npm - @usebetterdev/audit-core - Versions diffs - 0.4.0-beta.1 - Mend

@usebetterdev/audit-core 0.4.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1267 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AUDIT_LOG_SCHEMA: () => AUDIT_LOG_SCHEMA,
+  AuditQueryBuilder: () => AuditQueryBuilder,
+  betterAudit: () => betterAudit,
+  createAuditApi: () => createAuditApi,
+  createAuditConsoleEndpoints: () => createAuditConsoleEndpoints,
+  fromBearerToken: () => fromBearerToken,
+  fromCookie: () => fromCookie,
+  fromHeader: () => fromHeader,
+  getAuditContext: () => getAuditContext,
+  handleMiddleware: () => handleMiddleware,
+  mergeAuditContext: () => mergeAuditContext,
+  normalizeInput: () => normalizeInput,
+  parseDuration: () => parseDuration,
+  runWithAuditContext: () => runWithAuditContext
+});
+module.exports = __toCommonJS(index_exports);
+// src/context.ts
+var import_node_async_hooks = require("async_hooks");
+var storage = new import_node_async_hooks.AsyncLocalStorage();
+function getAuditContext() {
+  return storage.getStore();
+}
+function runWithAuditContext(context, fn) {
+  return Promise.resolve(storage.run(context, () => fn()));
+}
+function mergeAuditContext(override, fn) {
+  const current = storage.getStore() ?? {};
+  const merged = { ...current, ...override };
+  return Promise.resolve(storage.run(merged, () => fn()));
+}
+// src/diff.ts
+function computeDiff(before, after) {
+  const b = before ?? {};
+  const a = after ?? {};
+  const allKeys = /* @__PURE__ */ new Set([...Object.keys(b), ...Object.keys(a)]);
+  const changedFields = [];
+  for (const key of allKeys) {
+    const inBefore = Object.prototype.hasOwnProperty.call(b, key);
+    const inAfter = Object.prototype.hasOwnProperty.call(a, key);
+    if (!inBefore || !inAfter) {
+      changedFields.push(key);
+      continue;
+    }
+    try {
+      if (JSON.stringify(b[key]) !== JSON.stringify(a[key])) {
+        changedFields.push(key);
+      }
+    } catch {
+      changedFields.push(key);
+    }
+  }
+  return { changedFields };
+}
+// src/enrichment-registry.ts
+function makeKey(table, operation) {
+  return `${table}:${operation.toUpperCase()}`;
+}
+function validateRedactInclude(config, key) {
+  if (config.redact !== void 0 && config.redact.length > 0 && config.include !== void 0 && config.include.length > 0) {
+    throw new Error(
+      `Enrichment for "${key}" cannot specify both "redact" and "include". Use one or the other.`
+    );
+  }
+}
+var EnrichmentRegistry = class {
+  entries = /* @__PURE__ */ new Map();
+  register(table, operation, config) {
+    const key = makeKey(table, operation);
+    validateRedactInclude(config, key);
+    const existing = this.entries.get(key);
+    if (existing !== void 0) {
+      existing.push(config);
+    } else {
+      this.entries.set(key, [config]);
+    }
+  }
+  getEntries() {
+    const result = [];
+    for (const [key, configs] of this.entries) {
+      const separatorIndex = key.indexOf(":");
+      const table = key.slice(0, separatorIndex);
+      const operation = key.slice(separatorIndex + 1);
+      result.push({ table, operation, configs });
+    }
+    return result;
+  }
+  resolve(table, operation) {
+    const normalizedOp = operation.toUpperCase();
+    const keysToCheck = [
+      makeKey("*", "*"),
+      makeKey("*", normalizedOp),
+      makeKey(table, "*"),
+      makeKey(table, normalizedOp)
+    ];
+    const allConfigs = [];
+    for (const key of keysToCheck) {
+      const configs = this.entries.get(key);
+      if (configs !== void 0) {
+        for (const config of configs) {
+          allConfigs.push(config);
+        }
+      }
+    }
+    if (allConfigs.length === 0) {
+      return void 0;
+    }
+    return mergeEnrichmentConfigs(allConfigs, `${table}:${normalizedOp}`);
+  }
+};
+function mergeEnrichmentConfigs(configs, contextKey) {
+  const result = {};
+  for (const config of configs) {
+    if (config.label !== void 0) {
+      result.label = config.label;
+    }
+    if (config.description !== void 0) {
+      result.description = config.description;
+    }
+    if (config.severity !== void 0) {
+      result.severity = config.severity;
+    }
+    if (config.notify !== void 0) {
+      result.notify = config.notify;
+    }
+    if (config.compliance !== void 0) {
+      if (result.compliance !== void 0) {
+        const merged = [...result.compliance, ...config.compliance];
+        result.compliance = [...new Set(merged)];
+      } else {
+        result.compliance = [...config.compliance];
+      }
+    }
+    if (config.redact !== void 0) {
+      if (result.redact !== void 0) {
+        const merged = [...result.redact, ...config.redact];
+        result.redact = [...new Set(merged)];
+      } else {
+        result.redact = [...config.redact];
+      }
+    }
+    if (config.include !== void 0) {
+      if (result.include !== void 0) {
+        const merged = [...result.include, ...config.include];
+        result.include = [...new Set(merged)];
+      } else {
+        result.include = [...config.include];
+      }
+    }
+  }
+  if (result.redact !== void 0 && result.redact.length > 0 && result.include !== void 0 && result.include.length > 0) {
+    throw new Error(
+      `Enrichment merge for "${contextKey}" produced both "redact" and "include". These are mutually exclusive \u2014 fix the conflicting registrations.`
+    );
+  }
+  return result;
+}
+function applyFieldRedaction(log, resolved) {
+  const { redact, include } = resolved;
+  const removedFields = /* @__PURE__ */ new Set();
+  if (redact !== void 0 && redact.length > 0) {
+    const redactSet = new Set(redact);
+    if (log.beforeData !== void 0) {
+      for (const key of Object.keys(log.beforeData)) {
+        if (redactSet.has(key)) {
+          removedFields.add(key);
+        }
+      }
+      log.beforeData = filterOutKeys(log.beforeData, redactSet);
+    }
+    if (log.afterData !== void 0) {
+      for (const key of Object.keys(log.afterData)) {
+        if (redactSet.has(key)) {
+          removedFields.add(key);
+        }
+      }
+      log.afterData = filterOutKeys(log.afterData, redactSet);
+    }
+    if (log.diff !== void 0) {
+      log.diff = {
+        changedFields: log.diff.changedFields.filter(
+          (field) => !redactSet.has(field)
+        )
+      };
+    }
+  } else if (include !== void 0 && include.length > 0) {
+    const includeSet = new Set(include);
+    if (log.beforeData !== void 0) {
+      for (const key of Object.keys(log.beforeData)) {
+        if (!includeSet.has(key)) {
+          removedFields.add(key);
+        }
+      }
+      log.beforeData = keepOnlyKeys(log.beforeData, includeSet);
+    }
+    if (log.afterData !== void 0) {
+      for (const key of Object.keys(log.afterData)) {
+        if (!includeSet.has(key)) {
+          removedFields.add(key);
+        }
+      }
+      log.afterData = keepOnlyKeys(log.afterData, includeSet);
+    }
+    if (log.diff !== void 0) {
+      log.diff = {
+        changedFields: log.diff.changedFields.filter(
+          (field) => includeSet.has(field)
+        )
+      };
+    }
+  }
+  if (removedFields.size > 0) {
+    log.redactedFields = [...removedFields].sort();
+  }
+}
+function applyEnrichment(log, resolved) {
+  applyFieldRedaction(log, resolved);
+  if (resolved.description !== void 0 && log.description === void 0) {
+    try {
+      const descriptionContext = {
+        before: log.beforeData !== void 0 ? structuredClone(log.beforeData) : void 0,
+        after: log.afterData !== void 0 ? structuredClone(log.afterData) : void 0,
+        diff: log.diff !== void 0 ? structuredClone(log.diff) : void 0,
+        actorId: log.actorId,
+        metadata: log.metadata !== void 0 ? structuredClone(log.metadata) : void 0
+      };
+      log.description = resolved.description(descriptionContext);
+    } catch {
+    }
+  }
+  if (resolved.label !== void 0 && log.label === void 0) {
+    log.label = resolved.label;
+  }
+  if (resolved.severity !== void 0 && log.severity === void 0) {
+    log.severity = resolved.severity;
+  }
+  if (resolved.notify !== void 0 && log.notify === void 0) {
+    log.notify = resolved.notify;
+  }
+  if (resolved.compliance !== void 0) {
+    if (log.compliance !== void 0) {
+      const merged = [...log.compliance, ...resolved.compliance];
+      log.compliance = [...new Set(merged)];
+    } else {
+      log.compliance = [...resolved.compliance];
+    }
+  }
+}
+function filterOutKeys(data, keysToRemove) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!keysToRemove.has(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function keepOnlyKeys(data, keysToKeep) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (keysToKeep.has(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+// src/normalize.ts
+function normalizeInput(operation, before, after) {
+  switch (operation) {
+    case "INSERT": {
+      return { before: void 0, after };
+    }
+    case "DELETE": {
+      return { before, after: void 0 };
+    }
+    case "UPDATE": {
+      return { before, after };
+    }
+  }
+}
+// src/duration.ts
+var DURATION_PATTERN = /^(\d+)([hdwmy])$/;
+function isValidUnit(raw) {
+  return raw === "h" || raw === "d" || raw === "w" || raw === "m" || raw === "y";
+}
+function parseDuration(input, referenceDate) {
+  const match = DURATION_PATTERN.exec(input);
+  if (match === null) {
+    throw new Error(
+      `Invalid duration "${input}". Expected format: <number><unit> where unit is h, d, w, m, or y (e.g. "4h", "30d", "2w", "3m", "1y").`
+    );
+  }
+  const value = Number(match[1]);
+  const rawUnit = match[2];
+  if (value === 0) {
+    throw new Error(
+      `Invalid duration "${input}". Value must be greater than zero.`
+    );
+  }
+  if (!isValidUnit(rawUnit)) {
+    throw new Error(
+      `Invalid duration unit "${rawUnit}". Expected h, d, w, m, or y.`
+    );
+  }
+  const result = referenceDate !== void 0 ? new Date(referenceDate) : /* @__PURE__ */ new Date();
+  if (rawUnit === "h") {
+    result.setHours(result.getHours() - value);
+  } else if (rawUnit === "d") {
+    result.setDate(result.getDate() - value);
+  } else if (rawUnit === "w") {
+    result.setDate(result.getDate() - value * 7);
+  } else if (rawUnit === "m") {
+    result.setMonth(result.getMonth() - value);
+  } else {
+    result.setFullYear(result.getFullYear() - value);
+  }
+  return result;
+}
+// src/query-builder.ts
+var DEFAULT_MAX_QUERY_LIMIT = 1e3;
+var MAX_SEARCH_TEXT_LENGTH = 500;
+var AuditQueryBuilder = class _AuditQueryBuilder {
+  #executor;
+  #filters;
+  #limit;
+  #cursor;
+  #maxLimit;
+  #sortOrder;
+  constructor(executor, filters, limit, cursor, maxLimit, sortOrder) {
+    this.#executor = executor;
+    this.#filters = filters ?? {};
+    this.#limit = limit;
+    this.#cursor = cursor;
+    this.#maxLimit = maxLimit ?? DEFAULT_MAX_QUERY_LIMIT;
+    this.#sortOrder = sortOrder;
+  }
+  /** Filter by table name and optional record ID. Last-write-wins. */
+  resource(tableName, recordId) {
+    return new _AuditQueryBuilder(
+      this.#executor,
+      {
+        ...this.#filters,
+        resource: recordId !== void 0 ? { tableName, recordId } : { tableName }
+      },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Filter by actor IDs (OR semantics, deduplicates). */
+  actor(...ids) {
+    const existing = this.#filters.actorIds ?? [];
+    const merged = [.../* @__PURE__ */ new Set([...existing, ...ids])];
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, actorIds: merged },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Add severity levels to the filter (OR semantics, deduplicates). */
+  severity(...levels) {
+    const existing = this.#filters.severities ?? [];
+    const merged = [.../* @__PURE__ */ new Set([...existing, ...levels])];
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, severities: merged },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Add compliance tags to the filter (AND semantics, deduplicates). */
+  compliance(...tags) {
+    const existing = this.#filters.compliance ?? [];
+    const merged = [.../* @__PURE__ */ new Set([...existing, ...tags])];
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, compliance: merged },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /**
+   * Filter entries created after a point in time.
+   *
+   * Accepts a `Date` or a duration string (e.g. "4h", "30d", "2w", "3m", "1y").
+   * Duration strings are eagerly validated but resolved at query time for a fresh "now".
+   * Last-write-wins.
+   */
+  since(value) {
+    const filter = this.#parseTimeFilter(value);
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, since: filter },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /**
+   * Filter entries created before a point in time.
+   *
+   * Accepts a `Date` or a duration string (e.g. "4h", "30d", "2w", "3m", "1y").
+   * Duration strings are eagerly validated but resolved at query time for a fresh "now".
+   * Last-write-wins.
+   */
+  until(value) {
+    const filter = this.#parseTimeFilter(value);
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, until: filter },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Full-text search filter. Last-write-wins. Max 500 characters. */
+  search(text) {
+    if (text.length > MAX_SEARCH_TEXT_LENGTH) {
+      throw new Error(
+        `searchText must be at most ${MAX_SEARCH_TEXT_LENGTH} characters, got ${text.length}`
+      );
+    }
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, searchText: text },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Add operation types to the filter (OR semantics, deduplicates). */
+  operation(...ops) {
+    const existing = this.#filters.operations ?? [];
+    const merged = [.../* @__PURE__ */ new Set([...existing, ...ops])];
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters, operations: merged },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Set maximum number of entries to return. Must be > 0 and <= maxLimit. */
+  limit(n) {
+    if (n <= 0) {
+      throw new Error(`limit must be greater than 0, got ${n}`);
+    }
+    if (n > this.#maxLimit) {
+      throw new Error(
+        `limit ${n} exceeds maximum allowed limit of ${this.#maxLimit}`
+      );
+    }
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters },
+      n,
+      this.#cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Set the pagination cursor for fetching the next page. */
+  after(cursor) {
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters },
+      this.#limit,
+      cursor,
+      this.#maxLimit,
+      this.#sortOrder
+    );
+  }
+  /** Set the sort direction for results. */
+  order(direction) {
+    return new _AuditQueryBuilder(
+      this.#executor,
+      { ...this.#filters },
+      this.#limit,
+      this.#cursor,
+      this.#maxLimit,
+      direction
+    );
+  }
+  /** Returns the query specification without executing. Useful for tests and debugging. */
+  toSpec() {
+    const filters = { ...this.#filters };
+    if (filters.severities !== void 0) {
+      filters.severities = [...filters.severities];
+    }
+    if (filters.operations !== void 0) {
+      filters.operations = [...filters.operations];
+    }
+    if (filters.compliance !== void 0) {
+      filters.compliance = [...filters.compliance];
+    }
+    if (filters.actorIds !== void 0) {
+      filters.actorIds = [...filters.actorIds];
+    }
+    const spec = { filters };
+    const effectiveLimit = this.#limit ?? this.#maxLimit;
+    spec.limit = effectiveLimit;
+    if (this.#cursor !== void 0) {
+      spec.cursor = this.#cursor;
+    }
+    if (this.#sortOrder !== void 0) {
+      spec.sortOrder = this.#sortOrder;
+    }
+    return spec;
+  }
+  /** Execute the query against the adapter. */
+  list() {
+    return this.#executor(this.toSpec());
+  }
+  #parseTimeFilter(value) {
+    if (value instanceof Date) {
+      return { date: value };
+    }
+    parseDuration(value);
+    return { duration: value };
+  }
+};
+// src/audit-api.ts
+var CSV_HEADERS = [
+  "id",
+  "timestamp",
+  "tableName",
+  "operation",
+  "recordId",
+  "actorId",
+  "severity",
+  "label",
+  "description"
+];
+function escapeCsvField(value) {
+  if (value.includes('"') || value.includes(",") || value.includes("\n") || value.includes("\r")) {
+    return `"${value.replace(/"/g, '""')}"`;
+  }
+  return value;
+}
+function logToCsvRow(log) {
+  const fields = [
+    log.id,
+    log.timestamp instanceof Date ? log.timestamp.toISOString() : String(log.timestamp),
+    log.tableName,
+    log.operation,
+    log.recordId,
+    log.actorId ?? "",
+    log.severity ?? "",
+    log.label ?? "",
+    log.description ?? ""
+  ];
+  return fields.map(escapeCsvField).join(",");
+}
+function toTimeFilter(date) {
+  return { date };
+}
+function buildQuerySpec(filters, effectiveLimit) {
+  const limit = Math.min(filters.limit ?? effectiveLimit, effectiveLimit);
+  const spec = {
+    filters: {},
+    limit
+  };
+  if (filters.tableName !== void 0) {
+    spec.filters.resource = { tableName: filters.tableName };
+  }
+  if (filters.actorId !== void 0) {
+    spec.filters.actorIds = [filters.actorId];
+  }
+  if (filters.severity !== void 0) {
+    spec.filters.severities = [filters.severity];
+  }
+  if (filters.compliance !== void 0) {
+    spec.filters.compliance = [filters.compliance];
+  }
+  if (filters.operation !== void 0) {
+    spec.filters.operations = [filters.operation.toUpperCase()];
+  }
+  if (filters.since !== void 0) {
+    spec.filters.since = toTimeFilter(filters.since);
+  }
+  if (filters.until !== void 0) {
+    spec.filters.until = toTimeFilter(filters.until);
+  }
+  if (filters.search !== void 0) {
+    spec.filters.searchText = filters.search;
+  }
+  if (filters.cursor !== void 0) {
+    spec.cursor = filters.cursor;
+  }
+  return spec;
+}
+function createAuditApi(adapter, registry, maxQueryLimit) {
+  const effectiveLimit = maxQueryLimit ?? 1e3;
+  function requireQueryLogs() {
+    if (adapter.queryLogs === void 0) {
+      throw new Error(
+        "Console API requires a database adapter that implements queryLogs(). Check that your ORM adapter supports querying."
+      );
+    }
+    return adapter.queryLogs;
+  }
+  function requireGetLogById() {
+    if (adapter.getLogById === void 0) {
+      throw new Error(
+        "Console API requires a database adapter that implements getLogById(). Check that your ORM adapter supports querying."
+      );
+    }
+    return adapter.getLogById;
+  }
+  function requireGetStats() {
+    if (adapter.getStats === void 0) {
+      throw new Error(
+        "Console API requires a database adapter that implements getStats(). Check that your ORM adapter supports statistics."
+      );
+    }
+    return adapter.getStats;
+  }
+  function requirePurgeLogs() {
+    if (adapter.purgeLogs === void 0) {
+      throw new Error(
+        "Console API requires a database adapter that implements purgeLogs(). Check that your ORM adapter supports log purging."
+      );
+    }
+    return adapter.purgeLogs;
+  }
+  async function queryLogs(filters) {
+    const queryFn = requireQueryLogs();
+    const spec = buildQuerySpec(filters ?? {}, effectiveLimit);
+    const result = await queryFn(spec);
+    return {
+      entries: result.entries,
+      ...result.nextCursor !== void 0 && { nextCursor: result.nextCursor },
+      hasNextPage: result.nextCursor !== void 0
+    };
+  }
+  async function getLog(id) {
+    const getLogFn = requireGetLogById();
+    return getLogFn(id);
+  }
+  async function getStats(options) {
+    const getStatsFn = requireGetStats();
+    return getStatsFn(options);
+  }
+  function getEnrichments() {
+    const entries = registry.getEntries();
+    const summaries = [];
+    for (const entry of entries) {
+      for (const config of entry.configs) {
+        const summary = {
+          table: entry.table,
+          operation: entry.operation
+        };
+        if (config.label !== void 0) {
+          summary.label = config.label;
+        }
+        if (config.severity !== void 0) {
+          summary.severity = config.severity;
+        }
+        if (config.compliance !== void 0) {
+          summary.compliance = config.compliance;
+        }
+        if (config.notify !== void 0) {
+          summary.notify = config.notify;
+        }
+        if (config.redact !== void 0) {
+          summary.redact = config.redact;
+        }
+        if (config.include !== void 0) {
+          summary.include = config.include;
+        }
+        summaries.push(summary);
+      }
+    }
+    return summaries;
+  }
+  async function exportLogs(filters, format) {
+    const exportFormat = format ?? "json";
+    const exportFilters = { ...filters, limit: effectiveLimit };
+    const result = await queryLogs(exportFilters);
+    if (exportFormat === "json") {
+      return JSON.stringify(result.entries);
+    }
+    const rows = [CSV_HEADERS.join(",")];
+    for (const log of result.entries) {
+      rows.push(logToCsvRow(log));
+    }
+    return rows.join("\n");
+  }
+  async function purgeLogs(options) {
+    const purgeFn = requirePurgeLogs();
+    return purgeFn(options);
+  }
+  return { queryLogs, getLog, getStats, getEnrichments, exportLogs, purgeLogs };
+}
+// src/console-endpoints.ts
+var MAX_PARAM_LENGTH = 1e3;
+function exceedsMaxLength(value) {
+  return value !== void 0 && value.length > MAX_PARAM_LENGTH;
+}
+function parsePositiveInt(value, max) {
+  if (value === void 0) {
+    return void 0;
+  }
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return void 0;
+  }
+  return Math.min(Math.floor(parsed), max);
+}
+function parseIsoDate(value) {
+  if (value === void 0) {
+    return void 0;
+  }
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) {
+    return void 0;
+  }
+  return date;
+}
+function parseConsoleQueryFilters(query) {
+  const filters = {};
+  const limit = parsePositiveInt(query.limit, 1e3);
+  if (limit !== void 0) {
+    filters.limit = limit;
+  }
+  if (query.tableName !== void 0) {
+    filters.tableName = query.tableName;
+  }
+  if (query.operation !== void 0) {
+    filters.operation = query.operation;
+  }
+  if (query.actorId !== void 0) {
+    filters.actorId = query.actorId;
+  }
+  if (query.severity !== void 0) {
+    filters.severity = query.severity;
+  }
+  if (query.compliance !== void 0) {
+    filters.compliance = query.compliance;
+  }
+  if (query.search !== void 0) {
+    filters.search = query.search;
+  }
+  if (query.cursor !== void 0) {
+    filters.cursor = query.cursor;
+  }
+  const since = parseIsoDate(query.since);
+  if (since !== void 0) {
+    filters.since = since;
+  }
+  const until = parseIsoDate(query.until);
+  if (until !== void 0) {
+    filters.until = until;
+  }
+  return filters;
+}
+function hasLongQueryParam(query) {
+  return exceedsMaxLength(query.tableName) || exceedsMaxLength(query.actorId) || exceedsMaxLength(query.cursor) || exceedsMaxLength(query.operation) || exceedsMaxLength(query.severity) || exceedsMaxLength(query.compliance) || exceedsMaxLength(query.search);
+}
+function createAuditConsoleEndpoints(api) {
+  return [
+    {
+      method: "GET",
+      path: "/logs",
+      requiredPermission: "read",
+      async handler(request) {
+        try {
+          if (hasLongQueryParam(request.query)) {
+            return { status: 400, body: { error: "Query parameter exceeds maximum length" } };
+          }
+          const filters = parseConsoleQueryFilters(request.query);
+          const result = await api.queryLogs(filters);
+          return { status: 200, body: result };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    },
+    {
+      method: "GET",
+      path: "/logs/:id",
+      requiredPermission: "read",
+      async handler(request) {
+        try {
+          const id = request.params.id?.trim();
+          if (!id) {
+            return { status: 400, body: { error: "Missing log id" } };
+          }
+          const log = await api.getLog(id);
+          if (!log) {
+            return { status: 404, body: { error: "Audit log not found" } };
+          }
+          return { status: 200, body: log };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    },
+    {
+      method: "GET",
+      path: "/stats",
+      requiredPermission: "read",
+      async handler(request) {
+        try {
+          const options = {};
+          const since = parseIsoDate(request.query.since);
+          if (since !== void 0) {
+            options.since = since;
+          }
+          if (request.query.tenantId !== void 0) {
+            options.tenantId = request.query.tenantId;
+          }
+          const stats = await api.getStats(options);
+          return { status: 200, body: stats };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    },
+    {
+      method: "GET",
+      path: "/enrichments",
+      requiredPermission: "read",
+      async handler() {
+        try {
+          const enrichments = api.getEnrichments();
+          return { status: 200, body: enrichments };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    },
+    {
+      method: "GET",
+      path: "/export",
+      requiredPermission: "read",
+      async handler(request) {
+        try {
+          const format = request.query.format;
+          if (format !== void 0 && format !== "csv" && format !== "json") {
+            return { status: 400, body: { error: "Invalid format. Must be 'csv' or 'json'" } };
+          }
+          if (hasLongQueryParam(request.query)) {
+            return { status: 400, body: { error: "Query parameter exceeds maximum length" } };
+          }
+          const filters = parseConsoleQueryFilters(request.query);
+          const data = await api.exportLogs(filters, format);
+          return { status: 200, body: data };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    },
+    {
+      method: "DELETE",
+      path: "/logs",
+      requiredPermission: "admin",
+      async handler(request) {
+        try {
+          const body = request.body;
+          const beforeValue = body?.before;
+          if (beforeValue === void 0 || beforeValue === null) {
+            return { status: 400, body: { error: "Missing required field: before" } };
+          }
+          const before = new Date(beforeValue);
+          if (Number.isNaN(before.getTime())) {
+            return { status: 400, body: { error: "Invalid date for 'before' field" } };
+          }
+          const options = { before };
+          if (typeof body?.tableName === "string" && body.tableName.length > 0) {
+            options.tableName = body.tableName;
+          }
+          const result = await api.purgeLogs(options);
+          return { status: 200, body: result };
+        } catch {
+          return { status: 500, body: { error: "Internal server error" } };
+        }
+      }
+    }
+  ];
+}
+// src/better-audit.ts
+function withContext(context, fn) {
+  return runWithAuditContext(context, fn);
+}
+function betterAudit(config) {
+  const { database } = config;
+  const auditTables = new Set(config.auditTables);
+  const registry = new EnrichmentRegistry();
+  const beforeLogHooks = config.beforeLog !== void 0 ? [...config.beforeLog] : [];
+  const afterLogHooks = config.afterLog !== void 0 ? [...config.afterLog] : [];
+  function enrich(table, operation, enrichmentConfig) {
+    if (table !== "*" && !auditTables.has(table)) {
+      throw new Error(
+        `Cannot register enrichment for table "${table}": it is not in auditTables. Registered tables: ${[...auditTables].join(", ")}`
+      );
+    }
+    registry.register(table, operation, enrichmentConfig);
+  }
+  function onBeforeLog(hook) {
+    beforeLogHooks.push(hook);
+    return () => {
+      const index = beforeLogHooks.indexOf(hook);
+      if (index !== -1) {
+        beforeLogHooks.splice(index, 1);
+      }
+    };
+  }
+  function onAfterLog(hook) {
+    afterLogHooks.push(hook);
+    return () => {
+      const index = afterLogHooks.indexOf(hook);
+      if (index !== -1) {
+        afterLogHooks.splice(index, 1);
+      }
+    };
+  }
+  async function writeAndRunAfterHooks(log) {
+    await database.writeLog(log);
+    for (const hook of afterLogHooks) {
+      await hook(log);
+    }
+  }
+  async function captureLog(input) {
+    if (!auditTables.has(input.tableName)) {
+      return;
+    }
+    if (input.recordId === "") {
+      throw new Error("captureLog requires a non-empty recordId");
+    }
+    const normalized = normalizeInput(input.operation, input.before, input.after);
+    const context = getAuditContext();
+    const actorId = input.actorId ?? context?.actorId;
+    const label = input.label ?? context?.label;
+    const reason = input.reason ?? context?.reason;
+    const compliance = input.compliance ?? context?.compliance;
+    const metadata = input.metadata ?? context?.metadata;
+    const log = {
+      id: crypto.randomUUID(),
+      timestamp: /* @__PURE__ */ new Date(),
+      tableName: input.tableName,
+      operation: input.operation,
+      recordId: input.recordId,
+      ...actorId !== void 0 && { actorId },
+      ...label !== void 0 && { label },
+      ...reason !== void 0 && { reason },
+      ...compliance !== void 0 && { compliance },
+      ...metadata !== void 0 && { metadata },
+      ...input.description !== void 0 && { description: input.description },
+      ...input.severity !== void 0 && { severity: input.severity },
+      ...input.notify !== void 0 && { notify: input.notify },
+      ...normalized.before !== void 0 && { beforeData: { ...normalized.before } },
+      ...normalized.after !== void 0 && { afterData: { ...normalized.after } }
+    };
+    if (input.operation === "UPDATE") {
+      const diff = computeDiff(normalized.before, normalized.after);
+      if (diff.changedFields.length > 0) {
+        log.diff = diff;
+      }
+    }
+    const resolved = registry.resolve(input.tableName, input.operation);
+    if (resolved !== void 0) {
+      applyEnrichment(log, resolved);
+    }
+    for (const hook of beforeLogHooks) {
+      await hook(log);
+    }
+    const isAsync = input.asyncWrite ?? config.asyncWrite ?? false;
+    if (isAsync) {
+      void writeAndRunAfterHooks(log).catch((error) => {
+        if (config.onError !== void 0) {
+          config.onError(error);
+        } else {
+          const message = error instanceof Error ? error.message : String(error);
+          console.error(`audit: async write failed for ${log.tableName}/${log.id} \u2014 ${message}`);
+        }
+      });
+    } else {
+      await writeAndRunAfterHooks(log);
+    }
+  }
+  function query() {
+    if (database.queryLogs === void 0) {
+      throw new Error(
+        "audit.query() requires a database adapter that implements queryLogs(). Check that your ORM adapter supports querying."
+      );
+    }
+    const queryLogs = database.queryLogs;
+    return new AuditQueryBuilder(
+      (spec) => queryLogs(spec),
+      void 0,
+      void 0,
+      void 0,
+      config.maxQueryLimit
+    );
+  }
+  if (config.console) {
+    const api = createAuditApi(database, registry, config.maxQueryLimit);
+    const endpoints = createAuditConsoleEndpoints(api);
+    config.console.registerProduct({
+      id: "audit",
+      name: "Better Audit",
+      endpoints
+    });
+  }
+  return { captureLog, query, withContext, enrich, onBeforeLog, onAfterLog };
+}
+// src/audit-log-schema.ts
+var AUDIT_LOG_SCHEMA = {
+  tableName: "audit_logs",
+  columns: {
+    id: {
+      type: "uuid",
+      nullable: false,
+      primaryKey: true,
+      defaultExpression: "gen_random_uuid()",
+      description: "Unique identifier for the audit log entry"
+    },
+    timestamp: {
+      type: "timestamptz",
+      nullable: false,
+      defaultExpression: "now()",
+      indexed: true,
+      description: "When the audited event occurred"
+    },
+    table_name: {
+      type: "text",
+      nullable: false,
+      indexed: true,
+      description: "Name of the table that was modified"
+    },
+    operation: {
+      type: "text",
+      nullable: false,
+      indexed: true,
+      description: "Type of operation: INSERT, UPDATE, or DELETE"
+    },
+    record_id: {
+      type: "text",
+      nullable: false,
+      indexed: true,
+      description: "Primary key of the affected record"
+    },
+    actor_id: {
+      type: "text",
+      nullable: true,
+      indexed: true,
+      description: "Identifier of the user or system that performed the action"
+    },
+    before_data: {
+      type: "jsonb",
+      nullable: true,
+      description: "Row snapshot before the mutation (DELETE and UPDATE only)"
+    },
+    after_data: {
+      type: "jsonb",
+      nullable: true,
+      description: "Row snapshot after the mutation (INSERT and UPDATE only)"
+    },
+    diff: {
+      type: "jsonb",
+      nullable: true,
+      description: "Changed field names for UPDATE operations"
+    },
+    label: {
+      type: "text",
+      nullable: true,
+      description: "Human-readable label for the event"
+    },
+    description: {
+      type: "text",
+      nullable: true,
+      description: "Detailed description of what happened"
+    },
+    severity: {
+      type: "text",
+      nullable: true,
+      description: "Severity level: low, medium, high, or critical"
+    },
+    compliance: {
+      type: "jsonb",
+      nullable: true,
+      description: "Compliance framework tags (e.g. soc2, gdpr, hipaa)"
+    },
+    notify: {
+      type: "boolean",
+      nullable: true,
+      description: "Whether this event should trigger notifications"
+    },
+    reason: {
+      type: "text",
+      nullable: true,
+      description: "Justification or reason for the action"
+    },
+    metadata: {
+      type: "jsonb",
+      nullable: true,
+      description: "Arbitrary key-value metadata attached to the event"
+    },
+    redacted_fields: {
+      type: "jsonb",
+      nullable: true,
+      description: "Field names that were removed by redaction rules"
+    }
+  }
+};
+// src/context-extractor.ts
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length < 2) {
+      return null;
+    }
+    const payload = parts[1];
+    if (!payload) {
+      return null;
+    }
+    let base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4 !== 0) {
+      base64 += "=";
+    }
+    const decoded = atob(base64);
+    const parsed = JSON.parse(decoded);
+    if (typeof parsed !== "object" || parsed === null) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function fromBearerToken(claim) {
+  return (request) => {
+    const authorization = request.headers.get("authorization");
+    if (!authorization) {
+      return void 0;
+    }
+    const parts = authorization.split(" ");
+    if (parts.length !== 2 || parts[0]?.toLowerCase() !== "bearer") {
+      return void 0;
+    }
+    const token = parts[1];
+    if (!token) {
+      return void 0;
+    }
+    const payload = decodeJwtPayload(token);
+    if (!payload) {
+      return void 0;
+    }
+    const value = payload[claim];
+    return typeof value === "string" && value.length > 0 ? value : void 0;
+  };
+}
+function fromCookie(cookieName) {
+  return (request) => {
+    const cookieHeader = request.headers.get("cookie");
+    if (!cookieHeader) {
+      return void 0;
+    }
+    const cookies = cookieHeader.split(";");
+    for (const cookie of cookies) {
+      const separatorIndex = cookie.indexOf("=");
+      if (separatorIndex === -1) {
+        continue;
+      }
+      const name = cookie.slice(0, separatorIndex).trim();
+      if (name === cookieName) {
+        const value = cookie.slice(separatorIndex + 1).trim();
+        return value.length > 0 ? value : void 0;
+      }
+    }
+    return void 0;
+  };
+}
+function fromHeader(headerName) {
+  return (request) => {
+    const value = request.headers.get(headerName);
+    if (!value || value.trim().length === 0) {
+      return void 0;
+    }
+    return value.trim();
+  };
+}
+async function safeExtract(extractor, request, onError) {
+  if (!extractor) {
+    return void 0;
+  }
+  try {
+    return await extractor(request);
+  } catch (error) {
+    if (onError) {
+      onError(error);
+    }
+    return void 0;
+  }
+}
+async function handleMiddleware(extractor, request, next, options = {}) {
+  const actorId = await safeExtract(extractor.actor, request, options.onError);
+  if (actorId === void 0) {
+    await next();
+    return;
+  }
+  const auditContext = { actorId };
+  await runWithAuditContext(auditContext, () => next());
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AUDIT_LOG_SCHEMA,
+  AuditQueryBuilder,
+  betterAudit,
+  createAuditApi,
+  createAuditConsoleEndpoints,
+  fromBearerToken,
+  fromCookie,
+  fromHeader,
+  getAuditContext,
+  handleMiddleware,
+  mergeAuditContext,
+  normalizeInput,
+  parseDuration,
+  runWithAuditContext
+});
+//# sourceMappingURL=index.cjs.map