@willyim/drizzle-audit 0.1.3

package/dist/src/d1/runtime.d.ts

@@ -0,0 +1,44 @@
+import type { D1AuditSqlExecutor } from "./types.js";
+/**
+ * Sets the audit context for the current transaction by writing to the
+ * _audit_context table. Must be called inside a transaction before any
+ * audited writes.
+ *
+ * D1/SQLite has no session variables, so triggers read context from this table.
+ */
+export declare function setD1AuditContext(db: D1AuditSqlExecutor, actorId: string, options?: {
+    workspaceId?: string;
+    contextTable?: string;
+}): Promise<unknown> | undefined;
+/**
+ * Clears the audit context after a transaction completes.
+ * Called automatically by withD1AuditedTransaction.
+ */
+export declare function clearD1AuditContext(db: D1AuditSqlExecutor, options?: {
+    contextTable?: string;
+}): unknown;
+/**
+ * Wraps a Drizzle SQLite transaction with audit context. Sets the actor
+ * before the callback and clears the context after (success or failure).
+ *
+ * Works with any Drizzle SQLite instance (better-sqlite3, D1, libsql).
+ *
+ * @example
+ * // better-sqlite3 (sync)
+ * withD1AuditedTransaction(db, "user_123", (tx) => {
+ *   tx.insert(users).values({ id: "u1", name: "Ada" }).run()
+ * })
+ *
+ * @example
+ * // D1 (async)
+ * await withD1AuditedTransaction(db, "user_123", async (tx) => {
+ *   await tx.insert(users).values({ id: "u1", name: "Ada" })
+ * })
+ */
+export declare function withD1AuditedTransaction<TDb extends D1AuditSqlExecutor, TResult>(db: TDb & {
+    transaction: (cb: (tx: any) => TResult) => TResult;
+}, actorId: string, callback: (tx: TDb) => TResult, options?: {
+    workspaceId?: string;
+    contextTable?: string;
+}): TResult;
+//# sourceMappingURL=runtime.d.ts.map

package/dist/src/d1/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../../src/d1/runtime.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AAUpD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,EAAE,EAAE,kBAAkB,EACtB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,gCAyB1D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,EAAE,EAAE,kBAAkB,EACtB,OAAO,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,WAMpC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,wBAAwB,CAAC,GAAG,SAAS,kBAAkB,EAAE,OAAO,EAC9E,EAAE,EAAE,GAAG,GAAG;IAAE,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,GAAG,KAAK,OAAO,KAAK,OAAO,CAAA;CAAE,EAChE,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,CAAC,EAAE,EAAE,GAAG,KAAK,OAAO,EAC9B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GACxD,OAAO,CAWT"}

package/dist/src/d1/runtime.js

@@ -0,0 +1,68 @@
+import { sql } from "drizzle-orm";
+const DEFAULT_CONTEXT_TABLE = "_audit_context";
+function assertActorId(actorId) {
+    if (actorId.trim().length === 0) {
+        throw new Error("actorId must not be empty");
+    }
+}
+/**
+ * Sets the audit context for the current transaction by writing to the
+ * _audit_context table. Must be called inside a transaction before any
+ * audited writes.
+ *
+ * D1/SQLite has no session variables, so triggers read context from this table.
+ */
+export function setD1AuditContext(db, actorId, options) {
+    assertActorId(actorId);
+    const table = options?.contextTable ?? DEFAULT_CONTEXT_TABLE;
+    const result = db.run(sql `INSERT OR REPLACE INTO ${sql.identifier(table)} (key, value) VALUES ('user_id', ${actorId})`);
+    // Handle async drivers (D1) by chaining if result is a Promise
+    if (result && typeof result.then === "function") {
+        return result.then(() => {
+            if (options?.workspaceId !== undefined && options.workspaceId !== "") {
+                return db.run(sql `INSERT OR REPLACE INTO ${sql.identifier(table)} (key, value) VALUES ('workspace_id', ${options.workspaceId})`);
+            }
+        });
+    }
+    if (options?.workspaceId !== undefined && options.workspaceId !== "") {
+        db.run(sql `INSERT OR REPLACE INTO ${sql.identifier(table)} (key, value) VALUES ('workspace_id', ${options.workspaceId})`);
+    }
+}
+/**
+ * Clears the audit context after a transaction completes.
+ * Called automatically by withD1AuditedTransaction.
+ */
+export function clearD1AuditContext(db, options) {
+    const table = options?.contextTable ?? DEFAULT_CONTEXT_TABLE;
+    return db.run(sql `DELETE FROM ${sql.identifier(table)} WHERE key IN ('user_id', 'workspace_id')`);
+}
+/**
+ * Wraps a Drizzle SQLite transaction with audit context. Sets the actor
+ * before the callback and clears the context after (success or failure).
+ *
+ * Works with any Drizzle SQLite instance (better-sqlite3, D1, libsql).
+ *
+ * @example
+ * // better-sqlite3 (sync)
+ * withD1AuditedTransaction(db, "user_123", (tx) => {
+ *   tx.insert(users).values({ id: "u1", name: "Ada" }).run()
+ * })
+ *
+ * @example
+ * // D1 (async)
+ * await withD1AuditedTransaction(db, "user_123", async (tx) => {
+ *   await tx.insert(users).values({ id: "u1", name: "Ada" })
+ * })
+ */
+export function withD1AuditedTransaction(db, actorId, callback, options) {
+    assertActorId(actorId);
+    return db.transaction((tx) => {
+        setD1AuditContext(tx, actorId, options);
+        try {
+            return callback(tx);
+        }
+        finally {
+            clearD1AuditContext(tx, options);
+        }
+    });
+}

package/dist/src/d1/sql.d.ts

@@ -0,0 +1,37 @@
+import type { D1AuditInstallOptions, D1AuditTriggerTarget } from "./types.js";
+/**
+ * Generates SQL to install the audit_logs table and _audit_context table.
+ *
+ * The _audit_context table stores user_id (and optionally workspace_id) for
+ * the current transaction. Since D1/SQLite has no session variables, triggers
+ * read context from this table instead.
+ */
+export declare function createD1AuditInstallSql(options?: D1AuditInstallOptions): string;
+/**
+ * Generates SQL to attach INSERT, UPDATE, and DELETE audit triggers to a single table.
+ *
+ * Unlike the Postgres variant, D1/SQLite triggers cannot serialize full row data dynamically
+ * (no `row_to_json` equivalent). Audit rows capture `table_name`, `operation`, `row_id`,
+ * and `user_id`. For full row snapshots, use `createAttachD1AuditTriggerSqlWithColumns`.
+ */
+export declare function createAttachD1AuditTriggerSql(target: D1AuditTriggerTarget, options?: D1AuditInstallOptions): string;
+export declare function createAttachD1AuditTriggersSql(targets: D1AuditTriggerTarget[], options?: D1AuditInstallOptions): string;
+export type D1AuditTriggerTargetWithColumns = D1AuditTriggerTarget & {
+    /** Column names to capture in old_data/new_data JSON snapshots */
+    columns: string[];
+};
+/**
+ * Column-aware variant: generates triggers that capture full row snapshots
+ * using json_object() with the specified column names.
+ *
+ * Unlike Postgres, SQLite cannot enumerate columns dynamically in triggers,
+ * so you must list the columns to capture.
+ *
+ * @example
+ * createAttachD1AuditTriggerSqlWithColumns(
+ *   { table: "users", columns: ["id", "name", "email"] },
+ * )
+ */
+export declare function createAttachD1AuditTriggerSqlWithColumns(target: D1AuditTriggerTargetWithColumns, options?: D1AuditInstallOptions): string;
+export declare function createAttachD1AuditTriggersSqlWithColumns(targets: D1AuditTriggerTargetWithColumns[], options?: D1AuditInstallOptions): string;
+//# sourceMappingURL=sql.d.ts.map

package/dist/src/d1/sql.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql.d.ts","sourceRoot":"","sources":["../../../src/d1/sql.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAqB7E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,GAAE,qBAA0B,UA6C1E;AAoHD;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,oBAAoB,EAC5B,OAAO,GAAE,qBAA0B,UAOpC;AAED,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,oBAAoB,EAAE,EAC/B,OAAO,GAAE,qBAA0B,UAQpC;AAID,MAAM,MAAM,+BAA+B,GAAG,oBAAoB,GAAG;IACnE,kEAAkE;IAClE,OAAO,EAAE,MAAM,EAAE,CAAA;CAClB,CAAA;AA4HD;;;;;;;;;;;GAWG;AACH,wBAAgB,wCAAwC,CACtD,MAAM,EAAE,+BAA+B,EACvC,OAAO,GAAE,qBAA0B,UAUpC;AAED,wBAAgB,yCAAyC,CACvD,OAAO,EAAE,+BAA+B,EAAE,EAC1C,OAAO,GAAE,qBAA0B,UAQpC"}

package/dist/src/d1/sql.js

@@ -0,0 +1,261 @@
+const DEFAULT_AUDIT_TABLE = "audit_logs";
+const DEFAULT_CONTEXT_TABLE = "_audit_context";
+const DEFAULT_ROW_ID_COLUMN = "id";
+function quoteIdent(value) {
+    return `"${value.replaceAll('"', '""')}"`;
+}
+function quoteLiteral(value) {
+    return `'${value.replaceAll("'", "''")}'`;
+}
+function assertNonEmpty(value, label) {
+    if (value.trim().length === 0) {
+        throw new Error(`${label} must not be empty`);
+    }
+    return value;
+}
+/**
+ * Generates SQL to install the audit_logs table and _audit_context table.
+ *
+ * The _audit_context table stores user_id (and optionally workspace_id) for
+ * the current transaction. Since D1/SQLite has no session variables, triggers
+ * read context from this table instead.
+ */
+export function createD1AuditInstallSql(options = {}) {
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    const auditColumns = [
+        "id INTEGER PRIMARY KEY AUTOINCREMENT",
+        "table_name TEXT NOT NULL",
+        "operation TEXT NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE'))",
+        "row_id TEXT",
+        "user_id TEXT",
+        ...(workspaceIdColumn ? [`${quoteIdent(workspaceIdColumn)} TEXT`] : []),
+        "old_data TEXT",
+        "new_data TEXT",
+        "created_at TEXT NOT NULL DEFAULT (datetime('now'))",
+    ];
+    const contextColumns = [
+        "key TEXT PRIMARY KEY",
+        "value TEXT",
+    ];
+    const indexStatements = [
+        `CREATE INDEX IF NOT EXISTS ${quoteIdent(`${auditTable}_table_name_idx`)} ON ${quoteIdent(auditTable)} (table_name);`,
+        `CREATE INDEX IF NOT EXISTS ${quoteIdent(`${auditTable}_row_id_idx`)} ON ${quoteIdent(auditTable)} (row_id);`,
+        `CREATE INDEX IF NOT EXISTS ${quoteIdent(`${auditTable}_user_id_idx`)} ON ${quoteIdent(auditTable)} (user_id);`,
+        ...(workspaceIdColumn
+            ? [
+                `CREATE INDEX IF NOT EXISTS ${quoteIdent(`${auditTable}_${workspaceIdColumn}_idx`)} ON ${quoteIdent(auditTable)} (${quoteIdent(workspaceIdColumn)});`,
+            ]
+            : []),
+        `CREATE INDEX IF NOT EXISTS ${quoteIdent(`${auditTable}_created_at_idx`)} ON ${quoteIdent(auditTable)} (created_at);`,
+    ];
+    return [
+        `CREATE TABLE IF NOT EXISTS ${quoteIdent(auditTable)} (\n  ${auditColumns.join(",\n  ")}\n);`,
+        `CREATE TABLE IF NOT EXISTS ${quoteIdent(contextTable)} (\n  ${contextColumns.join(",\n  ")}\n);`,
+        ...indexStatements,
+    ].join("\n\n");
+}
+function buildInsertTriggerSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_insert`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER INSERT ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""})
+  VALUES (
+    ${quoteLiteral(table)},
+    'INSERT',
+    NEW.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""}
+  );
+END;`.trim();
+}
+function buildUpdateTriggerSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_update`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER UPDATE ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""})
+  VALUES (
+    ${quoteLiteral(table)},
+    'UPDATE',
+    NEW.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""}
+  );
+END;`.trim();
+}
+function buildDeleteTriggerSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_delete`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER DELETE ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""})
+  VALUES (
+    ${quoteLiteral(table)},
+    'DELETE',
+    OLD.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""}
+  );
+END;`.trim();
+}
+/**
+ * Generates SQL to attach INSERT, UPDATE, and DELETE audit triggers to a single table.
+ *
+ * Unlike the Postgres variant, D1/SQLite triggers cannot serialize full row data dynamically
+ * (no `row_to_json` equivalent). Audit rows capture `table_name`, `operation`, `row_id`,
+ * and `user_id`. For full row snapshots, use `createAttachD1AuditTriggerSqlWithColumns`.
+ */
+export function createAttachD1AuditTriggerSql(target, options = {}) {
+    return [
+        buildInsertTriggerSql(target, options),
+        buildUpdateTriggerSql(target, options),
+        buildDeleteTriggerSql(target, options),
+    ].join("\n\n");
+}
+export function createAttachD1AuditTriggersSql(targets, options = {}) {
+    if (targets.length === 0) {
+        throw new Error("targets must contain at least one audited table");
+    }
+    return targets
+        .map((target) => createAttachD1AuditTriggerSql(target, options))
+        .join("\n\n");
+}
+function buildJsonObjectExpr(columns, ref) {
+    return `json_object(${columns.map((c) => `${quoteLiteral(c)}, ${ref}.${quoteIdent(c)}`).join(", ")})`;
+}
+function buildInsertTriggerWithColumnsSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_insert`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER INSERT ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""}, new_data)
+  VALUES (
+    ${quoteLiteral(table)},
+    'INSERT',
+    NEW.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""},
+    ${buildJsonObjectExpr(target.columns, "NEW")}
+  );
+END;`.trim();
+}
+function buildUpdateTriggerWithColumnsSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_update`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER UPDATE ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""}, old_data, new_data)
+  VALUES (
+    ${quoteLiteral(table)},
+    'UPDATE',
+    NEW.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""},
+    ${buildJsonObjectExpr(target.columns, "OLD")},
+    ${buildJsonObjectExpr(target.columns, "NEW")}
+  );
+END;`.trim();
+}
+function buildDeleteTriggerWithColumnsSql(target, options) {
+    const table = assertNonEmpty(target.table, "table");
+    const rowIdColumn = assertNonEmpty(target.rowIdColumn ?? DEFAULT_ROW_ID_COLUMN, "rowIdColumn");
+    const auditTable = assertNonEmpty(options.auditTable ?? DEFAULT_AUDIT_TABLE, "auditTable");
+    const contextTable = assertNonEmpty(options.contextTable ?? DEFAULT_CONTEXT_TABLE, "contextTable");
+    const triggerPrefix = target.triggerPrefix ?? table;
+    const triggerName = `${triggerPrefix}_audit_delete`;
+    const workspaceIdColumn = options.workspaceIdColumn?.trim();
+    return `
+DROP TRIGGER IF EXISTS ${quoteIdent(triggerName)};
+
+CREATE TRIGGER ${quoteIdent(triggerName)}
+AFTER DELETE ON ${quoteIdent(table)}
+FOR EACH ROW
+BEGIN
+  INSERT INTO ${quoteIdent(auditTable)} (table_name, operation, row_id, user_id${workspaceIdColumn ? `, ${quoteIdent(workspaceIdColumn)}` : ""}, old_data)
+  VALUES (
+    ${quoteLiteral(table)},
+    'DELETE',
+    OLD.${quoteIdent(rowIdColumn)},
+    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'user_id')${workspaceIdColumn ? `,\n    (SELECT value FROM ${quoteIdent(contextTable)} WHERE key = 'workspace_id')` : ""},
+    ${buildJsonObjectExpr(target.columns, "OLD")}
+  );
+END;`.trim();
+}
+/**
+ * Column-aware variant: generates triggers that capture full row snapshots
+ * using json_object() with the specified column names.
+ *
+ * Unlike Postgres, SQLite cannot enumerate columns dynamically in triggers,
+ * so you must list the columns to capture.
+ *
+ * @example
+ * createAttachD1AuditTriggerSqlWithColumns(
+ *   { table: "users", columns: ["id", "name", "email"] },
+ * )
+ */
+export function createAttachD1AuditTriggerSqlWithColumns(target, options = {}) {
+    if (target.columns.length === 0) {
+        throw new Error("columns must contain at least one column name");
+    }
+    return [
+        buildInsertTriggerWithColumnsSql(target, options),
+        buildUpdateTriggerWithColumnsSql(target, options),
+        buildDeleteTriggerWithColumnsSql(target, options),
+    ].join("\n\n");
+}
+export function createAttachD1AuditTriggersSqlWithColumns(targets, options = {}) {
+    if (targets.length === 0) {
+        throw new Error("targets must contain at least one audited table");
+    }
+    return targets
+        .map((target) => createAttachD1AuditTriggerSqlWithColumns(target, options))
+        .join("\n\n");
+}

package/dist/src/d1/types.d.ts

@@ -0,0 +1,22 @@
+import type { SQL } from "drizzle-orm";
+/**
+ * Minimal interface for executing raw SQL. Any Drizzle SQLite instance
+ * (D1, better-sqlite3, libsql) or transaction satisfies this.
+ */
+export type D1AuditSqlExecutor = {
+    run: (query: SQL) => unknown;
+};
+export type D1AuditInstallOptions = {
+    /** Name of the audit log table (default: "audit_logs") */
+    auditTable?: string;
+    /** Name of the context table used to pass user_id to triggers (default: "_audit_context") */
+    contextTable?: string;
+    /** Optional workspace column name (e.g. "workspace_id") */
+    workspaceIdColumn?: string;
+};
+export type D1AuditTriggerTarget = {
+    table: string;
+    rowIdColumn?: string;
+    triggerPrefix?: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/src/d1/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/d1/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AAEtC;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAA;CAC7B,CAAA;AAED,MAAM,MAAM,qBAAqB,GAAG;IAClC,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6FAA6F;IAC7F,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,2DAA2D;IAC3D,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB,CAAA"}

package/dist/src/d1/types.js

@@ -0,0 +1 @@
+export {};

package/dist/src/d1-runtime/index.d.ts

@@ -0,0 +1,3 @@
+export { withAudit } from "./with-audit.js";
+export type { AuditContext, AuditedDb, AuditLogInsertShape, DrizzleSQLiteDb, } from "./with-audit.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/src/d1-runtime/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/d1-runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,YAAY,EACV,YAAY,EACZ,SAAS,EACT,mBAAmB,EACnB,eAAe,GAChB,MAAM,iBAAiB,CAAA"}

package/dist/src/d1-runtime/index.js

@@ -0,0 +1 @@
+export { withAudit } from "./with-audit.js";

package/dist/src/d1-runtime/with-audit.d.ts

@@ -0,0 +1,77 @@
+import { type InferInsertModel, type InferSelectModel, type SQL } from "drizzle-orm";
+import type { SQLiteTable } from "drizzle-orm/sqlite-core";
+export type AuditContext = {
+    userId: string;
+    workspaceId?: string;
+};
+export type AuditLogInsertShape = {
+    table_name: string;
+    operation: string;
+    row_id: string | null;
+    user_id: string;
+    old_data: string | null;
+    new_data: string | null;
+    [key: string]: unknown;
+};
+/**
+ * Minimal interface for a Drizzle SQLite database/transaction.
+ * Works with D1, better-sqlite3, libsql.
+ */
+export type DrizzleSQLiteDb = {
+    insert: (table: any) => any;
+    update: (table: any) => any;
+    delete: (table: any) => any;
+    select: (fields?: any) => any;
+    transaction: (cb: (tx: any) => any) => any;
+};
+export type AuditedDb<TDb extends DrizzleSQLiteDb> = {
+    /**
+     * Insert a row and log an INSERT audit event.
+     * Returns the inserted row.
+     */
+    insert: <T extends SQLiteTable>(table: T, data: InferInsertModel<T>) => InferSelectModel<T>;
+    /**
+     * Update rows matching `where` and log an UPDATE audit event for each affected row.
+     * Captures old_data (before) and new_data (after).
+     * Returns the updated rows.
+     */
+    update: <T extends SQLiteTable>(table: T, where: SQL, data: Partial<InferInsertModel<T>>) => InferSelectModel<T>[];
+    /**
+     * Delete rows matching `where` and log a DELETE audit event for each affected row.
+     * Captures old_data.
+     * Returns the deleted rows.
+     */
+    delete: <T extends SQLiteTable>(table: T, where: SQL) => InferSelectModel<T>[];
+    /** Access the underlying db for non-audited operations. */
+    db: TDb;
+};
+/**
+ * Creates an audited wrapper around a Drizzle SQLite database.
+ * Each insert/update/delete is wrapped in a transaction that atomically
+ * writes to both the target table and the audit_logs table.
+ *
+ * @param db - A Drizzle SQLite database instance (D1, better-sqlite3, libsql)
+ * @param auditTable - The Drizzle table definition for audit_logs
+ * @param context - The audit context (userId, optional workspaceId)
+ *
+ * @example
+ * import { withAudit } from "drizzle-audit/d1-runtime"
+ * import { d1AuditLogTable } from "drizzle-audit/d1"
+ *
+ * const auditLogs = d1AuditLogTable()
+ * const audited = withAudit(db, auditLogs, { userId: session.userId })
+ *
+ * // Audited insert
+ * audited.insert(users, { id: "u1", name: "Ada" })
+ *
+ * // Audited update — captures old + new data
+ * audited.update(users, eq(users.id, "u1"), { name: "Ada Lovelace" })
+ *
+ * // Audited delete — captures deleted data
+ * audited.delete(users, eq(users.id, "u1"))
+ *
+ * // Non-audited access
+ * audited.db.select().from(users).all()
+ */
+export declare function withAudit<TDb extends DrizzleSQLiteDb>(db: TDb, auditTable: SQLiteTable, context: AuditContext): AuditedDb<TDb>;
+//# sourceMappingURL=with-audit.d.ts.map

package/dist/src/d1-runtime/with-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"with-audit.d.ts","sourceRoot":"","sources":["../../../src/d1-runtime/with-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,GAAG,EACT,MAAM,aAAa,CAAA;AACpB,OAAO,KAAK,EAAgB,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAIxE,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;IACvB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB,CAAA;AAED;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,GAAG,CAAA;IAC3B,MAAM,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,GAAG,CAAA;IAC3B,MAAM,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,GAAG,CAAA;IAC3B,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,GAAG,KAAK,GAAG,CAAA;IAC7B,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,GAAG,KAAK,GAAG,KAAK,GAAG,CAAA;CAC3C,CAAA;AAgBD,MAAM,MAAM,SAAS,CAAC,GAAG,SAAS,eAAe,IAAI;IACnD;;;OAGG;IACH,MAAM,EAAE,CAAC,CAAC,SAAS,WAAW,EAC5B,KAAK,EAAE,CAAC,EACR,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC,KACtB,gBAAgB,CAAC,CAAC,CAAC,CAAA;IAExB;;;;OAIG;IACH,MAAM,EAAE,CAAC,CAAC,SAAS,WAAW,EAC5B,KAAK,EAAE,CAAC,EACR,KAAK,EAAE,GAAG,EACV,IAAI,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,KAC/B,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAA;IAE1B;;;;OAIG;IACH,MAAM,EAAE,CAAC,CAAC,SAAS,WAAW,EAC5B,KAAK,EAAE,CAAC,EACR,KAAK,EAAE,GAAG,KACP,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAA;IAE1B,2DAA2D;IAC3D,EAAE,EAAE,GAAG,CAAA;CACR,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,SAAS,CAAC,GAAG,SAAS,eAAe,EACnD,EAAE,EAAE,GAAG,EACP,UAAU,EAAE,WAAW,EACvB,OAAO,EAAE,YAAY,GACpB,SAAS,CAAC,GAAG,CAAC,CAoHhB"}