@urateam/core 0.1.4 → 0.1.9

package/dist/audit/reader.js

@@ -0,0 +1,243 @@
+import { and, desc, eq, gte, inArray, lte } from "drizzle-orm";
+import { auditEvents, pipelineRuns, pmApprovals, budgetAlerts } from "../db/schema.js";
+import { projectPipelineRun, projectPmApproval, projectBudgetAlert } from "./projection.js";
+function encodeCursor(c) {
+    return Buffer.from(JSON.stringify(c), "utf8").toString("base64url");
+}
+function decodeCursor(s) {
+    return JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
+}
+function parseNativeRow(row) {
+    return {
+        id: row.id,
+        timestamp: row.timestamp,
+        eventType: row.eventType,
+        actor: row.actor,
+        actorType: row.actorType,
+        scope: row.scope ?? null,
+        runId: row.runId ?? null,
+        issueId: row.issueId ?? null,
+        inputTokens: row.inputTokens ?? 0,
+        outputTokens: row.outputTokens ?? 0,
+        payload: (() => {
+            try {
+                return JSON.parse(row.payload ?? "{}");
+            }
+            catch {
+                return {};
+            }
+        })(),
+    };
+}
+/**
+ * Lists audit events by merging native `audit_events` rows with events
+ * projected from `pipeline_runs`, `pm_approvals`, and `budget_alerts`.
+ *
+ * Supports filtering by time window, scope, event type, actor prefix, run/issue id,
+ * and full-text search on payload/actor. Paginates via opaque cursor, sorted desc
+ * by (timestamp, id).
+ */
+export async function listAuditEvents(db, filters = {}) {
+    const limit = Math.min(filters.limit ?? 50, 500);
+    const cursor = filters.cursor ? decodeCursor(filters.cursor) : null;
+    const cursorTs = cursor ? new Date(cursor.ts) : null;
+    // Native audit_events query
+    const nativeConditions = [];
+    if (filters.from)
+        nativeConditions.push(gte(auditEvents.timestamp, filters.from));
+    if (filters.to)
+        nativeConditions.push(lte(auditEvents.timestamp, filters.to));
+    if (filters.scope)
+        nativeConditions.push(eq(auditEvents.scope, filters.scope));
+    if (filters.eventTypes?.length)
+        nativeConditions.push(inArray(auditEvents.eventType, filters.eventTypes));
+    if (filters.runId)
+        nativeConditions.push(eq(auditEvents.runId, filters.runId));
+    if (filters.issueId)
+        nativeConditions.push(eq(auditEvents.issueId, filters.issueId));
+    if (cursorTs)
+        nativeConditions.push(lte(auditEvents.timestamp, cursorTs));
+    const nativeRows = await db
+        .select()
+        .from(auditEvents)
+        .where(nativeConditions.length ? and(...nativeConditions) : undefined)
+        .orderBy(desc(auditEvents.timestamp))
+        .limit(limit * 4);
+    // Projected: pipeline_runs
+    const runConditions = [];
+    if (filters.from)
+        runConditions.push(gte(pipelineRuns.startedAt, filters.from));
+    if (filters.to)
+        runConditions.push(lte(pipelineRuns.startedAt, filters.to));
+    if (filters.runId)
+        runConditions.push(eq(pipelineRuns.id, filters.runId));
+    if (filters.issueId)
+        runConditions.push(eq(pipelineRuns.issueId, filters.issueId));
+    if (cursorTs)
+        runConditions.push(lte(pipelineRuns.startedAt, cursorTs));
+    const runRows = await db
+        .select()
+        .from(pipelineRuns)
+        .where(runConditions.length ? and(...runConditions) : undefined)
+        .orderBy(desc(pipelineRuns.startedAt))
+        .limit(limit * 4);
+    // Projected: pm_approvals (filter by createdAt)
+    // Projected pm_approvals always have scope=null, so skip the query entirely
+    // when a scope filter is set — avoids an unbounded fetch.
+    let apprRows = [];
+    if (!filters.scope) {
+        const apprConditions = [];
+        if (filters.from)
+            apprConditions.push(gte(pmApprovals.createdAt, filters.from));
+        if (filters.to)
+            apprConditions.push(lte(pmApprovals.createdAt, filters.to));
+        if (cursorTs)
+            apprConditions.push(lte(pmApprovals.createdAt, cursorTs));
+        apprRows = await db
+            .select()
+            .from(pmApprovals)
+            .where(apprConditions.length ? and(...apprConditions) : undefined)
+            .orderBy(desc(pmApprovals.createdAt))
+            .limit(limit * 4);
+    }
+    // Projected: budget_alerts (filter by firedAt)
+    const alertConditions = [];
+    if (filters.from)
+        alertConditions.push(gte(budgetAlerts.firedAt, filters.from));
+    if (filters.to)
+        alertConditions.push(lte(budgetAlerts.firedAt, filters.to));
+    if (filters.scope)
+        alertConditions.push(eq(budgetAlerts.scope, filters.scope));
+    if (cursorTs)
+        alertConditions.push(lte(budgetAlerts.firedAt, cursorTs));
+    const alertRows = await db
+        .select()
+        .from(budgetAlerts)
+        .where(alertConditions.length ? and(...alertConditions) : undefined)
+        .orderBy(desc(budgetAlerts.firedAt))
+        .limit(limit * 4);
+    const merged = [
+        ...nativeRows.map(parseNativeRow),
+        ...runRows.flatMap((r) => projectPipelineRun(r)),
+        ...apprRows.flatMap((r) => projectPmApproval(r)),
+        ...alertRows.map((r) => projectBudgetAlert(r)),
+    ];
+    // Apply filters that weren't pushed to SQL (actor prefix, q, eventType on projected,
+    // scope on projected, and the cursor tiebreak).
+    const filtered = merged.filter((e) => {
+        if (filters.from && e.timestamp < filters.from)
+            return false;
+        if (filters.to && e.timestamp > filters.to)
+            return false;
+        if (filters.scope && e.scope !== filters.scope)
+            return false;
+        if (filters.eventTypes?.length && !filters.eventTypes.includes(e.eventType))
+            return false;
+        if (filters.actor && !e.actor.startsWith(filters.actor))
+            return false;
+        if (filters.runId && e.runId !== filters.runId)
+            return false;
+        if (filters.issueId && e.issueId !== filters.issueId)
+            return false;
+        if (filters.q) {
+            const hay = JSON.stringify(e.payload) + " " + e.actor;
+            if (!hay.toLowerCase().includes(filters.q.toLowerCase()))
+                return false;
+        }
+        if (cursor) {
+            const cTs = new Date(cursor.ts).getTime();
+            if (e.timestamp.getTime() > cTs)
+                return false;
+            if (e.timestamp.getTime() === cTs && e.id >= cursor.id)
+                return false;
+        }
+        return true;
+    });
+    // Sort desc by (timestamp, id)
+    filtered.sort((a, b) => {
+        const d = b.timestamp.getTime() - a.timestamp.getTime();
+        return d !== 0 ? d : b.id > a.id ? 1 : -1;
+    });
+    const page = filtered.slice(0, limit);
+    const nextCursor = filtered.length > limit
+        ? encodeCursor({
+            ts: page[page.length - 1].timestamp.toISOString(),
+            id: page[page.length - 1].id,
+        })
+        : null;
+    return { events: page, nextCursor };
+}
+/**
+ * Finds a single audit event by ID. Supports both native audit_events rows
+ * (looked up directly) and projected events (IDs with `proj_` prefix resolved
+ * by querying the source table and re-projecting).
+ *
+ * Returns null if no matching event is found.
+ *
+ * Projected ID formats:
+ * - `proj_run_started_<runId>`, `proj_run_completed_<runId>`, `proj_run_failed_<runId>`,
+ *   `proj_run_auto_merged_<runId>`, `proj_run_auto_merge_skipped_<runId>` → pipeline_runs
+ * - `proj_approval_requested_<approvalId>`, `proj_approval_resolved_<approvalId>` → pm_approvals
+ * - `proj_budget_alert_<alertId>` → budget_alerts
+ */
+export async function findAuditEventById(db, id) {
+    if (!id.startsWith("proj_")) {
+        const rows = await db
+            .select()
+            .from(auditEvents)
+            .where(eq(auditEvents.id, id))
+            .limit(1);
+        return rows.length > 0 ? parseNativeRow(rows[0]) : null;
+    }
+    // Parse projected ID prefixes. Listed in the order they appear in projection.ts;
+    // no prefix is a strict prefix of another, so matching order is defensive only.
+    const runPrefixes = [
+        "proj_run_auto_merge_skipped_",
+        "proj_run_auto_merged_",
+        "proj_run_started_",
+        "proj_run_completed_",
+        "proj_run_failed_",
+    ];
+    for (const prefix of runPrefixes) {
+        if (id.startsWith(prefix)) {
+            const runId = id.slice(prefix.length);
+            const rows = await db
+                .select()
+                .from(pipelineRuns)
+                .where(eq(pipelineRuns.id, runId))
+                .limit(1);
+            if (rows.length === 0)
+                return null;
+            const projected = projectPipelineRun(rows[0]);
+            return projected.find((e) => e.id === id) ?? null;
+        }
+    }
+    const approvalPrefixes = ["proj_approval_requested_", "proj_approval_resolved_"];
+    for (const prefix of approvalPrefixes) {
+        if (id.startsWith(prefix)) {
+            const approvalId = id.slice(prefix.length);
+            const rows = await db
+                .select()
+                .from(pmApprovals)
+                .where(eq(pmApprovals.id, approvalId))
+                .limit(1);
+            if (rows.length === 0)
+                return null;
+            const projected = projectPmApproval(rows[0]);
+            return projected.find((e) => e.id === id) ?? null;
+        }
+    }
+    if (id.startsWith("proj_budget_alert_")) {
+        const alertId = id.slice("proj_budget_alert_".length);
+        const rows = await db
+            .select()
+            .from(budgetAlerts)
+            .where(eq(budgetAlerts.id, alertId))
+            .limit(1);
+        if (rows.length === 0)
+            return null;
+        return projectBudgetAlert(rows[0]);
+    }
+    return null;
+}
+//# sourceMappingURL=reader.js.map

package/dist/audit/reader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.js","sourceRoot":"","sources":["../../src/audit/reader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEvF,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAyB5F,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,cAAc,CAAC,GAAQ;IAC9B,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,IAAI;QACxB,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,IAAI;QACxB,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,IAAI;QAC5B,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,CAAC;QACjC,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,CAAC;QACnC,OAAO,EAAE,CAAC,GAAG,EAAE;YACb,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,EAAE;KACL,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAS,EACT,UAAkC,EAAE;IAEpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAErD,4BAA4B;IAC5B,MAAM,gBAAgB,GAAU,EAAE,CAAC;IACnC,IAAI,OAAO,CAAC,IAAI;QAAE,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAClF,IAAI,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9E,IAAI,OAAO,CAAC,KAAK;QAAE,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/E,IAAI,OAAO,CAAC,UAAU,EAAE,MAAM;QAC5B,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IAC5E,IAAI,OAAO,CAAC,KAAK;QAAE,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/E,IAAI,OAAO,CAAC,OAAO;QAAE,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,IAAI,QAAQ;QAAE,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;IAE1E,MAAM,UAAU,GAAG,MAAO,EAAU;SACjC,MAAM,EAAE;SACR,IAAI,CAAC,WAAW,CAAC;SACjB,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;SACrE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;SACpC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IAEpB,2BAA2B;IAC3B,MAAM,aAAa,GAAU,EAAE,CAAC;IAChC,IAAI,OAAO,CAAC,IAAI;QAAE,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAChF,IAAI,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5E,IAAI,OAAO,CAAC,KAAK;QAAE,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1E,IAAI,OAAO,CAAC,OAAO;QAAE,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IACnF,IAAI,QAAQ;QAAE,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,MAAO,EAAU;SAC9B,MAAM,EAAE;SACR,IAAI,CAAC,YAAY,CAAC;SAClB,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;SAC/D,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;SACrC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IAEpB,gDAAgD;IAChD,4EAA4E;IAC5E,0DAA0D;IAC1D,IAAI,QAAQ,GAAU,EAAE,CAAC;IACzB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,cAAc,GAAU,EAAE,CAAC;QACjC,IAAI,OAAO,CAAC,IAAI;YAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAChF,IAAI,OAAO,CAAC,EAAE;YAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,IAAI,QAAQ;YAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;QACxE,QAAQ,GAAG,MAAO,EAAU;aACzB,MAAM,EAAE;aACR,IAAI,CAAC,WAAW,CAAC;aACjB,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;aACjE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;aACpC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,+CAA+C;IAC/C,MAAM,eAAe,GAAU,EAAE,CAAC;IAClC,IAAI,OAAO,CAAC,IAAI;QAAE,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAChF,IAAI,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5E,IAAI,OAAO,CAAC,KAAK;QAAE,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/E,IAAI,QAAQ;QAAE,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,MAAO,EAAU;SAChC,MAAM,EAAE;SACR,IAAI,CAAC,YAAY,CAAC;SAClB,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;SACnE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;SACnC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IAEpB,MAAM,MAAM,GAAiB;QAC3B,GAAG,UAAU,CAAC,GAAG,CAAC,cAAc,CAAC;QACjC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;QACrD,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;QACrD,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;KACpD,CAAC;IAEF,qFAAqF;IACrF,gDAAgD;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,SAAS,GAAG,OAAO,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAC7D,IAAI,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QACzD,IAAI,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAC7D,IAAI,OAAO,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1F,IAAI,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACtE,IAAI,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAC7D,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QACnE,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;YACd,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC;YACtD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAC;QACzE,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC9C,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,GAAG,IAAI,CAAC,CAAC,EAAE,IAAI,MAAM,CAAC,EAAE;gBAAE,OAAO,KAAK,CAAC;QACvE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACxD,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACtC,MAAM,UAAU,GACd,QAAQ,CAAC,MAAM,GAAG,KAAK;QACrB,CAAC,CAAC,YAAY,CAAC;YACX,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;YACjD,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE;SAC7B,CAAC;QACJ,CAAC,CAAC,IAAI,CAAC;IAEX,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAS,EACT,EAAU;IAEV,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAO,EAAU;aAC3B,MAAM,EAAE;aACR,IAAI,CAAC,WAAW,CAAC;aACjB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;aAC7B,KAAK,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1D,CAAC;IAED,iFAAiF;IACjF,gFAAgF;IAChF,MAAM,WAAW,GAAG;QAClB,8BAA8B;QAC9B,uBAAuB;QACvB,mBAAmB;QACnB,qBAAqB;QACrB,kBAAkB;KACnB,CAAC;IACF,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,IAAI,GAAG,MAAO,EAAU;iBAC3B,MAAM,EAAE;iBACR,IAAI,CAAC,YAAY,CAAC;iBAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;iBACjC,KAAK,CAAC,CAAC,CAAC,CAAC;YACZ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnC,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9C,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,IAAI,CAAC;QACpD,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,0BAA0B,EAAE,yBAAyB,CAAC,CAAC;IACjF,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAO,EAAU;iBAC3B,MAAM,EAAE;iBACR,IAAI,CAAC,WAAW,CAAC;iBACjB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;iBACrC,KAAK,CAAC,CAAC,CAAC,CAAC;YACZ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnC,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,IAAI,CAAC;QACpD,CAAC;IACH,CAAC;IAED,IAAI,EAAE,CAAC,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,MAAO,EAAU;aAC3B,MAAM,EAAE;aACR,IAAI,CAAC,YAAY,CAAC;aAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;aACnC,KAAK,CAAC,CAAC,CAAC,CAAC;QACZ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/audit/retention.d.ts

@@ -0,0 +1,12 @@
+import type { AnyDb } from "../db/client.js";
+/**
+ * Deletes audit_events rows older than `retentionDays`.
+ *
+ * This is the SOLE authorized mutation on the audit_events table. The
+ * audit-immutability lint test grep-checks that no other file in the
+ * codebase calls `update(auditEvents)` or `delete(auditEvents)`.
+ *
+ * Returns the number of rows deleted.
+ */
+export declare function pruneAuditLog(db: AnyDb, retentionDays: number): Promise<number>;
+//# sourceMappingURL=retention.d.ts.map

package/dist/audit/retention.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention.d.ts","sourceRoot":"","sources":["../../src/audit/retention.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAM7C;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,EAAE,EAAE,KAAK,EACT,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAYjB"}

package/dist/audit/retention.js

@@ -0,0 +1,23 @@
+import { lt } from "drizzle-orm";
+import { auditEvents } from "../db/schema.js";
+import { createLogger } from "../logger.js";
+const log = createLogger({ component: "audit.retention" });
+/**
+ * Deletes audit_events rows older than `retentionDays`.
+ *
+ * This is the SOLE authorized mutation on the audit_events table. The
+ * audit-immutability lint test grep-checks that no other file in the
+ * codebase calls `update(auditEvents)` or `delete(auditEvents)`.
+ *
+ * Returns the number of rows deleted.
+ */
+export async function pruneAuditLog(db, retentionDays) {
+    const cutoff = new Date(Date.now() - retentionDays * 86400_000);
+    const result = await db
+        .delete(auditEvents)
+        .where(lt(auditEvents.timestamp, cutoff));
+    const n = result?.changes ?? result?.rowCount ?? 0;
+    log.info({ retentionDays, cutoff, deleted: n }, "audit log pruned");
+    return n;
+}
+//# sourceMappingURL=retention.js.map

package/dist/audit/retention.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention.js","sourceRoot":"","sources":["../../src/audit/retention.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,GAAG,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC;AAE3D;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAS,EACT,aAAqB;IAErB,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,SAAS,CAAC,CAAC;IAChE,MAAM,MAAM,GAAG,MAAO,EAAU;SAC7B,MAAM,CAAC,WAAW,CAAC;SACnB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5C,MAAM,CAAC,GACJ,MAAc,EAAE,OAAO,IAAK,MAAc,EAAE,QAAQ,IAAI,CAAC,CAAC;IAC7D,GAAG,CAAC,IAAI,CACN,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,EAAE,EACrC,kBAAkB,CACnB,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/audit/writer.d.ts

@@ -0,0 +1,26 @@
+import type { AnyDb } from "../db/client.js";
+import type { AuditEvent } from "../types.js";
+/**
+ * Fire-and-forget insert of an audit event. Write failures are logged but
+ * never propagated — audit writes must not crash the caller.
+ *
+ * Gated on the `audit-log` enterprise feature (spec §8): when unlicensed,
+ * this is a no-op so OSS/Pro deployments do not accumulate audit_events rows
+ * indefinitely (retention sweep is also gated).
+ *
+ * Uses a dynamic import of `../license.js` to avoid a circular-import cycle
+ * (license.ts calls into this module to record license-validation failures
+ * via `logAuditEventUnchecked`).
+ *
+ * Callers should use `void logAuditEvent(...)` when they don't await.
+ */
+export declare function logAuditEvent(db: AnyDb, event: AuditEvent): Promise<void>;
+/**
+ * Unchecked writer used by the license-validation failure path itself.
+ * Bypasses the `audit-log` feature gate because (a) recording why a license
+ * was rejected must not depend on that license being valid, and (b) the
+ * event is emitted at most once per process (license status is cached).
+ * Do not use this from other call sites.
+ */
+export declare function logAuditEventUnchecked(db: AnyDb, event: AuditEvent): Promise<void>;
+//# sourceMappingURL=writer.d.ts.map

package/dist/audit/writer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.d.ts","sourceRoot":"","sources":["../../src/audit/writer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAG7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA2B9C;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,EAAE,EAAE,KAAK,EACT,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,EAAE,EAAE,KAAK,EACT,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/audit/writer.js

@@ -0,0 +1,54 @@
+import { auditEvents } from "../db/schema.js";
+import { createLogger } from "../logger.js";
+const log = createLogger({ component: "audit.writer" });
+async function insertAuditEvent(db, event) {
+    try {
+        await db.insert(auditEvents).values({
+            id: event.id,
+            timestamp: event.timestamp,
+            eventType: event.eventType,
+            actor: event.actor,
+            actorType: event.actorType,
+            scope: event.scope,
+            runId: event.runId,
+            issueId: event.issueId,
+            inputTokens: event.inputTokens,
+            outputTokens: event.outputTokens,
+            payload: JSON.stringify(event.payload ?? {}),
+        });
+    }
+    catch (err) {
+        log.warn({ err, eventType: event.eventType, id: event.id }, "audit event write failed");
+    }
+}
+/**
+ * Fire-and-forget insert of an audit event. Write failures are logged but
+ * never propagated — audit writes must not crash the caller.
+ *
+ * Gated on the `audit-log` enterprise feature (spec §8): when unlicensed,
+ * this is a no-op so OSS/Pro deployments do not accumulate audit_events rows
+ * indefinitely (retention sweep is also gated).
+ *
+ * Uses a dynamic import of `../license.js` to avoid a circular-import cycle
+ * (license.ts calls into this module to record license-validation failures
+ * via `logAuditEventUnchecked`).
+ *
+ * Callers should use `void logAuditEvent(...)` when they don't await.
+ */
+export async function logAuditEvent(db, event) {
+    const { isFeatureLicensed } = await import("../license.js");
+    if (!isFeatureLicensed("audit-log"))
+        return;
+    await insertAuditEvent(db, event);
+}
+/**
+ * Unchecked writer used by the license-validation failure path itself.
+ * Bypasses the `audit-log` feature gate because (a) recording why a license
+ * was rejected must not depend on that license being valid, and (b) the
+ * event is emitted at most once per process (license status is cached).
+ * Do not use this from other call sites.
+ */
+export async function logAuditEventUnchecked(db, event) {
+    await insertAuditEvent(db, event);
+}
+//# sourceMappingURL=writer.js.map

package/dist/audit/writer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.js","sourceRoot":"","sources":["../../src/audit/writer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,MAAM,GAAG,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE,CAAC,CAAC;AAExD,KAAK,UAAU,gBAAgB,CAAC,EAAS,EAAE,KAAiB;IAC1D,IAAI,CAAC;QACH,MAAO,EAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;YAC3C,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CACN,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,EACjD,0BAA0B,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAS,EACT,KAAiB;IAEjB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAC5D,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC;QAAE,OAAO;IAC5C,MAAM,gBAAgB,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,EAAS,EACT,KAAiB;IAEjB,MAAM,gBAAgB,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./sso-config.js";
+export * from "./user-store.js";
+export * from "./session-store.js";
+export * from "./workos-client.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,5 @@
+export * from "./sso-config.js";
+export * from "./user-store.js";
+export * from "./session-store.js";
+export * from "./workos-client.js";
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC"}

package/dist/auth/session-store.d.ts

@@ -0,0 +1,17 @@
+import type { AnyDb } from "../db/client.js";
+export interface DashboardSession {
+    id: string;
+    userId: string;
+    createdAt: Date;
+    expiresAt: Date;
+    lastSeenAt: Date;
+}
+export declare function createSession(db: AnyDb, args: {
+    userId: string;
+    durationHours: number;
+}): Promise<string>;
+export declare function getSession(db: AnyDb, id: string): Promise<DashboardSession | null>;
+export declare function deleteSession(db: AnyDb, id: string): Promise<void>;
+export declare function pruneExpiredSessions(db: AnyDb): Promise<number>;
+export declare function touchSessionLastSeen(db: AnyDb, id: string): Promise<void>;
+//# sourceMappingURL=session-store.d.ts.map

package/dist/auth/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../src/auth/session-store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAM7C,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,wBAAsB,aAAa,CACjC,EAAE,EAAE,KAAK,EACT,IAAI,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GAC9C,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED,wBAAsB,UAAU,CAC9B,EAAE,EAAE,KAAK,EACT,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAmBlC;AAED,wBAAsB,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAExE;AAED,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAUrE;AAED,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,KAAK,EACT,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,IAAI,CAAC,CAcf"}

package/dist/auth/session-store.js

@@ -0,0 +1,59 @@
+import { randomBytes } from "node:crypto";
+import { and, eq, gt, lt } from "drizzle-orm";
+import { dashboardSessions } from "../db/schema.js";
+import { createLogger } from "../logger.js";
+const log = createLogger({ component: "auth.session" });
+export async function createSession(db, args) {
+    const id = randomBytes(32).toString("base64url");
+    const expiresAt = new Date(Date.now() + args.durationHours * 3600_000);
+    await db.insert(dashboardSessions).values({
+        id,
+        userId: args.userId,
+        expiresAt,
+        lastSeenAt: new Date(),
+    });
+    return id;
+}
+export async function getSession(db, id) {
+    const rows = await db
+        .select()
+        .from(dashboardSessions)
+        .where(and(eq(dashboardSessions.id, id), gt(dashboardSessions.expiresAt, new Date())));
+    if (rows.length === 0)
+        return null;
+    const r = rows[0];
+    return {
+        id: r.id,
+        userId: r.userId,
+        createdAt: r.createdAt,
+        expiresAt: r.expiresAt,
+        lastSeenAt: r.lastSeenAt,
+    };
+}
+export async function deleteSession(db, id) {
+    await db.delete(dashboardSessions).where(eq(dashboardSessions.id, id));
+}
+export async function pruneExpiredSessions(db) {
+    const result = await db
+        .delete(dashboardSessions)
+        .where(lt(dashboardSessions.expiresAt, new Date()));
+    const n = result?.changes ??
+        result?.rowCount ??
+        0;
+    log.info({ deleted: n }, "expired sessions pruned");
+    return n;
+}
+export async function touchSessionLastSeen(db, id) {
+    try {
+        await db
+            .update(dashboardSessions)
+            .set({ lastSeenAt: new Date() })
+            .where(eq(dashboardSessions.id, id));
+    }
+    catch (err) {
+        // Session IDs are bearer credentials — never log them in full. Log a
+        // short prefix for correlation only.
+        log.warn({ err, idPrefix: id.slice(0, 8) + "…" }, "touchSessionLastSeen failed");
+    }
+}
+//# sourceMappingURL=session-store.js.map

package/dist/auth/session-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.js","sourceRoot":"","sources":["../../src/auth/session-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,GAAG,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE,CAAC,CAAC;AAUxD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAS,EACT,IAA+C;IAE/C,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC;IACvE,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC;QACxC,EAAE;QACF,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS;QACT,UAAU,EAAE,IAAI,IAAI,EAAE;KACvB,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,EAAS,EACT,EAAU;IAEV,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,EAAE;SACR,IAAI,CAAC,iBAAiB,CAAC;SACvB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,CAAC,EAC5B,EAAE,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,CAC5C,CACF,CAAC;IACJ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;IACnB,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAAS,EAAE,EAAU;IACvD,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,EAAS;IAClD,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,iBAAiB,CAAC;SACzB,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,CAAC,GACJ,MAAkD,EAAE,OAAO;QAC3D,MAAkD,EAAE,QAAQ;QAC7D,CAAC,CAAC;IACJ,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,yBAAyB,CAAC,CAAC;IACpD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAS,EACT,EAAU;IAEV,IAAI,CAAC;QACH,MAAM,EAAE;aACL,MAAM,CAAC,iBAAiB,CAAC;aACzB,GAAG,CAAC,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;aAC/B,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,qEAAqE;QACrE,qCAAqC;QACrC,GAAG,CAAC,IAAI,CACN,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,EAAE,EACvC,6BAA6B,CAC9B,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/auth/sso-config.d.ts

@@ -0,0 +1,14 @@
+interface StatePayload {
+    next: string;
+    nonce: string;
+}
+export declare function signState(payload: StatePayload, secret: string): string;
+export declare function verifyState(signed: string, secret: string): StatePayload | null;
+/**
+ * Validate that `next` is a same-origin absolute path. Reject scheme-relative
+ * (`//evil.com`), absolute (`https://evil.com`), and backslash variants.
+ * Falls back to "/" on any rejection.
+ */
+export declare function validateNextPath(next: string | undefined | null): string;
+export {};
+//# sourceMappingURL=sso-config.d.ts.map

package/dist/auth/sso-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-config.d.ts","sourceRoot":"","sources":["../../src/auth/sso-config.ts"],"names":[],"mappings":"AAEA,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAgB,SAAS,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAKvE;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAmB/E;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,CAMxE"}

package/dist/auth/sso-config.js

@@ -0,0 +1,50 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+export function signState(payload, secret) {
+    const json = JSON.stringify(payload);
+    const b64 = Buffer.from(json, "utf8").toString("base64url");
+    const hmac = createHmac("sha256", secret).update(b64).digest("base64url");
+    return `${b64}.${hmac}`;
+}
+export function verifyState(signed, secret) {
+    if (!signed || typeof signed !== "string")
+        return null;
+    const idx = signed.lastIndexOf(".");
+    if (idx <= 0 || idx === signed.length - 1)
+        return null;
+    const b64 = signed.slice(0, idx);
+    const sig = signed.slice(idx + 1);
+    const expected = createHmac("sha256", secret).update(b64).digest("base64url");
+    const sigBuf = Buffer.from(sig, "base64url");
+    const expBuf = Buffer.from(expected, "base64url");
+    if (sigBuf.length !== expBuf.length)
+        return null;
+    if (!timingSafeEqual(sigBuf, expBuf))
+        return null;
+    try {
+        const json = Buffer.from(b64, "base64url").toString("utf8");
+        const parsed = JSON.parse(json);
+        if (typeof parsed?.next !== "string" || typeof parsed?.nonce !== "string")
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Validate that `next` is a same-origin absolute path. Reject scheme-relative
+ * (`//evil.com`), absolute (`https://evil.com`), and backslash variants.
+ * Falls back to "/" on any rejection.
+ */
+export function validateNextPath(next) {
+    if (!next || typeof next !== "string")
+        return "/";
+    if (!next.startsWith("/"))
+        return "/";
+    if (next.startsWith("//"))
+        return "/";
+    if (next.startsWith("/\\") || next.includes("\\"))
+        return "/";
+    return next;
+}
+//# sourceMappingURL=sso-config.js.map

package/dist/auth/sso-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-config.js","sourceRoot":"","sources":["../../src/auth/sso-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAO1D,MAAM,UAAU,SAAS,CAAC,OAAqB,EAAE,MAAc;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC1E,OAAO,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,MAAc;IACxD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAClD,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,OAAO,MAAM,EAAE,IAAI,KAAK,QAAQ,IAAI,OAAO,MAAM,EAAE,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACvF,OAAO,MAAsB,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAA+B;IAC9D,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/user-store.d.ts

@@ -0,0 +1,33 @@
+import type { AnyDb } from "../db/client.js";
+import type { Role } from "../rbac/types.js";
+export interface DashboardUser {
+    id: string;
+    email: string;
+    name: string | null;
+    workosUserId: string | null;
+    createdAt: Date;
+    lastLoginAt: Date | null;
+    role: Role;
+}
+export interface UpsertUserInput {
+    email: string;
+    name: string | null;
+    workosUserId: string | null;
+}
+/**
+ * Insert or update a dashboard user by normalized email. Returns the
+ * canonical user id. On update, `name`, `workosUserId`, and `lastLoginAt`
+ * are refreshed; `id` and `createdAt` are preserved.
+ *
+ * Implemented as an atomic upsert (`onConflictDoUpdate` on the unique
+ * `email` column) so that two concurrent `/auth/callback` requests for the
+ * same email cannot both see `existing.length === 0` and race on INSERT.
+ * The generated `id` is only used if no row exists; on conflict we read
+ * back the canonical id from the surviving row.
+ */
+export declare function upsertUser(db: AnyDb, input: UpsertUserInput): Promise<string>;
+/**
+ * Look up a dashboard user by id. Returns `null` when not found.
+ */
+export declare function getUserById(db: AnyDb, id: string): Promise<DashboardUser | null>;
+//# sourceMappingURL=user-store.d.ts.map

package/dist/auth/user-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-store.d.ts","sourceRoot":"","sources":["../../src/auth/user-store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAE7C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,KAAK,EACT,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,MAAM,CAAC,CAgCjB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,EAAE,EAAE,KAAK,EACT,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAiB/B"}