@usebetterdev/audit-prisma 0.5.0-beta.1 → 0.6.0

package/dist/index.js

@@ -1,3 +1,366 @@
+// src/query.ts
+import { parseDuration } from "@usebetterdev/audit-core";
+
+// src/column-map.ts
+var VALID_OPERATIONS = /* @__PURE__ */ new Set(["INSERT", "UPDATE", "DELETE"]);
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["low", "medium", "high", "critical"]);
+function isAuditOperation(value) {
+  return VALID_OPERATIONS.has(value);
+}
+function isAuditSeverity(value) {
+  return VALID_SEVERITIES.has(value);
+}
+function rowToAuditLog(row) {
+  const { id, timestamp, table_name, operation, record_id } = row;
+  if (typeof id !== "string") {
+    throw new Error("rowToAuditLog: id must be a string");
+  }
+  if (!(timestamp instanceof Date)) {
+    throw new Error("rowToAuditLog: timestamp must be a Date");
+  }
+  if (typeof table_name !== "string") {
+    throw new Error("rowToAuditLog: table_name must be a string");
+  }
+  if (typeof operation !== "string") {
+    throw new Error("rowToAuditLog: operation must be a string");
+  }
+  if (typeof record_id !== "string") {
+    throw new Error("rowToAuditLog: record_id must be a string");
+  }
+  if (!isAuditOperation(operation)) {
+    throw new Error(
+      `Invalid audit operation: "${operation}". Expected one of: INSERT, UPDATE, DELETE`
+    );
+  }
+  const log = {
+    id,
+    timestamp,
+    tableName: table_name,
+    operation,
+    recordId: record_id
+  };
+  const {
+    actor_id,
+    before_data,
+    after_data,
+    diff,
+    label,
+    description,
+    severity,
+    compliance,
+    notify,
+    reason,
+    metadata,
+    redacted_fields
+  } = row;
+  if (actor_id !== null && actor_id !== void 0) {
+    log.actorId = String(actor_id);
+  }
+  if (before_data !== null && before_data !== void 0) {
+    log.beforeData = before_data;
+  }
+  if (after_data !== null && after_data !== void 0) {
+    log.afterData = after_data;
+  }
+  if (diff !== null && diff !== void 0) {
+    log.diff = diff;
+  }
+  if (label !== null && label !== void 0) {
+    log.label = String(label);
+  }
+  if (description !== null && description !== void 0) {
+    log.description = String(description);
+  }
+  if (severity !== null && severity !== void 0) {
+    const s = String(severity);
+    if (!isAuditSeverity(s)) {
+      throw new Error(
+        `Invalid audit severity: "${s}". Expected one of: low, medium, high, critical`
+      );
+    }
+    log.severity = s;
+  }
+  if (compliance !== null && compliance !== void 0) {
+    log.compliance = compliance;
+  }
+  if (notify !== null && notify !== void 0) {
+    log.notify = Boolean(notify);
+  }
+  if (reason !== null && reason !== void 0) {
+    log.reason = String(reason);
+  }
+  if (metadata !== null && metadata !== void 0) {
+    log.metadata = metadata;
+  }
+  if (redacted_fields !== null && redacted_fields !== void 0) {
+    log.redactedFields = redacted_fields;
+  }
+  return log;
+}
+
+// src/query.ts
+var DEFAULT_LIMIT = 50;
+var MAX_LIMIT = 250;
+var SELECT_COLUMNS = "id, timestamp, table_name, operation, record_id, actor_id, before_data, after_data, diff, label, description, severity, compliance, notify, reason, metadata, redacted_fields";
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function encodeCursor(timestamp, id) {
+  const payload = JSON.stringify({ t: timestamp.toISOString(), i: id });
+  return btoa(payload);
+}
+function decodeCursor(cursor) {
+  let parsed;
+  try {
+    parsed = JSON.parse(atob(cursor));
+  } catch {
+    throw new Error("Invalid cursor: failed to decode");
+  }
+  if (typeof parsed !== "object" || parsed === null || !("t" in parsed) || !("i" in parsed)) {
+    throw new Error("Invalid cursor: missing required fields");
+  }
+  const { t, i } = parsed;
+  if (typeof t !== "string" || typeof i !== "string") {
+    throw new Error("Invalid cursor: fields must be strings");
+  }
+  const timestamp = new Date(t);
+  if (isNaN(timestamp.getTime())) {
+    throw new Error("Invalid cursor: invalid timestamp");
+  }
+  if (!UUID_PATTERN.test(i)) {
+    throw new Error("Invalid cursor: id must be a valid UUID");
+  }
+  return { timestamp, id: i };
+}
+function escapeLikePattern(input) {
+  return input.replace(/[%_\\]/g, "\\$&");
+}
+function resolveTimeFilter(filter) {
+  if ("date" in filter && filter.date !== void 0) {
+    return filter.date;
+  }
+  if ("duration" in filter && filter.duration !== void 0) {
+    return parseDuration(filter.duration);
+  }
+  throw new Error("TimeFilter must have either date or duration");
+}
+function toCount(value) {
+  if (typeof value === "number") {
+    return value;
+  }
+  if (typeof value === "string") {
+    return Number(value);
+  }
+  if (typeof value === "bigint") {
+    return Number(value);
+  }
+  return 0;
+}
+function addParam(state, value) {
+  state.params.push(value);
+  return `$${state.params.length}`;
+}
+function buildWhereClause(filters, cursor, sortOrder) {
+  const state = { fragments: [], params: [] };
+  if (filters.resource !== void 0) {
+    const p = addParam(state, filters.resource.tableName);
+    state.fragments.push(`table_name = ${p}`);
+    if (filters.resource.recordId !== void 0) {
+      const r = addParam(state, filters.resource.recordId);
+      state.fragments.push(`record_id = ${r}`);
+    }
+  }
+  if (filters.actorIds !== void 0 && filters.actorIds.length > 0) {
+    if (filters.actorIds.length === 1) {
+      const first = filters.actorIds[0];
+      if (first !== void 0) {
+        const p = addParam(state, first);
+        state.fragments.push(`actor_id = ${p}`);
+      }
+    } else {
+      const p = addParam(state, filters.actorIds);
+      state.fragments.push(`actor_id = ANY(${p}::text[])`);
+    }
+  }
+  if (filters.severities !== void 0 && filters.severities.length > 0) {
+    if (filters.severities.length === 1) {
+      const first = filters.severities[0];
+      if (first !== void 0) {
+        const p = addParam(state, first);
+        state.fragments.push(`severity = ${p}`);
+      }
+    } else {
+      const p = addParam(state, filters.severities);
+      state.fragments.push(`severity = ANY(${p}::text[])`);
+    }
+  }
+  if (filters.operations !== void 0 && filters.operations.length > 0) {
+    if (filters.operations.length === 1) {
+      const first = filters.operations[0];
+      if (first !== void 0) {
+        const p = addParam(state, first);
+        state.fragments.push(`operation = ${p}`);
+      }
+    } else {
+      const p = addParam(state, filters.operations);
+      state.fragments.push(`operation = ANY(${p}::text[])`);
+    }
+  }
+  if (filters.since !== void 0) {
+    const date = resolveTimeFilter(filters.since);
+    const p = addParam(state, date.toISOString());
+    state.fragments.push(`timestamp >= ${p}::timestamptz`);
+  }
+  if (filters.until !== void 0) {
+    const date = resolveTimeFilter(filters.until);
+    const p = addParam(state, date.toISOString());
+    state.fragments.push(`timestamp <= ${p}::timestamptz`);
+  }
+  if (filters.searchText !== void 0 && filters.searchText.length > 0) {
+    const escaped = escapeLikePattern(filters.searchText);
+    const pattern = `%${escaped}%`;
+    const p = addParam(state, pattern);
+    state.fragments.push(`(label ILIKE ${p} OR description ILIKE ${p})`);
+  }
+  if (filters.compliance !== void 0 && filters.compliance.length > 0) {
+    const p = addParam(state, JSON.stringify(filters.compliance));
+    state.fragments.push(`compliance @> ${p}::jsonb`);
+  }
+  if (cursor !== void 0) {
+    const tRef = addParam(state, cursor.timestamp.toISOString());
+    const iRef = addParam(state, cursor.id);
+    if (sortOrder === "asc") {
+      state.fragments.push(
+        `(timestamp > ${tRef}::timestamptz OR (timestamp = ${tRef}::timestamptz AND id::text > ${iRef}))`
+      );
+    } else {
+      state.fragments.push(
+        `(timestamp < ${tRef}::timestamptz OR (timestamp = ${tRef}::timestamptz AND id::text < ${iRef}))`
+      );
+    }
+  }
+  return state;
+}
+async function queryLogs(spec, db) {
+  const sortOrder = spec.sortOrder ?? "desc";
+  const limit = Math.min(spec.limit ?? DEFAULT_LIMIT, MAX_LIMIT);
+  const fetchLimit = limit + 1;
+  const cursor = spec.cursor !== void 0 ? decodeCursor(spec.cursor) : void 0;
+  const where = buildWhereClause(spec.filters, cursor, sortOrder);
+  const queryParams = [...where.params, fetchLimit];
+  const limitRef = `$${queryParams.length}`;
+  const orderDir = sortOrder === "asc" ? "ASC" : "DESC";
+  const whereClause = where.fragments.length > 0 ? `WHERE ${where.fragments.join(" AND ")}` : "";
+  const sql = `SELECT ${SELECT_COLUMNS} FROM audit_logs ${whereClause} ORDER BY timestamp ${orderDir}, id ${orderDir} LIMIT ${limitRef}`;
+  const raw = await db.$queryRawUnsafe(sql, ...queryParams);
+  const hasNextPage = raw.length > limit;
+  const resultRows = hasNextPage ? raw.slice(0, -1) : raw;
+  const entries = resultRows.map(rowToAuditLog);
+  if (hasNextPage) {
+    const lastEntry = entries[entries.length - 1];
+    if (lastEntry !== void 0) {
+      return {
+        entries,
+        nextCursor: encodeCursor(lastEntry.timestamp, lastEntry.id)
+      };
+    }
+  }
+  return { entries };
+}
+async function getLogById(id, db) {
+  const sql = `SELECT ${SELECT_COLUMNS} FROM audit_logs WHERE id = $1::uuid LIMIT 1`;
+  const raw = await db.$queryRawUnsafe(sql, id);
+  const row = raw[0];
+  if (row === void 0) {
+    return null;
+  }
+  return rowToAuditLog(row);
+}
+async function purgeLogs(options, db) {
+  if (options.tableName !== void 0 && options.tableName.trim().length === 0) {
+    throw new Error(
+      "purgeLogs: tableName must be a non-empty string when provided"
+    );
+  }
+  let sql = "DELETE FROM audit_logs WHERE timestamp < $1::timestamptz";
+  const params = [options.before.toISOString()];
+  if (options.tableName !== void 0) {
+    params.push(options.tableName);
+    sql += ` AND table_name = $${params.length}`;
+  }
+  const deletedCount = await db.$executeRawUnsafe(sql, ...params);
+  return { deletedCount };
+}
+function buildSinceFragment(paramCount) {
+  const ref = `$${paramCount}::timestamptz`;
+  return {
+    where: ` WHERE timestamp >= ${ref}`,
+    and: ` AND timestamp >= ${ref}`
+  };
+}
+async function getStats(options, db) {
+  const params = [];
+  if (options.since !== void 0) {
+    params.push(options.since.toISOString());
+  }
+  const since = params.length > 0 ? buildSinceFragment(params.length) : { where: "", and: "" };
+  const summaryQuery = db.$queryRawUnsafe(
+    `SELECT COUNT(*) AS total_logs, COUNT(DISTINCT table_name) AS tables_audited FROM audit_logs${since.where}`,
+    ...params
+  );
+  const eventsPerDayQuery = db.$queryRawUnsafe(
+    `SELECT to_char(date_trunc('day', timestamp), 'YYYY-MM-DD') AS date, COUNT(*) AS count FROM audit_logs${since.where} GROUP BY date_trunc('day', timestamp) ORDER BY date_trunc('day', timestamp) LIMIT 365`,
+    ...params
+  );
+  const topActorsQuery = db.$queryRawUnsafe(
+    `SELECT actor_id, COUNT(*) AS count FROM audit_logs WHERE actor_id IS NOT NULL${since.and} GROUP BY actor_id ORDER BY COUNT(*) DESC LIMIT 10`,
+    ...params
+  );
+  const topTablesQuery = db.$queryRawUnsafe(
+    `SELECT table_name, COUNT(*) AS count FROM audit_logs${since.where} GROUP BY table_name ORDER BY COUNT(*) DESC LIMIT 10`,
+    ...params
+  );
+  const operationQuery = db.$queryRawUnsafe(
+    `SELECT operation, COUNT(*) AS count FROM audit_logs${since.where} GROUP BY operation`,
+    ...params
+  );
+  const severityQuery = db.$queryRawUnsafe(
+    `SELECT severity, COUNT(*) AS count FROM audit_logs WHERE severity IS NOT NULL${since.and} GROUP BY severity`,
+    ...params
+  );
+  const [summaryRows, eventsPerDayRows, topActorsRows, topTablesRows, operationRows, severityRows] = await Promise.all([summaryQuery, eventsPerDayQuery, topActorsQuery, topTablesQuery, operationQuery, severityQuery]);
+  const summary = summaryRows[0];
+  const totalLogs = summary !== void 0 ? toCount(summary.total_logs) : 0;
+  const tablesAudited = summary !== void 0 ? toCount(summary.tables_audited) : 0;
+  const eventsPerDay = eventsPerDayRows.map((row) => ({
+    date: String(row.date),
+    count: toCount(row.count)
+  }));
+  const topActors = topActorsRows.map((row) => ({
+    actorId: String(row.actor_id),
+    count: toCount(row.count)
+  }));
+  const topTables = topTablesRows.map((row) => ({
+    tableName: String(row.table_name),
+    count: toCount(row.count)
+  }));
+  const operationBreakdown = {};
+  for (const row of operationRows) {
+    operationBreakdown[String(row.operation)] = toCount(row.count);
+  }
+  const severityBreakdown = {};
+  for (const row of severityRows) {
+    severityBreakdown[String(row.severity)] = toCount(row.count);
+  }
+  return {
+    totalLogs,
+    tablesAudited,
+    eventsPerDay,
+    topActors,
+    topTables,
+    operationBreakdown,
+    severityBreakdown
+  };
+}
+
 // src/adapter.ts
 function prismaAuditAdapter(db) {
   return {
@@ -32,6 +395,18 @@ function prismaAuditAdapter(db) {
         jsonOrNull(log.metadata),
         jsonOrNull(log.redactedFields)
       );
+    },
+    async queryLogs(spec) {
+      return queryLogs(spec, db);
+    },
+    async getLogById(id) {
+      return getLogById(id, db);
+    },
+    async getStats(options) {
+      return getStats(options ?? {}, db);
+    },
+    async purgeLogs(options) {
+      return purgeLogs(options, db);
     }
   };
 }
@@ -98,11 +473,23 @@ function buildTableNameResolver(prisma, transform) {
   return (modelName) => modelName;
 }
 
+// src/tx-store.ts
+import { AsyncLocalStorage } from "async_hooks";
+var txStorage = new AsyncLocalStorage();
+function runWithTxClient(tx, fn) {
+  return txStorage.run(tx, fn);
+}
+function getTxClient() {
+  return txStorage.getStore();
+}
+
 // src/extension.ts
 function withAuditExtension(prisma, captureLog, options = {}) {
   const bulkMode = options.bulkMode ?? "per-row";
   const handleError = buildErrorHandler(options.onError);
   const metadata = options.metadata;
+  const skipBeforeCapture = options.skipBeforeCapture;
+  const maxBeforeStateRows = options.maxBeforeStateRows ?? 100;
   const resolveTableName = buildTableNameResolver(prisma, options.tableNameTransform);
   const extended = prisma.$extends({
     query: {
@@ -113,12 +500,14 @@ function withAuditExtension(prisma, captureLog, options = {}) {
           args,
           query
         }) {
-          const result = await query(args);
           const auditOp = getAuditOperation(operation);
           if (auditOp === void 0) {
-            return result;
+            return query(args);
           }
           const tableName = resolveTableName(model);
+          const shouldSkipBefore = skipBeforeCapture !== void 0 && skipBeforeCapture.includes(tableName);
+          const beforeState = shouldSkipBefore ? { type: "none" } : await fetchBeforeState({ prisma, model, operation, args, handleError, maxBeforeStateRows });
+          const result = await query(args);
           try {
             await fireCaptureLog({
               tableName,
@@ -126,9 +515,11 @@ function withAuditExtension(prisma, captureLog, options = {}) {
               auditOp,
               args,
               result,
+              beforeState,
               captureLog,
               bulkMode,
-              metadata
+              metadata,
+              actorId: getAuditContext()?.actorId
             });
           } catch (err) {
             handleError(err);
@@ -140,17 +531,62 @@ function withAuditExtension(prisma, captureLog, options = {}) {
   });
   return extended;
 }
+async function fetchBeforeState({
+  prisma,
+  model,
+  operation,
+  args,
+  handleError,
+  maxBeforeStateRows
+}) {
+  if (operation === "create" || operation === "createMany" || operation === "createManyAndReturn" || operation === "delete") {
+    return { type: "none" };
+  }
+  const delegate = getModelDelegate(getTxClient() ?? prisma, model);
+  if (delegate === void 0) {
+    return { type: "none" };
+  }
+  if (operation === "update" || operation === "upsert") {
+    const where = getArgsWhere(args);
+    if (where === void 0) {
+      return { type: "single", row: void 0 };
+    }
+    try {
+      const found = await delegate.findUnique({ where });
+      return { type: "single", row: toRecord(found) };
+    } catch (err) {
+      handleError(err);
+      return { type: "single", row: void 0 };
+    }
+  }
+  if (operation === "updateMany" || operation === "deleteMany") {
+    const where = getArgsWhere(args);
+    try {
+      const rows = await delegate.findMany({ where: where ?? {}, take: maxBeforeStateRows + 1 });
+      if (rows.length > maxBeforeStateRows) {
+        return { type: "none" };
+      }
+      const records = rows.map((r) => toRecord(r)).filter((r) => r !== void 0);
+      return { type: "many", rows: records };
+    } catch (err) {
+      handleError(err);
+      return { type: "many", rows: [] };
+    }
+  }
+  return { type: "none" };
+}
 async function fireCaptureLog({
   tableName,
   operation,
   auditOp,
   args,
   result,
+  beforeState,
   captureLog,
   bulkMode,
-  metadata
+  metadata,
+  actorId
 }) {
-  const actorId = getAuditContext()?.actorId;
   if (operation === "createMany") {
     await handleCreateMany({ tableName, auditOp, args, captureLog, bulkMode, metadata, actorId });
     return;
@@ -159,18 +595,30 @@ async function fireCaptureLog({
     await handleCreateManyAndReturn({ tableName, auditOp, result, captureLog, bulkMode, metadata, actorId });
     return;
   }
-  if (operation === "updateMany" || operation === "deleteMany") {
+  if (operation === "updateMany") {
+    await handleUpdateMany({ tableName, auditOp, beforeState, captureLog, bulkMode, metadata, actorId });
+    return;
+  }
+  if (operation === "deleteMany") {
+    await handleDeleteMany({ tableName, auditOp, beforeState, captureLog, bulkMode, metadata, actorId });
+    return;
+  }
+  const row = toRecord(result);
+  const recordId = (row !== void 0 ? extractId(row) : void 0) ?? "unknown";
+  if (operation === "upsert") {
+    const before = beforeState.type === "single" ? beforeState.row : void 0;
+    const effectiveOp = before !== void 0 ? "UPDATE" : "INSERT";
     await captureLog({
       tableName,
-      operation: auditOp,
-      recordId: "unknown",
+      operation: effectiveOp,
+      recordId,
+      ...before !== void 0 && { before },
+      ...row !== void 0 && { after: row },
       ...metadata !== void 0 && { metadata },
       ...actorId !== void 0 && { actorId }
     });
     return;
   }
-  const row = toRecord(result);
-  const recordId = (row !== void 0 ? extractId(row) : void 0) ?? "unknown";
   if (auditOp === "INSERT") {
     await captureLog({
       tableName,
@@ -183,10 +631,12 @@ async function fireCaptureLog({
     return;
   }
   if (auditOp === "UPDATE") {
+    const before = beforeState.type === "single" ? beforeState.row : void 0;
     await captureLog({
       tableName,
       operation: auditOp,
       recordId,
+      ...before !== void 0 && { before },
       ...row !== void 0 && { after: row },
       ...metadata !== void 0 && { metadata },
       ...actorId !== void 0 && { actorId }
@@ -292,6 +742,94 @@ async function handleCreateManyAndReturn({
     })
   );
 }
+async function handleUpdateMany({
+  tableName,
+  auditOp,
+  beforeState,
+  captureLog,
+  bulkMode,
+  metadata,
+  actorId
+}) {
+  if (bulkMode === "bulk") {
+    await captureLog({
+      tableName,
+      operation: auditOp,
+      recordId: "unknown",
+      ...metadata !== void 0 && { metadata },
+      ...actorId !== void 0 && { actorId }
+    });
+    return;
+  }
+  const rows = beforeState.type === "many" ? beforeState.rows : [];
+  if (rows.length === 0) {
+    await captureLog({
+      tableName,
+      operation: auditOp,
+      recordId: "unknown",
+      ...metadata !== void 0 && { metadata },
+      ...actorId !== void 0 && { actorId }
+    });
+    return;
+  }
+  await Promise.all(
+    rows.map((row) => {
+      const recordId = extractId(row) ?? "unknown";
+      return captureLog({
+        tableName,
+        operation: auditOp,
+        recordId,
+        before: row,
+        ...metadata !== void 0 && { metadata },
+        ...actorId !== void 0 && { actorId }
+      });
+    })
+  );
+}
+async function handleDeleteMany({
+  tableName,
+  auditOp,
+  beforeState,
+  captureLog,
+  bulkMode,
+  metadata,
+  actorId
+}) {
+  if (bulkMode === "bulk") {
+    await captureLog({
+      tableName,
+      operation: auditOp,
+      recordId: "unknown",
+      ...metadata !== void 0 && { metadata },
+      ...actorId !== void 0 && { actorId }
+    });
+    return;
+  }
+  const rows = beforeState.type === "many" ? beforeState.rows : [];
+  if (rows.length === 0) {
+    await captureLog({
+      tableName,
+      operation: auditOp,
+      recordId: "unknown",
+      ...metadata !== void 0 && { metadata },
+      ...actorId !== void 0 && { actorId }
+    });
+    return;
+  }
+  await Promise.all(
+    rows.map((row) => {
+      const recordId = extractId(row) ?? "unknown";
+      return captureLog({
+        tableName,
+        operation: auditOp,
+        recordId,
+        before: row,
+        ...metadata !== void 0 && { metadata },
+        ...actorId !== void 0 && { actorId }
+      });
+    })
+  );
+}
 function buildErrorHandler(onError) {
   return (error) => {
     try {
@@ -305,6 +843,20 @@ function buildErrorHandler(onError) {
     }
   };
 }
+function isModelDelegate(value) {
+  if (value === null || value === void 0 || typeof value !== "object") {
+    return false;
+  }
+  return "findUnique" in value && "findMany" in value && typeof Reflect.get(value, "findUnique") === "function" && typeof Reflect.get(value, "findMany") === "function";
+}
+function getModelDelegate(client, model) {
+  const lowerModel = model.charAt(0).toLowerCase() + model.slice(1);
+  const value = Reflect.get(Object(client), lowerModel);
+  if (isModelDelegate(value)) {
+    return value;
+  }
+  return void 0;
+}
 function extractId(record) {
   const id = record["id"];
   if (id !== void 0 && id !== null) {
@@ -320,16 +872,23 @@ function toRecord(value) {
 }
 function getArgsData(args) {
   if (args !== null && typeof args === "object" && "data" in args) {
-    const data = args["data"];
+    const data = Reflect.get(args, "data");
     if (Array.isArray(data)) {
       return data;
     }
   }
   return [];
 }
+function getArgsWhere(args) {
+  if (args !== null && typeof args === "object" && "where" in args) {
+    return Reflect.get(args, "where");
+  }
+  return void 0;
+}
 export {
   prismaAuditAdapter,
   prismaModelMap,
+  runWithTxClient,
   withAuditExtension
 };
 //# sourceMappingURL=index.js.map