@urateam/core 0.1.4 → 0.1.9

package/dist/__tests__/audit/rbac-events.test.js

@@ -0,0 +1,56 @@
+import { describe, it, expect } from "vitest";
+import { dashboardGrantRoleEvent, dashboardRevokeRoleEvent, dashboardBootstrapAdminEvent, dashboardRetryRunEvent, } from "../../audit/events.js";
+import { AuditEventSchema } from "../../types.js";
+describe("rbac audit event builders", () => {
+    it("dashboardGrantRoleEvent", () => {
+        const evt = dashboardGrantRoleEvent({
+            targetUserId: "u_1",
+            targetEmail: "a@b.com",
+            oldRole: "viewer",
+            newRole: "operator",
+            actorUserId: "u_admin",
+            actorEmail: "admin@b.com",
+        });
+        const p = AuditEventSchema.parse(evt);
+        expect(p.eventType).toBe("dashboard.manual_action");
+        expect(p.actor).toBe("dashboard:admin@b.com");
+        expect(p.payload.action).toBe("grant_role");
+        expect(p.payload.oldRole).toBe("viewer");
+        expect(p.payload.newRole).toBe("operator");
+    });
+    it("dashboardRevokeRoleEvent", () => {
+        const evt = dashboardRevokeRoleEvent({
+            targetUserId: "u_1",
+            targetEmail: "a@b.com",
+            oldRole: "operator",
+            newRole: "viewer",
+            actorUserId: "u_admin",
+            actorEmail: "admin@b.com",
+        });
+        expect(evt.payload.action).toBe("revoke_role");
+    });
+    it("dashboardBootstrapAdminEvent", () => {
+        const evt = dashboardBootstrapAdminEvent({
+            targetUserId: "u_1",
+            targetEmail: "alice@acme.com",
+        });
+        expect(evt.eventType).toBe("dashboard.manual_action");
+        expect(evt.actor).toBe("system");
+        expect(evt.actorType).toBe("system");
+        expect(evt.payload.action).toBe("bootstrap_admin");
+    });
+    it("dashboardRetryRunEvent", () => {
+        const evt = dashboardRetryRunEvent({
+            runId: "run_1",
+            issueId: "BEC-42",
+            previousStatus: "failed",
+            actorUserId: "u_op",
+            actorEmail: "op@b.com",
+        });
+        expect(evt.payload.action).toBe("retry_run");
+        expect(evt.runId).toBe("run_1");
+        expect(evt.issueId).toBe("BEC-42");
+        expect(evt.actor).toBe("dashboard:op@b.com");
+    });
+});
+//# sourceMappingURL=rbac-events.test.js.map

package/dist/__tests__/audit/rbac-events.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-events.test.js","sourceRoot":"","sources":["../../../src/__tests__/audit/rbac-events.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC5B,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,GAAG,GAAG,uBAAuB,CAAC;YAClC,YAAY,EAAE,KAAK;YACnB,WAAW,EAAE,SAAS;YACtB,OAAO,EAAE,QAAQ;YACjB,OAAO,EAAE,UAAU;YACnB,WAAW,EAAE,SAAS;YACtB,UAAU,EAAE,aAAa;SAC1B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACpD,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC9C,MAAM,CAAE,CAAC,CAAC,OAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACrD,MAAM,CAAE,CAAC,CAAC,OAAe,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClD,MAAM,CAAE,CAAC,CAAC,OAAe,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,GAAG,GAAG,wBAAwB,CAAC;YACnC,YAAY,EAAE,KAAK;YACnB,WAAW,EAAE,SAAS;YACtB,OAAO,EAAE,UAAU;YACnB,OAAO,EAAE,QAAQ;YACjB,WAAW,EAAE,SAAS;YACtB,UAAU,EAAE,aAAa;SAC1B,CAAC,CAAC;QACH,MAAM,CAAE,GAAG,CAAC,OAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,4BAA4B,CAAC;YACvC,YAAY,EAAE,KAAK;YACnB,WAAW,EAAE,gBAAgB;SAC9B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,CAAE,GAAG,CAAC,OAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,GAAG,GAAG,sBAAsB,CAAC;YACjC,KAAK,EAAE,OAAO;YACd,OAAO,EAAE,QAAQ;YACjB,cAAc,EAAE,QAAQ;YACxB,WAAW,EAAE,MAAM;YACnB,UAAU,EAAE,UAAU;SACvB,CAAC,CAAC;QACH,MAAM,CAAE,GAAG,CAAC,OAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit/reader.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=reader.test.d.ts.map

package/dist/__tests__/audit/reader.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/audit/reader.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit/reader.test.js

@@ -0,0 +1,133 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { createDb } from "../../db/client.js";
+import { pipelineRuns, pmApprovals, budgetAlerts } from "../../db/schema.js";
+import { logAuditEvent } from "../../audit/writer.js";
+import { pmPromotedEvent, budgetRefusedEvent } from "../../audit/events.js";
+import { listAuditEvents, findAuditEventById } from "../../audit/reader.js";
+import { installTestProLicense, restoreLicense } from "../helpers/license.js";
+let db;
+beforeEach(async () => {
+    await installTestProLicense("enterprise");
+    db = await createDb({ connectionString: ":memory:" });
+});
+afterEach(async () => {
+    await restoreLicense();
+});
+async function seed() {
+    // native audit events
+    await logAuditEvent(db, pmPromotedEvent({ issueId: "BEC-1", fromState: "Backlog", toState: "Todo" }));
+    await logAuditEvent(db, budgetRefusedEvent({
+        scope: "team:T1", scopeType: "team", tokensUsed: 100, limit: 100, utilization: 100,
+    }));
+    // projectable: pipeline run
+    await db.insert(pipelineRuns).values({
+        id: "run_1", issueId: "BEC-9", issueTitle: "t", pipelineKey: "auto-implement",
+        repoUrl: "https://x.y/z", status: "completed",
+        startedAt: new Date("2026-04-01T10:00:00Z"),
+        completedAt: new Date("2026-04-01T10:05:00Z"),
+        totalInputTokens: 100, totalOutputTokens: 50, runType: "standard",
+        linearTeamId: "T1",
+    });
+}
+describe("listAuditEvents", () => {
+    it("returns native + projected events merged by time", async () => {
+        await seed();
+        const { events } = await listAuditEvents(db, { limit: 100 });
+        const types = events.map(e => e.eventType).sort();
+        expect(types).toContain("pm.issue_promoted");
+        expect(types).toContain("budget.run_refused");
+        expect(types).toContain("run.started");
+        expect(types).toContain("run.completed");
+    });
+    it("filters by event type", async () => {
+        await seed();
+        const { events } = await listAuditEvents(db, { eventTypes: ["run.completed"], limit: 100 });
+        expect(events.map(e => e.eventType)).toEqual(["run.completed"]);
+    });
+    it("filters by scope prefix-exact", async () => {
+        await seed();
+        const { events } = await listAuditEvents(db, { scope: "team:T1", limit: 100 });
+        for (const e of events)
+            expect(e.scope === "team:T1" || e.scope === null).toBeTruthy();
+        expect(events.some(e => e.scope === "team:T1")).toBe(true);
+    });
+    it("filters by date window", async () => {
+        await seed();
+        const from = new Date("2026-04-01T09:00:00Z");
+        const to = new Date("2026-04-01T10:10:00Z");
+        const { events } = await listAuditEvents(db, { from, to, limit: 100 });
+        for (const e of events) {
+            expect(e.timestamp >= from && e.timestamp <= to).toBe(true);
+        }
+    });
+    it("filters by runId", async () => {
+        await seed();
+        const { events } = await listAuditEvents(db, { runId: "run_1", limit: 100 });
+        expect(events.length).toBeGreaterThan(0);
+        for (const e of events)
+            expect(e.runId).toBe("run_1");
+    });
+    it("findAuditEventById finds native audit_events rows", async () => {
+        await seed();
+        const { events } = await listAuditEvents(db, { eventTypes: ["pm.issue_promoted"], limit: 10 });
+        expect(events.length).toBeGreaterThan(0);
+        const nativeId = events[0].id;
+        const found = await findAuditEventById(db, nativeId);
+        expect(found).not.toBeNull();
+        expect(found.id).toBe(nativeId);
+        expect(found.eventType).toBe("pm.issue_promoted");
+    });
+    it("findAuditEventById resolves projected pipeline_run events", async () => {
+        await seed();
+        const found = await findAuditEventById(db, "proj_run_started_run_1");
+        expect(found).not.toBeNull();
+        expect(found.eventType).toBe("run.started");
+        expect(found.runId).toBe("run_1");
+        const completed = await findAuditEventById(db, "proj_run_completed_run_1");
+        expect(completed).not.toBeNull();
+        expect(completed.eventType).toBe("run.completed");
+    });
+    it("findAuditEventById resolves projected pm_approval events", async () => {
+        await db.insert(pmApprovals).values({
+            id: "appr_1", issueId: "BEC-2", action: "deprioritize", reason: "stale",
+            slackMessageTs: "1234.5678", status: "pending",
+            createdAt: new Date("2026-04-01T10:00:00Z"),
+            resolvedAt: null,
+        });
+        const found = await findAuditEventById(db, "proj_approval_requested_appr_1");
+        expect(found).not.toBeNull();
+        expect(found.eventType).toBe("pm.approval_requested");
+    });
+    it("findAuditEventById resolves projected budget_alert events", async () => {
+        await db.insert(budgetAlerts).values({
+            id: "alert_1", date: "2026-04-01", scope: "team:T1", threshold: 80,
+            firedAt: new Date("2026-04-01T10:00:00Z"),
+        });
+        const found = await findAuditEventById(db, "proj_budget_alert_alert_1");
+        expect(found).not.toBeNull();
+        expect(found.eventType).toBe("budget.alert_fired");
+        expect(found.scope).toBe("team:T1");
+    });
+    it("findAuditEventById returns null for missing events", async () => {
+        await seed();
+        expect(await findAuditEventById(db, "nonexistent")).toBeNull();
+        expect(await findAuditEventById(db, "proj_run_started_missing")).toBeNull();
+        expect(await findAuditEventById(db, "proj_approval_requested_missing")).toBeNull();
+        expect(await findAuditEventById(db, "proj_budget_alert_missing")).toBeNull();
+    });
+    it("paginates via cursor", async () => {
+        // seed 5 promoted events
+        for (let i = 0; i < 5; i++) {
+            await logAuditEvent(db, pmPromotedEvent({ issueId: `BEC-${i}`, fromState: "Backlog", toState: "Todo" }));
+            await new Promise(r => setTimeout(r, 10));
+        }
+        const page1 = await listAuditEvents(db, { limit: 2 });
+        expect(page1.events).toHaveLength(2);
+        expect(page1.nextCursor).not.toBeNull();
+        const page2 = await listAuditEvents(db, { limit: 2, cursor: page1.nextCursor });
+        expect(page2.events).toHaveLength(2);
+        const seen = new Set([...page1.events, ...page2.events].map(e => e.id));
+        expect(seen.size).toBe(4);
+    });
+});
+//# sourceMappingURL=reader.test.js.map

package/dist/__tests__/audit/reader.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.test.js","sourceRoot":"","sources":["../../../src/__tests__/audit/reader.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC5E,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE9E,IAAI,EAAO,CAAC;AAEZ,UAAU,CAAC,KAAK,IAAI,EAAE;IACpB,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC1C,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;AACxD,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,cAAc,EAAE,CAAC;AACzB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,sBAAsB;IACtB,MAAM,aAAa,CAAC,EAAE,EAAE,eAAe,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IACtG,MAAM,aAAa,CAAC,EAAE,EAAE,kBAAkB,CAAC;QACzC,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG;KACnF,CAAC,CAAC,CAAC;IACJ,4BAA4B;IAC5B,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QACnC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,gBAAgB;QAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW;QAC7C,SAAS,EAAE,IAAI,IAAI,CAAC,sBAAsB,CAAC;QAC3C,WAAW,EAAE,IAAI,IAAI,CAAC,sBAAsB,CAAC;QAC7C,gBAAgB,EAAE,GAAG,EAAE,iBAAiB,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU;QACjE,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5F,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/E,KAAK,MAAM,CAAC,IAAI,MAAM;YAAE,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;QACvF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC9C,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QACvE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kBAAkB,EAAE,KAAK,IAAI,EAAE;QAChC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,MAAM;YAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,mBAAmB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAC/F,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,CAAC,KAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,KAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,CAAC,KAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEnC,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,0BAA0B,CAAC,CAAC;QAC3E,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,CAAC,SAAU,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;YAClC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO;YACvE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS;YAC9C,SAAS,EAAE,IAAI,IAAI,CAAC,sBAAsB,CAAC;YAC3C,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC7E,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,CAAC,KAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;YACnC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE;YAClE,OAAO,EAAE,IAAI,IAAI,CAAC,sBAAsB,CAAC;SAC1C,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,2BAA2B,CAAC,CAAC;QACxE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,CAAC,KAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACpD,MAAM,CAAC,KAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,kBAAkB,CAAC,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/D,MAAM,CAAC,MAAM,kBAAkB,CAAC,EAAE,EAAE,0BAA0B,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC5E,MAAM,CAAC,MAAM,kBAAkB,CAAC,EAAE,EAAE,iCAAiC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACnF,MAAM,CAAC,MAAM,kBAAkB,CAAC,EAAE,EAAE,2BAA2B,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACpC,yBAAyB;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,aAAa,CAAC,EAAE,EAAE,eAAe,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACzG,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QACtD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,UAAW,EAAE,CAAC,CAAC;QACjF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit/retention.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=retention.test.d.ts.map

package/dist/__tests__/audit/retention.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/audit/retention.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit/retention.test.js

@@ -0,0 +1,48 @@
+import { describe, it, expect } from "vitest";
+import { createDb } from "../../db/client.js";
+import { auditEvents, pipelineRuns } from "../../db/schema.js";
+import { pruneAuditLog } from "../../audit/retention.js";
+describe("pruneAuditLog", () => {
+    it("deletes rows older than retentionDays", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        const now = Date.now();
+        await db.insert(auditEvents).values([
+            {
+                id: "old",
+                timestamp: new Date(now - 400 * 86400000),
+                eventType: "pm.issue_promoted",
+                actor: "pm-agent",
+                actorType: "pm-agent",
+                payload: "{}",
+            },
+            {
+                id: "new",
+                timestamp: new Date(now - 10 * 86400000),
+                eventType: "pm.issue_promoted",
+                actor: "pm-agent",
+                actorType: "pm-agent",
+                payload: "{}",
+            },
+        ]);
+        const deleted = await pruneAuditLog(db, 365);
+        expect(deleted).toBe(1);
+        const rows = await db.select().from(auditEvents);
+        expect(rows.map((r) => r.id)).toEqual(["new"]);
+    });
+    it("does not touch pipeline_runs", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        await db.insert(pipelineRuns).values({
+            id: "r1",
+            issueId: "BEC-1",
+            issueTitle: "t",
+            pipelineKey: "auto-implement",
+            repoUrl: "x",
+            status: "completed",
+            startedAt: new Date(Date.now() - 400 * 86400000),
+        });
+        await pruneAuditLog(db, 365);
+        const rows = await db.select().from(pipelineRuns);
+        expect(rows).toHaveLength(1);
+    });
+});
+//# sourceMappingURL=retention.test.js.map

package/dist/__tests__/audit/retention.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention.test.js","sourceRoot":"","sources":["../../../src/__tests__/audit/retention.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAEzD,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAO,EAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;YAC3C;gBACE,EAAE,EAAE,KAAK;gBACT,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,GAAG,GAAG,QAAQ,CAAC;gBACzC,SAAS,EAAE,mBAAmB;gBAC9B,KAAK,EAAE,UAAU;gBACjB,SAAS,EAAE,UAAU;gBACrB,OAAO,EAAE,IAAI;aACd;YACD;gBACE,EAAE,EAAE,KAAK;gBACT,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,EAAE,GAAG,QAAQ,CAAC;gBACxC,SAAS,EAAE,mBAAmB;gBAC9B,KAAK,EAAE,UAAU;gBACjB,SAAS,EAAE,UAAU;gBACrB,OAAO,EAAE,IAAI;aACd;SACF,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,MAAO,EAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAO,EAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;YAC5C,EAAE,EAAE,IAAI;YACR,OAAO,EAAE,OAAO;YAChB,UAAU,EAAE,GAAG;YACf,WAAW,EAAE,gBAAgB;YAC7B,OAAO,EAAE,GAAG;YACZ,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,QAAQ,CAAC;SACjD,CAAC,CAAC;QACH,MAAM,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAO,EAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit/sso-events.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sso-events.test.d.ts.map

package/dist/__tests__/audit/sso-events.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-events.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/audit/sso-events.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit/sso-events.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect } from "vitest";
+import { dashboardLoginEvent, dashboardLogoutEvent, dashboardLoginDeniedEvent, } from "../../audit/events.js";
+describe("SSO audit event builders", () => {
+    describe("dashboardLoginEvent", () => {
+        it("builds a dashboard.login event with user details in payload", () => {
+            const evt = dashboardLoginEvent({
+                userId: "user_123",
+                email: "alice@example.com",
+                workosUserId: "workos_abc",
+            });
+            expect(evt.eventType).toBe("dashboard.login");
+            expect(evt.actorType).toBe("dashboard-user");
+            expect(evt.actor).toBe("dashboard:alice@example.com");
+            expect(evt.payload).toEqual({
+                userId: "user_123",
+                email: "alice@example.com",
+                workosUserId: "workos_abc",
+            });
+            expect(evt.id).toMatch(/^evt_/);
+            expect(evt.timestamp).toBeInstanceOf(Date);
+        });
+    });
+    describe("dashboardLogoutEvent", () => {
+        it("builds a dashboard.logout event with userId in payload", () => {
+            const evt = dashboardLogoutEvent({
+                userId: "user_123",
+                email: "alice@example.com",
+            });
+            expect(evt.eventType).toBe("dashboard.logout");
+            expect(evt.actorType).toBe("dashboard-user");
+            expect(evt.actor).toBe("dashboard:alice@example.com");
+            expect(evt.payload).toEqual({ userId: "user_123" });
+        });
+    });
+    describe("dashboardLoginDeniedEvent", () => {
+        it("builds a dashboard.login_denied event without userId", () => {
+            const evt = dashboardLoginDeniedEvent({
+                email: "intruder@evil.example",
+                reason: "domain-mismatch",
+            });
+            expect(evt.eventType).toBe("dashboard.login_denied");
+            expect(evt.actorType).toBe("dashboard-user");
+            expect(evt.actor).toBe("dashboard:intruder@evil.example");
+            expect(evt.payload).toEqual({ reason: "domain-mismatch" });
+            expect(evt.payload).not.toHaveProperty("userId");
+        });
+    });
+});
+//# sourceMappingURL=sso-events.test.js.map

package/dist/__tests__/audit/sso-events.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-events.test.js","sourceRoot":"","sources":["../../../src/__tests__/audit/sso-events.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAE/B,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;YACrE,MAAM,GAAG,GAAG,mBAAmB,CAAC;gBAC9B,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,mBAAmB;gBAC1B,YAAY,EAAE,YAAY;aAC3B,CAAC,CAAC;YAEH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC9C,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;YACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC;gBAC1B,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,mBAAmB;gBAC1B,YAAY,EAAE,YAAY;aAC3B,CAAC,CAAC;YACH,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,MAAM,GAAG,GAAG,oBAAoB,CAAC;gBAC/B,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,mBAAmB;aAC3B,CAAC,CAAC;YAEH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC/C,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;YACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,MAAM,GAAG,GAAG,yBAAyB,CAAC;gBACpC,KAAK,EAAE,uBAAuB;gBAC9B,MAAM,EAAE,iBAAiB;aAC1B,CAAC,CAAC;YAEH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACrD,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;YAC1D,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC3D,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit/writer.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=writer.test.d.ts.map

package/dist/__tests__/audit/writer.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/audit/writer.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit/writer.test.js

@@ -0,0 +1,67 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { createDb } from "../../db/client.js";
+import { auditEvents } from "../../db/schema.js";
+import { logAuditEvent } from "../../audit/writer.js";
+import { pmPromotedEvent } from "../../audit/events.js";
+import { installTestProLicense, restoreLicense } from "../helpers/license.js";
+import { _resetLicenseCache } from "../../license.js";
+describe("logAuditEvent", () => {
+    describe("with enterprise license", () => {
+        beforeEach(async () => {
+            await installTestProLicense("enterprise");
+        });
+        afterEach(async () => {
+            await restoreLicense();
+        });
+        it("persists an event row", async () => {
+            const db = await createDb({ connectionString: ":memory:" });
+            await logAuditEvent(db, pmPromotedEvent({
+                issueId: "BEC-1",
+                fromState: "Backlog",
+                toState: "Todo",
+            }));
+            const rows = await db.select().from(auditEvents);
+            expect(rows).toHaveLength(1);
+            expect(rows[0].eventType).toBe("pm.issue_promoted");
+            expect(JSON.parse(rows[0].payload)).toMatchObject({
+                fromState: "Backlog",
+                toState: "Todo",
+            });
+        });
+        it("does not throw when the db insert fails", async () => {
+            const fakeDb = {
+                insert: () => ({
+                    values: () => {
+                        throw new Error("db down");
+                    },
+                }),
+            };
+            await expect(logAuditEvent(fakeDb, pmPromotedEvent({
+                issueId: "BEC-1",
+                fromState: "Backlog",
+                toState: "Todo",
+            }))).resolves.toBeUndefined();
+        });
+    });
+    describe("without a license (OSS mode)", () => {
+        beforeEach(() => {
+            _resetLicenseCache();
+            delete process.env.URATEAM_LICENSE_KEY;
+        });
+        afterEach(() => {
+            _resetLicenseCache();
+            delete process.env.URATEAM_LICENSE_KEY;
+        });
+        it("is a no-op when the audit-log feature is not licensed", async () => {
+            const db = await createDb({ connectionString: ":memory:" });
+            await logAuditEvent(db, pmPromotedEvent({
+                issueId: "BEC-1",
+                fromState: "Backlog",
+                toState: "Todo",
+            }));
+            const rows = await db.select().from(auditEvents);
+            expect(rows).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=writer.test.js.map

package/dist/__tests__/audit/writer.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.test.js","sourceRoot":"","sources":["../../../src/__tests__/audit/writer.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEtD,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,UAAU,CAAC,KAAK,IAAI,EAAE;YACpB,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;QACH,SAAS,CAAC,KAAK,IAAI,EAAE;YACnB,MAAM,cAAc,EAAE,CAAC;QACzB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;YACrC,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;YAC5D,MAAM,aAAa,CACjB,EAAE,EACF,eAAe,CAAC;gBACd,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,MAAM;aAChB,CAAC,CACH,CAAC;YACF,MAAM,IAAI,GAAG,MAAO,EAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC;gBAChD,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,MAAM,GAAG;gBACb,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;oBACb,MAAM,EAAE,GAAG,EAAE;wBACX,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;oBAC7B,CAAC;iBACF,CAAC;aACI,CAAC;YACT,MAAM,MAAM,CACV,aAAa,CACX,MAAM,EACN,eAAe,CAAC;gBACd,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,MAAM;aAChB,CAAC,CACH,CACF,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,UAAU,CAAC,GAAG,EAAE;YACd,kBAAkB,EAAE,CAAC;YACrB,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QACzC,CAAC,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,EAAE;YACb,kBAAkB,EAAE,CAAC;YACrB,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;YAC5D,MAAM,aAAa,CACjB,EAAE,EACF,eAAe,CAAC;gBACd,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,MAAM;aAChB,CAAC,CACH,CAAC;YACF,MAAM,IAAI,GAAG,MAAO,EAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit-immutability.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit-immutability.test.d.ts.map

package/dist/__tests__/audit-immutability.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-immutability.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/audit-immutability.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit-immutability.test.js

@@ -0,0 +1,61 @@
+/**
+ * Audit log immutability lint test.
+ *
+ * The audit_events table is append-only by design. Only the retention sweep
+ * (`audit/retention.ts`) may delete rows, and nothing should ever update them.
+ *
+ * This test greps the source tree for `.delete(auditEvents)` / `.update(auditEvents)`
+ * calls and fails if any non-allowlisted file is found.
+ */
+import { describe, it, expect } from "vitest";
+import { execFileSync } from "node:child_process";
+import path from "node:path";
+describe("audit_events immutability", () => {
+    it("only audit/retention.ts may delete or update audit_events rows", () => {
+        const repoRoot = path.resolve(__dirname, "../../../..");
+        const allowed = [
+            "packages/core/src/audit/retention.ts",
+            "packages/core/src/__tests__/audit/retention.test.ts",
+            "packages/core/src/__tests__/audit-immutability.test.ts",
+        ];
+        const patterns = [
+            "\\.delete\\s*\\(\\s*auditEvents",
+            "\\.update\\s*\\(\\s*auditEvents",
+        ];
+        const matches = [];
+        for (const pat of patterns) {
+            try {
+                const out = execFileSync("git", ["grep", "-nE", pat, "--", "packages/**/*.ts"], { cwd: repoRoot, encoding: "utf8" });
+                matches.push(...out.trim().split("\n").filter(Boolean));
+            }
+            catch {
+                // git grep exits non-zero when no matches; safe to ignore
+            }
+        }
+        const offenders = matches
+            .map((line) => line.split(":")[0])
+            .filter((file) => !allowed.some((a) => file.endsWith(a) || file === a));
+        expect(offenders, `Unauthorized audit_events mutation in:\n${offenders.join("\n")}`).toEqual([]);
+    });
+    it("logAuditEventUnchecked is only called from license.ts", () => {
+        const repoRoot = path.resolve(__dirname, "../../../..");
+        const allowed = [
+            "packages/core/src/audit/writer.ts",
+            "packages/core/src/license.ts",
+            "packages/core/src/__tests__/audit-immutability.test.ts",
+        ];
+        let matches = [];
+        try {
+            const out = execFileSync("git", ["grep", "-nE", "logAuditEventUnchecked", "--", "packages/**/*.ts"], { cwd: repoRoot, encoding: "utf8" });
+            matches = out.trim().split("\n").filter(Boolean);
+        }
+        catch {
+            // no matches
+        }
+        const offenders = matches
+            .map((line) => line.split(":")[0])
+            .filter((file) => !allowed.some((a) => file.endsWith(a) || file === a));
+        expect(offenders, `Unauthorized logAuditEventUnchecked usage in:\n${offenders.join("\n")}`).toEqual([]);
+    });
+});
+//# sourceMappingURL=audit-immutability.test.js.map

package/dist/__tests__/audit-immutability.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-immutability.test.js","sourceRoot":"","sources":["../../src/__tests__/audit-immutability.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG;YACd,sCAAsC;YACtC,qDAAqD;YACrD,wDAAwD;SACzD,CAAC;QAEF,MAAM,QAAQ,GAAG;YACf,iCAAiC;YACjC,iCAAiC;SAClC,CAAC;QAEF,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,YAAY,CACtB,KAAK,EACL,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,kBAAkB,CAAC,EAC9C,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CACpC,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YAC1D,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;YAC5D,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,OAAO;aACtB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;aAClC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QAE1E,MAAM,CACJ,SAAS,EACT,2CAA2C,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG;YACd,mCAAmC;YACnC,8BAA8B;YAC9B,wDAAwD;SACzD,CAAC;QAEF,IAAI,OAAO,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CACtB,KAAK,EACL,CAAC,MAAM,EAAE,KAAK,EAAE,wBAAwB,EAAE,IAAI,EAAE,kBAAkB,CAAC,EACnE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CACpC,CAAC;YACF,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;QAED,MAAM,SAAS,GAAG,OAAO;aACtB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;aAClC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QAE1E,MAAM,CACJ,SAAS,EACT,kDAAkD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/audit-types.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit-types.test.d.ts.map

package/dist/__tests__/audit-types.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-types.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/audit-types.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit-types.test.js

@@ -0,0 +1,35 @@
+import { describe, it, expect } from "vitest";
+import { AuditEventSchema, AuditEventTypeSchema } from "../types.js";
+describe("audit event zod schemas", () => {
+    it("accepts all v1 event types", () => {
+        const types = [
+            "run.started", "run.completed", "run.failed", "run.auto_merged", "run.auto_merge_skipped",
+            "pm.approval_requested", "pm.approval_resolved",
+            "pm.issue_promoted", "pm.issue_deprioritized", "pm.issue_cancelled", "pm.triage_classified",
+            "budget.alert_fired", "budget.run_refused",
+            "license.validation_failed", "config.loaded", "dashboard.manual_action",
+        ];
+        for (const t of types)
+            expect(AuditEventTypeSchema.parse(t)).toBe(t);
+    });
+    it("rejects unknown event type", () => {
+        expect(() => AuditEventTypeSchema.parse("nope")).toThrow();
+    });
+    it("parses a minimal valid audit event", () => {
+        const evt = AuditEventSchema.parse({
+            id: "evt_1",
+            timestamp: new Date(),
+            eventType: "pm.issue_promoted",
+            actor: "pm-agent",
+            actorType: "pm-agent",
+            scope: null,
+            runId: null,
+            issueId: "BEC-1",
+            inputTokens: 0,
+            outputTokens: 0,
+            payload: { issueId: "BEC-1" },
+        });
+        expect(evt.eventType).toBe("pm.issue_promoted");
+    });
+});
+//# sourceMappingURL=audit-types.test.js.map

package/dist/__tests__/audit-types.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-types.test.js","sourceRoot":"","sources":["../../src/__tests__/audit-types.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAwB,MAAM,aAAa,CAAC;AAE3F,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,KAAK,GAAG;YACZ,aAAa,EAAC,eAAe,EAAC,YAAY,EAAC,iBAAiB,EAAC,wBAAwB;YACrF,uBAAuB,EAAC,sBAAsB;YAC9C,mBAAmB,EAAC,wBAAwB,EAAC,oBAAoB,EAAC,sBAAsB;YACxF,oBAAoB,EAAC,oBAAoB;YACzC,2BAA2B,EAAC,eAAe,EAAC,yBAAyB;SACtE,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,KAAK;YAAE,MAAM,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,GAAG,GAAG,gBAAgB,CAAC,KAAK,CAAC;YACjC,EAAE,EAAE,OAAO;YACX,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,SAAS,EAAE,mBAAmB;YAC9B,KAAK,EAAE,UAAU;YACjB,SAAS,EAAE,UAAU;YACrB,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,IAAI;YACX,OAAO,EAAE,OAAO;YAChB,WAAW,EAAE,CAAC;YACd,YAAY,EAAE,CAAC;YACf,OAAO,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE;SAC9B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/auth/session-store.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=session-store.test.d.ts.map

package/dist/__tests__/auth/session-store.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/auth/session-store.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/auth/session-store.test.js

@@ -0,0 +1,65 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { createDb } from "../../db/client.js";
+import { upsertUser } from "../../auth/user-store.js";
+import { createSession, getSession, deleteSession, pruneExpiredSessions, touchSessionLastSeen, } from "../../auth/session-store.js";
+let db;
+let userId;
+beforeEach(async () => {
+    db = await createDb({ connectionString: ":memory:" });
+    userId = await upsertUser(db, {
+        email: "a@b.com",
+        name: "A",
+        workosUserId: null,
+    });
+});
+describe("session-store", () => {
+    it("creates a session and reads it back", async () => {
+        const sid = await createSession(db, { userId, durationHours: 24 });
+        expect(sid).toBeTruthy();
+        expect(sid.length).toBeGreaterThan(20);
+        const s = await getSession(db, sid);
+        expect(s?.userId).toBe(userId);
+        expect(s?.expiresAt.getTime()).toBeGreaterThan(Date.now());
+    });
+    it("returns null for unknown session id", async () => {
+        expect(await getSession(db, "nope")).toBeNull();
+    });
+    it("returns null for expired sessions", async () => {
+        const sid = await createSession(db, { userId, durationHours: 24 });
+        await deleteSession(db, sid);
+        const { dashboardSessions } = await import("../../db/schema.js");
+        await db.insert(dashboardSessions).values({
+            id: sid,
+            userId,
+            expiresAt: new Date(Date.now() - 1000),
+        });
+        expect(await getSession(db, sid)).toBeNull();
+    });
+    it("deleteSession removes the row", async () => {
+        const sid = await createSession(db, { userId, durationHours: 24 });
+        await deleteSession(db, sid);
+        expect(await getSession(db, sid)).toBeNull();
+    });
+    it("pruneExpiredSessions removes only expired rows", async () => {
+        const live = await createSession(db, { userId, durationHours: 24 });
+        const dead = "sess_dead";
+        const { dashboardSessions } = await import("../../db/schema.js");
+        await db.insert(dashboardSessions).values({
+            id: dead,
+            userId,
+            expiresAt: new Date(Date.now() - 1000),
+        });
+        const deleted = await pruneExpiredSessions(db);
+        expect(deleted).toBe(1);
+        expect(await getSession(db, live)).not.toBeNull();
+    });
+    it("touchSessionLastSeen updates lastSeenAt", async () => {
+        const sid = await createSession(db, { userId, durationHours: 24 });
+        const before = (await getSession(db, sid)).lastSeenAt;
+        await new Promise((r) => setTimeout(r, 50));
+        await touchSessionLastSeen(db, sid);
+        const after = (await getSession(db, sid)).lastSeenAt;
+        expect(after.getTime()).toBeGreaterThanOrEqual(before.getTime());
+    });
+});
+//# sourceMappingURL=session-store.test.js.map