@vorionsys/platform-core 0.1.0

package/dist/security/pam/session-recording.d.ts

@@ -0,0 +1,1007 @@
+/**
+ * Session Recording System for Privileged Access Audit Trails
+ *
+ * Provides comprehensive recording of privileged access sessions with:
+ * - Tamper-evident hash chain for integrity
+ * - Privacy controls (masking, PII hashing)
+ * - Buffered storage with Redis and database persistence
+ * - Compliance-ready export capabilities
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+import { VorionError, NotFoundError, ForbiddenError } from '../../common/errors.js';
+import { type RedactionConfig } from '../../common/redaction.js';
+import type { FastifyInstance, FastifyRequest } from 'fastify';
+declare const DEFAULT_RETENTION_DAYS = 90;
+declare const DEFAULT_FLUSH_INTERVAL_MS = 5000;
+declare const DEFAULT_MAX_BUFFER_SIZE = 100;
+/**
+ * Session event types that can be recorded
+ */
+export declare const SessionEventType: {
+    readonly API_CALL: "api_call";
+    readonly DATA_ACCESS: "data_access";
+    readonly PERMISSION_USAGE: "permission_usage";
+    readonly CONFIG_CHANGE: "config_change";
+    readonly AUTH_EVENT: "auth_event";
+    readonly ERROR: "error";
+    readonly CUSTOM: "custom";
+};
+export type SessionEventType = (typeof SessionEventType)[keyof typeof SessionEventType];
+export declare const sessionEventTypeSchema: z.ZodNativeEnum<{
+    readonly API_CALL: "api_call";
+    readonly DATA_ACCESS: "data_access";
+    readonly PERMISSION_USAGE: "permission_usage";
+    readonly CONFIG_CHANGE: "config_change";
+    readonly AUTH_EVENT: "auth_event";
+    readonly ERROR: "error";
+    readonly CUSTOM: "custom";
+}>;
+/**
+ * API call event details
+ */
+export interface ApiCallEvent {
+    type: 'api_call';
+    method: string;
+    path: string;
+    statusCode: number;
+    durationMs: number;
+    requestId?: string;
+    query?: Record<string, unknown>;
+    requestBody?: unknown;
+    responseBody?: unknown;
+    headers?: Record<string, string>;
+}
+/**
+ * Data access event details
+ */
+export interface DataAccessEvent {
+    type: 'data_access';
+    operation: 'read' | 'write' | 'delete' | 'list';
+    resourceType: string;
+    resourceId?: string;
+    resourceIds?: string[];
+    query?: Record<string, unknown>;
+    recordCount?: number;
+    dataClassification?: string;
+}
+/**
+ * Permission usage event details
+ */
+export interface PermissionUsageEvent {
+    type: 'permission_usage';
+    permission: string;
+    action: string;
+    resource?: string;
+    granted: boolean;
+    reason?: string;
+    elevatedFrom?: string;
+}
+/**
+ * Configuration change event details
+ */
+export interface ConfigChangeEvent {
+    type: 'config_change';
+    configType: string;
+    configId?: string;
+    changes: {
+        field: string;
+        oldValue?: unknown;
+        newValue?: unknown;
+    }[];
+    reason?: string;
+}
+/**
+ * Authentication event details
+ */
+export interface AuthEventDetails {
+    type: 'auth_event';
+    action: 'login' | 'logout' | 'token_refresh' | 'mfa_verify' | 'session_extend' | 'impersonate';
+    success: boolean;
+    method?: string;
+    targetUserId?: string;
+    reason?: string;
+}
+/**
+ * Error event details
+ */
+export interface ErrorEvent {
+    type: 'error';
+    errorCode: string;
+    errorMessage: string;
+    stack?: string;
+    context?: Record<string, unknown>;
+    severity: 'warning' | 'error' | 'critical';
+}
+/**
+ * Custom event details
+ */
+export interface CustomEvent {
+    type: 'custom';
+    eventName: string;
+    data: Record<string, unknown>;
+}
+/**
+ * Union type for all event details
+ */
+export type SessionEventDetails = ApiCallEvent | DataAccessEvent | PermissionUsageEvent | ConfigChangeEvent | AuthEventDetails | ErrorEvent | CustomEvent;
+/**
+ * Session event structure
+ */
+export interface SessionEvent {
+    id: string;
+    recordingId: string;
+    timestamp: string;
+    sequenceNumber: number;
+    eventType: SessionEventType;
+    details: SessionEventDetails;
+    previousHash: string | null;
+    eventHash: string;
+}
+export declare const sessionEventSchema: z.ZodObject<{
+    id: z.ZodString;
+    recordingId: z.ZodString;
+    timestamp: z.ZodString;
+    sequenceNumber: z.ZodNumber;
+    eventType: z.ZodNativeEnum<{
+        readonly API_CALL: "api_call";
+        readonly DATA_ACCESS: "data_access";
+        readonly PERMISSION_USAGE: "permission_usage";
+        readonly CONFIG_CHANGE: "config_change";
+        readonly AUTH_EVENT: "auth_event";
+        readonly ERROR: "error";
+        readonly CUSTOM: "custom";
+    }>;
+    details: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    previousHash: z.ZodNullable<z.ZodString>;
+    eventHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    details?: Record<string, unknown>;
+    id?: string;
+    eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+    previousHash?: string;
+    sequenceNumber?: number;
+    timestamp?: string;
+    recordingId?: string;
+    eventHash?: string;
+}, {
+    details?: Record<string, unknown>;
+    id?: string;
+    eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+    previousHash?: string;
+    sequenceNumber?: number;
+    timestamp?: string;
+    recordingId?: string;
+    eventHash?: string;
+}>;
+/**
+ * Recording metadata
+ */
+export interface RecordingMetadata {
+    /** Reason for elevated access */
+    reason: string;
+    /** Associated ticket/request ID */
+    ticketId?: string;
+    /** List of approvers who authorized access */
+    approvers?: string[];
+    /** Business justification */
+    justification?: string;
+    /** Target resources being accessed */
+    targetResources?: string[];
+    /** Expected duration in minutes */
+    expectedDurationMinutes?: number;
+    /** Risk level assessment */
+    riskLevel?: 'low' | 'medium' | 'high' | 'critical';
+    /** Additional custom metadata */
+    custom?: Record<string, unknown>;
+}
+export declare const recordingMetadataSchema: z.ZodObject<{
+    reason: z.ZodString;
+    ticketId: z.ZodOptional<z.ZodString>;
+    approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    justification: z.ZodOptional<z.ZodString>;
+    targetResources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    expectedDurationMinutes: z.ZodOptional<z.ZodNumber>;
+    riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    custom?: Record<string, unknown>;
+    justification?: string;
+    riskLevel?: "critical" | "low" | "medium" | "high";
+    approvers?: string[];
+    ticketId?: string;
+    targetResources?: string[];
+    expectedDurationMinutes?: number;
+}, {
+    reason?: string;
+    custom?: Record<string, unknown>;
+    justification?: string;
+    riskLevel?: "critical" | "low" | "medium" | "high";
+    approvers?: string[];
+    ticketId?: string;
+    targetResources?: string[];
+    expectedDurationMinutes?: number;
+}>;
+/**
+ * Recording summary statistics
+ */
+export interface RecordingSummary {
+    totalEvents: number;
+    eventsByType: Record<SessionEventType, number>;
+    dataAccessed: {
+        resourceTypes: string[];
+        totalRecords: number;
+        operations: Record<string, number>;
+    };
+    permissionsUsed: {
+        permissions: string[];
+        denied: number;
+        granted: number;
+    };
+    errors: {
+        count: number;
+        bySeverity: Record<string, number>;
+    };
+    apiCalls: {
+        count: number;
+        avgDurationMs: number;
+        statusCodes: Record<string, number>;
+    };
+    durationSeconds: number;
+    integrityValid: boolean;
+}
+export declare const recordingSummarySchema: z.ZodObject<{
+    totalEvents: z.ZodNumber;
+    eventsByType: z.ZodRecord<z.ZodString, z.ZodNumber>;
+    dataAccessed: z.ZodObject<{
+        resourceTypes: z.ZodArray<z.ZodString, "many">;
+        totalRecords: z.ZodNumber;
+        operations: z.ZodRecord<z.ZodString, z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        totalRecords?: number;
+        resourceTypes?: string[];
+        operations?: Record<string, number>;
+    }, {
+        totalRecords?: number;
+        resourceTypes?: string[];
+        operations?: Record<string, number>;
+    }>;
+    permissionsUsed: z.ZodObject<{
+        permissions: z.ZodArray<z.ZodString, "many">;
+        denied: z.ZodNumber;
+        granted: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        denied?: number;
+        permissions?: string[];
+        granted?: number;
+    }, {
+        denied?: number;
+        permissions?: string[];
+        granted?: number;
+    }>;
+    errors: z.ZodObject<{
+        count: z.ZodNumber;
+        bySeverity: z.ZodRecord<z.ZodString, z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        count?: number;
+        bySeverity?: Record<string, number>;
+    }, {
+        count?: number;
+        bySeverity?: Record<string, number>;
+    }>;
+    apiCalls: z.ZodObject<{
+        count: z.ZodNumber;
+        avgDurationMs: z.ZodNumber;
+        statusCodes: z.ZodRecord<z.ZodString, z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        count?: number;
+        avgDurationMs?: number;
+        statusCodes?: Record<string, number>;
+    }, {
+        count?: number;
+        avgDurationMs?: number;
+        statusCodes?: Record<string, number>;
+    }>;
+    durationSeconds: z.ZodNumber;
+    integrityValid: z.ZodBoolean;
+}, "strip", z.ZodTypeAny, {
+    errors?: {
+        count?: number;
+        bySeverity?: Record<string, number>;
+    };
+    totalEvents?: number;
+    eventsByType?: Record<string, number>;
+    dataAccessed?: {
+        totalRecords?: number;
+        resourceTypes?: string[];
+        operations?: Record<string, number>;
+    };
+    permissionsUsed?: {
+        denied?: number;
+        permissions?: string[];
+        granted?: number;
+    };
+    apiCalls?: {
+        count?: number;
+        avgDurationMs?: number;
+        statusCodes?: Record<string, number>;
+    };
+    durationSeconds?: number;
+    integrityValid?: boolean;
+}, {
+    errors?: {
+        count?: number;
+        bySeverity?: Record<string, number>;
+    };
+    totalEvents?: number;
+    eventsByType?: Record<string, number>;
+    dataAccessed?: {
+        totalRecords?: number;
+        resourceTypes?: string[];
+        operations?: Record<string, number>;
+    };
+    permissionsUsed?: {
+        denied?: number;
+        permissions?: string[];
+        granted?: number;
+    };
+    apiCalls?: {
+        count?: number;
+        avgDurationMs?: number;
+        statusCodes?: Record<string, number>;
+    };
+    durationSeconds?: number;
+    integrityValid?: boolean;
+}>;
+/**
+ * Recording status
+ */
+export declare const RecordingStatus: {
+    readonly ACTIVE: "active";
+    readonly COMPLETED: "completed";
+    readonly FAILED: "failed";
+    readonly ARCHIVED: "archived";
+};
+export type RecordingStatus = (typeof RecordingStatus)[keyof typeof RecordingStatus];
+export declare const recordingStatusSchema: z.ZodNativeEnum<{
+    readonly ACTIVE: "active";
+    readonly COMPLETED: "completed";
+    readonly FAILED: "failed";
+    readonly ARCHIVED: "archived";
+}>;
+/**
+ * Complete recording structure
+ */
+export interface Recording {
+    id: string;
+    sessionId: string;
+    userId: string;
+    tenantId?: string;
+    status: RecordingStatus;
+    startedAt: string;
+    endedAt?: string;
+    events: SessionEvent[];
+    metadata: RecordingMetadata;
+    summary?: RecordingSummary;
+    retentionUntil: string;
+    recordingHash: string;
+    createdBy: string;
+    deletionApprovedBy?: string;
+    deletionApprovedAt?: string;
+}
+export declare const recordingSchema: z.ZodObject<{
+    id: z.ZodString;
+    sessionId: z.ZodString;
+    userId: z.ZodString;
+    tenantId: z.ZodOptional<z.ZodString>;
+    status: z.ZodNativeEnum<{
+        readonly ACTIVE: "active";
+        readonly COMPLETED: "completed";
+        readonly FAILED: "failed";
+        readonly ARCHIVED: "archived";
+    }>;
+    startedAt: z.ZodString;
+    endedAt: z.ZodOptional<z.ZodString>;
+    events: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        recordingId: z.ZodString;
+        timestamp: z.ZodString;
+        sequenceNumber: z.ZodNumber;
+        eventType: z.ZodNativeEnum<{
+            readonly API_CALL: "api_call";
+            readonly DATA_ACCESS: "data_access";
+            readonly PERMISSION_USAGE: "permission_usage";
+            readonly CONFIG_CHANGE: "config_change";
+            readonly AUTH_EVENT: "auth_event";
+            readonly ERROR: "error";
+            readonly CUSTOM: "custom";
+        }>;
+        details: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+        previousHash: z.ZodNullable<z.ZodString>;
+        eventHash: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        details?: Record<string, unknown>;
+        id?: string;
+        eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+        previousHash?: string;
+        sequenceNumber?: number;
+        timestamp?: string;
+        recordingId?: string;
+        eventHash?: string;
+    }, {
+        details?: Record<string, unknown>;
+        id?: string;
+        eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+        previousHash?: string;
+        sequenceNumber?: number;
+        timestamp?: string;
+        recordingId?: string;
+        eventHash?: string;
+    }>, "many">;
+    metadata: z.ZodObject<{
+        reason: z.ZodString;
+        ticketId: z.ZodOptional<z.ZodString>;
+        approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        justification: z.ZodOptional<z.ZodString>;
+        targetResources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        expectedDurationMinutes: z.ZodOptional<z.ZodNumber>;
+        riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        custom?: Record<string, unknown>;
+        justification?: string;
+        riskLevel?: "critical" | "low" | "medium" | "high";
+        approvers?: string[];
+        ticketId?: string;
+        targetResources?: string[];
+        expectedDurationMinutes?: number;
+    }, {
+        reason?: string;
+        custom?: Record<string, unknown>;
+        justification?: string;
+        riskLevel?: "critical" | "low" | "medium" | "high";
+        approvers?: string[];
+        ticketId?: string;
+        targetResources?: string[];
+        expectedDurationMinutes?: number;
+    }>;
+    summary: z.ZodOptional<z.ZodObject<{
+        totalEvents: z.ZodNumber;
+        eventsByType: z.ZodRecord<z.ZodString, z.ZodNumber>;
+        dataAccessed: z.ZodObject<{
+            resourceTypes: z.ZodArray<z.ZodString, "many">;
+            totalRecords: z.ZodNumber;
+            operations: z.ZodRecord<z.ZodString, z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        }, {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        }>;
+        permissionsUsed: z.ZodObject<{
+            permissions: z.ZodArray<z.ZodString, "many">;
+            denied: z.ZodNumber;
+            granted: z.ZodNumber;
+        }, "strip", z.ZodTypeAny, {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        }, {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        }>;
+        errors: z.ZodObject<{
+            count: z.ZodNumber;
+            bySeverity: z.ZodRecord<z.ZodString, z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        }, {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        }>;
+        apiCalls: z.ZodObject<{
+            count: z.ZodNumber;
+            avgDurationMs: z.ZodNumber;
+            statusCodes: z.ZodRecord<z.ZodString, z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        }, {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        }>;
+        durationSeconds: z.ZodNumber;
+        integrityValid: z.ZodBoolean;
+    }, "strip", z.ZodTypeAny, {
+        errors?: {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        };
+        totalEvents?: number;
+        eventsByType?: Record<string, number>;
+        dataAccessed?: {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        };
+        permissionsUsed?: {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        };
+        apiCalls?: {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        };
+        durationSeconds?: number;
+        integrityValid?: boolean;
+    }, {
+        errors?: {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        };
+        totalEvents?: number;
+        eventsByType?: Record<string, number>;
+        dataAccessed?: {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        };
+        permissionsUsed?: {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        };
+        apiCalls?: {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        };
+        durationSeconds?: number;
+        integrityValid?: boolean;
+    }>>;
+    retentionUntil: z.ZodString;
+    recordingHash: z.ZodString;
+    createdBy: z.ZodString;
+    deletionApprovedBy: z.ZodOptional<z.ZodString>;
+    deletionApprovedAt: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    id?: string;
+    status?: "completed" | "failed" | "archived" | "active";
+    metadata?: {
+        reason?: string;
+        custom?: Record<string, unknown>;
+        justification?: string;
+        riskLevel?: "critical" | "low" | "medium" | "high";
+        approvers?: string[];
+        ticketId?: string;
+        targetResources?: string[];
+        expectedDurationMinutes?: number;
+    };
+    tenantId?: string;
+    userId?: string;
+    sessionId?: string;
+    events?: {
+        details?: Record<string, unknown>;
+        id?: string;
+        eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+        previousHash?: string;
+        sequenceNumber?: number;
+        timestamp?: string;
+        recordingId?: string;
+        eventHash?: string;
+    }[];
+    createdBy?: string;
+    summary?: {
+        errors?: {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        };
+        totalEvents?: number;
+        eventsByType?: Record<string, number>;
+        dataAccessed?: {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        };
+        permissionsUsed?: {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        };
+        apiCalls?: {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        };
+        durationSeconds?: number;
+        integrityValid?: boolean;
+    };
+    startedAt?: string;
+    endedAt?: string;
+    retentionUntil?: string;
+    recordingHash?: string;
+    deletionApprovedBy?: string;
+    deletionApprovedAt?: string;
+}, {
+    id?: string;
+    status?: "completed" | "failed" | "archived" | "active";
+    metadata?: {
+        reason?: string;
+        custom?: Record<string, unknown>;
+        justification?: string;
+        riskLevel?: "critical" | "low" | "medium" | "high";
+        approvers?: string[];
+        ticketId?: string;
+        targetResources?: string[];
+        expectedDurationMinutes?: number;
+    };
+    tenantId?: string;
+    userId?: string;
+    sessionId?: string;
+    events?: {
+        details?: Record<string, unknown>;
+        id?: string;
+        eventType?: "error" | "custom" | "data_access" | "config_change" | "api_call" | "permission_usage" | "auth_event";
+        previousHash?: string;
+        sequenceNumber?: number;
+        timestamp?: string;
+        recordingId?: string;
+        eventHash?: string;
+    }[];
+    createdBy?: string;
+    summary?: {
+        errors?: {
+            count?: number;
+            bySeverity?: Record<string, number>;
+        };
+        totalEvents?: number;
+        eventsByType?: Record<string, number>;
+        dataAccessed?: {
+            totalRecords?: number;
+            resourceTypes?: string[];
+            operations?: Record<string, number>;
+        };
+        permissionsUsed?: {
+            denied?: number;
+            permissions?: string[];
+            granted?: number;
+        };
+        apiCalls?: {
+            count?: number;
+            avgDurationMs?: number;
+            statusCodes?: Record<string, number>;
+        };
+        durationSeconds?: number;
+        integrityValid?: boolean;
+    };
+    startedAt?: string;
+    endedAt?: string;
+    retentionUntil?: string;
+    recordingHash?: string;
+    deletionApprovedBy?: string;
+    deletionApprovedAt?: string;
+}>;
+/**
+ * Recording filter for search
+ */
+export interface RecordingFilter {
+    userId?: string;
+    sessionId?: string;
+    tenantId?: string;
+    status?: RecordingStatus;
+    startedAfter?: string;
+    startedBefore?: string;
+    ticketId?: string;
+    riskLevel?: string;
+    hasErrors?: boolean;
+    permissionUsed?: string;
+    resourceAccessed?: string;
+    limit?: number;
+    offset?: number;
+}
+export declare const recordingFilterSchema: z.ZodObject<{
+    userId: z.ZodOptional<z.ZodString>;
+    sessionId: z.ZodOptional<z.ZodString>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    status: z.ZodOptional<z.ZodNativeEnum<{
+        readonly ACTIVE: "active";
+        readonly COMPLETED: "completed";
+        readonly FAILED: "failed";
+        readonly ARCHIVED: "archived";
+    }>>;
+    startedAfter: z.ZodOptional<z.ZodString>;
+    startedBefore: z.ZodOptional<z.ZodString>;
+    ticketId: z.ZodOptional<z.ZodString>;
+    riskLevel: z.ZodOptional<z.ZodString>;
+    hasErrors: z.ZodOptional<z.ZodBoolean>;
+    permissionUsed: z.ZodOptional<z.ZodString>;
+    resourceAccessed: z.ZodOptional<z.ZodString>;
+    limit: z.ZodOptional<z.ZodNumber>;
+    offset: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    limit?: number;
+    status?: "completed" | "failed" | "archived" | "active";
+    tenantId?: string;
+    userId?: string;
+    sessionId?: string;
+    offset?: number;
+    riskLevel?: string;
+    ticketId?: string;
+    startedAfter?: string;
+    startedBefore?: string;
+    hasErrors?: boolean;
+    permissionUsed?: string;
+    resourceAccessed?: string;
+}, {
+    limit?: number;
+    status?: "completed" | "failed" | "archived" | "active";
+    tenantId?: string;
+    userId?: string;
+    sessionId?: string;
+    offset?: number;
+    riskLevel?: string;
+    ticketId?: string;
+    startedAfter?: string;
+    startedBefore?: string;
+    hasErrors?: boolean;
+    permissionUsed?: string;
+    resourceAccessed?: string;
+}>;
+/**
+ * Session recording error
+ */
+export declare class SessionRecordingError extends VorionError {
+    code: string;
+    statusCode: number;
+    constructor(message: string, details?: Record<string, unknown>);
+}
+/**
+ * Recording not found error
+ */
+export declare class RecordingNotFoundError extends NotFoundError {
+    code: string;
+    constructor(recordingId: string);
+}
+/**
+ * Recording deletion denied error
+ */
+export declare class RecordingDeletionDeniedError extends ForbiddenError {
+    code: string;
+    constructor(recordingId: string, reason: string);
+}
+/**
+ * Privacy configuration for recordings
+ */
+export interface PrivacyConfig {
+    /** Fields to always mask */
+    maskFields: string[];
+    /** Fields to exclude entirely */
+    excludeFields: string[];
+    /** Fields containing PII to hash */
+    piiFields: string[];
+    /** Custom redaction config */
+    redactionConfig?: RedactionConfig;
+    /** Whether to mask request bodies */
+    maskRequestBodies: boolean;
+    /** Whether to mask response bodies */
+    maskResponseBodies: boolean;
+    /** Maximum body size to record (bytes) */
+    maxBodySize: number;
+}
+declare const DEFAULT_PRIVACY_CONFIG: PrivacyConfig;
+/**
+ * Storage interface for recordings
+ */
+export interface RecordingStorage {
+    /** Save a recording */
+    save(recording: Recording): Promise<void>;
+    /** Get a recording by ID */
+    get(recordingId: string): Promise<Recording | null>;
+    /** Update a recording */
+    update(recording: Recording): Promise<void>;
+    /** Search recordings */
+    search(filter: RecordingFilter): Promise<{
+        recordings: Recording[];
+        total: number;
+    }>;
+    /** Delete a recording (requires approval) */
+    delete(recordingId: string, approvedBy: string): Promise<void>;
+    /** Flush buffered events to storage */
+    flushEvents(recordingId: string, events: SessionEvent[]): Promise<void>;
+    /** Get events for a recording */
+    getEvents(recordingId: string): Promise<SessionEvent[]>;
+}
+/**
+ * In-memory storage implementation (for development/testing)
+ */
+export declare class InMemoryRecordingStorage implements RecordingStorage {
+    private recordings;
+    private events;
+    save(recording: Recording): Promise<void>;
+    get(recordingId: string): Promise<Recording | null>;
+    update(recording: Recording): Promise<void>;
+    search(filter: RecordingFilter): Promise<{
+        recordings: Recording[];
+        total: number;
+    }>;
+    delete(recordingId: string, approvedBy: string): Promise<void>;
+    flushEvents(recordingId: string, events: SessionEvent[]): Promise<void>;
+    getEvents(recordingId: string): Promise<SessionEvent[]>;
+}
+/**
+ * Session recorder configuration
+ */
+export interface SessionRecorderConfig {
+    /** Storage backend */
+    storage: RecordingStorage;
+    /** Privacy configuration */
+    privacy?: Partial<PrivacyConfig>;
+    /** Default retention period in days */
+    retentionDays?: number;
+    /** Event buffer flush interval in ms */
+    flushIntervalMs?: number;
+    /** Maximum events to buffer before force flush */
+    maxBufferSize?: number;
+    /** Tenant ID for multi-tenant setups */
+    tenantId?: string;
+}
+/**
+ * Session Recorder Class
+ *
+ * Records privileged access sessions with tamper-evident logging,
+ * privacy controls, and compliance-ready exports.
+ *
+ * @example
+ * ```typescript
+ * const recorder = new SessionRecorder({
+ *   storage: new InMemoryRecordingStorage(),
+ *   retentionDays: 90,
+ * });
+ *
+ * // Start recording
+ * const recording = await recorder.startRecording('session-123', 'user-456', {
+ *   reason: 'Production database maintenance',
+ *   ticketId: 'JIRA-789',
+ *   approvers: ['admin-1', 'admin-2'],
+ * });
+ *
+ * // Record events
+ * await recorder.recordEvent(recording.id, {
+ *   type: 'api_call',
+ *   method: 'GET',
+ *   path: '/api/users',
+ *   statusCode: 200,
+ *   durationMs: 45,
+ * });
+ *
+ * // Stop recording
+ * const summary = await recorder.stopRecording(recording.id);
+ * ```
+ */
+export declare class SessionRecorder {
+    private storage;
+    private privacyConfig;
+    private retentionDays;
+    private flushIntervalMs;
+    private maxBufferSize;
+    private tenantId?;
+    private activeRecordings;
+    private flushTimer;
+    constructor(config: SessionRecorderConfig);
+    /**
+     * Start recording a session
+     */
+    startRecording(sessionId: string, userId: string, metadata: RecordingMetadata): Promise<Recording>;
+    /**
+     * Record an event in a session
+     */
+    recordEvent(recordingId: string, eventDetails: SessionEventDetails): Promise<void>;
+    /**
+     * Stop recording and finalize
+     */
+    stopRecording(recordingId: string): Promise<RecordingSummary>;
+    /**
+     * Get a recording by ID
+     */
+    getRecording(recordingId: string): Promise<Recording>;
+    /**
+     * Search recordings
+     */
+    searchRecordings(filter: RecordingFilter): Promise<Recording[]>;
+    /**
+     * Export recording for audit
+     */
+    exportRecording(recordingId: string, format: 'json' | 'csv'): Promise<string>;
+    /**
+     * Verify recording integrity
+     */
+    verifyIntegrity(recordingId: string): Promise<{
+        valid: boolean;
+        brokenAt?: number;
+        error?: string;
+    }>;
+    /**
+     * Request deletion of a recording (requires admin approval)
+     */
+    requestDeletion(recordingId: string, requestedBy: string, reason: string): Promise<void>;
+    /**
+     * Approve and execute deletion (admin only)
+     */
+    approveDeletion(recordingId: string, approvedBy: string): Promise<void>;
+    /**
+     * Check if a session has an active recording
+     */
+    isRecording(sessionId: string): boolean;
+    /**
+     * Get active recording for a session
+     */
+    getActiveRecordingForSession(sessionId: string): Recording | null;
+    /**
+     * Destroy the recorder and cleanup resources
+     */
+    destroy(): void;
+    private startFlushTimer;
+    private flushAllBuffers;
+    private flushBuffer;
+    private computeEventHash;
+    private computeRecordingHash;
+    private computeSummary;
+}
+/**
+ * Options for the session recording Fastify plugin
+ */
+export interface SessionRecordingPluginOptions {
+    /** Session recorder instance */
+    recorder: SessionRecorder;
+    /** Function to determine if request should be recorded */
+    shouldRecord?: (request: FastifyRequest) => boolean;
+    /** Function to get session ID from request */
+    getSessionId?: (request: FastifyRequest) => string | null;
+    /** Function to get user ID from request */
+    getUserId?: (request: FastifyRequest) => string | null;
+    /** Paths to exclude from recording */
+    excludePaths?: string[];
+    /** Whether to record request bodies */
+    recordRequestBodies?: boolean;
+    /** Whether to record response bodies */
+    recordResponseBodies?: boolean;
+}
+/**
+ * Create a Fastify plugin for auto-recording requests during elevated sessions
+ */
+export declare function createSessionRecordingPlugin(options: SessionRecordingPluginOptions): (fastify: FastifyInstance) => Promise<void>;
+/**
+ * PAM session hooks for auto-starting/stopping recordings
+ */
+export interface PAMSessionHooks {
+    /** Called when a PAM session starts */
+    onSessionStart: (sessionId: string, userId: string, metadata: RecordingMetadata) => Promise<Recording>;
+    /** Called when a PAM session ends */
+    onSessionEnd: (sessionId: string) => Promise<RecordingSummary | null>;
+    /** Record a permission usage event */
+    recordPermissionUsage: (sessionId: string, permission: string, action: string, granted: boolean, details?: Partial<PermissionUsageEvent>) => Promise<void>;
+    /** Record a data access event */
+    recordDataAccess: (sessionId: string, operation: 'read' | 'write' | 'delete' | 'list', resourceType: string, details?: Partial<DataAccessEvent>) => Promise<void>;
+}
+/**
+ * Create PAM session hooks
+ */
+export declare function createPAMSessionHooks(recorder: SessionRecorder): PAMSessionHooks;
+/**
+ * Create a session recorder with default configuration
+ */
+export declare function createSessionRecorder(options?: Partial<SessionRecorderConfig>): SessionRecorder;
+export { DEFAULT_PRIVACY_CONFIG, DEFAULT_RETENTION_DAYS, DEFAULT_FLUSH_INTERVAL_MS, DEFAULT_MAX_BUFFER_SIZE, };
+//# sourceMappingURL=session-recording.d.ts.map