@rubytech/create-maxy 1.0.742 → 1.0.744

package/payload/platform/lib/graph-write/dist/__tests__/audit.test.js

@@ -0,0 +1,147 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = __importDefault(require("node:test"));
+const strict_1 = __importDefault(require("node:assert/strict"));
+const audit_js_1 = require("../audit.js");
+const baseInput = {
+    schema: {
+        labels: new Set(["Person", "Organization", "Task", "KnowledgeDocument"]),
+        relationshipTypes: new Set(["KNOWS", "PARTICIPANT", "REFERENCES", "MENTIONS", "PART_OF"]),
+    },
+    agentName: "database-operator",
+    sessionId: "session-abc",
+    nodesCreated: 0,
+    relsCreated: 0,
+    orphanIds: [],
+};
+(0, node_test_1.default)("audit: clean write with provenance + known types yields zero warnings", () => {
+    const cypher = `
+    MATCH (p:Person {name: $name}), (o:Organization {name: $org})
+    MERGE (p)-[r:KNOWS]->(o)
+    SET r.createdAt = datetime(),
+        r.createdByAgent = $agent,
+        r.createdByTool = 'graph-cypher-write',
+        r.createdBySession = $sessionId
+  `;
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, relsCreated: 1 });
+    strict_1.default.deepEqual(warnings, []);
+});
+(0, node_test_1.default)("audit: unknown edge type yields unknown-type-warning", () => {
+    const cypher = "MATCH (a:Person), (b:Person) CREATE (a)-[:HAS_KNOWN]->(b)";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, relsCreated: 1 });
+    const w = warnings.find((x) => x.kind === "unknown-type-warning");
+    strict_1.default.ok(w, "expected unknown-type-warning");
+    strict_1.default.equal(w.kind, "unknown-type-warning");
+    if (w.kind === "unknown-type-warning") {
+        strict_1.default.equal(w.type, "HAS_KNOWN");
+    }
+});
+(0, node_test_1.default)("audit: known APOC edge in YIELD does not trip unknown-type", () => {
+    const cypher = "MATCH (a:Person), (b:Person) WHERE a.email = b.email AND id(a) < id(b) WITH a, b CALL apoc.refactor.mergeNodes([a, b]) YIELD node RETURN node";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher });
+    const unknownTypeWarn = warnings.find((x) => x.kind === "unknown-type-warning");
+    strict_1.default.equal(unknownTypeWarn, undefined);
+});
+(0, node_test_1.default)("audit: CREATE with no provenance stamps yields missing-provenance-warning", () => {
+    const cypher = "CREATE (n:Person {name: 'Foo'})";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, nodesCreated: 1 });
+    const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+    strict_1.default.ok(w, "expected missing-provenance-warning");
+    if (w.kind === "missing-provenance-warning") {
+        strict_1.default.equal(w.created, 1);
+        strict_1.default.equal(w.stamped, 0);
+    }
+});
+(0, node_test_1.default)("audit: MERGE with createdBy* stamps does not trip missing-provenance", () => {
+    const cypher = "MERGE (n:Person {email: $email}) ON CREATE SET n.createdByAgent = $agent, n.createdBySession = $sid";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, nodesCreated: 1 });
+    const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+    strict_1.default.equal(w, undefined);
+});
+(0, node_test_1.default)("audit: provenance check ignores stamps inside string literals", () => {
+    const cypher = "CREATE (n:Person {bio: 'I have createdByAgent in my bio'})";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, nodesCreated: 1 });
+    const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+    strict_1.default.ok(w, "expected missing-provenance-warning despite stamp-like substring in literal");
+});
+(0, node_test_1.default)("audit: idempotent MERGE that matched existing node (nodesCreated=0) emits no missing-provenance-warning", () => {
+    // Reviewer-flagged false-positive case. MERGE (n:Person {email}) without
+    // ON CREATE SET stamps — static count = 1, stamps = 0. If the node
+    // already existed, upstream reports nodesCreated=0 and no provenance was
+    // needed; the audit must not warn.
+    const cypher = "MERGE (n:Person {email: $email})";
+    const warnings = (0, audit_js_1.auditCypherWrite)({ ...baseInput, cypher, nodesCreated: 0 });
+    const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+    strict_1.default.equal(w, undefined, "must not warn when nodesCreated=0");
+});
+(0, node_test_1.default)("audit: orphanIds populated yields orphan-warning", () => {
+    const warnings = (0, audit_js_1.auditCypherWrite)({
+        ...baseInput,
+        cypher: "CREATE (n:Person)",
+        nodesCreated: 1,
+        orphanIds: ["4:abc:1", "4:abc:2"],
+    });
+    const w = warnings.find((x) => x.kind === "orphan-warning");
+    strict_1.default.ok(w, "expected orphan-warning");
+    if (w.kind === "orphan-warning") {
+        strict_1.default.deepEqual(w.orphanIds, ["4:abc:1", "4:abc:2"]);
+    }
+});
+(0, node_test_1.default)("audit: empty orphanIds emits no orphan-warning", () => {
+    const warnings = (0, audit_js_1.auditCypherWrite)({
+        ...baseInput,
+        cypher: "MATCH (a:Person), (b:Person) CREATE (a)-[:KNOWS]->(b)",
+        relsCreated: 1,
+        orphanIds: [],
+    });
+    const w = warnings.find((x) => x.kind === "orphan-warning");
+    strict_1.default.equal(w, undefined);
+});
+(0, node_test_1.default)("formatAuditLine: accepted line includes counters + provenance", () => {
+    const line = (0, audit_js_1.formatAuditLine)({
+        kind: "accepted",
+        cypherPrefix: "MATCH (a:Person) CREATE",
+        nodesCreated: 1,
+        relsCreated: 4,
+        agentName: "database-operator",
+        sessionId: "abc-123",
+    });
+    strict_1.default.match(line, /^\[graph-cypher-write\] accepted /);
+    strict_1.default.match(line, /nodesCreated=1/);
+    strict_1.default.match(line, /relsCreated=4/);
+    strict_1.default.match(line, /agentName=database-operator/);
+    strict_1.default.match(line, /sessionId=abc-123/);
+});
+(0, node_test_1.default)("formatAuditLine: orphan-warning line lists orphanIds", () => {
+    const line = (0, audit_js_1.formatAuditLine)({
+        kind: "orphan-warning",
+        cypherPrefix: "CREATE (n:Person)",
+        orphanIds: ["4:abc:1", "4:abc:2"],
+    });
+    strict_1.default.match(line, /^\[graph-cypher-write\] orphan-warning /);
+    strict_1.default.match(line, /orphanIds=4:abc:1,4:abc:2/);
+});
+(0, node_test_1.default)("formatAuditLine: unknown-type-warning names the type", () => {
+    const line = (0, audit_js_1.formatAuditLine)({
+        kind: "unknown-type-warning",
+        cypherPrefix: "CREATE (a)-[:HAS_KNOWN]->(b)",
+        type: "HAS_KNOWN",
+    });
+    strict_1.default.match(line, /^\[graph-cypher-write\] unknown-type-warning /);
+    strict_1.default.match(line, /type=HAS_KNOWN/);
+});
+(0, node_test_1.default)("formatAuditLine: missing-provenance-warning shows created vs stamped counts", () => {
+    const line = (0, audit_js_1.formatAuditLine)({
+        kind: "missing-provenance-warning",
+        cypherPrefix: "CREATE (n:Person)",
+        created: 3,
+        stamped: 1,
+    });
+    strict_1.default.match(line, /^\[graph-cypher-write\] missing-provenance-warning /);
+    strict_1.default.match(line, /created=3/);
+    strict_1.default.match(line, /stamped=1/);
+});
+//# sourceMappingURL=audit.test.js.map

package/payload/platform/lib/graph-write/dist/__tests__/audit.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.js","sourceRoot":"","sources":["../../src/__tests__/audit.test.ts"],"names":[],"mappings":";;;;;AAAA,0DAA6B;AAC7B,gEAAwC;AACxC,0CAIqB;AAErB,MAAM,SAAS,GAA0C;IACvD,MAAM,EAAE;QACN,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,mBAAmB,CAAC,CAAC;QACxE,iBAAiB,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;KAC1F;IACD,SAAS,EAAE,mBAAmB;IAC9B,SAAS,EAAE,aAAa;IACxB,YAAY,EAAE,CAAC;IACf,WAAW,EAAE,CAAC;IACd,SAAS,EAAE,EAAE;CACd,CAAC;AAEF,IAAA,mBAAI,EAAC,uEAAuE,EAAE,GAAG,EAAE;IACjF,MAAM,MAAM,GAAG;;;;;;;GAOd,CAAC;IACF,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5E,gBAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sDAAsD,EAAE,GAAG,EAAE;IAChE,MAAM,MAAM,GAAG,2DAA2D,CAAC;IAC3E,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5E,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAC;IAClE,gBAAM,CAAC,EAAE,CAAC,CAAC,EAAE,+BAA+B,CAAC,CAAC;IAC9C,gBAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,sBAAsB,CAAC,CAAC;IAC7C,IAAI,CAAC,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;QACtC,gBAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACpC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,4DAA4D,EAAE,GAAG,EAAE;IACtE,MAAM,MAAM,GACV,+IAA+I,CAAC;IAClJ,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5D,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAC;IAChF,gBAAM,CAAC,KAAK,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;AAC3C,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,2EAA2E,EAAE,GAAG,EAAE;IACrF,MAAM,MAAM,GAAG,iCAAiC,CAAC;IACjD,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAAC,CAAC;IACxE,gBAAM,CAAC,EAAE,CAAC,CAAC,EAAE,qCAAqC,CAAC,CAAC;IACpD,IAAI,CAAC,CAAC,IAAI,KAAK,4BAA4B,EAAE,CAAC;QAC5C,gBAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC3B,gBAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sEAAsE,EAAE,GAAG,EAAE;IAChF,MAAM,MAAM,GACV,qGAAqG,CAAC;IACxG,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAAC,CAAC;IACxE,gBAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,+DAA+D,EAAE,GAAG,EAAE;IACzE,MAAM,MAAM,GACV,4DAA4D,CAAC;IAC/D,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAAC,CAAC;IACxE,gBAAM,CAAC,EAAE,CAAC,CAAC,EAAE,6EAA6E,CAAC,CAAC;AAC9F,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,yGAAyG,EAAE,GAAG,EAAE;IACnH,yEAAyE;IACzE,mEAAmE;IACnE,yEAAyE;IACzE,mCAAmC;IACnC,MAAM,MAAM,GAAG,kCAAkC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,EAAE,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAAC,CAAC;IACxE,gBAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,mCAAmC,CAAC,CAAC;AAClE,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,kDAAkD,EAAE,GAAG,EAAE;IAC5D,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC;QAChC,GAAG,SAAS;QACZ,MAAM,EAAE,mBAAmB;QAC3B,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;KAClC,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC;IAC5D,gBAAM,CAAC,EAAE,CAAC,CAAC,EAAE,yBAAyB,CAAC,CAAC;IACxC,IAAI,CAAC,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAChC,gBAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,gDAAgD,EAAE,GAAG,EAAE;IAC1D,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC;QAChC,GAAG,SAAS;QACZ,MAAM,EAAE,uDAAuD;QAC/D,WAAW,EAAE,CAAC;QACd,SAAS,EAAE,EAAE;KACd,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC;IAC5D,gBAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,+DAA+D,EAAE,GAAG,EAAE;IACzE,MAAM,IAAI,GAAG,IAAA,0BAAe,EAAC;QAC3B,IAAI,EAAE,UAAU;QAChB,YAAY,EAAE,yBAAyB;QACvC,YAAY,EAAE,CAAC;QACf,WAAW,EAAE,CAAC;QACd,SAAS,EAAE,mBAAmB;QAC9B,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,mCAAmC,CAAC,CAAC;IACxD,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;IACrC,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IACpC,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;IAClD,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;AAC1C,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sDAAsD,EAAE,GAAG,EAAE;IAChE,MAAM,IAAI,GAAG,IAAA,0BAAe,EAAC;QAC3B,IAAI,EAAE,gBAAgB;QACtB,YAAY,EAAE,mBAAmB;QACjC,SAAS,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;KAClC,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,yCAAyC,CAAC,CAAC;IAC9D,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,2BAA2B,CAAC,CAAC;AAClD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,sDAAsD,EAAE,GAAG,EAAE;IAChE,MAAM,IAAI,GAAG,IAAA,0BAAe,EAAC;QAC3B,IAAI,EAAE,sBAAsB;QAC5B,YAAY,EAAE,8BAA8B;QAC5C,IAAI,EAAE,WAAW;KAClB,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,+CAA+C,CAAC,CAAC;IACpE,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AACvC,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,6EAA6E,EAAE,GAAG,EAAE;IACvF,MAAM,IAAI,GAAG,IAAA,0BAAe,EAAC;QAC3B,IAAI,EAAE,4BAA4B;QAClC,YAAY,EAAE,mBAAmB;QACjC,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;KACX,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,qDAAqD,CAAC,CAAC;IAC1E,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAChC,gBAAM,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC"}

package/payload/platform/lib/graph-write/dist/audit.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Post-write audit for the database-operator's raw `write_neo4j_cypher` tool
+ * (Task 796). Sibling to `[graph-write] accepted` for the wrapped writers
+ * (`memory-write`, `contact-create`, etc. — Task 673) — same module so the
+ * `[graph-*]` log family stays uniform across both write surfaces.
+ *
+ * Design posture:
+ *   - Static parse first. Pre-flight regex on the cypher text catches missing
+ *     provenance stamps and unknown edge types cheaply, no driver round-trip.
+ *   - Dynamic orphan detection is the caller's responsibility — the graph-mcp
+ *     shim runs the detection query against Neo4j after the upstream commits
+ *     and passes the resulting elementId list as `orphanIds`. Keeping the
+ *     module pure (no neo4j-driver import) makes it unit-testable without a
+ *     live database.
+ *   - Audit is observational. Warnings never block the write. The
+ *     prompt-level Graph Stewardship Doctrine in
+ *     [database-operator.md](../../../templates/specialists/agents/database-operator.md)
+ *     names the discipline; the audit is the verification stream.
+ *
+ * String literals are stripped before pattern checks so that property values
+ * containing words like `'createdByAgent in my bio'` cannot trip a false
+ * provenance count, and edge-like patterns inside quoted strings cannot
+ * trip a false unknown-type warning. The regex shape is duplicated from
+ * [cypher-validate.ts](../../graph-mcp/src/cypher-validate.ts) intentionally:
+ * graph-write does not depend on graph-mcp, and a one-line regex helper
+ * doesn't justify a third package. Drift in either copy is a regression
+ * surfaced by both the validator tests and the audit tests.
+ */
+export interface SchemaSnapshot {
+    readonly labels: ReadonlySet<string>;
+    readonly relationshipTypes: ReadonlySet<string>;
+}
+export interface CypherWriteAuditInput {
+    cypher: string;
+    schema: SchemaSnapshot;
+    agentName: string;
+    sessionId: string;
+    /** Counter from upstream response — drives missing-provenance arithmetic. */
+    nodesCreated: number;
+    /** Counter from upstream response — informational only. */
+    relsCreated: number;
+    /**
+     * elementIds of nodes the post-write orphan query identified. Caller scopes
+     * the query to (createdBySession, createdAt >= writeStartTimestamp) so this
+     * list cannot include nodes from prior writes in the same session. Empty
+     * array = no orphans (or no scope to check).
+     */
+    orphanIds: string[];
+}
+export type AuditWarning = {
+    kind: "orphan-warning";
+    orphanIds: string[];
+} | {
+    kind: "unknown-type-warning";
+    type: string;
+} | {
+    kind: "missing-provenance-warning";
+    created: number;
+    stamped: number;
+};
+export type AuditLine = {
+    kind: "accepted";
+    cypherPrefix: string;
+    nodesCreated: number;
+    relsCreated: number;
+    agentName: string;
+    sessionId: string;
+} | {
+    kind: "orphan-warning";
+    cypherPrefix: string;
+    orphanIds: string[];
+} | {
+    kind: "unknown-type-warning";
+    cypherPrefix: string;
+    type: string;
+} | {
+    kind: "missing-provenance-warning";
+    cypherPrefix: string;
+    created: number;
+    stamped: number;
+};
+export declare function auditCypherWrite(input: CypherWriteAuditInput): AuditWarning[];
+export declare function formatAuditLine(line: AuditLine): string;
+//# sourceMappingURL=audit.d.ts.map

package/payload/platform/lib/graph-write/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrC,QAAQ,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,YAAY,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,SAAS,EAAE,MAAM,EAAE,CAAA;CAAE,GAC/C;IAAE,IAAI,EAAE,sBAAsB,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC9C;IAAE,IAAI,EAAE,4BAA4B,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7E,MAAM,MAAM,SAAS,GACjB;IACE,IAAI,EAAE,UAAU,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB,GACD;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,EAAE,CAAA;CAAE,GACrE;IAAE,IAAI,EAAE,sBAAsB,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpE;IACE,IAAI,EAAE,4BAA4B,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AA8CN,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,YAAY,EAAE,CAgD7E;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,CAYvD"}

package/payload/platform/lib/graph-write/dist/audit.js

@@ -0,0 +1,129 @@
+"use strict";
+/**
+ * Post-write audit for the database-operator's raw `write_neo4j_cypher` tool
+ * (Task 796). Sibling to `[graph-write] accepted` for the wrapped writers
+ * (`memory-write`, `contact-create`, etc. — Task 673) — same module so the
+ * `[graph-*]` log family stays uniform across both write surfaces.
+ *
+ * Design posture:
+ *   - Static parse first. Pre-flight regex on the cypher text catches missing
+ *     provenance stamps and unknown edge types cheaply, no driver round-trip.
+ *   - Dynamic orphan detection is the caller's responsibility — the graph-mcp
+ *     shim runs the detection query against Neo4j after the upstream commits
+ *     and passes the resulting elementId list as `orphanIds`. Keeping the
+ *     module pure (no neo4j-driver import) makes it unit-testable without a
+ *     live database.
+ *   - Audit is observational. Warnings never block the write. The
+ *     prompt-level Graph Stewardship Doctrine in
+ *     [database-operator.md](../../../templates/specialists/agents/database-operator.md)
+ *     names the discipline; the audit is the verification stream.
+ *
+ * String literals are stripped before pattern checks so that property values
+ * containing words like `'createdByAgent in my bio'` cannot trip a false
+ * provenance count, and edge-like patterns inside quoted strings cannot
+ * trip a false unknown-type warning. The regex shape is duplicated from
+ * [cypher-validate.ts](../../graph-mcp/src/cypher-validate.ts) intentionally:
+ * graph-write does not depend on graph-mcp, and a one-line regex helper
+ * doesn't justify a third package. Drift in either copy is a regression
+ * surfaced by both the validator tests and the audit tests.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditCypherWrite = auditCypherWrite;
+exports.formatAuditLine = formatAuditLine;
+// Mirrors cypher-validate's pattern. Captures TYPE(|TYPE)* alternation; the
+// audit splits on `|` to enumerate every referenced type.
+const EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
+// Counts CREATE (n:Label) and MERGE (n:Label) statements that introduce a
+// node. The trailing `[A-Z]` requires at least one label (so `CREATE INDEX`
+// and bare `CREATE (a)-[:R]->(b)` shapes don't trip this — bare patterns
+// reference a previously-MATCHed alias and don't introduce new nodes).
+const CREATE_OR_MERGE_NODE = /\b(?:CREATE|MERGE)\s*\(\s*[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Z]/g;
+// Stamp tokens — at least one of these MUST appear per created node for the
+// write to satisfy provenance discipline. The audit counts occurrences;
+// stamp-count >= node-count is the pass criterion.
+const PROVENANCE_TOKEN = /\bcreatedBy(?:Agent|Tool|Session|Source)\b/g;
+function stripStringLiterals(cypher) {
+    // Identical regex to cypher-validate.ts. Replaces single- and double-
+    // quoted literals with empty quotes so e.g. 'CREATE (n:Person)' inside a
+    // property value cannot inflate the create-count.
+    return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
+}
+function extractEdgeTypes(cleaned) {
+    const out = new Set();
+    // Use String.matchAll for stateless iteration — no shared regex lastIndex.
+    for (const m of cleaned.matchAll(EDGE_PATTERN)) {
+        for (const t of m[1].split("|")) {
+            const clean = t.trim();
+            if (clean)
+                out.add(clean);
+        }
+    }
+    return out;
+}
+function countCreateOrMergeNodes(cleaned) {
+    const matches = cleaned.match(CREATE_OR_MERGE_NODE);
+    return matches ? matches.length : 0;
+}
+function countProvenanceStamps(cleaned) {
+    const matches = cleaned.match(PROVENANCE_TOKEN);
+    return matches ? matches.length : 0;
+}
+function auditCypherWrite(input) {
+    const warnings = [];
+    const cleaned = stripStringLiterals(input.cypher);
+    // 1. Unknown edge type — cypher names a type not in the live ontology.
+    //    Enumerate every referenced type; emit one warning per unknown.
+    const referencedTypes = extractEdgeTypes(cleaned);
+    for (const t of referencedTypes) {
+        if (!input.schema.relationshipTypes.has(t)) {
+            warnings.push({ kind: "unknown-type-warning", type: t });
+        }
+    }
+    // 2. Missing provenance — count CREATE/MERGE-with-label statements vs
+    //    `createdBy*` token occurrences. Stamps may live in inline maps
+    //    (`{createdByAgent: $agent}`) or SET clauses; both shapes contribute
+    //    to the token count. The arithmetic is precision-imprecise — a
+    //    multi-stamp single CREATE inflates `stamped`, a multi-CREATE single
+    //    SET undercounts — but the directional signal (zero stamps for many
+    //    creates) catches the failure mode this audit exists to surface.
+    //
+    //    nodesCreated=0 short-circuits the check: the upstream counter is
+    //    ground truth for whether any node was actually persisted. An
+    //    idempotent MERGE that matched an existing node has a static
+    //    create-count of 1 but contributed no new node — no provenance was
+    //    needed, and warning here would be a false positive.
+    if (input.nodesCreated > 0) {
+        const createOrMergeNodes = countCreateOrMergeNodes(cleaned);
+        if (createOrMergeNodes > 0) {
+            const stamps = countProvenanceStamps(cleaned);
+            if (stamps < createOrMergeNodes) {
+                warnings.push({
+                    kind: "missing-provenance-warning",
+                    created: createOrMergeNodes,
+                    stamped: stamps,
+                });
+            }
+        }
+    }
+    // 3. Orphans — caller-supplied. The dynamic detection happens at the
+    //    graph-mcp shim layer (which has the Neo4j driver); the audit module
+    //    only renders the warning shape.
+    if (input.orphanIds.length > 0) {
+        warnings.push({ kind: "orphan-warning", orphanIds: input.orphanIds });
+    }
+    return warnings;
+}
+function formatAuditLine(line) {
+    const prefixField = `query="${line.cypherPrefix.replace(/"/g, "'")}"`;
+    switch (line.kind) {
+        case "accepted":
+            return `[graph-cypher-write] accepted ${prefixField} nodesCreated=${line.nodesCreated} relsCreated=${line.relsCreated} agentName=${line.agentName} sessionId=${line.sessionId}`;
+        case "orphan-warning":
+            return `[graph-cypher-write] orphan-warning ${prefixField} orphanIds=${line.orphanIds.join(",")}`;
+        case "unknown-type-warning":
+            return `[graph-cypher-write] unknown-type-warning ${prefixField} type=${line.type}`;
+        case "missing-provenance-warning":
+            return `[graph-cypher-write] missing-provenance-warning ${prefixField} created=${line.created} stamped=${line.stamped}`;
+    }
+}
+//# sourceMappingURL=audit.js.map

package/payload/platform/lib/graph-write/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;AA4FH,4CAgDC;AAED,0CAYC;AA1GD,4EAA4E;AAC5E,0DAA0D;AAC1D,MAAM,YAAY,GAAG,qEAAqE,CAAC;AAE3F,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,uEAAuE;AACvE,MAAM,oBAAoB,GAAG,+DAA+D,CAAC;AAE7F,4EAA4E;AAC5E,wEAAwE;AACxE,mDAAmD;AACnD,MAAM,gBAAgB,GAAG,6CAA6C,CAAC;AAEvE,SAAS,mBAAmB,CAAC,MAAc;IACzC,sEAAsE;IACtE,yEAAyE;IACzE,kDAAkD;IAClD,OAAO,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,2EAA2E;IAC3E,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC/C,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACvB,IAAI,KAAK;gBAAE,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,uBAAuB,CAAC,OAAe;IAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACpD,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAChD,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,SAAgB,gBAAgB,CAAC,KAA4B;IAC3D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAElD,uEAAuE;IACvE,oEAAoE;IACpE,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,oEAAoE;IACpE,yEAAyE;IACzE,mEAAmE;IACnE,yEAAyE;IACzE,wEAAwE;IACxE,qEAAqE;IACrE,EAAE;IACF,sEAAsE;IACtE,kEAAkE;IAClE,iEAAiE;IACjE,uEAAuE;IACvE,yDAAyD;IACzD,IAAI,KAAK,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,kBAAkB,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,kBAAkB,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,MAAM,GAAG,kBAAkB,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,4BAA4B;oBAClC,OAAO,EAAE,kBAAkB;oBAC3B,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,yEAAyE;IACzE,qCAAqC;IACrC,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAgB,eAAe,CAAC,IAAe;IAC7C,MAAM,WAAW,GAAG,UAAU,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC;IACtE,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,iCAAiC,WAAW,iBAAiB,IAAI,CAAC,YAAY,gBAAgB,IAAI,CAAC,WAAW,cAAc,IAAI,CAAC,SAAS,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC;QAClL,KAAK,gBAAgB;YACnB,OAAO,uCAAuC,WAAW,cAAc,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpG,KAAK,sBAAsB;YACzB,OAAO,6CAA6C,WAAW,SAAS,IAAI,CAAC,IAAI,EAAE,CAAC;QACtF,KAAK,4BAA4B;YAC/B,OAAO,mDAAmD,WAAW,YAAY,IAAI,CAAC,OAAO,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC;IAC5H,CAAC;AACH,CAAC"}

package/payload/platform/lib/graph-write/dist/index.d.ts

@@ -1,3 +1,4 @@
+export * from "./audit.js";
 /**
  * Write doctrine (Task 673): a node without at least one adjacency is noise,
  * not knowledge. `writeNodeWithEdges` is the single primitive every graph

package/payload/platform/lib/graph-write/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,UAAU,GAAG,UAAU,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6FAA6F;IAC7F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uFAAuF;IACvF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,4EAA4E;IAC5E,aAAa,EAAE,iBAAiB,EAAE,CAAC;IACnC,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,uDAAuD;AACvD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,SAAS,GACnB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQzB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,eAAe,CAAC,CA8G1B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAE3B;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,UAAU,GAAG,UAAU,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6FAA6F;IAC7F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uFAAuF;IACvF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,4EAA4E;IAC5E,aAAa,EAAE,iBAAiB,EAAE,CAAC;IACnC,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,uDAAuD;AACvD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,SAAS,GACnB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQzB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,eAAe,CAAC,CA8G1B"}

package/payload/platform/lib/graph-write/dist/index.js

@@ -1,29 +1,25 @@
 "use strict";
-/**
- * Write doctrine (Task 673): a node without at least one adjacency is noise,
- * not knowledge. `writeNodeWithEdges` is the single primitive every graph
- * writer should call; it rejects zero-relationship writes, verifies every
- * relationship target resolves before the node is created, and commits the
- * node + all edges in one managed transaction. Provenance is stamped on the
- * node as flattened `createdBy*` properties (Neo4j does not persist nested
- * maps, and flat props are queryable — `MATCH (n) WHERE n.createdBySession
- * = $id RETURN n` is the forensic entry point).
- *
- * Rejection paths (every one emits a stderr log the admin server pipes to
- * server.log, so orphan pressure is visible per-write not just in the
- * hourly [graph-health] signal):
- *   - zero relationships      → `[graph-write] reject reason=zero-relationships`
- *   - unresolved target id    → `[graph-write] reject reason=unresolved-target`
- *
- * The `createdBy.agent` field is advisory, not authoritative — it is sourced
- * from the MCP server's AGENT_SLUG env var, which is set by the trusted
- * spawning code (admin server / workflow runner). A misconfigured spawner
- * will write "unknown"; that's the signal something is wrong. Do not use
- * this field for access control — it is forensic, not a security boundary.
- */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.stampCreatedBy = stampCreatedBy;
 exports.writeNodeWithEdges = writeNodeWithEdges;
+// Task 796: re-export the post-write audit so consumers (graph-mcp shim)
+// import from the same package as `writeNodeWithEdges`. Keeps the
+// `[graph-*]` log family colocated.
+__exportStar(require("./audit.js"), exports);
 /** Stamp flattened provenance into node properties. */
 function stampCreatedBy(props, createdBy) {
     return {

package/payload/platform/lib/graph-write/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AAqCH,wCAWC;AAQD,gDAgHC;AApID,uDAAuD;AACvD,SAAgB,cAAc,CAC5B,KAA8B,EAC9B,SAAoB;IAEpB,OAAO;QACL,GAAG,KAAK;QACR,cAAc,EAAE,SAAS,CAAC,KAAK,IAAI,SAAS;QAC5C,gBAAgB,EAAE,SAAS,CAAC,OAAO,IAAI,SAAS;QAChD,aAAa,EAAE,SAAS,CAAC,IAAI,IAAI,IAAI;QACrC,eAAe,EAAE,SAAS,CAAC,MAAM,IAAI,IAAI;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAgC;IAEhC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEpE,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yDAAyD,QAAQ,UAAU,UAAU,IAAI,CAC1F,CAAC;QACF,MAAM,IAAI,KAAK,CACb,sHAAsH,CACvH,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEnD,OAAO,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CACxB,uFAAuF,EACvF,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wDAAwD,QAAQ,UAAU,UAAU,cAAc,eAAe,UAAU,KAAK,IAAI,CACrI,CAAC;YACF,MAAM,IAAI,KAAK,CACb,4BAA4B,eAAe,GAAG,KAAK,OAAO,eAAe,gFAAgF,CAC1J,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,GAAG,CACpB,aAAa,QAAQ,iEAAiE,EACtF,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sEAAsE;YACtE,oEAAoE;YACpE,uEAAuE;YACvE,kEAAkE;YAClE,sEAAsE;YACtE,+DAA+D;YAC/D,sEAAsE;YACtE,iCAAiC;YACjC,MAAM,IAAI,GAAI,GAAgC,EAAE,IAAI,IAAI,EAAE,CAAC;YAC3D,IAAI,IAAI,KAAK,mDAAmD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACnG,MAAM,aAAa,GAAI,SAAqC,CAAC,SAAS,CAAC;gBACvE,MAAM,UAAU,GAAI,SAAqC,CAAC,MAAM,CAAC;gBACjE,MAAM,SAAS,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC5F,MAAM,SAAS,GAAG,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBACtF,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2EAA2E,SAAS,WAAW,SAAS,WAAW,UAAU,IAAI,CAClI,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAW,CAAC;QAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAa,CAAC;QAEpE,uEAAuE;QACvE,iEAAiE;QACjE,uEAAuE;QACvE,wEAAwE;QACxE,oEAAoE;QACpE,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,GACL,GAAG,CAAC,SAAS,KAAK,UAAU;gBAC1B,CAAC,CAAC,mFAAmF,IAAI,UAAU;gBACnG,CAAC,CAAC,mFAAmF,IAAI,UAAU,CAAC;YACxG,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC;YAClE,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kEAAkE,QAAQ,UAAU,UAAU,YAAY,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,YAAY,IAAI,CACpJ,CAAC;gBACF,MAAM,IAAI,KAAK,CACb,0DAA0D,GAAG,CAAC,YAAY,kGAAkG,CAC7K,CAAC;YACJ,CAAC;YACD,YAAY,IAAI,OAAO,CAAC;QAC1B,CAAC;QAED,IAAI,YAAY,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1C,mEAAmE;YACnE,+DAA+D;YAC/D,+CAA+C;YAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,QAAQ,UAAU,UAAU,cAAc,aAAa,CAAC,MAAM,YAAY,YAAY,IAAI,CACrJ,CAAC;YACF,MAAM,IAAI,KAAK,CACb,qCAAqC,aAAa,CAAC,MAAM,mBAAmB,YAAY,4BAA4B,CACrH,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iCAAiC,QAAQ,UAAU,YAAY,mBAAmB,SAAS,CAAC,KAAK,IAAI,SAAS,kBAAkB,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,IAAI,CACpL,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AA+DA,wCAWC;AAQD,gDAgHC;AAlMD,yEAAyE;AACzE,kEAAkE;AAClE,oCAAoC;AACpC,6CAA2B;AA2D3B,uDAAuD;AACvD,SAAgB,cAAc,CAC5B,KAA8B,EAC9B,SAAoB;IAEpB,OAAO;QACL,GAAG,KAAK;QACR,cAAc,EAAE,SAAS,CAAC,KAAK,IAAI,SAAS;QAC5C,gBAAgB,EAAE,SAAS,CAAC,OAAO,IAAI,SAAS;QAChD,aAAa,EAAE,SAAS,CAAC,IAAI,IAAI,IAAI;QACrC,eAAe,EAAE,SAAS,CAAC,MAAM,IAAI,IAAI;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAgC;IAEhC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEpE,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yDAAyD,QAAQ,UAAU,UAAU,IAAI,CAC1F,CAAC;QACF,MAAM,IAAI,KAAK,CACb,sHAAsH,CACvH,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEnD,OAAO,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CACxB,uFAAuF,EACvF,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wDAAwD,QAAQ,UAAU,UAAU,cAAc,eAAe,UAAU,KAAK,IAAI,CACrI,CAAC;YACF,MAAM,IAAI,KAAK,CACb,4BAA4B,eAAe,GAAG,KAAK,OAAO,eAAe,gFAAgF,CAC1J,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,GAAG,CACpB,aAAa,QAAQ,iEAAiE,EACtF,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sEAAsE;YACtE,oEAAoE;YACpE,uEAAuE;YACvE,kEAAkE;YAClE,sEAAsE;YACtE,+DAA+D;YAC/D,sEAAsE;YACtE,iCAAiC;YACjC,MAAM,IAAI,GAAI,GAAgC,EAAE,IAAI,IAAI,EAAE,CAAC;YAC3D,IAAI,IAAI,KAAK,mDAAmD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACnG,MAAM,aAAa,GAAI,SAAqC,CAAC,SAAS,CAAC;gBACvE,MAAM,UAAU,GAAI,SAAqC,CAAC,MAAM,CAAC;gBACjE,MAAM,SAAS,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC5F,MAAM,SAAS,GAAG,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBACtF,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2EAA2E,SAAS,WAAW,SAAS,WAAW,UAAU,IAAI,CAClI,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAW,CAAC;QAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAa,CAAC;QAEpE,uEAAuE;QACvE,iEAAiE;QACjE,uEAAuE;QACvE,wEAAwE;QACxE,oEAAoE;QACpE,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,GACL,GAAG,CAAC,SAAS,KAAK,UAAU;gBAC1B,CAAC,CAAC,mFAAmF,IAAI,UAAU;gBACnG,CAAC,CAAC,mFAAmF,IAAI,UAAU,CAAC;YACxG,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC;YAClE,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kEAAkE,QAAQ,UAAU,UAAU,YAAY,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,YAAY,IAAI,CACpJ,CAAC;gBACF,MAAM,IAAI,KAAK,CACb,0DAA0D,GAAG,CAAC,YAAY,kGAAkG,CAC7K,CAAC;YACJ,CAAC;YACD,YAAY,IAAI,OAAO,CAAC;QAC1B,CAAC;QAED,IAAI,YAAY,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1C,mEAAmE;YACnE,+DAA+D;YAC/D,+CAA+C;YAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,QAAQ,UAAU,UAAU,cAAc,aAAa,CAAC,MAAM,YAAY,YAAY,IAAI,CACrJ,CAAC;YACF,MAAM,IAAI,KAAK,CACb,qCAAqC,aAAa,CAAC,MAAM,mBAAmB,YAAY,4BAA4B,CACrH,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iCAAiC,QAAQ,UAAU,YAAY,mBAAmB,SAAS,CAAC,KAAK,IAAI,SAAS,kBAAkB,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,IAAI,CACpL,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/payload/platform/lib/graph-write/src/__tests__/audit.test.ts

@@ -0,0 +1,162 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import {
+  auditCypherWrite,
+  formatAuditLine,
+  type CypherWriteAuditInput,
+} from "../audit.js";
+
+const baseInput: Omit<CypherWriteAuditInput, "cypher"> = {
+  schema: {
+    labels: new Set(["Person", "Organization", "Task", "KnowledgeDocument"]),
+    relationshipTypes: new Set(["KNOWS", "PARTICIPANT", "REFERENCES", "MENTIONS", "PART_OF"]),
+  },
+  agentName: "database-operator",
+  sessionId: "session-abc",
+  nodesCreated: 0,
+  relsCreated: 0,
+  orphanIds: [],
+};
+
+test("audit: clean write with provenance + known types yields zero warnings", () => {
+  const cypher = `
+    MATCH (p:Person {name: $name}), (o:Organization {name: $org})
+    MERGE (p)-[r:KNOWS]->(o)
+    SET r.createdAt = datetime(),
+        r.createdByAgent = $agent,
+        r.createdByTool = 'graph-cypher-write',
+        r.createdBySession = $sessionId
+  `;
+  const warnings = auditCypherWrite({ ...baseInput, cypher, relsCreated: 1 });
+  assert.deepEqual(warnings, []);
+});
+
+test("audit: unknown edge type yields unknown-type-warning", () => {
+  const cypher = "MATCH (a:Person), (b:Person) CREATE (a)-[:HAS_KNOWN]->(b)";
+  const warnings = auditCypherWrite({ ...baseInput, cypher, relsCreated: 1 });
+  const w = warnings.find((x) => x.kind === "unknown-type-warning");
+  assert.ok(w, "expected unknown-type-warning");
+  assert.equal(w.kind, "unknown-type-warning");
+  if (w.kind === "unknown-type-warning") {
+    assert.equal(w.type, "HAS_KNOWN");
+  }
+});
+
+test("audit: known APOC edge in YIELD does not trip unknown-type", () => {
+  const cypher =
+    "MATCH (a:Person), (b:Person) WHERE a.email = b.email AND id(a) < id(b) WITH a, b CALL apoc.refactor.mergeNodes([a, b]) YIELD node RETURN node";
+  const warnings = auditCypherWrite({ ...baseInput, cypher });
+  const unknownTypeWarn = warnings.find((x) => x.kind === "unknown-type-warning");
+  assert.equal(unknownTypeWarn, undefined);
+});
+
+test("audit: CREATE with no provenance stamps yields missing-provenance-warning", () => {
+  const cypher = "CREATE (n:Person {name: 'Foo'})";
+  const warnings = auditCypherWrite({ ...baseInput, cypher, nodesCreated: 1 });
+  const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+  assert.ok(w, "expected missing-provenance-warning");
+  if (w.kind === "missing-provenance-warning") {
+    assert.equal(w.created, 1);
+    assert.equal(w.stamped, 0);
+  }
+});
+
+test("audit: MERGE with createdBy* stamps does not trip missing-provenance", () => {
+  const cypher =
+    "MERGE (n:Person {email: $email}) ON CREATE SET n.createdByAgent = $agent, n.createdBySession = $sid";
+  const warnings = auditCypherWrite({ ...baseInput, cypher, nodesCreated: 1 });
+  const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+  assert.equal(w, undefined);
+});
+
+test("audit: provenance check ignores stamps inside string literals", () => {
+  const cypher =
+    "CREATE (n:Person {bio: 'I have createdByAgent in my bio'})";
+  const warnings = auditCypherWrite({ ...baseInput, cypher, nodesCreated: 1 });
+  const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+  assert.ok(w, "expected missing-provenance-warning despite stamp-like substring in literal");
+});
+
+test("audit: idempotent MERGE that matched existing node (nodesCreated=0) emits no missing-provenance-warning", () => {
+  // Reviewer-flagged false-positive case. MERGE (n:Person {email}) without
+  // ON CREATE SET stamps — static count = 1, stamps = 0. If the node
+  // already existed, upstream reports nodesCreated=0 and no provenance was
+  // needed; the audit must not warn.
+  const cypher = "MERGE (n:Person {email: $email})";
+  const warnings = auditCypherWrite({ ...baseInput, cypher, nodesCreated: 0 });
+  const w = warnings.find((x) => x.kind === "missing-provenance-warning");
+  assert.equal(w, undefined, "must not warn when nodesCreated=0");
+});
+
+test("audit: orphanIds populated yields orphan-warning", () => {
+  const warnings = auditCypherWrite({
+    ...baseInput,
+    cypher: "CREATE (n:Person)",
+    nodesCreated: 1,
+    orphanIds: ["4:abc:1", "4:abc:2"],
+  });
+  const w = warnings.find((x) => x.kind === "orphan-warning");
+  assert.ok(w, "expected orphan-warning");
+  if (w.kind === "orphan-warning") {
+    assert.deepEqual(w.orphanIds, ["4:abc:1", "4:abc:2"]);
+  }
+});
+
+test("audit: empty orphanIds emits no orphan-warning", () => {
+  const warnings = auditCypherWrite({
+    ...baseInput,
+    cypher: "MATCH (a:Person), (b:Person) CREATE (a)-[:KNOWS]->(b)",
+    relsCreated: 1,
+    orphanIds: [],
+  });
+  const w = warnings.find((x) => x.kind === "orphan-warning");
+  assert.equal(w, undefined);
+});
+
+test("formatAuditLine: accepted line includes counters + provenance", () => {
+  const line = formatAuditLine({
+    kind: "accepted",
+    cypherPrefix: "MATCH (a:Person) CREATE",
+    nodesCreated: 1,
+    relsCreated: 4,
+    agentName: "database-operator",
+    sessionId: "abc-123",
+  });
+  assert.match(line, /^\[graph-cypher-write\] accepted /);
+  assert.match(line, /nodesCreated=1/);
+  assert.match(line, /relsCreated=4/);
+  assert.match(line, /agentName=database-operator/);
+  assert.match(line, /sessionId=abc-123/);
+});
+
+test("formatAuditLine: orphan-warning line lists orphanIds", () => {
+  const line = formatAuditLine({
+    kind: "orphan-warning",
+    cypherPrefix: "CREATE (n:Person)",
+    orphanIds: ["4:abc:1", "4:abc:2"],
+  });
+  assert.match(line, /^\[graph-cypher-write\] orphan-warning /);
+  assert.match(line, /orphanIds=4:abc:1,4:abc:2/);
+});
+
+test("formatAuditLine: unknown-type-warning names the type", () => {
+  const line = formatAuditLine({
+    kind: "unknown-type-warning",
+    cypherPrefix: "CREATE (a)-[:HAS_KNOWN]->(b)",
+    type: "HAS_KNOWN",
+  });
+  assert.match(line, /^\[graph-cypher-write\] unknown-type-warning /);
+  assert.match(line, /type=HAS_KNOWN/);
+});
+
+test("formatAuditLine: missing-provenance-warning shows created vs stamped counts", () => {
+  const line = formatAuditLine({
+    kind: "missing-provenance-warning",
+    cypherPrefix: "CREATE (n:Person)",
+    created: 3,
+    stamped: 1,
+  });
+  assert.match(line, /^\[graph-cypher-write\] missing-provenance-warning /);
+  assert.match(line, /created=3/);
+  assert.match(line, /stamped=1/);
+});