@webwaka/core 1.3.0

package/src/core/rbac/index.test.ts

@@ -0,0 +1,81 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { requireRole, requirePermissions, Role, UserSession } from './index';
+import { Context } from 'hono';
+
+describe('CORE-6: Universal RBAC & Permissions Engine', () => {
+  
+  const createMockContext = (session?: UserSession): Context => {
+    return {
+      get: vi.fn().mockReturnValue(session),
+      json: vi.fn().mockReturnValue('json-response')
+    } as unknown as Context;
+  };
+
+  let mockNext = vi.fn();
+
+  beforeEach(() => {
+    mockNext = vi.fn();
+  });
+
+  describe('requireRole middleware', () => {
+    it('should allow access if user has required role', async () => {
+      const c = createMockContext({ userId: '1', tenantId: 't1', role: Role.TENANT_ADMIN, permissions: [] });
+      const middleware = requireRole([Role.TENANT_ADMIN, Role.SUPER_ADMIN]);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).toHaveBeenCalled();
+      expect(c.json).not.toHaveBeenCalled();
+    });
+
+    it('should deny access if user lacks required role', async () => {
+      const c = createMockContext({ userId: '1', tenantId: 't1', role: Role.CUSTOMER, permissions: [] });
+      const middleware = requireRole([Role.TENANT_ADMIN]);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(c.json).toHaveBeenCalledWith({ error: 'Forbidden: Requires one of TENANT_ADMIN' }, 403);
+    });
+
+    it('should deny access if no session exists', async () => {
+      const c = createMockContext(undefined);
+      const middleware = requireRole([Role.TENANT_ADMIN]);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(c.json).toHaveBeenCalledWith({ error: 'Unauthorized: No session found' }, 401);
+    });
+  });
+
+  describe('requirePermissions middleware', () => {
+    it('should allow access if user has all required permissions', async () => {
+      const c = createMockContext({ userId: '1', tenantId: 't1', role: Role.STAFF, permissions: ['read:users', 'write:users'] });
+      const middleware = requirePermissions(['read:users']);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).toHaveBeenCalled();
+    });
+
+    it('should deny access if user is missing a required permission', async () => {
+      const c = createMockContext({ userId: '1', tenantId: 't1', role: Role.STAFF, permissions: ['read:users'] });
+      const middleware = requirePermissions(['read:users', 'write:users']);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(c.json).toHaveBeenCalledWith({ error: 'Forbidden: Missing required permissions' }, 403);
+    });
+
+    it('should always allow SUPER_ADMIN regardless of explicit permissions', async () => {
+      const c = createMockContext({ userId: '1', tenantId: 'platform', role: Role.SUPER_ADMIN, permissions: [] });
+      const middleware = requirePermissions(['some:obscure:permission']);
+      
+      await middleware(c, mockNext);
+      
+      expect(mockNext).toHaveBeenCalled();
+    });
+  });
+});

package/src/core/rbac/index.ts

@@ -0,0 +1,85 @@
+/**
+ * CORE-6: Universal RBAC & Permissions Engine
+ * Blueprint Reference: Part 2 Layer 4 (Tenant Resolution & Auth)
+ * 
+ * Implements granular role definitions and Hono middleware for route protection.
+ */
+
+import { Context, Next } from 'hono';
+
+export enum Role {
+  SUPER_ADMIN = 'SUPER_ADMIN',
+  TENANT_ADMIN = 'TENANT_ADMIN',
+  STAFF = 'STAFF',
+  CUSTOMER = 'CUSTOMER'
+}
+
+export interface UserSession {
+  userId: string;
+  tenantId: string;
+  role: Role;
+  permissions: string[];
+}
+
+/**
+ * Middleware to enforce role-based access control on routes.
+ * @param allowedRoles Array of roles permitted to access the route.
+ */
+export const requireRole = (allowedRoles: Role[]) => {
+  return async (c: Context, next: Next) => {
+    const session = c.get('session') as UserSession | undefined;
+
+    if (!session) {
+      return c.json({ error: 'Unauthorized: No session found' }, 401);
+    }
+
+    if (!allowedRoles.includes(session.role)) {
+      return c.json({ error: `Forbidden: Requires one of ${allowedRoles.join(', ')}` }, 403);
+    }
+
+    await next();
+  };
+};
+
+/**
+ * Middleware to enforce specific permissions.
+ * @param requiredPermissions Array of permissions required to access the route.
+ */
+export const requirePermissions = (requiredPermissions: string[]) => {
+  return async (c: Context, next: Next) => {
+    const session = c.get('session') as UserSession | undefined;
+
+    if (!session) {
+      return c.json({ error: 'Unauthorized: No session found' }, 401);
+    }
+
+    // Super Admin bypasses permission checks
+    if (session.role === Role.SUPER_ADMIN) {
+      await next();
+      return;
+    }
+
+    const hasAllPermissions = requiredPermissions.every(p => session.permissions.includes(p));
+
+    if (!hasAllPermissions) {
+      return c.json({ error: `Forbidden: Missing required permissions` }, 403);
+    }
+
+    await next();
+  };
+};
+
+/**
+ * Utility to verify JWT and extract session (Mock implementation for now)
+ * In production, this would verify the JWT signature against Cloudflare Access or custom auth.
+ */
+export const verifyJwt = async (token: string): Promise<UserSession | null> => {
+  // Mock implementation
+  if (token === 'mock-super-admin-token') {
+    return { userId: 'sa-1', tenantId: 'platform', role: Role.SUPER_ADMIN, permissions: ['*'] };
+  }
+  if (token === 'mock-tenant-admin-token') {
+    return { userId: 'ta-1', tenantId: 'tenant-1', role: Role.TENANT_ADMIN, permissions: ['manage_users', 'view_reports'] };
+  }
+  return null;
+};

package/src/events.test.ts

@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest';
+import { CommerceEvents } from './events';
+import type { CommerceEventType } from './events';
+
+describe('CommerceEvents', () => {
+  it('exports all expected event constants', () => {
+    expect(CommerceEvents.INVENTORY_UPDATED).toBe('inventory.updated');
+    expect(CommerceEvents.ORDER_CREATED).toBe('order.created');
+    expect(CommerceEvents.ORDER_READY_DELIVERY).toBe('order.ready_for_delivery');
+    expect(CommerceEvents.PAYMENT_COMPLETED).toBe('payment.completed');
+    expect(CommerceEvents.PAYMENT_REFUNDED).toBe('payment.refunded');
+    expect(CommerceEvents.SHIFT_CLOSED).toBe('shift.closed');
+    expect(CommerceEvents.CART_ABANDONED).toBe('cart.abandoned');
+    expect(CommerceEvents.SUBSCRIPTION_CHARGE).toBe('subscription.charge_due');
+    expect(CommerceEvents.DELIVERY_QUOTE).toBe('delivery.quote');
+    expect(CommerceEvents.DELIVERY_STATUS).toBe('delivery.status_changed');
+    expect(CommerceEvents.VENDOR_KYC_SUBMITTED).toBe('vendor.kyc_submitted');
+    expect(CommerceEvents.VENDOR_KYC_APPROVED).toBe('vendor.kyc_approved');
+    expect(CommerceEvents.VENDOR_KYC_REJECTED).toBe('vendor.kyc_rejected');
+    expect(CommerceEvents.STOCK_ADJUSTED).toBe('stock.adjusted');
+    expect(CommerceEvents.DISPUTE_OPENED).toBe('dispute.opened');
+    expect(CommerceEvents.DISPUTE_RESOLVED).toBe('dispute.resolved');
+    expect(CommerceEvents.PURCHASE_ORDER_RECEIVED).toBe('purchase_order.received');
+    expect(CommerceEvents.FLASH_SALE_STARTED).toBe('flash_sale.started');
+    expect(CommerceEvents.FLASH_SALE_ENDED).toBe('flash_sale.ended');
+  });
+
+  it('has 19 event types', () => {
+    expect(Object.keys(CommerceEvents)).toHaveLength(19);
+  });
+
+  it('all event values are dot-separated strings', () => {
+    for (const value of Object.values(CommerceEvents)) {
+      expect(value).toMatch(/^[a-z_]+\.[a-z_]+$/);
+    }
+  });
+
+  it('CommerceEventType is assignable from event values', () => {
+    // Type-level test — if this compiles, the type is correct
+    const event: CommerceEventType = CommerceEvents.ORDER_CREATED;
+    expect(event).toBe('order.created');
+  });
+});

package/src/events.ts

@@ -0,0 +1,23 @@
+export const CommerceEvents = {
+  INVENTORY_UPDATED: 'inventory.updated',
+  ORDER_CREATED: 'order.created',
+  ORDER_READY_DELIVERY: 'order.ready_for_delivery',
+  PAYMENT_COMPLETED: 'payment.completed',
+  PAYMENT_REFUNDED: 'payment.refunded',
+  SHIFT_CLOSED: 'shift.closed',
+  CART_ABANDONED: 'cart.abandoned',
+  SUBSCRIPTION_CHARGE: 'subscription.charge_due',
+  DELIVERY_QUOTE: 'delivery.quote',
+  DELIVERY_STATUS: 'delivery.status_changed',
+  VENDOR_KYC_SUBMITTED: 'vendor.kyc_submitted',
+  VENDOR_KYC_APPROVED: 'vendor.kyc_approved',
+  VENDOR_KYC_REJECTED: 'vendor.kyc_rejected',
+  STOCK_ADJUSTED: 'stock.adjusted',
+  DISPUTE_OPENED: 'dispute.opened',
+  DISPUTE_RESOLVED: 'dispute.resolved',
+  PURCHASE_ORDER_RECEIVED: 'purchase_order.received',
+  FLASH_SALE_STARTED: 'flash_sale.started',
+  FLASH_SALE_ENDED: 'flash_sale.ended',
+} as const;
+
+export type CommerceEventType = typeof CommerceEvents[keyof typeof CommerceEvents];

package/src/index.test.ts

@@ -0,0 +1,123 @@
+/**
+ * Barrel export coverage test — src/index.ts
+ *
+ * This file imports from the main entry point to ensure the barrel is
+ * exercised by the coverage tool. All actual logic is tested in the
+ * individual module test files.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  // Auth
+  signJWT,
+  verifyJWT,
+  jwtAuthMiddleware,
+  verifyApiKey,
+  requireRole,
+  requirePermissions,
+  secureCORS,
+  rateLimit,
+  getTenantId,
+  getAuthUser,
+  // Tax
+  TaxEngine,
+  createTaxEngine,
+  // Payment
+  PaystackProvider,
+  createPaymentProvider,
+  // SMS
+  TermiiProvider,
+  createSmsProvider,
+  sendTermiiSms,
+  // Rate limit (KV standalone)
+  checkRateLimit,
+  // Optimistic lock
+  updateWithVersionLock,
+  // PIN
+  hashPin,
+  verifyPin,
+  // AI
+  OpenRouterClient,
+  createAiClient,
+  // Events
+  CommerceEvents,
+  // Nanoid
+  nanoid,
+  genId,
+  // Query helpers
+  parsePagination,
+  metaResponse,
+  applyTenantScope,
+  // NDPR
+  assertNdprConsent,
+  recordNdprConsent,
+} from './index';
+
+describe('@webwaka/core barrel exports', () => {
+  it('exports auth functions', () => {
+    expect(typeof signJWT).toBe('function');
+    expect(typeof verifyJWT).toBe('function');
+    expect(typeof jwtAuthMiddleware).toBe('function');
+    expect(typeof verifyApiKey).toBe('function');
+    expect(typeof requireRole).toBe('function');
+    expect(typeof requirePermissions).toBe('function');
+    expect(typeof secureCORS).toBe('function');
+    expect(typeof rateLimit).toBe('function');
+    expect(typeof getTenantId).toBe('function');
+    expect(typeof getAuthUser).toBe('function');
+  });
+
+  it('exports tax utilities', () => {
+    expect(typeof TaxEngine).toBe('function');
+    expect(typeof createTaxEngine).toBe('function');
+  });
+
+  it('exports payment utilities', () => {
+    expect(typeof PaystackProvider).toBe('function');
+    expect(typeof createPaymentProvider).toBe('function');
+  });
+
+  it('exports SMS utilities', () => {
+    expect(typeof TermiiProvider).toBe('function');
+    expect(typeof createSmsProvider).toBe('function');
+    expect(typeof sendTermiiSms).toBe('function');
+  });
+
+  it('exports rate limit utility', () => {
+    expect(typeof checkRateLimit).toBe('function');
+  });
+
+  it('exports optimistic lock utility', () => {
+    expect(typeof updateWithVersionLock).toBe('function');
+  });
+
+  it('exports PIN utilities', () => {
+    expect(typeof hashPin).toBe('function');
+    expect(typeof verifyPin).toBe('function');
+  });
+
+  it('exports AI client', () => {
+    expect(typeof OpenRouterClient).toBe('function');
+    expect(typeof createAiClient).toBe('function');
+  });
+
+  it('exports CommerceEvents', () => {
+    expect(CommerceEvents).toBeDefined();
+    expect(CommerceEvents.ORDER_CREATED).toBe('order.created');
+  });
+
+  it('exports nanoid utilities', () => {
+    expect(typeof nanoid).toBe('function');
+    expect(typeof genId).toBe('function');
+  });
+
+  it('exports query helpers', () => {
+    expect(typeof parsePagination).toBe('function');
+    expect(typeof metaResponse).toBe('function');
+    expect(typeof applyTenantScope).toBe('function');
+  });
+
+  it('exports NDPR utilities', () => {
+    expect(typeof assertNdprConsent).toBe('function');
+    expect(typeof recordNdprConsent).toBe('function');
+  });
+});

package/src/index.ts

@@ -0,0 +1,97 @@
+/**
+ * @webwaka/core — Main Entry Point
+ * Blueprint Reference: Part 2 (Layer 4 — Tenant Resolution & Auth)
+ *
+ * Re-exports all platform primitives for consumers that import from '@webwaka/core'.
+ * For tree-shaking, consumers can also import from sub-paths:
+ *   import { verifyJWT } from '@webwaka/core/auth'
+ *   import { requireRole } from '@webwaka/core/rbac'
+ */
+
+// ─── Auth (NEW — canonical, replaces all per-repo implementations) ────────────
+export {
+  signJWT,
+  verifyJWT,
+  jwtAuthMiddleware,
+  verifyApiKey,
+  requireRole,
+  requirePermissions,
+  secureCORS,
+  rateLimit,
+  getTenantId,
+  getAuthUser,
+  type JWTPayload,
+  type AuthUser,
+  type WakaUser,
+  type AuthEnv,
+  type RateLimitEnv,
+  type JwtAuthOptions,
+  type SecureCORSOptions,
+  type RateLimitOptions as AuthRateLimitOptions,
+} from './core/auth/index.js';
+
+// ─── Billing ──────────────────────────────────────────────────────────────────
+export * from './core/billing/index.js';
+
+// ─── Logger ───────────────────────────────────────────────────────────────────
+export * from './core/logger/index.js';
+
+// ─── Notifications ────────────────────────────────────────────────────────────
+export * from './core/notifications/index.js';
+
+// ─── AI Engine ────────────────────────────────────────────────────────────────
+export * from './core/ai/AIEngine.js';
+
+// ─── KYC ─────────────────────────────────────────────────────────────────────
+export * from './core/kyc/index.js';
+
+// ─── Geolocation ─────────────────────────────────────────────────────────────
+export * from './core/geolocation/index.js';
+
+// ─── Document ────────────────────────────────────────────────────────────────
+export * from './core/document/index.js';
+
+// ─── Chat ────────────────────────────────────────────────────────────────────
+export * from './core/chat/index.js';
+
+// ─── Booking ─────────────────────────────────────────────────────────────────
+export * from './core/booking/index.js';
+
+// ─── Events ───────────────────────────────────────────────────────────────────
+export * from './core/events/index.js';
+
+// ─── Tax Engine ───────────────────────────────────────────────────────────────
+export * from './tax.js';
+
+// ─── Payment ──────────────────────────────────────────────────────────────────
+export * from './payment.js';
+
+// ─── SMS / OTP ────────────────────────────────────────────────────────────────
+export * from './sms.js';
+
+// ─── KV Rate Limiter ──────────────────────────────────────────────────────────
+export * from './rate-limit.js';
+
+// ─── Optimistic Lock ──────────────────────────────────────────────────────────
+export * from './optimistic-lock.js';
+
+// ─── PIN Hashing ──────────────────────────────────────────────────────────────
+export * from './pin.js';
+
+// ─── KYC Interface ────────────────────────────────────────────────────────────
+export * from './kyc.js';
+
+// ─── OpenRouter AI Client ────────────────────────────────────────────────────
+export * from './ai.js';
+
+// ─── Commerce Events ─────────────────────────────────────────────────────────
+export * from './events.js';
+
+// ─── Nanoid / ID Generation ───────────────────────────────────────────────────
+export * from './nanoid.js';
+
+// ─── Query Helpers ────────────────────────────────────────────────────────────
+export * from './query-helpers.js';
+
+// ─── NDPR Consent ─────────────────────────────────────────────────────────────
+export * from './ndpr.js';

package/src/kyc.ts

@@ -0,0 +1,23 @@
+export interface KycVerificationResult {
+  verified: boolean;
+  matchScore?: number;
+  reason?: string;
+  provider: string;
+}
+
+export interface IKycProvider {
+  verifyBvn(
+    bvnHash: string,
+    firstName: string,
+    lastName: string,
+    dob: string
+  ): Promise<KycVerificationResult>;
+
+  verifyNin(
+    ninHash: string,
+    firstName: string,
+    lastName: string
+  ): Promise<KycVerificationResult>;
+
+  verifyCac(rcNumber: string, businessName: string): Promise<KycVerificationResult>;
+}

package/src/nanoid.test.ts

@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest';
+import { nanoid, genId } from './nanoid';
+
+describe('nanoid', () => {
+  it('generates an ID of the default length (21 chars)', () => {
+    const id = nanoid();
+    expect(id).toHaveLength(21);
+  });
+
+  it('generates an ID with a custom length', () => {
+    const id = nanoid('', 10);
+    expect(id).toHaveLength(10);
+  });
+
+  it('prepends prefix with underscore separator', () => {
+    const id = nanoid('usr', 21);
+    expect(id.startsWith('usr_')).toBe(true);
+    // prefix + '_' + 21 chars
+    expect(id).toHaveLength(4 + 21);
+  });
+
+  it('generates only alphanumeric characters in the ID part', () => {
+    const id = nanoid('', 100);
+    expect(id).toMatch(/^[A-Za-z0-9]+$/);
+  });
+
+  it('generates unique IDs on each call', () => {
+    const ids = new Set(Array.from({ length: 100 }, () => nanoid()));
+    expect(ids.size).toBe(100);
+  });
+
+  it('genId is an alias for nanoid', () => {
+    const id = genId('test', 10);
+    expect(id.startsWith('test_')).toBe(true);
+    expect(id).toHaveLength(5 + 10);
+  });
+
+  it('returns just the id when prefix is empty string', () => {
+    const id = nanoid('', 5);
+    expect(id).toHaveLength(5);
+    expect(id).not.toContain('_');
+  });
+});

package/src/nanoid.ts

@@ -0,0 +1,16 @@
+const CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+
+/**
+ * Cloudflare Worker-compatible nanoid. Uses crypto.getRandomValues.
+ * prefix is prepended to the ID. Default length 21.
+ */
+export function nanoid(prefix = '', length = 21): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(length));
+  const id = Array.from(bytes)
+    .map((b) => CHARS[b % CHARS.length])
+    .join('');
+  return prefix ? `${prefix}_${id}` : id;
+}
+
+/** Alias for nanoid — allows repos to migrate without breaking during transition. */
+export const genId = nanoid;

package/src/ndpr.test.ts

@@ -0,0 +1,68 @@
+import { describe, it, expect, vi } from 'vitest';
+import { assertNdprConsent, recordNdprConsent } from './ndpr';
+
+describe('assertNdprConsent', () => {
+  it('does not throw when ndpr_consent is true', () => {
+    expect(() => assertNdprConsent({ ndpr_consent: true })).not.toThrow();
+  });
+
+  it('throws when ndpr_consent is false', () => {
+    expect(() => assertNdprConsent({ ndpr_consent: false })).toThrow('NDPR consent is required');
+  });
+
+  it('throws when ndpr_consent is missing', () => {
+    expect(() => assertNdprConsent({ name: 'test' })).toThrow('NDPR consent is required');
+  });
+
+  it('throws when body is null', () => {
+    expect(() => assertNdprConsent(null)).toThrow('NDPR consent is required');
+  });
+
+  it('throws when body is a string', () => {
+    expect(() => assertNdprConsent('yes')).toThrow('NDPR consent is required');
+  });
+
+  it('throws when body is a number', () => {
+    expect(() => assertNdprConsent(1)).toThrow('NDPR consent is required');
+  });
+
+  it('attaches status 400 to the thrown error', () => {
+    try {
+      assertNdprConsent({});
+    } catch (err: any) {
+      expect(err.status).toBe(400);
+      expect(err.code).toBe('NDPR_CONSENT_REQUIRED');
+    }
+  });
+});
+
+describe('recordNdprConsent', () => {
+  it('calls db.prepare with INSERT OR IGNORE statement', async () => {
+    const mockRun = vi.fn().mockResolvedValue({ success: true });
+    const mockBind = vi.fn().mockReturnValue({ run: mockRun });
+    const mockPrepare = vi.fn().mockReturnValue({ bind: mockBind });
+    const mockDb = { prepare: mockPrepare } as any;
+
+    await recordNdprConsent(mockDb, 'entity-1', 'user', '1.2.3.4', 'Mozilla/5.0');
+
+    expect(mockPrepare).toHaveBeenCalledWith(
+      expect.stringContaining('INSERT OR IGNORE INTO ndpr_consent_log')
+    );
+    expect(mockBind).toHaveBeenCalled();
+    expect(mockRun).toHaveBeenCalled();
+  });
+
+  it('handles null ipAddress and userAgent', async () => {
+    const mockRun = vi.fn().mockResolvedValue({ success: true });
+    const mockBind = vi.fn().mockReturnValue({ run: mockRun });
+    const mockPrepare = vi.fn().mockReturnValue({ bind: mockBind });
+    const mockDb = { prepare: mockPrepare } as any;
+
+    await expect(
+      recordNdprConsent(mockDb, 'entity-2', 'organisation', null, null)
+    ).resolves.not.toThrow();
+
+    const bindArgs = mockBind.mock.calls[0];
+    expect(bindArgs).toContain(null); // ipAddress null
+  });
+});

package/src/ndpr.ts

@@ -0,0 +1,49 @@
+import type { D1Database } from '@cloudflare/workers-types';
+
+export interface NdprConsentLog {
+  id: string;
+  entity_id: string;
+  entity_type: string;
+  consented_at: number;
+  ip_address: string | null;
+  user_agent: string | null;
+  created_at: number;
+}
+
+export function assertNdprConsent(body: unknown): void {
+  if (
+    typeof body !== 'object' ||
+    body === null ||
+    (body as Record<string, unknown>).ndpr_consent !== true
+  ) {
+    const err = new Error('NDPR consent is required');
+    (err as any).status = 400;
+    (err as any).code = 'NDPR_CONSENT_REQUIRED';
+    throw err;
+  }
+}
+
+export async function recordNdprConsent(
+  db: D1Database,
+  entityId: string,
+  entityType: string,
+  ipAddress: string | null,
+  userAgent: string | null
+): Promise<void> {
+  const now = Date.now();
+  await db
+    .prepare(
+      `INSERT OR IGNORE INTO ndpr_consent_log (id, entity_id, entity_type, consented_at, ip_address, user_agent, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?)`
+    )
+    .bind(
+      `ndpr_${now}_${Array.from(crypto.getRandomValues(new Uint8Array(4))).map(b => b.toString(16).padStart(2, '0')).join('')}`,
+      entityId,
+      entityType,
+      now,
+      ipAddress,
+      userAgent,
+      now
+    )
+    .run();
+}