@objectstack/plugin-audit 3.2.5

package/dist/index.js

@@ -0,0 +1,126 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  SysAuditLog: () => SysAuditLog
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/objects/sys-audit-log.object.ts
+var import_data = require("@objectstack/spec/data");
+var SysAuditLog = import_data.ObjectSchema.create({
+  namespace: "sys",
+  name: "audit_log",
+  label: "Audit Log",
+  pluralLabel: "Audit Logs",
+  icon: "scroll-text",
+  isSystem: true,
+  description: "Immutable audit trail for platform events",
+  titleFormat: "{action} on {object_name} by {user_id}",
+  compactLayout: ["action", "object_name", "user_id", "created_at"],
+  fields: {
+    id: import_data.Field.text({
+      label: "Audit Log ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data.Field.datetime({
+      label: "Timestamp",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    user_id: import_data.Field.text({
+      label: "User ID",
+      required: false,
+      description: "User who performed the action (null for system actions)"
+    }),
+    action: import_data.Field.select(["create", "update", "delete", "restore", "login", "logout", "permission_change", "config_change", "export", "import"], {
+      label: "Action",
+      required: true,
+      description: "Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import"
+    }),
+    object_name: import_data.Field.text({
+      label: "Object Name",
+      required: false,
+      maxLength: 255,
+      description: "Target object (e.g. sys_user, project_task)"
+    }),
+    record_id: import_data.Field.text({
+      label: "Record ID",
+      required: false,
+      description: "ID of the affected record"
+    }),
+    old_value: import_data.Field.textarea({
+      label: "Old Value",
+      required: false,
+      description: "JSON-serialized previous state"
+    }),
+    new_value: import_data.Field.textarea({
+      label: "New Value",
+      required: false,
+      description: "JSON-serialized new state"
+    }),
+    ip_address: import_data.Field.text({
+      label: "IP Address",
+      required: false,
+      maxLength: 45
+    }),
+    user_agent: import_data.Field.textarea({
+      label: "User Agent",
+      required: false
+    }),
+    tenant_id: import_data.Field.text({
+      label: "Tenant ID",
+      required: false,
+      description: "Tenant context for multi-tenant isolation"
+    }),
+    metadata: import_data.Field.textarea({
+      label: "Metadata",
+      required: false,
+      description: "JSON-serialized additional context"
+    })
+  },
+  indexes: [
+    { fields: ["created_at"] },
+    { fields: ["user_id"] },
+    { fields: ["object_name", "record_id"] },
+    { fields: ["action"] },
+    { fields: ["tenant_id"] }
+  ],
+  enable: {
+    trackHistory: false,
+    // Audit logs are themselves the audit trail
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list"],
+    // Read-only — audit logs are immutable; creation happens via internal system hooks only
+    trash: false,
+    // Never soft-delete audit logs
+    mru: false,
+    clone: false
+  }
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SysAuditLog
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/objects/sys-audit-log.object.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-audit\n *\n * Audit Plugin for ObjectStack\n * Provides the sys_audit_log system object definition for immutable audit trails.\n */\n\n// System Object Definitions (sys namespace)\nexport { SysAuditLog } from './objects/index.js';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_audit_log — System Audit Log Object\n *\n * Immutable audit trail for all significant platform events.\n * Records who did what, when, and the before/after state.\n *\n * @namespace sys\n */\nexport const SysAuditLog = ObjectSchema.create({\n  namespace: 'sys',\n  name: 'audit_log',\n  label: 'Audit Log',\n  pluralLabel: 'Audit Logs',\n  icon: 'scroll-text',\n  isSystem: true,\n  description: 'Immutable audit trail for platform events',\n  titleFormat: '{action} on {object_name} by {user_id}',\n  compactLayout: ['action', 'object_name', 'user_id', 'created_at'],\n  \n  fields: {\n    id: Field.text({\n      label: 'Audit Log ID',\n      required: true,\n      readonly: true,\n    }),\n    \n    created_at: Field.datetime({\n      label: 'Timestamp',\n      required: true,\n      defaultValue: 'NOW()',\n      readonly: true,\n    }),\n    \n    user_id: Field.text({\n      label: 'User ID',\n      required: false,\n      description: 'User who performed the action (null for system actions)',\n    }),\n    \n    action: Field.select(['create', 'update', 'delete', 'restore', 'login', 'logout', 'permission_change', 'config_change', 'export', 'import'], {\n      label: 'Action',\n      required: true,\n      description: 'Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import',\n    }),\n    \n    object_name: Field.text({\n      label: 'Object Name',\n      required: false,\n      maxLength: 255,\n      description: 'Target object (e.g. sys_user, project_task)',\n    }),\n    \n    record_id: Field.text({\n      label: 'Record ID',\n      required: false,\n      description: 'ID of the affected record',\n    }),\n    \n    old_value: Field.textarea({\n      label: 'Old Value',\n      required: false,\n      description: 'JSON-serialized previous state',\n    }),\n    \n    new_value: Field.textarea({\n      label: 'New Value',\n      required: false,\n      description: 'JSON-serialized new state',\n    }),\n    \n    ip_address: Field.text({\n      label: 'IP Address',\n      required: false,\n      maxLength: 45,\n    }),\n    \n    user_agent: Field.textarea({\n      label: 'User Agent',\n      required: false,\n    }),\n    \n    tenant_id: Field.text({\n      label: 'Tenant ID',\n      required: false,\n      description: 'Tenant context for multi-tenant isolation',\n    }),\n    \n    metadata: Field.textarea({\n      label: 'Metadata',\n      required: false,\n      description: 'JSON-serialized additional context',\n    }),\n  },\n  \n  indexes: [\n    { fields: ['created_at'] },\n    { fields: ['user_id'] },\n    { fields: ['object_name', 'record_id'] },\n    { fields: ['action'] },\n    { fields: ['tenant_id'] },\n  ],\n  \n  enable: {\n    trackHistory: false, // Audit logs are themselves the audit trail\n    searchable: true,\n    apiEnabled: true,\n    apiMethods: ['get', 'list'], // Read-only — audit logs are immutable; creation happens via internal system hooks only\n    trash: false, // Never soft-delete audit logs\n    mru: false,\n    clone: false,\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,kBAAoC;AAU7B,IAAM,cAAc,yBAAa,OAAO;AAAA,EAC7C,WAAW;AAAA,EACX,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,UAAU,eAAe,WAAW,YAAY;AAAA,EAEhE,QAAQ;AAAA,IACN,IAAI,kBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,SAAS,kBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,QAAQ,kBAAM,OAAO,CAAC,UAAU,UAAU,UAAU,WAAW,SAAS,UAAU,qBAAqB,iBAAiB,UAAU,QAAQ,GAAG;AAAA,MAC3I,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,aAAa,kBAAM,KAAK;AAAA,MACtB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,MACX,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,kBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,IACb,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,WAAW,kBAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,UAAU,kBAAM,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA,EAEA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,YAAY,EAAE;AAAA,IACzB,EAAE,QAAQ,CAAC,SAAS,EAAE;AAAA,IACtB,EAAE,QAAQ,CAAC,eAAe,WAAW,EAAE;AAAA,IACvC,EAAE,QAAQ,CAAC,QAAQ,EAAE;AAAA,IACrB,EAAE,QAAQ,CAAC,WAAW,EAAE;AAAA,EAC1B;AAAA,EAEA,QAAQ;AAAA,IACN,cAAc;AAAA;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,MAAM;AAAA;AAAA,IAC1B,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACF,CAAC;","names":[]}

package/dist/index.mjs

@@ -0,0 +1,99 @@
+// src/objects/sys-audit-log.object.ts
+import { ObjectSchema, Field } from "@objectstack/spec/data";
+var SysAuditLog = ObjectSchema.create({
+  namespace: "sys",
+  name: "audit_log",
+  label: "Audit Log",
+  pluralLabel: "Audit Logs",
+  icon: "scroll-text",
+  isSystem: true,
+  description: "Immutable audit trail for platform events",
+  titleFormat: "{action} on {object_name} by {user_id}",
+  compactLayout: ["action", "object_name", "user_id", "created_at"],
+  fields: {
+    id: Field.text({
+      label: "Audit Log ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: Field.datetime({
+      label: "Timestamp",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    user_id: Field.text({
+      label: "User ID",
+      required: false,
+      description: "User who performed the action (null for system actions)"
+    }),
+    action: Field.select(["create", "update", "delete", "restore", "login", "logout", "permission_change", "config_change", "export", "import"], {
+      label: "Action",
+      required: true,
+      description: "Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import"
+    }),
+    object_name: Field.text({
+      label: "Object Name",
+      required: false,
+      maxLength: 255,
+      description: "Target object (e.g. sys_user, project_task)"
+    }),
+    record_id: Field.text({
+      label: "Record ID",
+      required: false,
+      description: "ID of the affected record"
+    }),
+    old_value: Field.textarea({
+      label: "Old Value",
+      required: false,
+      description: "JSON-serialized previous state"
+    }),
+    new_value: Field.textarea({
+      label: "New Value",
+      required: false,
+      description: "JSON-serialized new state"
+    }),
+    ip_address: Field.text({
+      label: "IP Address",
+      required: false,
+      maxLength: 45
+    }),
+    user_agent: Field.textarea({
+      label: "User Agent",
+      required: false
+    }),
+    tenant_id: Field.text({
+      label: "Tenant ID",
+      required: false,
+      description: "Tenant context for multi-tenant isolation"
+    }),
+    metadata: Field.textarea({
+      label: "Metadata",
+      required: false,
+      description: "JSON-serialized additional context"
+    })
+  },
+  indexes: [
+    { fields: ["created_at"] },
+    { fields: ["user_id"] },
+    { fields: ["object_name", "record_id"] },
+    { fields: ["action"] },
+    { fields: ["tenant_id"] }
+  ],
+  enable: {
+    trackHistory: false,
+    // Audit logs are themselves the audit trail
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list"],
+    // Read-only — audit logs are immutable; creation happens via internal system hooks only
+    trash: false,
+    // Never soft-delete audit logs
+    mru: false,
+    clone: false
+  }
+});
+export {
+  SysAuditLog
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/objects/sys-audit-log.object.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_audit_log — System Audit Log Object\n *\n * Immutable audit trail for all significant platform events.\n * Records who did what, when, and the before/after state.\n *\n * @namespace sys\n */\nexport const SysAuditLog = ObjectSchema.create({\n  namespace: 'sys',\n  name: 'audit_log',\n  label: 'Audit Log',\n  pluralLabel: 'Audit Logs',\n  icon: 'scroll-text',\n  isSystem: true,\n  description: 'Immutable audit trail for platform events',\n  titleFormat: '{action} on {object_name} by {user_id}',\n  compactLayout: ['action', 'object_name', 'user_id', 'created_at'],\n  \n  fields: {\n    id: Field.text({\n      label: 'Audit Log ID',\n      required: true,\n      readonly: true,\n    }),\n    \n    created_at: Field.datetime({\n      label: 'Timestamp',\n      required: true,\n      defaultValue: 'NOW()',\n      readonly: true,\n    }),\n    \n    user_id: Field.text({\n      label: 'User ID',\n      required: false,\n      description: 'User who performed the action (null for system actions)',\n    }),\n    \n    action: Field.select(['create', 'update', 'delete', 'restore', 'login', 'logout', 'permission_change', 'config_change', 'export', 'import'], {\n      label: 'Action',\n      required: true,\n      description: 'Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import',\n    }),\n    \n    object_name: Field.text({\n      label: 'Object Name',\n      required: false,\n      maxLength: 255,\n      description: 'Target object (e.g. sys_user, project_task)',\n    }),\n    \n    record_id: Field.text({\n      label: 'Record ID',\n      required: false,\n      description: 'ID of the affected record',\n    }),\n    \n    old_value: Field.textarea({\n      label: 'Old Value',\n      required: false,\n      description: 'JSON-serialized previous state',\n    }),\n    \n    new_value: Field.textarea({\n      label: 'New Value',\n      required: false,\n      description: 'JSON-serialized new state',\n    }),\n    \n    ip_address: Field.text({\n      label: 'IP Address',\n      required: false,\n      maxLength: 45,\n    }),\n    \n    user_agent: Field.textarea({\n      label: 'User Agent',\n      required: false,\n    }),\n    \n    tenant_id: Field.text({\n      label: 'Tenant ID',\n      required: false,\n      description: 'Tenant context for multi-tenant isolation',\n    }),\n    \n    metadata: Field.textarea({\n      label: 'Metadata',\n      required: false,\n      description: 'JSON-serialized additional context',\n    }),\n  },\n  \n  indexes: [\n    { fields: ['created_at'] },\n    { fields: ['user_id'] },\n    { fields: ['object_name', 'record_id'] },\n    { fields: ['action'] },\n    { fields: ['tenant_id'] },\n  ],\n  \n  enable: {\n    trackHistory: false, // Audit logs are themselves the audit trail\n    searchable: true,\n    apiEnabled: true,\n    apiMethods: ['get', 'list'], // Read-only — audit logs are immutable; creation happens via internal system hooks only\n    trash: false, // Never soft-delete audit logs\n    mru: false,\n    clone: false,\n  },\n});\n"],"mappings":";AAEA,SAAS,cAAc,aAAa;AAU7B,IAAM,cAAc,aAAa,OAAO;AAAA,EAC7C,WAAW;AAAA,EACX,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,UAAU,eAAe,WAAW,YAAY;AAAA,EAEhE,QAAQ;AAAA,IACN,IAAI,MAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,MAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,SAAS,MAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,QAAQ,MAAM,OAAO,CAAC,UAAU,UAAU,UAAU,WAAW,SAAS,UAAU,qBAAqB,iBAAiB,UAAU,QAAQ,GAAG;AAAA,MAC3I,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,aAAa,MAAM,KAAK;AAAA,MACtB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,MACX,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,MAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,MAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,MAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,MAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,IACb,CAAC;AAAA,IAED,YAAY,MAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,WAAW,MAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,UAAU,MAAM,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA,EAEA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,YAAY,EAAE;AAAA,IACzB,EAAE,QAAQ,CAAC,SAAS,EAAE;AAAA,IACtB,EAAE,QAAQ,CAAC,eAAe,WAAW,EAAE;AAAA,IACvC,EAAE,QAAQ,CAAC,QAAQ,EAAE;AAAA,IACrB,EAAE,QAAQ,CAAC,WAAW,EAAE;AAAA,EAC1B;AAAA,EAEA,QAAQ;AAAA,IACN,cAAc;AAAA;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,MAAM;AAAA;AAAA,IAC1B,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACF,CAAC;","names":[]}

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@objectstack/plugin-audit",
+  "version": "3.2.5",
+  "license": "Apache-2.0",
+  "description": "Audit Plugin for ObjectStack — System audit log object and audit trail",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "@objectstack/spec": "3.2.5"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.5",
+    "typescript": "^5.0.0",
+    "vitest": "^4.0.18"
+  },
+  "scripts": {
+    "build": "tsup --config ../../../tsup.config.ts",
+    "test": "vitest run"
+  }
+}

package/src/index.ts

@@ -0,0 +1,11 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+/**
+ * @objectstack/plugin-audit
+ *
+ * Audit Plugin for ObjectStack
+ * Provides the sys_audit_log system object definition for immutable audit trails.
+ */
+
+// System Object Definitions (sys namespace)
+export { SysAuditLog } from './objects/index.js';

package/src/objects/index.ts

@@ -0,0 +1,9 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+/**
+ * Audit Plugin — System Object Definitions (sys namespace)
+ *
+ * Canonical ObjectSchema definitions for audit-related system objects.
+ */
+
+export { SysAuditLog } from './sys-audit-log.object.js';

package/src/objects/sys-audit-log.object.ts

@@ -0,0 +1,116 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_audit_log — System Audit Log Object
+ *
+ * Immutable audit trail for all significant platform events.
+ * Records who did what, when, and the before/after state.
+ *
+ * @namespace sys
+ */
+export const SysAuditLog = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'audit_log',
+  label: 'Audit Log',
+  pluralLabel: 'Audit Logs',
+  icon: 'scroll-text',
+  isSystem: true,
+  description: 'Immutable audit trail for platform events',
+  titleFormat: '{action} on {object_name} by {user_id}',
+  compactLayout: ['action', 'object_name', 'user_id', 'created_at'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Audit Log ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    created_at: Field.datetime({
+      label: 'Timestamp',
+      required: true,
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    user_id: Field.text({
+      label: 'User ID',
+      required: false,
+      description: 'User who performed the action (null for system actions)',
+    }),
+    
+    action: Field.select(['create', 'update', 'delete', 'restore', 'login', 'logout', 'permission_change', 'config_change', 'export', 'import'], {
+      label: 'Action',
+      required: true,
+      description: 'Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import',
+    }),
+    
+    object_name: Field.text({
+      label: 'Object Name',
+      required: false,
+      maxLength: 255,
+      description: 'Target object (e.g. sys_user, project_task)',
+    }),
+    
+    record_id: Field.text({
+      label: 'Record ID',
+      required: false,
+      description: 'ID of the affected record',
+    }),
+    
+    old_value: Field.textarea({
+      label: 'Old Value',
+      required: false,
+      description: 'JSON-serialized previous state',
+    }),
+    
+    new_value: Field.textarea({
+      label: 'New Value',
+      required: false,
+      description: 'JSON-serialized new state',
+    }),
+    
+    ip_address: Field.text({
+      label: 'IP Address',
+      required: false,
+      maxLength: 45,
+    }),
+    
+    user_agent: Field.textarea({
+      label: 'User Agent',
+      required: false,
+    }),
+    
+    tenant_id: Field.text({
+      label: 'Tenant ID',
+      required: false,
+      description: 'Tenant context for multi-tenant isolation',
+    }),
+    
+    metadata: Field.textarea({
+      label: 'Metadata',
+      required: false,
+      description: 'JSON-serialized additional context',
+    }),
+  },
+  
+  indexes: [
+    { fields: ['created_at'] },
+    { fields: ['user_id'] },
+    { fields: ['object_name', 'record_id'] },
+    { fields: ['action'] },
+    { fields: ['tenant_id'] },
+  ],
+  
+  enable: {
+    trackHistory: false, // Audit logs are themselves the audit trail
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ['get', 'list'], // Read-only — audit logs are immutable; creation happens via internal system hooks only
+    trash: false, // Never soft-delete audit logs
+    mru: false,
+    clone: false,
+  },
+});

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["dist", "node_modules", "**/*.test.ts"]
+}