@valentinkolb/cloud 0.4.0 → 0.5.0

package/src/services/accounts/users.ts

@@ -5,6 +5,7 @@ import { renderTemplate } from "../settings/templates";
 import { session } from "../session";
 import { freeipa } from "../../server/services";
 import { providers } from "../providers";
+import { getServiceIpaSession } from "../ipa/service-account";
 import { transitionIpaUserToLocal } from "./switching";
 import {
   canPersistStoredAdmin,
@@ -25,6 +26,7 @@ import {
   recursiveGroupNamesSubquery,
 } from "./group-sql";
 import { getFreeIpaConfig } from "../freeipa-config";
+import { createAuthLoginUrl } from "../../shared/redirect";
 import type {
   BaseUser,
   MutationResult,
@@ -82,7 +84,7 @@ const sendMagicLinkEmail = async (email: string): Promise<void> => {
   const token = await providers.local.auth.createMagicLinkToken({ email, ttlSeconds: 300 });
   const rawAppUrl = await settings.get<string>("app.url");
   const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
-  const magicLink = `${appUrl}/auth/login?token=${token}`;
+  const magicLink = createAuthLoginUrl(appUrl, { token });
   const appName = await settings.get<string>("app.name");
   const template = await settings.get<string>("mail.magic_link_login");
 
@@ -113,17 +115,21 @@ const buildUser = (row: DbRow, groupsAdmin: string[]): User => {
   const memberofGroupIds = (row.member_group_ids as string[]) ?? [];
   const manages = (row.manages as string[]) ?? [];
   const managesGroupIds = (row.manages_group_ids as string[]) ?? [];
+  const effectiveAdmin =
+    row.effective_admin !== undefined
+      ? Boolean(row.effective_admin)
+      : resolveEffectiveAdminState({
+          provider,
+          storedAdmin: Boolean(row.admin),
+          memberofGroup,
+          groupsAdmin,
+        });
   const roles = buildRoles({
     provider,
     profile,
     memberofGroup,
     manages,
-    admin: resolveEffectiveAdminState({
-      provider,
-      storedAdmin: Boolean(row.admin),
-      memberofGroup,
-      groupsAdmin,
-    }),
+    admin: effectiveAdmin,
   });
   const common = {
     id: row.id as string,
@@ -160,9 +166,19 @@ const buildUser = (row: DbRow, groupsAdmin: string[]): User => {
 export const get = async (params: { id: string } | { uid: string }): Promise<User | null> => {
   const whereClause = "id" in params ? sql`u.id = ${params.id}` : sql`u.uid = ${params.uid}`;
   const userIdExpr = "id" in params ? sql`${params.id}` : sql`u.id`;
+  const { groupsAdmin } = await getFreeIpaConfig();
   const rows = await sql<DbRow[]>`
     SELECT u.*,
       ${userIpaDataColumns},
+      CASE
+        WHEN u.provider = 'local' THEN u.admin
+        ELSE EXISTS(
+          SELECT 1
+          FROM auth.ipa_user_effective_groups eg
+          WHERE eg.user_id = u.id
+            AND eg.group_name = ANY(${toPgTextArray(groupsAdmin)}::text[])
+        )
+      END AS effective_admin,
       COALESCE(ARRAY(
         SELECT g.name
         FROM auth.user_groups_v2 ug
@@ -188,7 +204,6 @@ export const get = async (params: { id: string } | { uid: string }): Promise<Use
     WHERE ${whereClause}
   `;
   if (rows.length === 0) return null;
-  const { groupsAdmin } = await getFreeIpaConfig();
   return buildUser(rows[0]!, groupsAdmin);
 };
 
@@ -203,13 +218,22 @@ export const getMinimal = async (params: { id: string } | { uid: string }): Prom
   return buildUserMutationTarget(rows[0]!);
 };
 
-/**
- * Minimal user lookup by UID. Returns id + roles WITHOUT group-derived roles.
- * IPA admin status from group membership is NOT resolved here.
- * Use the full `get()` for authorization decisions that depend on group-derived admin.
- */
 export const getByUid = async (params: { uid: string }): Promise<{ id: string; roles: Role[] } | null> => {
-  const rows = await sql<DbRow[]>`SELECT id, provider, profile, admin FROM auth.users WHERE uid = ${params.uid}`;
+  const { groupsAdmin } = await getFreeIpaConfig();
+  const rows = await sql<DbRow[]>`
+    SELECT u.id, u.provider, u.profile, u.admin,
+      CASE
+        WHEN u.provider = 'local' THEN u.admin
+        ELSE EXISTS(
+          SELECT 1
+          FROM auth.ipa_user_effective_groups eg
+          WHERE eg.user_id = u.id
+            AND eg.group_name = ANY(${toPgTextArray(groupsAdmin)}::text[])
+        )
+      END AS effective_admin
+    FROM auth.users u
+    WHERE u.uid = ${params.uid}
+  `;
   if (rows.length === 0) return null;
   const { provider, profile } = resolveProviderProfile(rows[0]!);
   const roles = buildRoles({
@@ -217,10 +241,7 @@ export const getByUid = async (params: { uid: string }): Promise<{ id: string; r
     profile,
     memberofGroup: [],
     manages: [],
-    admin: resolveEffectiveAdminState({
-      provider,
-      storedAdmin: Boolean(rows[0]!.admin),
-    }),
+    admin: Boolean(rows[0]!.effective_admin),
   });
   return { id: rows[0]!.id as string, roles };
 };
@@ -281,11 +302,9 @@ export const list = async (params: {
         WHEN u.provider = 'local' THEN u.admin
         ELSE EXISTS(
           SELECT 1
-            FROM auth.user_groups_v2 ug
-            JOIN auth.groups g_admin ON g_admin.id = ug.group_id
-            WHERE ug.user_id = u.id
-            AND g_admin.provider = 'ipa'
-            AND g_admin.name = ANY(${toPgTextArray(groupsAdmin)}::text[])
+          FROM auth.ipa_user_effective_groups eg
+          WHERE eg.user_id = u.id
+            AND eg.group_name = ANY(${toPgTextArray(groupsAdmin)}::text[])
         )
       END AS effective_admin
     FROM auth.users u
@@ -384,7 +403,6 @@ export const getManagedGroupIds = async (params: { id: string; recursive?: boole
 };
 
 export const demoteToGuest = async (params: {
-  ipaSession?: string | null;
   id: string;
   actor: { userId: string; uid: string };
 }): Promise<MutationResult<void>> => {
@@ -393,19 +411,17 @@ export const demoteToGuest = async (params: {
   if (user.provider !== "ipa") {
     return { ok: false, error: "Only IPA-backed accounts can be demoted to local guests", status: 400 };
   }
-  if (!params.ipaSession) {
-    return { ok: false, error: "IPA session required to demote IPA-backed users", status: 401 };
-  }
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
 
   return providers.ipa.users.demoteToGuest({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     actor: params.actor,
   });
 };
 
 export const create = async (params: {
-  ipaSession?: string | null;
   data: CreateUserData;
 }): Promise<MutationResult<{ user: User; temporaryPassword?: string }>> => {
   if (params.data.provider === "local" && params.data.admin && !canPersistStoredAdmin("local", params.data.profile)) {
@@ -436,12 +452,11 @@ export const create = async (params: {
     return { ok: true, data: { user } };
   }
 
-  if (!params.ipaSession) {
-    return { ok: false, error: "IPA session required to create IPA-backed users", status: 401 };
-  }
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
 
   const created = await providers.ipa.users.create({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     profile: params.data.profile,
     accountExpires,
     data: {
@@ -466,7 +481,6 @@ export const create = async (params: {
 };
 
 export const update = async (params: {
-  ipaSession?: string | null;
   id: string;
   data: UpdateUserData;
 }): Promise<MutationResult<void>> => {
@@ -474,9 +488,10 @@ export const update = async (params: {
   if (!user) return { ok: false, error: "User not found", status: 404 };
 
   if (user.provider === "ipa") {
-    if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA-backed users", status: 401 };
+    const serviceSession = await getServiceIpaSession();
+    if (!serviceSession.ok) return serviceSession;
     return providers.ipa.users.update({
-      ipaSession: params.ipaSession,
+      ipaSession: serviceSession.data,
       id: params.id,
       data: params.data,
     });
@@ -528,17 +543,27 @@ export const setAdmin = async (params: {
 };
 
 export const setExpiry = async (params: {
-  ipaSession?: string | null;
+  actor?: { userId: string; uid: string; roles: string[] };
   id: string;
   expiryDate: string | null;
 }): Promise<MutationResult<void>> => {
   const user = await getMinimal({ id: params.id });
   if (!user) return { ok: false, error: "User not found", status: 404 };
 
+  const selfTarget = params.actor?.userId === params.id;
+  if (selfTarget && !params.actor?.roles.includes("admin")) {
+    return { ok: false, error: "Only admins can change their own account expiry.", status: 403 };
+  }
+
+  // Explicit account-expiry management is allowed to target the acting admin
+  // as well. Automatic self-extension remains handled separately by the
+  // account-lifecycle service and must not turn non-expiring accounts back into
+  // expiring ones implicitly.
   if (user.provider === "ipa") {
-    if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA-backed expiry", status: 401 };
+    const serviceSession = await getServiceIpaSession();
+    if (!serviceSession.ok) return serviceSession;
     return providers.ipa.users.setExpiry({
-      ipaSession: params.ipaSession,
+      ipaSession: serviceSession.data,
       id: params.id,
       expiryDate: params.expiryDate,
     });
@@ -590,14 +615,13 @@ export const createLoginToken = async (params: {
     ok: true,
     data: {
       token,
-      magicLink: `${appUrl}/auth/login?token=${token}`,
+      magicLink: createAuthLoginUrl(appUrl, { token }),
       expiresInSeconds,
     },
   };
 };
 
 export const resetPassword = async (params: {
-  ipaSession?: string | null;
   id: string;
 }): Promise<MutationResult<{ password: string }>> => {
   const user = await getMinimal({ id: params.id });
@@ -605,16 +629,16 @@ export const resetPassword = async (params: {
   if (user.provider !== "ipa") {
     return { ok: false, error: "Password resets are only available for IPA-backed accounts", status: 400 };
   }
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to reset IPA-backed passwords", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
 
   return providers.ipa.users.resetPassword({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
   });
 };
 
 export const switchProvider = async (params: {
-  ipaSession?: string | null;
   id: string;
   provider: UserProvider;
 }): Promise<MutationResult<void>> => {
@@ -634,9 +658,8 @@ export const switchProvider = async (params: {
     return { ok: false, error: "FreeIPA is disabled.", status: 400 };
   }
 
-  if (!params.ipaSession) {
-    return { ok: false, error: "IPA session required to switch account providers", status: 401 };
-  }
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
 
   if (params.provider === "ipa") {
     if (!user.mail) {
@@ -644,7 +667,7 @@ export const switchProvider = async (params: {
     }
 
     const result = await providers.ipa.users.create({
-      ipaSession: params.ipaSession,
+      ipaSession: serviceSession.data,
       profile: currentProfile,
       accountExpires: currentExpiry,
       data: {
@@ -661,7 +684,7 @@ export const switchProvider = async (params: {
 
   const response = await freeipa.client.call({
     url: freeIpaConfig.url,
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     method: "user_del",
     args: [user.uid],
     options: {},
@@ -691,7 +714,6 @@ export const switchProvider = async (params: {
 };
 
 export const remove = async (params: {
-  ipaSession?: string | null;
   id: string;
   actor: { userId: string; uid: string };
 }): Promise<MutationResult<void>> => {
@@ -699,9 +721,10 @@ export const remove = async (params: {
   if (!user) return { ok: false, error: "User not found", status: 404 };
 
   if (user.provider === "ipa") {
-    if (!params.ipaSession) return { ok: false, error: "IPA session required to delete IPA-backed users", status: 401 };
+    const serviceSession = await getServiceIpaSession();
+    if (!serviceSession.ok) return serviceSession;
     return providers.ipa.users.remove({
-      ipaSession: params.ipaSession,
+      ipaSession: serviceSession.data,
       id: params.id,
       actor: params.actor,
     });

package/src/services/announcements/index.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "bun:test";
+import type { AnnouncementEntry } from "../../contracts/announcements";
+import { selectVisibleForState } from "./index";
+
+const entry = (version: number, kind: AnnouncementEntry["kind"]): AnnouncementEntry => ({
+  id: crypto.randomUUID(),
+  version,
+  kind,
+  title: `${kind} ${version}`,
+  body: `**Body ${version}**`,
+  tone: "info",
+  publishedAt: new Date("2026-06-09T12:00:00.000Z").toISOString(),
+  expiresAt: null,
+  createdAt: new Date("2026-06-09T12:00:00.000Z").toISOString(),
+  updatedAt: new Date("2026-06-09T12:00:00.000Z").toISOString(),
+  createdBy: null,
+  updatedBy: null,
+});
+
+describe("selectVisibleForState", () => {
+  test("returns unseen announcements and undismissed banners", () => {
+    const result = selectVisibleForState([entry(4, "announcement"), entry(3, "announcement"), entry(2, "banner"), entry(1, "banner")], {
+      seenAnnouncementVersion: 3,
+      dismissedBannerVersions: [1],
+    });
+
+    expect(result.announcements.map((item) => item.version)).toEqual([4]);
+    expect(result.banners.map((item) => item.version)).toEqual([2]);
+    expect(result.latestAnnouncementVersion).toBe(4);
+    expect(result.announcements[0]?.bodyHtml).toContain("<strong>Body 4</strong>");
+  });
+});

package/src/services/announcements/index.ts

@@ -0,0 +1,224 @@
+import { err, fail, ok, type Result } from "@valentinkolb/stdlib";
+import { sql } from "bun";
+import type {
+  AnnouncementCookieState,
+  AnnouncementDisplayEntry,
+  AnnouncementEntry,
+  CreateAnnouncement,
+  UpdateAnnouncement,
+} from "../../contracts/announcements";
+import { markdown } from "../../shared/markdown";
+import { logger } from "../logging";
+
+const log = logger("announcements");
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+
+type AnnouncementRow = {
+  id: string;
+  version: number;
+  kind: "announcement" | "banner";
+  title: string;
+  body: string;
+  tone: "info" | "success" | "warning" | "danger";
+  published_at: Date;
+  expires_at: Date | null;
+  created_at: Date;
+  updated_at: Date;
+  created_by: string | null;
+  updated_by: string | null;
+};
+
+type ListAdminConfig = {
+  filter?: {
+    kind?: "announcement" | "banner";
+    query?: string;
+  };
+};
+
+const mapRow = (row: AnnouncementRow): AnnouncementEntry => ({
+  id: row.id,
+  version: row.version,
+  kind: row.kind,
+  title: row.title,
+  body: row.body,
+  tone: row.tone,
+  publishedAt: row.published_at.toISOString(),
+  expiresAt: row.expires_at?.toISOString() ?? null,
+  createdAt: row.created_at.toISOString(),
+  updatedAt: row.updated_at.toISOString(),
+  createdBy: row.created_by,
+  updatedBy: row.updated_by,
+});
+
+export const renderAnnouncement = (entry: AnnouncementEntry): AnnouncementDisplayEntry => {
+  const { body, ...rest } = entry;
+  return { ...rest, bodyHtml: markdown.renderSync(body) };
+};
+
+const validateDates = (input: Pick<CreateAnnouncement | UpdateAnnouncement, "publishedAt" | "expiresAt">) => {
+  const publishedAt = input.publishedAt ? new Date(input.publishedAt) : null;
+  const expiresAt = input.expiresAt ? new Date(input.expiresAt) : null;
+  if (publishedAt && Number.isNaN(publishedAt.getTime())) return fail(err.badInput("Invalid publish date."));
+  if (expiresAt && Number.isNaN(expiresAt.getTime())) return fail(err.badInput("Invalid expiry date."));
+  if (publishedAt && expiresAt && expiresAt.getTime() <= publishedAt.getTime()) {
+    return fail(err.badInput("Expiry date must be after publish date."));
+  }
+  return ok({ publishedAt, expiresAt });
+};
+
+const listAdmin = async (config: ListAdminConfig = {}): Promise<AnnouncementEntry[]> => {
+  const kind = config.filter?.kind;
+  const query = config.filter?.query?.trim();
+  const search = query ? `%${query.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_")}%` : null;
+
+  const rows = await sql<AnnouncementRow[]>`
+    SELECT id, version, kind, title, body, tone, published_at, expires_at,
+      created_at, updated_at, created_by, updated_by
+    FROM announcements.entries
+    WHERE (${kind ?? null}::text IS NULL OR kind = ${kind ?? null})
+      AND (
+        ${search}::text IS NULL
+        OR title ILIKE ${search} ESCAPE '\\'
+        OR body ILIKE ${search} ESCAPE '\\'
+      )
+    ORDER BY published_at DESC, version DESC
+  `;
+  return rows.map(mapRow);
+};
+
+const get = async (params: { id: string }): Promise<AnnouncementEntry | null> => {
+  if (!UUID_PATTERN.test(params.id)) return null;
+  const [row] = await sql<AnnouncementRow[]>`
+    SELECT id, version, kind, title, body, tone, published_at, expires_at,
+      created_at, updated_at, created_by, updated_by
+    FROM announcements.entries
+    WHERE id = ${params.id}::uuid
+  `;
+  return row ? mapRow(row) : null;
+};
+
+const create = async (params: { data: CreateAnnouncement; actorId: string }): Promise<Result<AnnouncementEntry>> => {
+  const dateResult = validateDates(params.data);
+  if (!dateResult.ok) return dateResult;
+
+  try {
+    const [row] = await sql<AnnouncementRow[]>`
+      INSERT INTO announcements.entries (
+        kind, title, body, tone, published_at, expires_at, created_by, updated_by
+      )
+      VALUES (
+        ${params.data.kind},
+        ${params.data.title},
+        ${params.data.body},
+        ${params.data.tone},
+        COALESCE(${params.data.publishedAt ?? null}::timestamptz, now()),
+        ${params.data.expiresAt ?? null}::timestamptz,
+        ${params.actorId}::uuid,
+        ${params.actorId}::uuid
+      )
+      RETURNING id, version, kind, title, body, tone, published_at, expires_at,
+        created_at, updated_at, created_by, updated_by
+    `;
+    return row ? ok(mapRow(row)) : fail(err.internal("Failed to create announcement."));
+  } catch (error) {
+    log.error("Failed to create announcement", { error: error instanceof Error ? error.message : String(error) });
+    return fail(err.internal("Failed to create announcement."));
+  }
+};
+
+const update = async (params: { id: string; data: UpdateAnnouncement; actorId: string }): Promise<Result<AnnouncementEntry>> => {
+  if (!UUID_PATTERN.test(params.id)) return fail(err.notFound("Announcement"));
+
+  try {
+    const existing = await get({ id: params.id });
+    if (!existing) return fail(err.notFound("Announcement"));
+    const dateResult = validateDates({
+      publishedAt: params.data.publishedAt ?? existing.publishedAt,
+      expiresAt: "expiresAt" in params.data ? params.data.expiresAt : existing.expiresAt,
+    });
+    if (!dateResult.ok) return dateResult;
+
+    const [row] = await sql<AnnouncementRow[]>`
+      UPDATE announcements.entries
+      SET
+        kind = COALESCE(${params.data.kind ?? null}, kind),
+        title = COALESCE(${params.data.title ?? null}, title),
+        body = COALESCE(${params.data.body ?? null}, body),
+        tone = COALESCE(${params.data.tone ?? null}, tone),
+        published_at = COALESCE(${params.data.publishedAt ?? null}::timestamptz, published_at),
+        expires_at = CASE
+          WHEN ${"expiresAt" in params.data} THEN ${params.data.expiresAt ?? null}::timestamptz
+          ELSE expires_at
+        END,
+        updated_at = now(),
+        updated_by = ${params.actorId}::uuid
+      WHERE id = ${params.id}::uuid
+      RETURNING id, version, kind, title, body, tone, published_at, expires_at,
+        created_at, updated_at, created_by, updated_by
+    `;
+    return row ? ok(mapRow(row)) : fail(err.notFound("Announcement"));
+  } catch (error) {
+    log.error("Failed to update announcement", { id: params.id, error: error instanceof Error ? error.message : String(error) });
+    return fail(err.internal("Failed to update announcement."));
+  }
+};
+
+const remove = async (params: { id: string }): Promise<Result<void>> => {
+  if (!UUID_PATTERN.test(params.id)) return fail(err.notFound("Announcement"));
+  const result = await sql`DELETE FROM announcements.entries WHERE id = ${params.id}::uuid`;
+  return result.count > 0 ? ok() : fail(err.notFound("Announcement"));
+};
+
+const listActive = async (params: { now?: Date } = {}): Promise<AnnouncementEntry[]> => {
+  const now = params.now ?? new Date();
+  const rows = await sql<AnnouncementRow[]>`
+    SELECT id, version, kind, title, body, tone, published_at, expires_at,
+      created_at, updated_at, created_by, updated_by
+    FROM announcements.entries
+    WHERE published_at <= ${now}
+      AND (expires_at IS NULL OR expires_at > ${now})
+    ORDER BY version DESC
+  `;
+  return rows.map(mapRow);
+};
+
+export const selectVisibleForState = (
+  entries: AnnouncementEntry[],
+  state: AnnouncementCookieState,
+): { banners: AnnouncementDisplayEntry[]; announcements: AnnouncementDisplayEntry[]; latestAnnouncementVersion: number } => {
+  const dismissedBanners = new Set(state.dismissedBannerVersions);
+  const activeAnnouncements = entries.filter((entry) => entry.kind === "announcement");
+  const latestAnnouncementVersion = activeAnnouncements.reduce((max, entry) => Math.max(max, entry.version), state.seenAnnouncementVersion);
+  return {
+    banners: entries
+      .filter((entry) => entry.kind === "banner" && !dismissedBanners.has(entry.version))
+      .sort((a, b) => b.version - a.version)
+      .map(renderAnnouncement),
+    announcements: activeAnnouncements
+      .filter((entry) => entry.version > state.seenAnnouncementVersion)
+      .sort((a, b) => b.version - a.version)
+      .map(renderAnnouncement),
+    latestAnnouncementVersion,
+  };
+};
+
+const activeForState = async (params: { state: AnnouncementCookieState; now?: Date }) =>
+  selectVisibleForState(await listActive({ now: params.now }), params.state);
+
+export const announcements = {
+  admin: {
+    list: listAdmin,
+    get,
+    create,
+    update,
+    remove,
+  },
+  active: {
+    list: listActive,
+    forState: activeForState,
+    selectForState: selectVisibleForState,
+  },
+  render: renderAnnouncement,
+};
+
+export type AnnouncementsService = typeof announcements;

package/src/services/audit/index.test.ts

@@ -0,0 +1,84 @@
+import { sql } from "bun";
+import { describe, expect, test } from "bun:test";
+import { audit, sanitizeAuditMetadata, sanitizeAuditText } from "./index";
+
+describe("sanitizeAuditMetadata", () => {
+  test("redacts sensitive nested metadata keys", () => {
+    expect(
+      sanitizeAuditMetadata({
+        changedFields: ["mail"],
+        password: "secret",
+        nested: {
+          apiToken: "token",
+          ipaSession: "cookie",
+          safe: "value",
+        },
+      }),
+    ).toEqual({
+      changedFields: ["mail"],
+      password: "[REDACTED]",
+      nested: {
+        apiToken: "[REDACTED]",
+        ipaSession: "[REDACTED]",
+        safe: "value",
+      },
+    });
+  });
+
+  test("truncates large values and arrays", () => {
+    const sanitized = sanitizeAuditMetadata({
+      text: "x".repeat(510),
+      values: Array.from({ length: 52 }, (_, index) => index),
+    }) as Record<string, unknown>;
+
+    expect(sanitized.text).toBe(`${"x".repeat(500)}...`);
+    expect(sanitized.values).toEqual([...Array.from({ length: 50 }, (_, index) => index), "[2 more]"]);
+  });
+
+  test("redacts sensitive reason and error text", () => {
+    expect(sanitizeAuditText("IPA session required to update IPA-backed users")).toBe("[REDACTED]");
+    expect(sanitizeAuditText("Current password is incorrect.")).toBe("[REDACTED]");
+    expect(sanitizeAuditText("Access denied")).toBe("Access denied");
+  });
+
+  test("lists only safe actor-owned self-service activity", async () => {
+    const userId = crypto.randomUUID();
+    const otherUserId = crypto.randomUUID();
+    const requestId = `self-service-activity-${crypto.randomUUID()}`;
+
+    try {
+      await audit.record({
+        action: "service_account_credential.create",
+        outcome: "allowed",
+        actor: { userId, uid: "current-user", provider: "local" },
+        target: { type: "service_account_credential", id: crypto.randomUUID(), label: "Test key" },
+        requestId,
+      });
+      await audit.record({
+        action: "service_account_credential.create",
+        outcome: "allowed",
+        actor: { userId: otherUserId, uid: "other-user", provider: "local" },
+        target: { type: "service_account_credential", id: crypto.randomUUID(), label: "Other key" },
+        requestId,
+      });
+      await audit.record({
+        action: "accounts.user.set_expiry",
+        outcome: "allowed",
+        actor: { userId: otherUserId, uid: "admin", provider: "local" },
+        target: { type: "user", id: userId, label: "current-user" },
+        requestId,
+      });
+
+      const page = await audit.listSelfServiceActivity({ userId, days: 30, pagination: { page: 1, perPage: 20 } });
+
+      expect(page.total).toBe(1);
+      expect(page.items[0]).toMatchObject({
+        action: "service_account_credential.create",
+        label: "API key created",
+        context: "Test key",
+      });
+    } finally {
+      await sql`DELETE FROM audit.events WHERE request_id = ${requestId}`;
+    }
+  });
+});