | 'user.removed' | 'user.role_changed' | 'project.created' | 'project.deleted' | 'project.dek_rotated' | 'environment.created' | 'member.added' | 'member.removed' | 'member.role_changed' | 'secret.created' | 'secret.read.allowed' | 'secret.read.denied' | 'secret.rotated' | 'secret.deleted' | 'secret.test.invoked' | 'secret.test.denied' | 'approval.requested' | 'approval.granted' | 'approval.denied' | 'rotation.policy_changed' | 'org.created' | 'org.updated';
|
|
9
|
+
/**
|
|
10
|
+
* The pieces of an audit entry that are *input*. The server fills in
|
|
11
|
+
* the chain bookkeeping (id, prev_hash, hash) using `appendEntry`.
|
|
12
|
+
*/
|
|
13
|
+
export interface AuditInput {
|
|
14
|
+
readonly ts: string;
|
|
15
|
+
readonly actor_user_id: string | null;
|
|
16
|
+
readonly actor_agent: string;
|
|
17
|
+
readonly event_type: AuditEventType;
|
|
18
|
+
/** JSON-serializable payload. Must NEVER contain a secret value. */
|
|
19
|
+
readonly payload: Record<string, unknown>;
|
|
20
|
+
}
|
|
21
|
+
/**
|
|
22
|
+
* A persisted audit row.
|
|
23
|
+
*/
|
|
24
|
+
export interface AuditEntry extends AuditInput {
|
|
25
|
+
readonly id: number;
|
|
26
|
+
readonly prev_hash: string;
|
|
27
|
+
readonly hash: string;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* The all-zeros 32-byte hex hash used as `prev_hash` of the first
|
|
31
|
+
* entry. Matches the convention documented in 05-encryption-design.md.
|
|
32
|
+
*/
|
|
33
|
+
export declare const GENESIS_HASH: string;
|
|
34
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,MAAM,cAAc,GACtB,eAAe,GACf,oBAAoB,GACpB,mBAAmB,GACnB,aAAa,GACb,cAAc,GACd,8BAA8B,GAC9B,6BAA6B,GAC7B,mBAAmB,GACnB,mBAAmB,GACnB,cAAc,GACd,cAAc,GACd,mBAAmB,GACnB,iBAAiB,GACjB,iBAAiB,GACjB,qBAAqB,GACrB,qBAAqB,GACrB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,oBAAoB,GACpB,gBAAgB,GAChB,gBAAgB,GAChB,qBAAqB,GACrB,oBAAoB,GACpB,oBAAoB,GACpB,kBAAkB,GAClB,iBAAiB,GACjB,yBAAyB,GACzB,aAAa,GACb,aAAa,CAAC;AAElB;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC;IACpC,oEAAoE;IACpE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,UAAU;IAC5C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,eAAO,MAAM,YAAY,QAAiB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AA+DA;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC"}
|