evlog 2.12.0 → 2.14.0

package/dist/audit-d9esRZOK.mjs

@@ -0,0 +1,1440 @@
+import { colors, cssColors, detectEnvironment, escapeFormatString, formatDuration, getConsoleMethod, getCssLevelColor, getLevelColor, isClient, isDev, isLevelEnabled, matchesPattern } from "./utils.mjs";
+//#region src/redact.ts
+const DEFAULT_REPLACEMENT = "[REDACTED]";
+/**
+* Built-in PII detection patterns with smart masking.
+* Each builtin preserves just enough signal for debugging while scrubbing PII.
+*/
+const builtinPatterns = {
+	creditCard: {
+		pattern: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g,
+		mask: (m) => `****${m.replace(/[\s-]/g, "").slice(-4)}`
+	},
+	email: {
+		pattern: /[\w.+-]+@[\w-]+\.[\w.]+/g,
+		mask: (m) => {
+			if (m.indexOf("@") < 1) return "***@***";
+			const tld = m.slice(m.lastIndexOf("."));
+			return `${m[0]}***@***${tld}`;
+		}
+	},
+	ipv4: {
+		pattern: /\b(?!0\.0\.0\.0\b)(?!127\.0\.0\.1\b)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+		mask: (m) => `***.***.***.${m.split(".").pop()}`
+	},
+	phone: {
+		pattern: /(?:\+\d{1,3}[\s.-]?\(?\d{1,4}\)?|\(\d{1,4}\))(?:[\s.-]?\d{2,4}){2,4}\b/g,
+		mask: (m) => {
+			const digits = m.replace(/[^\d]/g, "");
+			if (m.startsWith("+") && digits.length > 4) {
+				const ccMatch = m.match(/^\+\d{1,3}/);
+				return `${ccMatch ? ccMatch[0] : "+"}******${digits.slice(-2)}`;
+			}
+			if (digits.length > 2) return `${"*".repeat(digits.length - 2)}${digits.slice(-2)}`;
+			return "***";
+		}
+	},
+	jwt: {
+		pattern: /\beyJ[\w-]*\.[\w-]*\.[\w-]*\b/g,
+		mask: () => "eyJ***.***"
+	},
+	bearer: {
+		pattern: /\bBearer\s+[\w\-.~+/]{8,}=*/gi,
+		mask: () => "Bearer ***"
+	},
+	iban: {
+		pattern: /\b[A-Z]{2}\d{2}[\s-]?[\dA-Z]{4}[\s-]?[\dA-Z]{4}[\s-]?[\dA-Z]{4}[\s-]?[\dA-Z]{0,4}[\s-]?[\dA-Z]{0,4}[\s-]?[\dA-Z]{0,4}\b/g,
+		mask: (m) => {
+			const clean = m.replace(/[\s-]/g, "");
+			return `${clean.slice(0, 4)}****${clean.slice(-3)}`;
+		}
+	}
+};
+/**
+* Resolve a `redact` option (boolean or object) into a concrete `RedactConfig`.
+*
+* - `true` → all built-in patterns with smart masking, no custom paths
+* - `{ ... }` → built-in maskers merged with user config (opt-out: `builtins: false`)
+* - `false` / `undefined` → `undefined` (no redaction)
+*/
+function resolveRedactConfig(input) {
+	if (input === void 0 || input === false) return void 0;
+	if (input === true) return { _maskers: allBuiltinMaskers() };
+	if (input.builtins === false) return input;
+	const maskers = Array.isArray(input.builtins) ? input.builtins.map((name) => builtinPatterns[name]).filter(Boolean).map((b) => [cloneRegex(b.pattern), b.mask]) : allBuiltinMaskers();
+	return {
+		...input,
+		_maskers: maskers
+	};
+}
+function allBuiltinMaskers() {
+	return Object.values(builtinPatterns).map((b) => [cloneRegex(b.pattern), b.mask]);
+}
+function cloneRegex(re) {
+	return new RegExp(re.source, re.flags);
+}
+/**
+* Redact sensitive data from a wide event in-place.
+*
+* Three strategies applied in order:
+* 1. **Path-based**: dot-notation paths — the leaf value is replaced with `replacement`.
+* 2. **Masker-based**: built-in patterns with smart partial masking (e.g. `****1111`).
+* 3. **Pattern-based**: custom RegExp patterns replaced with `replacement`.
+*
+* @param event - The wide event object (mutated in-place).
+* @param config - Redaction configuration.
+*/
+function redactEvent(event, config) {
+	const replacement = config.replacement ?? DEFAULT_REPLACEMENT;
+	if (config.paths?.length) for (const path of config.paths) redactPath(event, path.split("."), replacement);
+	if (config._maskers?.length) applyMaskersToTree(event, config._maskers);
+	if (config.patterns?.length) redactPatterns(event, config.patterns, replacement);
+}
+function redactPath(obj, segments, replacement) {
+	let current = obj;
+	for (let i = 0; i < segments.length - 1; i++) {
+		if (current === null || current === void 0 || typeof current !== "object") return;
+		current = current[segments[i]];
+	}
+	if (current === null || current === void 0 || typeof current !== "object") return;
+	const leaf = segments[segments.length - 1];
+	if (leaf in current) current[leaf] = replacement;
+}
+function redactPatterns(obj, patterns, replacement) {
+	if (obj === null || obj === void 0) return;
+	if (Array.isArray(obj)) {
+		for (let i = 0; i < obj.length; i++) if (typeof obj[i] === "string") obj[i] = applyPatterns(obj[i], patterns, replacement);
+		else if (typeof obj[i] === "object") redactPatterns(obj[i], patterns, replacement);
+		return;
+	}
+	if (typeof obj === "object") {
+		const record = obj;
+		for (const key in record) {
+			const val = record[key];
+			if (typeof val === "string") record[key] = applyPatterns(val, patterns, replacement);
+			else if (typeof val === "object") redactPatterns(val, patterns, replacement);
+		}
+	}
+}
+function applyPatterns(value, patterns, replacement) {
+	let result = value;
+	for (const pattern of patterns) {
+		pattern.lastIndex = 0;
+		result = result.replace(pattern, replacement);
+	}
+	return result;
+}
+function applyMaskersToTree(obj, maskers) {
+	if (obj === null || obj === void 0) return;
+	if (Array.isArray(obj)) {
+		for (let i = 0; i < obj.length; i++) if (typeof obj[i] === "string") obj[i] = applyMaskers(obj[i], maskers);
+		else if (typeof obj[i] === "object") applyMaskersToTree(obj[i], maskers);
+		return;
+	}
+	if (typeof obj === "object") {
+		const record = obj;
+		for (const key in record) {
+			const val = record[key];
+			if (typeof val === "string") record[key] = applyMaskers(val, maskers);
+			else if (typeof val === "object") applyMaskersToTree(val, maskers);
+		}
+	}
+}
+function applyMaskers(value, maskers) {
+	let result = value;
+	for (const [pattern, mask] of maskers) {
+		pattern.lastIndex = 0;
+		result = result.replace(pattern, mask);
+	}
+	return result;
+}
+/**
+* Normalize a redact config that may have been deserialized from JSON
+* (e.g. via `process.env.__EVLOG_CONFIG`). Converts pattern strings
+* back to RegExp instances, then resolves built-in patterns.
+*/
+function normalizeRedactConfig(raw) {
+	if (raw === void 0 || raw === false) return void 0;
+	if (raw === true) return resolveRedactConfig(true);
+	const config = {};
+	if (Array.isArray(raw.paths)) config.paths = raw.paths;
+	if (typeof raw.replacement === "string") config.replacement = raw.replacement;
+	if (raw.builtins === false) config.builtins = false;
+	else if (Array.isArray(raw.builtins)) config.builtins = raw.builtins;
+	if (Array.isArray(raw.patterns)) config.patterns = raw.patterns.map((p) => {
+		if (p instanceof RegExp) return p;
+		if (typeof p === "string") return new RegExp(p, "g");
+		if (typeof p === "object" && p !== null) {
+			const obj = p;
+			return new RegExp(obj.source, obj.flags ?? "g");
+		}
+		return null;
+	}).filter((p) => p !== null);
+	return resolveRedactConfig(config);
+}
+//#endregion
+//#region src/logger.ts
+function isPlainObject(val) {
+	return val !== null && typeof val === "object" && !Array.isArray(val);
+}
+const _tsDate = /* @__PURE__ */ new Date();
+function isoNow() {
+	_tsDate.setTime(Date.now());
+	return _tsDate.toISOString();
+}
+/** Shown after post-emit warnings so users can fix fire-and-forget / ALS continuations. */
+const POST_EMIT_FORK_HINT = "For intentional background work tied to this request, use log.fork('label', fn) when your integration supports it (see https://evlog.dev).";
+function warnPostEmit(method, detail) {
+	console.warn(`[evlog] ${method} called after the wide event was emitted — ${detail} This data will not appear in observability. ${POST_EMIT_FORK_HINT}`);
+}
+function mergeInto(target, source) {
+	for (const key in source) {
+		const sourceVal = source[key];
+		if (sourceVal === void 0 || sourceVal === null) continue;
+		const targetVal = target[key];
+		if (isPlainObject(sourceVal) && isPlainObject(targetVal)) mergeInto(targetVal, sourceVal);
+		else if (Array.isArray(targetVal) && Array.isArray(sourceVal)) target[key] = [...targetVal, ...sourceVal];
+		else target[key] = sourceVal;
+	}
+}
+let globalEnv = {
+	service: "app",
+	environment: "development"
+};
+let globalPretty = isDev();
+let globalSampling = {};
+let globalStringify = true;
+let globalDrain;
+let globalRedact;
+let globalEnabled = true;
+let globalSilent = false;
+/** Minimum level for the global `log` API only (`ownsEvent === false`). Default: all levels. */
+let globalMinLevel = "debug";
+let _locked = false;
+/**
+* Initialize the logger with configuration.
+* Call this once at application startup.
+*/
+function initLogger(config = {}) {
+	globalEnabled = config.enabled ?? true;
+	const detected = detectEnvironment();
+	globalEnv = {
+		service: config.env?.service ?? detected.service ?? "app",
+		environment: config.env?.environment ?? detected.environment ?? "development",
+		version: config.env?.version ?? detected.version,
+		commitHash: config.env?.commitHash ?? detected.commitHash,
+		region: config.env?.region ?? detected.region
+	};
+	globalPretty = config.pretty ?? isDev();
+	globalSampling = config.sampling ?? {};
+	globalStringify = config.stringify ?? true;
+	globalDrain = config.drain;
+	globalRedact = resolveRedactConfig(config.redact ?? !isDev());
+	globalSilent = config.silent ?? false;
+	globalMinLevel = config.minLevel ?? "debug";
+	if (globalSilent && !globalDrain && !config._suppressDrainWarning) console.warn("[evlog] silent mode is enabled but no drain is configured. Events will be built and sampled but not output anywhere. Set a drain via initLogger({ drain }) or a framework hook (evlog:drain).");
+}
+/**
+* Check if logging is globally enabled.
+*/
+function isEnabled() {
+	return globalEnabled;
+}
+/**
+* @internal Lock the logger to prevent re-initialization.
+* Called by instrumentation register() after setting up the logger with drain.
+* Prevents configureHandler() from overwriting the drain config.
+*/
+function lockLogger() {
+	_locked = true;
+}
+/**
+* @internal Check if the logger has been locked by instrumentation.
+*/
+function isLoggerLocked() {
+	return _locked;
+}
+/**
+* @internal Get the globally configured drain callback.
+* Used by framework middleware to fall back to the global drain
+* when no middleware-level drain is provided.
+*/
+function getGlobalDrain() {
+	return globalDrain;
+}
+/**
+* Determine if a log at the given level should be emitted based on sampling config.
+* Error level defaults to 100% (always logged) unless explicitly configured otherwise.
+*/
+function shouldSample(level) {
+	const { rates } = globalSampling;
+	if (!rates) return true;
+	const percentage = level === "error" && rates.error === void 0 ? 100 : rates[level] ?? 100;
+	if (percentage <= 0) return false;
+	if (percentage >= 100) return true;
+	return Math.random() * 100 < percentage;
+}
+/**
+* Evaluate tail sampling conditions to determine if a log should be force-kept.
+* Returns true if ANY condition matches (OR logic).
+*/
+function shouldKeep(ctx) {
+	const { keep } = globalSampling;
+	if (!keep?.length) return false;
+	return keep.some((condition) => {
+		if (condition.status !== void 0 && ctx.status !== void 0 && ctx.status >= condition.status) return true;
+		if (condition.duration !== void 0 && ctx.duration !== void 0 && ctx.duration >= condition.duration) return true;
+		if (condition.path && ctx.path && matchesPattern(ctx.path, condition.path)) return true;
+		return false;
+	});
+}
+function emitWideEvent(level, event, deferDrain = false, ownsEvent = false) {
+	if (!globalEnabled) return null;
+	if (!ownsEvent) {
+		if (!isLevelEnabled(level, globalMinLevel)) return null;
+		if (!shouldSample(level)) return null;
+	}
+	let formatted;
+	if (ownsEvent) {
+		event.timestamp = isoNow();
+		event.level = level;
+		if (event.service === void 0) event.service = globalEnv.service;
+		if (event.environment === void 0) event.environment = globalEnv.environment;
+		if (globalEnv.version !== void 0 && event.version === void 0) event.version = globalEnv.version;
+		if (globalEnv.commitHash !== void 0 && event.commitHash === void 0) event.commitHash = globalEnv.commitHash;
+		if (globalEnv.region !== void 0 && event.region === void 0) event.region = globalEnv.region;
+		formatted = event;
+	} else formatted = {
+		timestamp: isoNow(),
+		level,
+		...globalEnv,
+		...event
+	};
+	finalizeAudit(formatted);
+	if (globalRedact) redactEvent(formatted, globalRedact);
+	if (!globalSilent) if (globalPretty) prettyPrintWideEvent(formatted);
+	else if (globalStringify) console[getConsoleMethod(level)](JSON.stringify(formatted));
+	else console[getConsoleMethod(level)](formatted);
+	if (globalDrain && !deferDrain) Promise.resolve(globalDrain({ event: formatted })).catch((err) => {
+		console.error("[evlog] drain failed:", err);
+	});
+	return formatted;
+}
+function emitTaggedLog(level, tag, message) {
+	if (!globalEnabled) return;
+	if (globalPretty && !globalSilent) {
+		if (!isLevelEnabled(level, globalMinLevel)) return;
+		if (!shouldSample(level)) return;
+		if (isClient()) {
+			const levelColor = getCssLevelColor(level);
+			const timestamp = isoNow().slice(11, 23);
+			console.log(`%c${timestamp}%c %c[${escapeFormatString(tag)}]%c ${escapeFormatString(message)}`, cssColors.dim, cssColors.reset, levelColor, cssColors.reset);
+		} else {
+			const color = getLevelColor(level);
+			const timestamp = isoNow().slice(11, 23);
+			console.log(`${colors.dim}${timestamp}${colors.reset} ${color}[${tag}]${colors.reset} ${message}`);
+		}
+		return;
+	}
+	emitWideEvent(level, {
+		tag,
+		message
+	});
+}
+function formatValue(value) {
+	if (value === null || value === void 0) return String(value);
+	if (typeof value === "object") {
+		const pairs = [];
+		for (const [k, v] of Object.entries(value)) if (v !== void 0 && v !== null) if (typeof v === "object") pairs.push(`${k}=${JSON.stringify(v)}`);
+		else pairs.push(`${k}=${v}`);
+		return pairs.join(" ");
+	}
+	return String(value);
+}
+function formatCost(cost) {
+	if (cost < .01) return `$${cost.toFixed(6)}`;
+	if (cost < 1) return `$${cost.toFixed(4)}`;
+	return `$${cost.toFixed(2)}`;
+}
+function buildAIEntries(ai) {
+	const entries = [];
+	const headerParts = [];
+	if (ai.model) {
+		let m = String(ai.model);
+		if (ai.provider) m += ` (${ai.provider})`;
+		headerParts.push(m);
+	}
+	if (ai.calls) headerParts.push(`${ai.calls} call${ai.calls > 1 ? "s" : ""}`);
+	if (ai.steps && ai.steps > 1) headerParts.push(`${ai.steps} steps`);
+	entries.push({
+		key: "ai",
+		value: headerParts.join(" · ")
+	});
+	const inputTokens = ai.inputTokens;
+	const outputTokens = ai.outputTokens;
+	const totalTokens = ai.totalTokens;
+	if (inputTokens !== void 0 && outputTokens !== void 0) {
+		let tokLine = `${inputTokens} in → ${outputTokens} out`;
+		if (totalTokens) tokLine += ` (${totalTokens} total)`;
+		const extras = [];
+		if (ai.cacheReadTokens) extras.push(`${ai.cacheReadTokens} cache read`);
+		if (ai.cacheWriteTokens) extras.push(`${ai.cacheWriteTokens} cache write`);
+		if (ai.reasoningTokens) extras.push(`${ai.reasoningTokens} reasoning`);
+		if (extras.length) tokLine += ` · ${extras.join(" · ")}`;
+		entries.push({
+			key: "ai.tokens",
+			value: tokLine
+		});
+	}
+	const msFirst = ai.msToFirstChunk;
+	const msFinish = ai.msToFinish;
+	const tps = ai.tokensPerSecond;
+	if (msFirst !== void 0 || msFinish !== void 0) {
+		const parts = [];
+		if (msFirst !== void 0) parts.push(`${formatDuration(msFirst)} to first chunk`);
+		if (msFinish !== void 0) parts.push(`${formatDuration(msFinish)} total`);
+		let streamLine = parts.join(" → ");
+		if (tps) streamLine += ` · ${tps} tok/s`;
+		entries.push({
+			key: "ai.streaming",
+			value: streamLine
+		});
+	}
+	if (ai.estimatedCost !== void 0) entries.push({
+		key: "ai.cost",
+		value: formatCost(ai.estimatedCost)
+	});
+	if (ai.totalDurationMs !== void 0) entries.push({
+		key: "ai.totalDuration",
+		value: formatDuration(ai.totalDurationMs)
+	});
+	const toolCalls = ai.toolCalls;
+	const tools = ai.tools;
+	const hasInputs = toolCalls?.length ? typeof toolCalls[0] === "object" : false;
+	if (tools?.length) {
+		const children = tools.map((t, idx) => {
+			const mark = t.success ? "✓" : "✗";
+			let line = `${t.name} ${formatDuration(t.durationMs)} ${mark}`;
+			if (t.error) line += ` ${t.error}`;
+			if (hasInputs && toolCalls && idx < toolCalls.length) {
+				const tc = toolCalls[idx];
+				const inputStr = typeof tc.input === "string" ? tc.input : JSON.stringify(tc.input);
+				const truncated = inputStr.length > 100 ? `${inputStr.slice(0, 100)}…` : inputStr;
+				line += ` ${truncated}`;
+			}
+			return line;
+		});
+		entries.push({
+			key: "ai.tools",
+			value: "",
+			children
+		});
+	} else if (toolCalls?.length) if (hasInputs) {
+		const children = toolCalls.map((tc) => {
+			const inputStr = typeof tc.input === "string" ? tc.input : JSON.stringify(tc.input);
+			const truncated = inputStr.length > 100 ? `${inputStr.slice(0, 100)}…` : inputStr;
+			return `${tc.name}(${truncated})`;
+		});
+		entries.push({
+			key: "ai.tools",
+			value: "",
+			children
+		});
+	} else entries.push({
+		key: "ai.tools",
+		value: toolCalls.join(", ")
+	});
+	const stepsUsage = ai.stepsUsage;
+	if (stepsUsage?.length) {
+		const allSameModel = stepsUsage.every((s) => s.model === stepsUsage[0].model);
+		const children = stepsUsage.map((s) => {
+			let line = `${allSameModel ? "" : `${s.model} `}${s.inputTokens} in → ${s.outputTokens} out`;
+			const stepTools = s.toolCalls;
+			if (stepTools?.length) line += ` [${stepTools.join(", ")}]`;
+			return line;
+		});
+		entries.push({
+			key: "ai.steps",
+			value: "",
+			children
+		});
+	} else if (ai.steps && ai.steps > 1) entries.push({
+		key: "ai.steps",
+		value: String(ai.steps)
+	});
+	const embedding = ai.embedding;
+	if (embedding) {
+		const parts = [];
+		if (embedding.model) parts.push(String(embedding.model));
+		parts.push(`${embedding.tokens} tokens`);
+		if (embedding.dimensions) parts.push(`${embedding.dimensions}d`);
+		if (embedding.count) parts.push(`${embedding.count} items`);
+		entries.push({
+			key: "ai.embedding",
+			value: parts.join(" · ")
+		});
+	}
+	if (ai.finishReason) entries.push({
+		key: "ai.finishReason",
+		value: String(ai.finishReason)
+	});
+	if (ai.error) entries.push({
+		key: "ai.error",
+		value: String(ai.error)
+	});
+	if (ai.responseId) entries.push({
+		key: "ai.responseId",
+		value: String(ai.responseId)
+	});
+	return entries;
+}
+function prettyPrintWideEvent(event) {
+	const { timestamp, level, service, environment, version, ...rest } = event;
+	const ts = timestamp.slice(11, 23);
+	const browser = isClient();
+	const parts = [];
+	const styles = [];
+	if (browser) {
+		const lc = getCssLevelColor(level);
+		parts.push(`%c${ts}%c %c${level.toUpperCase()}%c %c[${escapeFormatString(String(service))}]%c`);
+		styles.push(cssColors.dim, cssColors.reset, lc, cssColors.reset, cssColors.cyan, cssColors.reset);
+	} else {
+		const lc = getLevelColor(level);
+		parts.push(`${colors.dim}${ts}${colors.reset} ${lc}${level.toUpperCase()}${colors.reset} ${colors.cyan}[${service}]${colors.reset}`);
+	}
+	if (rest.method && rest.path) {
+		parts.push(browser ? ` ${escapeFormatString(String(rest.method))} ${escapeFormatString(String(rest.path))}` : ` ${rest.method} ${rest.path}`);
+		delete rest.method;
+		delete rest.path;
+	}
+	if (rest.status) {
+		const sc = browser ? rest.status >= 400 ? cssColors.red : cssColors.green : rest.status >= 400 ? colors.red : colors.green;
+		if (browser) {
+			parts.push(` %c${rest.status}%c`);
+			styles.push(sc, cssColors.reset);
+		} else parts.push(` ${sc}${rest.status}${colors.reset}`);
+		delete rest.status;
+	}
+	if (rest.duration) {
+		if (browser) {
+			parts.push(` %c${escapeFormatString(`in ${rest.duration}`)}%c`);
+			styles.push(cssColors.dim, cssColors.reset);
+		} else parts.push(` ${colors.dim}in ${rest.duration}${colors.reset}`);
+		delete rest.duration;
+	}
+	console.log(parts.join(""), ...styles);
+	const aiData = rest.ai;
+	if (aiData && typeof aiData === "object") delete rest.ai;
+	const restEntries = Object.entries(rest).filter(([_, v]) => v !== void 0);
+	const aiEntries = aiData ? buildAIEntries(aiData) : [];
+	const allEntries = [...restEntries.map(([key, value]) => ({
+		key,
+		value: formatValue(value)
+	})), ...aiEntries];
+	for (let i = 0; i < allEntries.length; i++) {
+		const entry = allEntries[i];
+		const hasChildren = entry.children && entry.children.length > 0;
+		const prefix = i === allEntries.length - 1 && !hasChildren ? "└─" : "├─";
+		if (browser) {
+			const val = entry.value ? ` ${escapeFormatString(entry.value)}` : "";
+			console.log(`  %c${prefix}%c %c${escapeFormatString(entry.key)}:%c${val}`, cssColors.dim, cssColors.reset, cssColors.cyan, cssColors.reset);
+		} else {
+			const val = entry.value ? ` ${entry.value}` : "";
+			console.log(`  ${colors.dim}${prefix}${colors.reset} ${colors.cyan}${entry.key}:${colors.reset}${val}`);
+		}
+		if (hasChildren) {
+			const connector = i === allEntries.length - 1 ? " " : "│";
+			for (let j = 0; j < entry.children.length; j++) {
+				const child = entry.children[j];
+				const childPrefix = j === entry.children.length - 1 ? "└─" : "├─";
+				if (browser) console.log(`  %c${connector}  ${childPrefix}%c ${escapeFormatString(child)}`, cssColors.dim, cssColors.reset);
+				else console.log(`  ${colors.dim}${connector}  ${childPrefix}${colors.reset} ${child}`);
+			}
+		}
+	}
+}
+function createLogMethod(level) {
+	return function logMethod(tagOrEvent, message) {
+		if (typeof tagOrEvent === "string" && message !== void 0) emitTaggedLog(level, tagOrEvent, message);
+		else if (typeof tagOrEvent === "object") emitWideEvent(level, tagOrEvent);
+		else emitTaggedLog(level, "log", String(tagOrEvent));
+	};
+}
+/**
+* Simple logging API - as easy as console.log
+*
+* @example
+* ```ts
+* log.info('auth', 'User logged in')
+* log.error({ action: 'payment', error: 'failed' })
+* ```
+*/
+const _log = {
+	info: createLogMethod("info"),
+	error: createLogMethod("error"),
+	warn: createLogMethod("warn"),
+	debug: createLogMethod("debug")
+};
+const noopLogger = {
+	set() {},
+	error() {},
+	info() {},
+	warn() {},
+	emit() {
+		return null;
+	},
+	getContext() {
+		return {};
+	},
+	audit: Object.assign(() => {}, { deny: () => {} })
+};
+/**
+* Create a scoped logger for building wide events.
+* Use this for any context: workflows, jobs, scripts, queues, etc.
+*
+* After `emit()` (including when sampling returns `null`), the logger is sealed and
+* further mutations log `[evlog]` warnings. Standalone loggers do not have `fork`;
+* that method is only attached by supported framework integrations.
+*
+* @example
+* ```ts
+* const log = createLogger({ jobId: job.id, queue: 'emails' })
+* log.set({ batch: { size: 50, processed: 12 } })
+* log.emit()
+* ```
+*/
+function createLogger(initialContext = {}, internalOptions) {
+	if (!globalEnabled) return noopLogger;
+	const deferDrain = internalOptions?._deferDrain ?? false;
+	const startTime = Date.now();
+	const context = { ...initialContext };
+	let hasError = false;
+	let hasWarn = false;
+	let emitted = false;
+	function addLog(level, message) {
+		if (!Array.isArray(context.requestLogs)) context.requestLogs = [];
+		context.requestLogs.push({
+			level,
+			message,
+			timestamp: isoNow()
+		});
+	}
+	const auditMethod = function audit(input) {
+		if (emitted) {
+			warnPostEmit("log.audit()", `Audit dropped: action=${input.action}.`);
+			return;
+		}
+		const fields = buildAuditFields(input);
+		if (!isPlainObject(context.audit)) context.audit = fields;
+		else mergeInto(context.audit, fields);
+		context._auditForceKeep = true;
+	};
+	auditMethod.deny = function deny(reason, input) {
+		auditMethod({
+			...input,
+			outcome: "denied",
+			reason
+		});
+	};
+	return {
+		audit: auditMethod,
+		set(data) {
+			if (emitted) {
+				const keys = Object.keys(data);
+				warnPostEmit("log.set()", `Keys dropped: ${keys.length ? keys.join(", ") : "(empty)"}.`);
+				return;
+			}
+			mergeInto(context, data);
+		},
+		error(error, errorContext) {
+			if (emitted) {
+				warnPostEmit("log.error()", `Keys dropped: ${(errorContext ? [...Object.keys(errorContext), "error"] : ["error"]).join(", ")}.`);
+				return;
+			}
+			hasError = true;
+			const err = typeof error === "string" ? new Error(error) : error;
+			if (errorContext) mergeInto(context, errorContext);
+			const errorObj = {
+				name: err.name,
+				message: err.message,
+				stack: err.stack
+			};
+			const errRecord = err;
+			for (const k of [
+				"status",
+				"statusText",
+				"statusCode",
+				"statusMessage",
+				"data",
+				"cause",
+				"internal"
+			]) if (k in err) errorObj[k] = errRecord[k];
+			if (isPlainObject(context.error)) mergeInto(context.error, errorObj);
+			else context.error = errorObj;
+		},
+		info(message, infoContext) {
+			if (emitted) {
+				warnPostEmit("log.info()", `Keys dropped: ${(infoContext ? ["message", ...Object.keys(infoContext).filter((k) => k !== "requestLogs")] : ["message"]).join(", ")}.`);
+				return;
+			}
+			addLog("info", message);
+			if (infoContext) {
+				const { requestLogs: _, ...rest } = infoContext;
+				mergeInto(context, rest);
+			}
+		},
+		warn(message, warnContext) {
+			if (emitted) {
+				warnPostEmit("log.warn()", `Keys dropped: ${(warnContext ? ["message", ...Object.keys(warnContext).filter((k) => k !== "requestLogs")] : ["message"]).join(", ")}.`);
+				return;
+			}
+			hasWarn = true;
+			addLog("warn", message);
+			if (warnContext) {
+				const { requestLogs: _, ...rest } = warnContext;
+				mergeInto(context, rest);
+			}
+		},
+		emit(overrides) {
+			if (emitted) {
+				warnPostEmit("log.emit()", "Ignoring duplicate emit.");
+				return null;
+			}
+			const durationMs = Date.now() - startTime;
+			const level = hasError ? "error" : hasWarn ? "warn" : "info";
+			let forceKeep = false;
+			if (overrides?._forceKeep) forceKeep = true;
+			else if (consumeAuditForceKeep(context)) forceKeep = true;
+			else if (globalSampling.keep?.length) forceKeep = shouldKeep({
+				status: overrides?.status ?? context.status,
+				duration: durationMs,
+				path: context.path,
+				method: context.method,
+				context
+			});
+			if (!forceKeep && !shouldSample(level)) {
+				emitted = true;
+				return null;
+			}
+			if (overrides) {
+				const obj = overrides;
+				for (const key in obj) if (key !== "_forceKeep") context[key] = obj[key];
+			}
+			context.duration = formatDuration(durationMs);
+			const wide = emitWideEvent(level, context, deferDrain, true);
+			emitted = true;
+			return wide;
+		},
+		getContext() {
+			return { ...context };
+		}
+	};
+}
+/**
+* Create a request-scoped logger for building wide events.
+* Convenience wrapper around `createLogger` that pre-populates HTTP request fields.
+*
+* @example
+* ```ts
+* const log = createRequestLogger({ method: 'POST', path: '/checkout' })
+* log.set({ user: { id: '123' } })
+* log.set({ cart: { items: 3 } })
+* log.emit()
+* ```
+*/
+function createRequestLogger(options = {}, internalOptions) {
+	const initial = {};
+	if (options.method !== void 0) initial.method = options.method;
+	if (options.path !== void 0) initial.path = options.path;
+	if (options.requestId !== void 0) initial.requestId = options.requestId;
+	return createLogger(initial, internalOptions);
+}
+/**
+* Get the current environment context.
+*/
+function getEnvironment() {
+	return { ...globalEnv };
+}
+if (typeof __EVLOG_CONFIG__ !== "undefined") initLogger(__EVLOG_CONFIG__);
+//#endregion
+//#region src/audit.ts
+/**
+* Current version of the audit envelope. Bumped when `AuditFields` evolves
+* in a backward-incompatible way so downstream pipelines can branch on it.
+*/
+const AUDIT_SCHEMA_VERSION = 1;
+/**
+* @internal Stable JSON stringification with deterministic key order.
+* Used by `idempotencyKey` and `hash-chain` so the same logical event always
+* produces the same digest, regardless of how object keys were added.
+*/
+function stableStringify(value) {
+	if (value === null || typeof value !== "object") return JSON.stringify(value);
+	if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
+	return `{${Object.keys(value).sort().map((k) => `${JSON.stringify(k)}:${stableStringify(value[k])}`).join(",")}}`;
+}
+/**
+* @internal Sync, isomorphic 32-bit FNV-1a. Used to derive the idempotency
+* key without pulling `node:crypto` into the static import graph (which would
+* break browser / Cloudflare Workers bundles that import `evlog` for types
+* or shared utilities). Idempotency keys are dedup tokens, not security
+* primitives — collision resistance at 128 bits is more than sufficient.
+*/
+function fnv1a32(input, seed) {
+	let h = seed >>> 0;
+	for (let i = 0; i < input.length; i++) {
+		h ^= input.charCodeAt(i) & 255;
+		h = Math.imul(h, 16777619) >>> 0;
+	}
+	return h >>> 0;
+}
+/**
+* @internal Compute the deterministic idempotency key for an audit event.
+* Includes `action`, `actor.{type,id}`, `target.{type,id}`, `outcome`, and
+* `timestamp` rounded to the second so retries within the same second collapse.
+*
+* Uses four interleaved FNV-1a 32-bit hashes (128-bit output, 32 hex chars)
+* so the implementation stays sync and isomorphic across Node, browsers,
+* Bun, Deno, and Cloudflare Workers.
+*/
+function computeIdempotencyKey(audit, timestamp) {
+	const seconds = timestamp.slice(0, 19);
+	const payload = stableStringify({
+		action: audit.action,
+		actor: {
+			type: audit.actor.type,
+			id: audit.actor.id
+		},
+		target: audit.target ? {
+			type: audit.target.type,
+			id: audit.target.id
+		} : void 0,
+		outcome: audit.outcome,
+		timestamp: seconds
+	});
+	const a = fnv1a32(payload, 2166136261).toString(16).padStart(8, "0");
+	const b = fnv1a32(payload, 3735928559).toString(16).padStart(8, "0");
+	const c = fnv1a32(payload, 528734635).toString(16).padStart(8, "0");
+	const d = fnv1a32(payload, 1541459225).toString(16).padStart(8, "0");
+	return a + b + c + d;
+}
+/**
+* Build a normalised {@link AuditFields} from caller input. Defaults:
+* - `outcome` → `'success'`
+* - `version` → {@link AUDIT_SCHEMA_VERSION}
+*
+* `idempotencyKey` is filled at emit time with the event timestamp so retries
+* stay deterministic.
+*/
+function buildAuditFields(input) {
+	return {
+		action: input.action,
+		actor: input.actor,
+		target: input.target,
+		outcome: input.outcome ?? "success",
+		reason: input.reason,
+		changes: input.changes,
+		causationId: input.causationId,
+		correlationId: input.correlationId,
+		version: input.version ?? 1
+	};
+}
+/**
+* @internal Test-collector hook installed by {@link mockAudit}. When set, every
+* audit event flowing through `log.audit()` / `audit()` is also pushed to it.
+*/
+let _testCollector = null;
+/** @internal Emit-time decoration: assign timestamp-based idempotency key. */
+function decorateAudit(audit, timestamp) {
+	if (audit.idempotencyKey) return audit;
+	return {
+		...audit,
+		idempotencyKey: computeIdempotencyKey(audit, timestamp)
+	};
+}
+/**
+* Add audit semantics to an existing {@link RequestLogger}.
+*
+* Mutates the logger in place by adding an `audit` method (with a `.deny()`
+* sub-method). Strictly equivalent to calling `log.set({ audit: ... })` plus
+* `_forceKeep` on emit. Idempotent: calling twice on the same logger only
+* attaches the methods once.
+*
+* @example
+* ```ts
+* const log = withAuditMethods(createLogger())
+* log.audit({
+*   action: 'invoice.refund',
+*   actor: { type: 'user', id: user.id },
+*   target: { type: 'invoice', id: 'inv_889' },
+* })
+* ```
+*/
+function withAuditMethods(logger) {
+	const target = logger;
+	if (target.audit) return target;
+	const audit = function audit(input) {
+		const fields = buildAuditFields(input);
+		target.set({ audit: fields });
+		markForceKeep(target);
+	};
+	audit.deny = function deny(reason, input) {
+		audit({
+			...input,
+			outcome: "denied",
+			reason
+		});
+	};
+	target.audit = audit;
+	return target;
+}
+/**
+* @internal Mark a logger so its next `emit()` is force-kept past tail sampling.
+* Implemented by stamping a hidden flag on the accumulated context which
+* `emit()` reads via `_forceKeep`.
+*/
+function markForceKeep(logger) {
+	const ctx = logger.getContext();
+	ctx._auditForceKeep = true;
+}
+/**
+* Standalone audit emitter for non-request contexts (jobs, scripts, CLIs).
+*
+* Creates a one-shot logger, sets the audit fields, and emits immediately.
+* The event is force-kept past tail sampling. Returns the emitted wide event,
+* or `null` if logging is globally disabled.
+*
+* @example
+* ```ts
+* import { audit } from 'evlog'
+*
+* audit({
+*   action: 'cron.cleanup',
+*   actor: { type: 'system', id: 'cron' },
+*   target: { type: 'job', id: 'cleanup-stale-sessions' },
+*   outcome: 'success',
+* })
+* ```
+*/
+function audit(input) {
+	const fields = buildAuditFields(input);
+	const wide = createLogger({ audit: fields }).emit({ _forceKeep: true });
+	_testCollector?.(fields, wide);
+	return wide;
+}
+/**
+* Wrap a function so its outcome (success / failure / denied) is automatically
+* audited.
+*
+* Behaviour:
+* - If `fn` resolves, an audit event with `outcome: 'success'` is emitted.
+* - If `fn` throws an `EvlogError` (or any error) with `status === 403`, the
+*   audit event is recorded as `'denied'` with the error message as `reason`.
+* - Any other thrown error produces `outcome: 'failure'` and re-throws.
+*
+* Use {@link AuditDeniedError} to signal denial without an HTTP status.
+*
+* @example
+* ```ts
+* const refundInvoice = withAudit(
+*   { action: 'invoice.refund', target: (input) => ({ type: 'invoice', id: input.id }) },
+*   async (input: { id: string }, ctx: { actor: AuditActor }) => {
+*     await db.invoices.refund(input.id)
+*   }
+* )
+*
+* await refundInvoice({ id: 'inv_889' }, { actor: { type: 'user', id: user.id } })
+* ```
+*/
+function withAudit(options, fn) {
+	return async (input, ctx) => {
+		const target = typeof options.target === "function" ? options.target(input) : options.target;
+		try {
+			const result = await fn(input, ctx);
+			audit({
+				action: options.action,
+				actor: ctx.actor,
+				target,
+				outcome: "success",
+				causationId: ctx.causationId,
+				correlationId: ctx.correlationId
+			});
+			return result;
+		} catch (err) {
+			const error = err;
+			const status = error.status ?? error.statusCode;
+			const denied = err instanceof AuditDeniedError || status === 403;
+			audit({
+				action: options.action,
+				actor: ctx.actor,
+				target,
+				outcome: denied ? "denied" : "failure",
+				reason: error.message,
+				causationId: ctx.causationId,
+				correlationId: ctx.correlationId
+			});
+			throw err;
+		}
+	};
+}
+/**
+* Throw inside a {@link withAudit} body to mark the action as `outcome: 'denied'`
+* regardless of the underlying HTTP status. The constructor message becomes the
+* audit `reason`.
+*/
+var AuditDeniedError = class extends Error {
+	constructor(reason) {
+		super(reason);
+		this.name = "AuditDeniedError";
+	}
+};
+/**
+* Compute a compact, redact-aware diff between two objects for the
+* `changes` field. Output is a JSON Patch-style array (RFC 6902 subset:
+* `add`, `remove`, `replace`) — small enough to ship over the wire.
+*
+* Object keys whose name matches one of the `redactPaths` (dot-notation, e.g.
+* `'user.password'`, `'card.cvv'`) are replaced with `'[REDACTED]'` so PII
+* never leaks through the diff.
+*
+* @example
+* ```ts
+* log.audit({
+*   action: 'user.update',
+*   actor: { type: 'user', id: user.id },
+*   target: { type: 'user', id: 'usr_42' },
+*   changes: auditDiff(before, after, { redactPaths: ['password'] }),
+* })
+* ```
+*/
+function auditDiff(before, after, options = {}) {
+	const replacement = options.replacement ?? "[REDACTED]";
+	const redactSet = new Set((options.redactPaths ?? []).map((p) => p));
+	const patch = [];
+	function isRedacted(path) {
+		if (redactSet.size === 0) return false;
+		if (redactSet.has(path)) return true;
+		for (const p of redactSet) if (path.endsWith(`.${p}`)) return true;
+		return false;
+	}
+	function diff(a, b, path) {
+		if (a === b) return;
+		if (a === void 0 && b !== void 0) {
+			patch.push({
+				op: "add",
+				path: path || "/",
+				value: redactValue(b, path)
+			});
+			return;
+		}
+		if (a !== void 0 && b === void 0) {
+			patch.push({
+				op: "remove",
+				path: path || "/"
+			});
+			return;
+		}
+		if (a !== null && b !== null && typeof a === "object" && typeof b === "object" && !Array.isArray(a) && !Array.isArray(b)) {
+			const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
+			for (const key of keys) diff(a[key], b[key], `${path}/${key}`);
+			return;
+		}
+		patch.push({
+			op: "replace",
+			path: path || "/",
+			value: redactValue(b, path)
+		});
+	}
+	function redactValue(value, path) {
+		if (value === null || typeof value !== "object") {
+			const segs = path.split("/").filter(Boolean);
+			const last = segs[segs.length - 1];
+			if (last && isRedacted(last)) return replacement;
+			return value;
+		}
+		if (Array.isArray(value)) return value.map((v, i) => redactValue(v, `${path}/${i}`));
+		const out = {};
+		for (const [k, v] of Object.entries(value)) out[k] = isRedacted(k) ? replacement : redactValue(v, `${path}/${k}`);
+		return out;
+	}
+	diff(before, after, "");
+	const result = { patch };
+	if (options.includeBefore) result.before = redactValue(before, "");
+	if (options.includeAfter) result.after = redactValue(after, "");
+	return result;
+}
+/**
+* Define a typed audit action with an optional fixed target type.
+*
+* Returns a curried helper that fills in the action name (and target shape
+* if provided) so call sites stay terse and the action set is discoverable
+* in one place.
+*
+* @example
+* ```ts
+* const refund = defineAuditAction('invoice.refund', { target: 'invoice' })
+*
+* log.audit(refund({
+*   actor: { type: 'user', id: user.id },
+*   target: { id: 'inv_889' }, // type inferred as 'invoice'
+*   outcome: 'success',
+* }))
+* ```
+*/
+function defineAuditAction(action, options) {
+	const targetType = options?.target;
+	return (input) => {
+		const merged = {
+			...input,
+			action
+		};
+		if (targetType && input.target && !input.target.type) merged.target = {
+			...input.target,
+			type: targetType
+		};
+		return merged;
+	};
+}
+/**
+* Test helper that captures every audit event emitted while it is active.
+*
+* Returns `{ events, restore, expect }`:
+* - `events` — live array of captured `AuditFields`, populated as audits fire.
+* - `restore()` — uninstall the collector. Call from `afterEach()`.
+* - `expect.toIncludeAuditOf(matcher)` — assertion helper used inside `expect`
+*   blocks, returns `true` if at least one captured event matches.
+*
+* Only captures audits going through `log.audit()` and the standalone
+* `audit()` function. Events emitted via raw `log.set({ audit })` skip the
+* collector by design — wrap them with `log.audit()` to make them visible to
+* tests.
+*
+* @example
+* ```ts
+* const captured = mockAudit()
+* await refundInvoice('inv_889')
+* expect(captured.events).toHaveLength(1)
+* expect(captured.toIncludeAuditOf({ action: 'invoice.refund' })).toBe(true)
+* captured.restore()
+* ```
+*/
+function mockAudit() {
+	const events = [];
+	const previous = _testCollector;
+	_testCollector = (event) => {
+		events.push(event);
+	};
+	return {
+		events,
+		restore() {
+			_testCollector = previous;
+		},
+		toIncludeAuditOf(matcher) {
+			return events.some((event) => matchesAudit(event, matcher));
+		}
+	};
+}
+function matchesAudit(event, matcher) {
+	if (matcher.action !== void 0) {
+		if (matcher.action instanceof RegExp) {
+			if (!matcher.action.test(event.action)) return false;
+		} else if (event.action !== matcher.action) return false;
+	}
+	if (matcher.outcome !== void 0 && event.outcome !== matcher.outcome) return false;
+	if (matcher.actor) {
+		for (const [k, v] of Object.entries(matcher.actor)) if (event.actor[k] !== v) return false;
+	}
+	if (matcher.target) {
+		if (!event.target) return false;
+		for (const [k, v] of Object.entries(matcher.target)) if (event.target[k] !== v) return false;
+	}
+	return true;
+}
+/**
+* @internal Hook used by `RequestLogger.emit()` to detect audit-driven
+* force-keep flags on the accumulated context. Returns whether the event was
+* marked by `log.audit()` and clears the flag.
+*/
+function consumeAuditForceKeep(context) {
+	if (context._auditForceKeep) {
+		delete context._auditForceKeep;
+		return true;
+	}
+	if (context.audit) return true;
+	return false;
+}
+/**
+* @internal Decorate the audit field on an event right before drain — fills
+* in the deterministic idempotency key. Called by the logger pipeline so
+* it works for both `log.audit()` and direct `log.set({ audit })` paths.
+*/
+function finalizeAudit(event) {
+	const a = event.audit;
+	if (!a) return;
+	event.audit = decorateAudit(a, String(event.timestamp));
+}
+/**
+* Enrich audit-bearing wide events with request, runtime, and tenant context.
+*
+* Runs only when `event.audit` is present — every other event passes through
+* untouched. Populates:
+* - `event.audit.context.requestId` from `ctx.request.requestId`
+* - `event.audit.context.traceId`   from `event.traceId`
+* - `event.audit.context.ip`        from `x-forwarded-for` / `x-real-ip`
+* - `event.audit.context.userAgent` from `user-agent`
+* - `event.audit.context.tenantId`  from `options.tenantId(ctx)`
+*
+* Optionally fills `event.audit.actor` from the better-auth bridge when the
+* caller did not provide one. Anything else (custom actor strategies,
+* extra context) belongs in a custom enricher — replace this one entirely.
+*/
+function auditEnricher(options = {}) {
+	return async (ctx) => {
+		const event = ctx.event;
+		const a = event.audit;
+		if (!a) return;
+		const context = { ...a.context ?? {} };
+		function setIfMissing(key, value) {
+			if (value === void 0) return;
+			if (options.overwrite || context[key] === void 0) context[key] = value;
+		}
+		setIfMissing("requestId", ctx.request?.requestId);
+		setIfMissing("traceId", typeof event.traceId === "string" ? event.traceId : void 0);
+		setIfMissing("ip", getHeader(ctx.headers, "x-forwarded-for")?.split(",")[0]?.trim() ?? getHeader(ctx.headers, "x-real-ip"));
+		setIfMissing("userAgent", getHeader(ctx.headers, "user-agent"));
+		if (options.tenantId) {
+			const tid = options.tenantId(ctx);
+			if (tid !== void 0) setIfMissing("tenantId", tid);
+		}
+		let { actor } = a;
+		if (!actor && options.bridge) {
+			const fromBridge = await options.bridge.getSession(ctx);
+			if (fromBridge) actor = fromBridge;
+		}
+		event.audit = {
+			...a,
+			context,
+			actor: actor ?? a.actor
+		};
+	};
+}
+function getHeader(headers, name) {
+	if (!headers) return void 0;
+	if (headers[name] !== void 0) return headers[name];
+	const lower = name.toLowerCase();
+	if (headers[lower] !== void 0) return headers[lower];
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lower) return v;
+}
+/**
+* Wrap any drain so it only receives events that carry an `audit` field.
+*
+* Use to route audit events to dedicated storage (separate Axiom dataset,
+* append-only Postgres table, FS journal) without affecting your main drain.
+*
+* Per-sink failure isolation comes from `initLogger({ drain: [...] })`: each
+* drain in the array is invoked independently, so a crashed Axiom call never
+* blocks the FS audit drain.
+*
+* @example
+* ```ts
+* import { initLogger, auditOnly } from 'evlog'
+* import { createAxiomDrain } from 'evlog/axiom'
+* import { createFsDrain } from 'evlog/fs'
+*
+* initLogger({
+*   drain: [
+*     createAxiomDrain({ dataset: 'logs' }),
+*     auditOnly(createFsDrain({ dir: '.audit' }), { await: true }),
+*   ],
+* })
+* ```
+*/
+function auditOnly(drain, options = {}) {
+	return async (ctx) => {
+		if (!ctx.event.audit) return;
+		if (options.await) {
+			await drain(ctx);
+			return;
+		}
+		drain(ctx);
+	};
+}
+/**
+* Wrap a drain so every event passing through gains tamper-evident integrity.
+*
+* - `'hmac'` — adds `event.audit.signature` (HMAC of the canonical event).
+* - `'hash-chain'` — adds `event.audit.prevHash` and `event.audit.hash` so the
+*   sequence of events forms a verifiable chain. State persists in memory
+*   by default; pass a `state: { load, save }` for cross-process / durable
+*   chains (Redis, file, Postgres).
+*
+* The signature is computed before the event is forwarded to the wrapped
+* drain — combine with {@link auditOnly} when you only want integrity for
+* audit events.
+*
+* @example
+* ```ts
+* import { initLogger, auditOnly, signed } from 'evlog'
+* import { createFsDrain } from 'evlog/fs'
+*
+* initLogger({
+*   drain: auditOnly(
+*     signed(createFsDrain({ dir: '.audit' }), { strategy: 'hash-chain' }),
+*     { await: true },
+*   ),
+* })
+* ```
+*/
+function signed(drain, options) {
+	if (options.strategy === "hmac") {
+		const algorithm = options.algorithm ?? "sha256";
+		const { secret } = options;
+		return async (ctx) => {
+			const a = ctx.event.audit;
+			if (a) {
+				const signature = await hmacHex(algorithm, secret, stableStringify(stripIntegrity(ctx.event)));
+				ctx.event.audit = {
+					...a,
+					signature
+				};
+			}
+			await drain(ctx);
+		};
+	}
+	const algorithm = options.algorithm ?? "sha256";
+	const { state } = options;
+	let inMemoryPrev = null;
+	let initialised = !state;
+	let queue = Promise.resolve();
+	return (ctx) => {
+		queue = queue.then(async () => {
+			const a = ctx.event.audit;
+			if (a) {
+				if (!initialised && state) {
+					inMemoryPrev = await state.load() ?? null;
+					initialised = true;
+				}
+				const prevHash = inMemoryPrev ?? void 0;
+				const hash = await digestHex(algorithm, stableStringify({
+					...stripIntegrity(ctx.event),
+					audit: {
+						...stripIntegrity(ctx.event).audit,
+						prevHash
+					}
+				}));
+				ctx.event.audit = {
+					...a,
+					prevHash,
+					hash
+				};
+				inMemoryPrev = hash;
+				await state?.save(hash);
+			}
+			await drain(ctx);
+		}).catch((err) => {
+			console.error("[evlog/audit] signed drain failed:", err);
+		});
+		return queue;
+	};
+}
+/**
+* @internal Resolve the Web Crypto SubtleCrypto interface. Available natively
+* in browsers, Node 19+, Bun, Deno, and Cloudflare Workers. Falls back to
+* Node's `webcrypto` for Node 18 (where `globalThis.crypto` is gated behind
+* a flag). The dynamic import keeps `node:crypto` out of browser bundles.
+*/
+async function getSubtle() {
+	const c = globalThis.crypto;
+	if (c?.subtle) return c.subtle;
+	return (await import(
+		/* @vite-ignore */
+		"node:crypto"
+)).webcrypto.subtle;
+}
+function normalizeAlgo(algorithm) {
+	switch (algorithm.toLowerCase()) {
+		case "sha1":
+		case "sha-1": return "SHA-1";
+		case "sha256":
+		case "sha-256": return "SHA-256";
+		case "sha384":
+		case "sha-384": return "SHA-384";
+		case "sha512":
+		case "sha-512": return "SHA-512";
+		default: return "SHA-256";
+	}
+}
+function bufToHex(buf) {
+	let out = "";
+	for (const byte of new Uint8Array(buf)) out += byte.toString(16).padStart(2, "0");
+	return out;
+}
+async function digestHex(algorithm, data) {
+	return bufToHex(await (await getSubtle()).digest(normalizeAlgo(algorithm), new TextEncoder().encode(data)));
+}
+async function hmacHex(algorithm, secret, data) {
+	const subtle = await getSubtle();
+	const hash = normalizeAlgo(algorithm);
+	const key = await subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash
+	}, false, ["sign"]);
+	return bufToHex(await subtle.sign("HMAC", key, new TextEncoder().encode(data)));
+}
+/** @internal Strip integrity fields before hashing so signatures stay stable. */
+function stripIntegrity(event) {
+	const a = event.audit;
+	if (!a) return event;
+	const { signature, prevHash, hash, ...rest } = a;
+	return {
+		...event,
+		audit: rest
+	};
+}
+/**
+* Strict redact preset for audit events.
+*
+* Combine with the user's existing redact configuration via spread:
+* `initLogger({ redact: { paths: [...auditRedactPreset.paths!, ...mine] } })`.
+*
+* Hardens PII handling:
+* - Drops `Authorization` and `Cookie` headers anywhere they appear.
+* - Drops common credential field names (`password`, `passwordHash`, `token`,
+*   `apiKey`, `secret`, `accessToken`, `refreshToken`, `cardNumber`, `cvv`,
+*   `ssn`).
+*
+* Built-in pattern maskers (email, credit card, …) keep their default
+* behaviour — partial masking, not full redaction — so audit trails retain
+* enough signal to be useful.
+*/
+const auditRedactPreset = { paths: [
+	"audit.changes.before.password",
+	"audit.changes.before.passwordHash",
+	"audit.changes.before.token",
+	"audit.changes.before.apiKey",
+	"audit.changes.before.secret",
+	"audit.changes.before.accessToken",
+	"audit.changes.before.refreshToken",
+	"audit.changes.before.cardNumber",
+	"audit.changes.before.cvv",
+	"audit.changes.before.ssn",
+	"audit.changes.after.password",
+	"audit.changes.after.passwordHash",
+	"audit.changes.after.token",
+	"audit.changes.after.apiKey",
+	"audit.changes.after.secret",
+	"audit.changes.after.accessToken",
+	"audit.changes.after.refreshToken",
+	"audit.changes.after.cardNumber",
+	"audit.changes.after.cvv",
+	"audit.changes.after.ssn",
+	"headers.authorization",
+	"headers.cookie",
+	"headers.set-cookie",
+	"audit.context.headers.authorization",
+	"audit.context.headers.cookie"
+] };
+//#endregion
+export { shouldKeep as C, resolveRedactConfig as E, lockLogger as S, redactEvent as T, getEnvironment as _, auditEnricher as a, isEnabled as b, buildAuditFields as c, signed as d, withAudit as f, createRequestLogger as g, createLogger as h, auditDiff as i, defineAuditAction as l, _log as m, AuditDeniedError as n, auditOnly as o, withAuditMethods as p, audit as r, auditRedactPreset as s, AUDIT_SCHEMA_VERSION as t, mockAudit as u, getGlobalDrain as v, normalizeRedactConfig as w, isLoggerLocked as x, initLogger as y };
+
+//# sourceMappingURL=audit-d9esRZOK.mjs.map