evlog 2.13.0 → 2.14.0

package/dist/{logger-DnobymUQ.mjs → audit-d9esRZOK.mjs}

@@ -23,7 +23,7 @@ const builtinPatterns = {
 		mask: (m) => `***.***.***.${m.split(".").pop()}`
 	},
 	phone: {
-		pattern: /(?:\+\d{1,3}[\s.-]?)?\(?\d{1,4}\)?[\s.-]?\d{2,4}[\s.-]?\d{2,4}[\s.-]?\d{2,4}\b/g,
+		pattern: /(?:\+\d{1,3}[\s.-]?\(?\d{1,4}\)?|\(\d{1,4}\))(?:[\s.-]?\d{2,4}){2,4}\b/g,
 		mask: (m) => {
 			const digits = m.replace(/[^\d]/g, "");
 			if (m.startsWith("+") && digits.length > 4) {
@@ -310,6 +310,7 @@ function emitWideEvent(level, event, deferDrain = false, ownsEvent = false) {
 		...globalEnv,
 		...event
 	};
+	finalizeAudit(formatted);
 	if (globalRedact) redactEvent(formatted, globalRedact);
 	if (!globalSilent) if (globalPretty) prettyPrintWideEvent(formatted);
 	else if (globalStringify) console[getConsoleMethod(level)](JSON.stringify(formatted));
@@ -584,7 +585,8 @@ const noopLogger = {
 	},
 	getContext() {
 		return {};
-	}
+	},
+	audit: Object.assign(() => {}, { deny: () => {} })
 };
 /**
 * Create a scoped logger for building wide events.
@@ -617,7 +619,25 @@ function createLogger(initialContext = {}, internalOptions) {
 			timestamp: isoNow()
 		});
 	}
+	const auditMethod = function audit(input) {
+		if (emitted) {
+			warnPostEmit("log.audit()", `Audit dropped: action=${input.action}.`);
+			return;
+		}
+		const fields = buildAuditFields(input);
+		if (!isPlainObject(context.audit)) context.audit = fields;
+		else mergeInto(context.audit, fields);
+		context._auditForceKeep = true;
+	};
+	auditMethod.deny = function deny(reason, input) {
+		auditMethod({
+			...input,
+			outcome: "denied",
+			reason
+		});
+	};
 	return {
+		audit: auditMethod,
 		set(data) {
 			if (emitted) {
 				const keys = Object.keys(data);
@@ -684,6 +704,7 @@ function createLogger(initialContext = {}, internalOptions) {
 			const level = hasError ? "error" : hasWarn ? "warn" : "info";
 			let forceKeep = false;
 			if (overrides?._forceKeep) forceKeep = true;
+			else if (consumeAuditForceKeep(context)) forceKeep = true;
 			else if (globalSampling.keep?.length) forceKeep = shouldKeep({
 				status: overrides?.status ?? context.status,
 				duration: durationMs,
@@ -736,6 +757,684 @@ function getEnvironment() {
 }
 if (typeof __EVLOG_CONFIG__ !== "undefined") initLogger(__EVLOG_CONFIG__);
 //#endregion
-export { getGlobalDrain as a, isLoggerLocked as c, normalizeRedactConfig as d, redactEvent as f, getEnvironment as i, lockLogger as l, createLogger as n, initLogger as o, resolveRedactConfig as p, createRequestLogger as r, isEnabled as s, _log as t, shouldKeep as u };
+//#region src/audit.ts
+/**
+* Current version of the audit envelope. Bumped when `AuditFields` evolves
+* in a backward-incompatible way so downstream pipelines can branch on it.
+*/
+const AUDIT_SCHEMA_VERSION = 1;
+/**
+* @internal Stable JSON stringification with deterministic key order.
+* Used by `idempotencyKey` and `hash-chain` so the same logical event always
+* produces the same digest, regardless of how object keys were added.
+*/
+function stableStringify(value) {
+	if (value === null || typeof value !== "object") return JSON.stringify(value);
+	if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
+	return `{${Object.keys(value).sort().map((k) => `${JSON.stringify(k)}:${stableStringify(value[k])}`).join(",")}}`;
+}
+/**
+* @internal Sync, isomorphic 32-bit FNV-1a. Used to derive the idempotency
+* key without pulling `node:crypto` into the static import graph (which would
+* break browser / Cloudflare Workers bundles that import `evlog` for types
+* or shared utilities). Idempotency keys are dedup tokens, not security
+* primitives — collision resistance at 128 bits is more than sufficient.
+*/
+function fnv1a32(input, seed) {
+	let h = seed >>> 0;
+	for (let i = 0; i < input.length; i++) {
+		h ^= input.charCodeAt(i) & 255;
+		h = Math.imul(h, 16777619) >>> 0;
+	}
+	return h >>> 0;
+}
+/**
+* @internal Compute the deterministic idempotency key for an audit event.
+* Includes `action`, `actor.{type,id}`, `target.{type,id}`, `outcome`, and
+* `timestamp` rounded to the second so retries within the same second collapse.
+*
+* Uses four interleaved FNV-1a 32-bit hashes (128-bit output, 32 hex chars)
+* so the implementation stays sync and isomorphic across Node, browsers,
+* Bun, Deno, and Cloudflare Workers.
+*/
+function computeIdempotencyKey(audit, timestamp) {
+	const seconds = timestamp.slice(0, 19);
+	const payload = stableStringify({
+		action: audit.action,
+		actor: {
+			type: audit.actor.type,
+			id: audit.actor.id
+		},
+		target: audit.target ? {
+			type: audit.target.type,
+			id: audit.target.id
+		} : void 0,
+		outcome: audit.outcome,
+		timestamp: seconds
+	});
+	const a = fnv1a32(payload, 2166136261).toString(16).padStart(8, "0");
+	const b = fnv1a32(payload, 3735928559).toString(16).padStart(8, "0");
+	const c = fnv1a32(payload, 528734635).toString(16).padStart(8, "0");
+	const d = fnv1a32(payload, 1541459225).toString(16).padStart(8, "0");
+	return a + b + c + d;
+}
+/**
+* Build a normalised {@link AuditFields} from caller input. Defaults:
+* - `outcome` → `'success'`
+* - `version` → {@link AUDIT_SCHEMA_VERSION}
+*
+* `idempotencyKey` is filled at emit time with the event timestamp so retries
+* stay deterministic.
+*/
+function buildAuditFields(input) {
+	return {
+		action: input.action,
+		actor: input.actor,
+		target: input.target,
+		outcome: input.outcome ?? "success",
+		reason: input.reason,
+		changes: input.changes,
+		causationId: input.causationId,
+		correlationId: input.correlationId,
+		version: input.version ?? 1
+	};
+}
+/**
+* @internal Test-collector hook installed by {@link mockAudit}. When set, every
+* audit event flowing through `log.audit()` / `audit()` is also pushed to it.
+*/
+let _testCollector = null;
+/** @internal Emit-time decoration: assign timestamp-based idempotency key. */
+function decorateAudit(audit, timestamp) {
+	if (audit.idempotencyKey) return audit;
+	return {
+		...audit,
+		idempotencyKey: computeIdempotencyKey(audit, timestamp)
+	};
+}
+/**
+* Add audit semantics to an existing {@link RequestLogger}.
+*
+* Mutates the logger in place by adding an `audit` method (with a `.deny()`
+* sub-method). Strictly equivalent to calling `log.set({ audit: ... })` plus
+* `_forceKeep` on emit. Idempotent: calling twice on the same logger only
+* attaches the methods once.
+*
+* @example
+* ```ts
+* const log = withAuditMethods(createLogger())
+* log.audit({
+*   action: 'invoice.refund',
+*   actor: { type: 'user', id: user.id },
+*   target: { type: 'invoice', id: 'inv_889' },
+* })
+* ```
+*/
+function withAuditMethods(logger) {
+	const target = logger;
+	if (target.audit) return target;
+	const audit = function audit(input) {
+		const fields = buildAuditFields(input);
+		target.set({ audit: fields });
+		markForceKeep(target);
+	};
+	audit.deny = function deny(reason, input) {
+		audit({
+			...input,
+			outcome: "denied",
+			reason
+		});
+	};
+	target.audit = audit;
+	return target;
+}
+/**
+* @internal Mark a logger so its next `emit()` is force-kept past tail sampling.
+* Implemented by stamping a hidden flag on the accumulated context which
+* `emit()` reads via `_forceKeep`.
+*/
+function markForceKeep(logger) {
+	const ctx = logger.getContext();
+	ctx._auditForceKeep = true;
+}
+/**
+* Standalone audit emitter for non-request contexts (jobs, scripts, CLIs).
+*
+* Creates a one-shot logger, sets the audit fields, and emits immediately.
+* The event is force-kept past tail sampling. Returns the emitted wide event,
+* or `null` if logging is globally disabled.
+*
+* @example
+* ```ts
+* import { audit } from 'evlog'
+*
+* audit({
+*   action: 'cron.cleanup',
+*   actor: { type: 'system', id: 'cron' },
+*   target: { type: 'job', id: 'cleanup-stale-sessions' },
+*   outcome: 'success',
+* })
+* ```
+*/
+function audit(input) {
+	const fields = buildAuditFields(input);
+	const wide = createLogger({ audit: fields }).emit({ _forceKeep: true });
+	_testCollector?.(fields, wide);
+	return wide;
+}
+/**
+* Wrap a function so its outcome (success / failure / denied) is automatically
+* audited.
+*
+* Behaviour:
+* - If `fn` resolves, an audit event with `outcome: 'success'` is emitted.
+* - If `fn` throws an `EvlogError` (or any error) with `status === 403`, the
+*   audit event is recorded as `'denied'` with the error message as `reason`.
+* - Any other thrown error produces `outcome: 'failure'` and re-throws.
+*
+* Use {@link AuditDeniedError} to signal denial without an HTTP status.
+*
+* @example
+* ```ts
+* const refundInvoice = withAudit(
+*   { action: 'invoice.refund', target: (input) => ({ type: 'invoice', id: input.id }) },
+*   async (input: { id: string }, ctx: { actor: AuditActor }) => {
+*     await db.invoices.refund(input.id)
+*   }
+* )
+*
+* await refundInvoice({ id: 'inv_889' }, { actor: { type: 'user', id: user.id } })
+* ```
+*/
+function withAudit(options, fn) {
+	return async (input, ctx) => {
+		const target = typeof options.target === "function" ? options.target(input) : options.target;
+		try {
+			const result = await fn(input, ctx);
+			audit({
+				action: options.action,
+				actor: ctx.actor,
+				target,
+				outcome: "success",
+				causationId: ctx.causationId,
+				correlationId: ctx.correlationId
+			});
+			return result;
+		} catch (err) {
+			const error = err;
+			const status = error.status ?? error.statusCode;
+			const denied = err instanceof AuditDeniedError || status === 403;
+			audit({
+				action: options.action,
+				actor: ctx.actor,
+				target,
+				outcome: denied ? "denied" : "failure",
+				reason: error.message,
+				causationId: ctx.causationId,
+				correlationId: ctx.correlationId
+			});
+			throw err;
+		}
+	};
+}
+/**
+* Throw inside a {@link withAudit} body to mark the action as `outcome: 'denied'`
+* regardless of the underlying HTTP status. The constructor message becomes the
+* audit `reason`.
+*/
+var AuditDeniedError = class extends Error {
+	constructor(reason) {
+		super(reason);
+		this.name = "AuditDeniedError";
+	}
+};
+/**
+* Compute a compact, redact-aware diff between two objects for the
+* `changes` field. Output is a JSON Patch-style array (RFC 6902 subset:
+* `add`, `remove`, `replace`) — small enough to ship over the wire.
+*
+* Object keys whose name matches one of the `redactPaths` (dot-notation, e.g.
+* `'user.password'`, `'card.cvv'`) are replaced with `'[REDACTED]'` so PII
+* never leaks through the diff.
+*
+* @example
+* ```ts
+* log.audit({
+*   action: 'user.update',
+*   actor: { type: 'user', id: user.id },
+*   target: { type: 'user', id: 'usr_42' },
+*   changes: auditDiff(before, after, { redactPaths: ['password'] }),
+* })
+* ```
+*/
+function auditDiff(before, after, options = {}) {
+	const replacement = options.replacement ?? "[REDACTED]";
+	const redactSet = new Set((options.redactPaths ?? []).map((p) => p));
+	const patch = [];
+	function isRedacted(path) {
+		if (redactSet.size === 0) return false;
+		if (redactSet.has(path)) return true;
+		for (const p of redactSet) if (path.endsWith(`.${p}`)) return true;
+		return false;
+	}
+	function diff(a, b, path) {
+		if (a === b) return;
+		if (a === void 0 && b !== void 0) {
+			patch.push({
+				op: "add",
+				path: path || "/",
+				value: redactValue(b, path)
+			});
+			return;
+		}
+		if (a !== void 0 && b === void 0) {
+			patch.push({
+				op: "remove",
+				path: path || "/"
+			});
+			return;
+		}
+		if (a !== null && b !== null && typeof a === "object" && typeof b === "object" && !Array.isArray(a) && !Array.isArray(b)) {
+			const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
+			for (const key of keys) diff(a[key], b[key], `${path}/${key}`);
+			return;
+		}
+		patch.push({
+			op: "replace",
+			path: path || "/",
+			value: redactValue(b, path)
+		});
+	}
+	function redactValue(value, path) {
+		if (value === null || typeof value !== "object") {
+			const segs = path.split("/").filter(Boolean);
+			const last = segs[segs.length - 1];
+			if (last && isRedacted(last)) return replacement;
+			return value;
+		}
+		if (Array.isArray(value)) return value.map((v, i) => redactValue(v, `${path}/${i}`));
+		const out = {};
+		for (const [k, v] of Object.entries(value)) out[k] = isRedacted(k) ? replacement : redactValue(v, `${path}/${k}`);
+		return out;
+	}
+	diff(before, after, "");
+	const result = { patch };
+	if (options.includeBefore) result.before = redactValue(before, "");
+	if (options.includeAfter) result.after = redactValue(after, "");
+	return result;
+}
+/**
+* Define a typed audit action with an optional fixed target type.
+*
+* Returns a curried helper that fills in the action name (and target shape
+* if provided) so call sites stay terse and the action set is discoverable
+* in one place.
+*
+* @example
+* ```ts
+* const refund = defineAuditAction('invoice.refund', { target: 'invoice' })
+*
+* log.audit(refund({
+*   actor: { type: 'user', id: user.id },
+*   target: { id: 'inv_889' }, // type inferred as 'invoice'
+*   outcome: 'success',
+* }))
+* ```
+*/
+function defineAuditAction(action, options) {
+	const targetType = options?.target;
+	return (input) => {
+		const merged = {
+			...input,
+			action
+		};
+		if (targetType && input.target && !input.target.type) merged.target = {
+			...input.target,
+			type: targetType
+		};
+		return merged;
+	};
+}
+/**
+* Test helper that captures every audit event emitted while it is active.
+*
+* Returns `{ events, restore, expect }`:
+* - `events` — live array of captured `AuditFields`, populated as audits fire.
+* - `restore()` — uninstall the collector. Call from `afterEach()`.
+* - `expect.toIncludeAuditOf(matcher)` — assertion helper used inside `expect`
+*   blocks, returns `true` if at least one captured event matches.
+*
+* Only captures audits going through `log.audit()` and the standalone
+* `audit()` function. Events emitted via raw `log.set({ audit })` skip the
+* collector by design — wrap them with `log.audit()` to make them visible to
+* tests.
+*
+* @example
+* ```ts
+* const captured = mockAudit()
+* await refundInvoice('inv_889')
+* expect(captured.events).toHaveLength(1)
+* expect(captured.toIncludeAuditOf({ action: 'invoice.refund' })).toBe(true)
+* captured.restore()
+* ```
+*/
+function mockAudit() {
+	const events = [];
+	const previous = _testCollector;
+	_testCollector = (event) => {
+		events.push(event);
+	};
+	return {
+		events,
+		restore() {
+			_testCollector = previous;
+		},
+		toIncludeAuditOf(matcher) {
+			return events.some((event) => matchesAudit(event, matcher));
+		}
+	};
+}
+function matchesAudit(event, matcher) {
+	if (matcher.action !== void 0) {
+		if (matcher.action instanceof RegExp) {
+			if (!matcher.action.test(event.action)) return false;
+		} else if (event.action !== matcher.action) return false;
+	}
+	if (matcher.outcome !== void 0 && event.outcome !== matcher.outcome) return false;
+	if (matcher.actor) {
+		for (const [k, v] of Object.entries(matcher.actor)) if (event.actor[k] !== v) return false;
+	}
+	if (matcher.target) {
+		if (!event.target) return false;
+		for (const [k, v] of Object.entries(matcher.target)) if (event.target[k] !== v) return false;
+	}
+	return true;
+}
+/**
+* @internal Hook used by `RequestLogger.emit()` to detect audit-driven
+* force-keep flags on the accumulated context. Returns whether the event was
+* marked by `log.audit()` and clears the flag.
+*/
+function consumeAuditForceKeep(context) {
+	if (context._auditForceKeep) {
+		delete context._auditForceKeep;
+		return true;
+	}
+	if (context.audit) return true;
+	return false;
+}
+/**
+* @internal Decorate the audit field on an event right before drain — fills
+* in the deterministic idempotency key. Called by the logger pipeline so
+* it works for both `log.audit()` and direct `log.set({ audit })` paths.
+*/
+function finalizeAudit(event) {
+	const a = event.audit;
+	if (!a) return;
+	event.audit = decorateAudit(a, String(event.timestamp));
+}
+/**
+* Enrich audit-bearing wide events with request, runtime, and tenant context.
+*
+* Runs only when `event.audit` is present — every other event passes through
+* untouched. Populates:
+* - `event.audit.context.requestId` from `ctx.request.requestId`
+* - `event.audit.context.traceId`   from `event.traceId`
+* - `event.audit.context.ip`        from `x-forwarded-for` / `x-real-ip`
+* - `event.audit.context.userAgent` from `user-agent`
+* - `event.audit.context.tenantId`  from `options.tenantId(ctx)`
+*
+* Optionally fills `event.audit.actor` from the better-auth bridge when the
+* caller did not provide one. Anything else (custom actor strategies,
+* extra context) belongs in a custom enricher — replace this one entirely.
+*/
+function auditEnricher(options = {}) {
+	return async (ctx) => {
+		const event = ctx.event;
+		const a = event.audit;
+		if (!a) return;
+		const context = { ...a.context ?? {} };
+		function setIfMissing(key, value) {
+			if (value === void 0) return;
+			if (options.overwrite || context[key] === void 0) context[key] = value;
+		}
+		setIfMissing("requestId", ctx.request?.requestId);
+		setIfMissing("traceId", typeof event.traceId === "string" ? event.traceId : void 0);
+		setIfMissing("ip", getHeader(ctx.headers, "x-forwarded-for")?.split(",")[0]?.trim() ?? getHeader(ctx.headers, "x-real-ip"));
+		setIfMissing("userAgent", getHeader(ctx.headers, "user-agent"));
+		if (options.tenantId) {
+			const tid = options.tenantId(ctx);
+			if (tid !== void 0) setIfMissing("tenantId", tid);
+		}
+		let { actor } = a;
+		if (!actor && options.bridge) {
+			const fromBridge = await options.bridge.getSession(ctx);
+			if (fromBridge) actor = fromBridge;
+		}
+		event.audit = {
+			...a,
+			context,
+			actor: actor ?? a.actor
+		};
+	};
+}
+function getHeader(headers, name) {
+	if (!headers) return void 0;
+	if (headers[name] !== void 0) return headers[name];
+	const lower = name.toLowerCase();
+	if (headers[lower] !== void 0) return headers[lower];
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lower) return v;
+}
+/**
+* Wrap any drain so it only receives events that carry an `audit` field.
+*
+* Use to route audit events to dedicated storage (separate Axiom dataset,
+* append-only Postgres table, FS journal) without affecting your main drain.
+*
+* Per-sink failure isolation comes from `initLogger({ drain: [...] })`: each
+* drain in the array is invoked independently, so a crashed Axiom call never
+* blocks the FS audit drain.
+*
+* @example
+* ```ts
+* import { initLogger, auditOnly } from 'evlog'
+* import { createAxiomDrain } from 'evlog/axiom'
+* import { createFsDrain } from 'evlog/fs'
+*
+* initLogger({
+*   drain: [
+*     createAxiomDrain({ dataset: 'logs' }),
+*     auditOnly(createFsDrain({ dir: '.audit' }), { await: true }),
+*   ],
+* })
+* ```
+*/
+function auditOnly(drain, options = {}) {
+	return async (ctx) => {
+		if (!ctx.event.audit) return;
+		if (options.await) {
+			await drain(ctx);
+			return;
+		}
+		drain(ctx);
+	};
+}
+/**
+* Wrap a drain so every event passing through gains tamper-evident integrity.
+*
+* - `'hmac'` — adds `event.audit.signature` (HMAC of the canonical event).
+* - `'hash-chain'` — adds `event.audit.prevHash` and `event.audit.hash` so the
+*   sequence of events forms a verifiable chain. State persists in memory
+*   by default; pass a `state: { load, save }` for cross-process / durable
+*   chains (Redis, file, Postgres).
+*
+* The signature is computed before the event is forwarded to the wrapped
+* drain — combine with {@link auditOnly} when you only want integrity for
+* audit events.
+*
+* @example
+* ```ts
+* import { initLogger, auditOnly, signed } from 'evlog'
+* import { createFsDrain } from 'evlog/fs'
+*
+* initLogger({
+*   drain: auditOnly(
+*     signed(createFsDrain({ dir: '.audit' }), { strategy: 'hash-chain' }),
+*     { await: true },
+*   ),
+* })
+* ```
+*/
+function signed(drain, options) {
+	if (options.strategy === "hmac") {
+		const algorithm = options.algorithm ?? "sha256";
+		const { secret } = options;
+		return async (ctx) => {
+			const a = ctx.event.audit;
+			if (a) {
+				const signature = await hmacHex(algorithm, secret, stableStringify(stripIntegrity(ctx.event)));
+				ctx.event.audit = {
+					...a,
+					signature
+				};
+			}
+			await drain(ctx);
+		};
+	}
+	const algorithm = options.algorithm ?? "sha256";
+	const { state } = options;
+	let inMemoryPrev = null;
+	let initialised = !state;
+	let queue = Promise.resolve();
+	return (ctx) => {
+		queue = queue.then(async () => {
+			const a = ctx.event.audit;
+			if (a) {
+				if (!initialised && state) {
+					inMemoryPrev = await state.load() ?? null;
+					initialised = true;
+				}
+				const prevHash = inMemoryPrev ?? void 0;
+				const hash = await digestHex(algorithm, stableStringify({
+					...stripIntegrity(ctx.event),
+					audit: {
+						...stripIntegrity(ctx.event).audit,
+						prevHash
+					}
+				}));
+				ctx.event.audit = {
+					...a,
+					prevHash,
+					hash
+				};
+				inMemoryPrev = hash;
+				await state?.save(hash);
+			}
+			await drain(ctx);
+		}).catch((err) => {
+			console.error("[evlog/audit] signed drain failed:", err);
+		});
+		return queue;
+	};
+}
+/**
+* @internal Resolve the Web Crypto SubtleCrypto interface. Available natively
+* in browsers, Node 19+, Bun, Deno, and Cloudflare Workers. Falls back to
+* Node's `webcrypto` for Node 18 (where `globalThis.crypto` is gated behind
+* a flag). The dynamic import keeps `node:crypto` out of browser bundles.
+*/
+async function getSubtle() {
+	const c = globalThis.crypto;
+	if (c?.subtle) return c.subtle;
+	return (await import(
+		/* @vite-ignore */
+		"node:crypto"
+)).webcrypto.subtle;
+}
+function normalizeAlgo(algorithm) {
+	switch (algorithm.toLowerCase()) {
+		case "sha1":
+		case "sha-1": return "SHA-1";
+		case "sha256":
+		case "sha-256": return "SHA-256";
+		case "sha384":
+		case "sha-384": return "SHA-384";
+		case "sha512":
+		case "sha-512": return "SHA-512";
+		default: return "SHA-256";
+	}
+}
+function bufToHex(buf) {
+	let out = "";
+	for (const byte of new Uint8Array(buf)) out += byte.toString(16).padStart(2, "0");
+	return out;
+}
+async function digestHex(algorithm, data) {
+	return bufToHex(await (await getSubtle()).digest(normalizeAlgo(algorithm), new TextEncoder().encode(data)));
+}
+async function hmacHex(algorithm, secret, data) {
+	const subtle = await getSubtle();
+	const hash = normalizeAlgo(algorithm);
+	const key = await subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash
+	}, false, ["sign"]);
+	return bufToHex(await subtle.sign("HMAC", key, new TextEncoder().encode(data)));
+}
+/** @internal Strip integrity fields before hashing so signatures stay stable. */
+function stripIntegrity(event) {
+	const a = event.audit;
+	if (!a) return event;
+	const { signature, prevHash, hash, ...rest } = a;
+	return {
+		...event,
+		audit: rest
+	};
+}
+/**
+* Strict redact preset for audit events.
+*
+* Combine with the user's existing redact configuration via spread:
+* `initLogger({ redact: { paths: [...auditRedactPreset.paths!, ...mine] } })`.
+*
+* Hardens PII handling:
+* - Drops `Authorization` and `Cookie` headers anywhere they appear.
+* - Drops common credential field names (`password`, `passwordHash`, `token`,
+*   `apiKey`, `secret`, `accessToken`, `refreshToken`, `cardNumber`, `cvv`,
+*   `ssn`).
+*
+* Built-in pattern maskers (email, credit card, …) keep their default
+* behaviour — partial masking, not full redaction — so audit trails retain
+* enough signal to be useful.
+*/
+const auditRedactPreset = { paths: [
+	"audit.changes.before.password",
+	"audit.changes.before.passwordHash",
+	"audit.changes.before.token",
+	"audit.changes.before.apiKey",
+	"audit.changes.before.secret",
+	"audit.changes.before.accessToken",
+	"audit.changes.before.refreshToken",
+	"audit.changes.before.cardNumber",
+	"audit.changes.before.cvv",
+	"audit.changes.before.ssn",
+	"audit.changes.after.password",
+	"audit.changes.after.passwordHash",
+	"audit.changes.after.token",
+	"audit.changes.after.apiKey",
+	"audit.changes.after.secret",
+	"audit.changes.after.accessToken",
+	"audit.changes.after.refreshToken",
+	"audit.changes.after.cardNumber",
+	"audit.changes.after.cvv",
+	"audit.changes.after.ssn",
+	"headers.authorization",
+	"headers.cookie",
+	"headers.set-cookie",
+	"audit.context.headers.authorization",
+	"audit.context.headers.cookie"
+] };
+//#endregion
+export { shouldKeep as C, resolveRedactConfig as E, lockLogger as S, redactEvent as T, getEnvironment as _, auditEnricher as a, isEnabled as b, buildAuditFields as c, signed as d, withAudit as f, createRequestLogger as g, createLogger as h, auditDiff as i, defineAuditAction as l, _log as m, AuditDeniedError as n, auditOnly as o, withAuditMethods as p, audit as r, auditRedactPreset as s, AUDIT_SCHEMA_VERSION as t, mockAudit as u, getGlobalDrain as v, normalizeRedactConfig as w, isLoggerLocked as x, initLogger as y };
 
-//# sourceMappingURL=logger-DnobymUQ.mjs.map
+//# sourceMappingURL=audit-d9esRZOK.mjs.map