guardrail-compliance 1.0.0

package/dist/audit/emitter.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Audit Trail Emitter
+ *
+ * Central audit event emission with tier-gating.
+ * Usage: audit.emit(eventInput) from CLI, MCP, VS Code, etc.
+ */
+import { AuditEvent, AuditEventInput, AuditSurface, AuditActionCategory, AuditResult, AuditTier, AuditEventMetadata } from './events';
+import { AuditStorageAdapter } from './storage';
+interface AuditConfig {
+    enabled: boolean;
+    tier: AuditTier;
+    basePath: string;
+    storageType: 'local' | 'server';
+    serverUrl?: string;
+    serverApiKey?: string;
+    actor?: {
+        id: string;
+        type: 'user' | 'system' | 'ci' | 'api';
+        name?: string;
+        email?: string;
+    };
+}
+/**
+ * Configure the audit system
+ */
+export declare function configureAudit(config: Partial<AuditConfig>): void;
+/**
+ * Get or create storage instance
+ */
+declare function getStorage(): AuditStorageAdapter;
+/**
+ * Check if full audit trail is available (Compliance+ tier)
+ */
+export declare function hasFullAuditAccess(): boolean;
+/**
+ * Emit an audit event
+ */
+export declare function emit(input: AuditEventInput): Promise<AuditEvent | null>;
+/**
+ * Helper to emit with common defaults
+ */
+export declare function emitAction(surface: AuditSurface, action: string, category: AuditActionCategory, target: AuditEvent['target'], result: AuditResult, metadata?: AuditEventMetadata): Promise<AuditEvent | null>;
+export declare function emitScanStart(surface: AuditSurface, projectPath: string, args?: string[]): Promise<AuditEvent | null>;
+export declare function emitScanComplete(surface: AuditSurface, projectPath: string, result: AuditResult, metadata?: {
+    score?: number;
+    grade?: string;
+    issueCount?: number;
+    durationMs?: number;
+}): Promise<AuditEvent | null>;
+export declare function emitShipCheck(surface: AuditSurface, projectPath: string, result: AuditResult, metadata?: {
+    score?: number;
+    grade?: string;
+    canShip?: boolean;
+}): Promise<AuditEvent | null>;
+export declare function emitRealityStart(surface: AuditSurface, url: string, flows?: string[]): Promise<AuditEvent | null>;
+export declare function emitRealityComplete(surface: AuditSurface, url: string, result: AuditResult, metadata?: {
+    durationMs?: number;
+    testsPassed?: number;
+    testsFailed?: number;
+}): Promise<AuditEvent | null>;
+export declare function emitAutopilotAction(surface: AuditSurface, action: 'enable' | 'disable' | 'run' | 'report', projectPath: string, result: AuditResult, metadata?: AuditEventMetadata): Promise<AuditEvent | null>;
+export declare function emitFixPlan(surface: AuditSurface, projectPath: string, result: AuditResult, metadata?: {
+    fixCount?: number;
+    scope?: string;
+}): Promise<AuditEvent | null>;
+export declare function emitFixApply(surface: AuditSurface, projectPath: string, result: AuditResult, metadata?: {
+    fixCount?: number;
+    filesModified?: number;
+}): Promise<AuditEvent | null>;
+export declare function emitGateCheck(surface: AuditSurface, projectPath: string, passed: boolean, metadata?: {
+    policy?: string;
+    score?: number;
+}): Promise<AuditEvent | null>;
+export declare function emitToolInvoke(surface: AuditSurface, toolName: string, args: Record<string, unknown>, result: AuditResult, metadata?: AuditEventMetadata): Promise<AuditEvent | null>;
+export declare function emitAuth(surface: AuditSurface, action: 'login' | 'logout' | 'token_refresh', result: AuditResult, metadata?: {
+    method?: string;
+}): Promise<AuditEvent | null>;
+export declare const audit: {
+    configure: typeof configureAudit;
+    emit: typeof emit;
+    emitAction: typeof emitAction;
+    emitScanStart: typeof emitScanStart;
+    emitScanComplete: typeof emitScanComplete;
+    emitShipCheck: typeof emitShipCheck;
+    emitRealityStart: typeof emitRealityStart;
+    emitRealityComplete: typeof emitRealityComplete;
+    emitAutopilotAction: typeof emitAutopilotAction;
+    emitFixPlan: typeof emitFixPlan;
+    emitFixApply: typeof emitFixApply;
+    emitGateCheck: typeof emitGateCheck;
+    emitToolInvoke: typeof emitToolInvoke;
+    emitAuth: typeof emitAuth;
+    hasFullAccess: typeof hasFullAuditAccess;
+    getStorage: typeof getStorage;
+};
+export default audit;
+//# sourceMappingURL=emitter.d.ts.map

package/dist/audit/emitter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emitter.d.ts","sourceRoot":"","sources":["../../src/audit/emitter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,UAAU,EACV,eAAe,EACf,YAAY,EACZ,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,kBAAkB,EAGnB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,mBAAmB,EAEpB,MAAM,WAAW,CAAC;AAMnB,UAAU,WAAW;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,OAAO,GAAG,QAAQ,CAAC;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE;QACN,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI,GAAG,KAAK,CAAC;QACvC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAWD;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAKjE;AAED;;GAEG;AACH,iBAAS,UAAU,IAAI,mBAAmB,CAUzC;AAaD;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAE5C;AAkCD;;GAEG;AACH,wBAAsB,IAAI,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAiB7E;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,YAAY,EACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,mBAAmB,EAC7B,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,EAC5B,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE,kBAAkB,GAC5B,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAW5B;AAID,wBAAsB,aAAa,CACjC,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,EAAE,GACd,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACtF,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,GAC/D,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,YAAY,EACrB,GAAG,EAAE,MAAM,EACX,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,YAAY,EACrB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7E,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,YAAY,EACrB,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,KAAK,GAAG,QAAQ,EAC/C,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE,kBAAkB,GAC5B,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAgB5B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAC/C,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,YAAY,CAChC,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GACvD,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,OAAO,EACf,QAAQ,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7C,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,YAAY,EACrB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE,kBAAkB,GAC5B,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAS5B;AAED,wBAAsB,QAAQ,CAC5B,OAAO,EAAE,YAAY,EACrB,MAAM,EAAE,OAAO,GAAG,QAAQ,GAAG,eAAe,EAC5C,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAe5B;AAGD,eAAO,MAAM,KAAK;;;;;;;;;;;;;;;;;CAiBjB,CAAC;AAEF,eAAe,KAAK,CAAC"}

package/dist/audit/emitter.js

@@ -0,0 +1,197 @@
+"use strict";
+/**
+ * Audit Trail Emitter
+ *
+ * Central audit event emission with tier-gating.
+ * Usage: audit.emit(eventInput) from CLI, MCP, VS Code, etc.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.audit = void 0;
+exports.configureAudit = configureAudit;
+exports.hasFullAuditAccess = hasFullAuditAccess;
+exports.emit = emit;
+exports.emitAction = emitAction;
+exports.emitScanStart = emitScanStart;
+exports.emitScanComplete = emitScanComplete;
+exports.emitShipCheck = emitShipCheck;
+exports.emitRealityStart = emitRealityStart;
+exports.emitRealityComplete = emitRealityComplete;
+exports.emitAutopilotAction = emitAutopilotAction;
+exports.emitFixPlan = emitFixPlan;
+exports.emitFixApply = emitFixApply;
+exports.emitGateCheck = emitGateCheck;
+exports.emitToolInvoke = emitToolInvoke;
+exports.emitAuth = emitAuth;
+const events_1 = require("./events");
+const storage_1 = require("./storage");
+// Singleton storage instance
+let storageInstance = null;
+const defaultConfig = {
+    enabled: true,
+    tier: 'free',
+    basePath: process.cwd(),
+    storageType: 'local',
+};
+let currentConfig = { ...defaultConfig };
+/**
+ * Configure the audit system
+ */
+function configureAudit(config) {
+    currentConfig = { ...currentConfig, ...config };
+    // Reset storage instance if config changed
+    storageInstance = null;
+}
+/**
+ * Get or create storage instance
+ */
+function getStorage() {
+    if (!storageInstance) {
+        storageInstance = (0, storage_1.createStorageAdapter)({
+            type: currentConfig.storageType,
+            basePath: currentConfig.basePath,
+            apiUrl: currentConfig.serverUrl,
+            apiKey: currentConfig.serverApiKey,
+        });
+    }
+    return storageInstance;
+}
+/**
+ * Check if audit is enabled for the current tier
+ */
+function isAuditEnabled() {
+    if (!currentConfig.enabled)
+        return false;
+    // Minimal logging for free/starter (just basic events, no full trail)
+    // Full audit trail requires compliance+ tier
+    return true; // Always log something, tier controls detail level
+}
+/**
+ * Check if full audit trail is available (Compliance+ tier)
+ */
+function hasFullAuditAccess() {
+    return ['compliance', 'enterprise', 'unlimited'].includes(currentConfig.tier);
+}
+/**
+ * Get current actor from config or environment
+ */
+function getCurrentActor() {
+    if (currentConfig.actor) {
+        return currentConfig.actor;
+    }
+    const env = process.env;
+    // Try to detect from environment
+    const userId = env['GUARDRAIL_USER_ID'] || env['USER'] || 'anonymous';
+    const userName = env['GUARDRAIL_USER_NAME'] || env['USERNAME'];
+    const userEmail = env['GUARDRAIL_USER_EMAIL'];
+    // Detect CI environment
+    if (env['CI'] || env['GITHUB_ACTIONS'] || env['GITLAB_CI']) {
+        return {
+            id: env['GITHUB_ACTOR'] || env['GITLAB_USER_LOGIN'] || 'ci-system',
+            type: 'ci',
+            name: env['GITHUB_ACTOR'] || env['GITLAB_USER_NAME'],
+        };
+    }
+    return {
+        id: userId,
+        type: 'user',
+        name: userName,
+        email: userEmail,
+    };
+}
+/**
+ * Emit an audit event
+ */
+async function emit(input) {
+    if (!isAuditEnabled()) {
+        return null;
+    }
+    const storage = getStorage();
+    const prevHash = await storage.getLastHash();
+    // Override tier with current config tier (for proper redaction)
+    const event = (0, events_1.createAuditEvent)({
+        ...input,
+        tier: currentConfig.tier,
+    }, prevHash);
+    await storage.append(event);
+    return event;
+}
+/**
+ * Helper to emit with common defaults
+ */
+async function emitAction(surface, action, category, target, result, metadata) {
+    return emit({
+        actor: getCurrentActor(),
+        surface,
+        action,
+        category,
+        target,
+        tier: currentConfig.tier,
+        result,
+        metadata,
+    });
+}
+// Convenience methods for common CLI actions
+async function emitScanStart(surface, projectPath, args) {
+    return emitAction(surface, events_1.AuditActions.SCAN_START, 'scan', { type: 'project', path: projectPath }, 'success', { command: 'scan', args, projectPath });
+}
+async function emitScanComplete(surface, projectPath, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.SCAN_COMPLETE, 'scan', { type: 'project', path: projectPath }, result, { command: 'scan', projectPath, ...metadata });
+}
+async function emitShipCheck(surface, projectPath, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.SHIP_CHECK, 'ship', { type: 'project', path: projectPath }, result, { command: 'ship', projectPath, custom: metadata });
+}
+async function emitRealityStart(surface, url, flows) {
+    return emitAction(surface, events_1.AuditActions.REALITY_START, 'reality', { type: 'url', path: url }, 'success', { command: 'reality', custom: { url, flows } });
+}
+async function emitRealityComplete(surface, url, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.REALITY_COMPLETE, 'reality', { type: 'url', path: url }, result, { command: 'reality', ...metadata });
+}
+async function emitAutopilotAction(surface, action, projectPath, result, metadata) {
+    const actionMap = {
+        enable: events_1.AuditActions.AUTOPILOT_ENABLE,
+        disable: events_1.AuditActions.AUTOPILOT_DISABLE,
+        run: events_1.AuditActions.AUTOPILOT_RUN,
+        report: events_1.AuditActions.AUTOPILOT_REPORT,
+    };
+    return emitAction(surface, actionMap[action], 'autopilot', { type: 'project', path: projectPath }, result, { command: 'autopilot', projectPath, ...metadata });
+}
+async function emitFixPlan(surface, projectPath, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.FIX_PLAN, 'fix', { type: 'project', path: projectPath }, result, { command: 'fix', projectPath, ...metadata });
+}
+async function emitFixApply(surface, projectPath, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.FIX_APPLY, 'fix', { type: 'project', path: projectPath }, result, { command: 'fix', projectPath, ...metadata });
+}
+async function emitGateCheck(surface, projectPath, passed, metadata) {
+    return emitAction(surface, passed ? events_1.AuditActions.GATE_PASS : events_1.AuditActions.GATE_FAIL, 'gate', { type: 'project', path: projectPath }, passed ? 'success' : 'failure', { command: 'gate', projectPath, ...metadata });
+}
+async function emitToolInvoke(surface, toolName, args, result, metadata) {
+    return emitAction(surface, events_1.AuditActions.TOOL_INVOKE, 'tool', { type: 'tool', name: toolName }, result, { command: toolName, custom: { args }, ...metadata });
+}
+async function emitAuth(surface, action, result, metadata) {
+    const actionMap = {
+        login: events_1.AuditActions.AUTH_LOGIN,
+        logout: events_1.AuditActions.AUTH_LOGOUT,
+        token_refresh: events_1.AuditActions.AUTH_TOKEN_REFRESH,
+    };
+    return emitAction(surface, actionMap[action], 'auth', { type: 'auth' }, result, metadata);
+}
+// Export the audit object for convenient usage
+exports.audit = {
+    configure: configureAudit,
+    emit,
+    emitAction,
+    emitScanStart,
+    emitScanComplete,
+    emitShipCheck,
+    emitRealityStart,
+    emitRealityComplete,
+    emitAutopilotAction,
+    emitFixPlan,
+    emitFixApply,
+    emitGateCheck,
+    emitToolInvoke,
+    emitAuth,
+    hasFullAccess: hasFullAuditAccess,
+    getStorage,
+};
+exports.default = exports.audit;

package/dist/audit/events.d.ts

@@ -0,0 +1,304 @@
+/**
+ * Audit Trail Event Schema
+ *
+ * Comprehensive audit logging for Compliance+ tier.
+ * All events are hash-chained for tamper evidence.
+ */
+import { z } from 'zod';
+export type AuditSurface = 'cli' | 'vscode' | 'mcp' | 'web' | 'api' | 'ci';
+export type AuditActionCategory = 'scan' | 'ship' | 'reality' | 'autopilot' | 'fix' | 'gate' | 'auth' | 'config' | 'export' | 'ai' | 'tool' | 'system';
+export type AuditResult = 'success' | 'failure' | 'partial' | 'skipped' | 'error';
+export type AuditTier = 'free' | 'starter' | 'pro' | 'compliance' | 'enterprise' | 'unlimited';
+export declare const AuditEventMetadataSchema: z.ZodObject<{
+    command: z.ZodOptional<z.ZodString>;
+    args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    score: z.ZodOptional<z.ZodNumber>;
+    grade: z.ZodOptional<z.ZodString>;
+    issueCount: z.ZodOptional<z.ZodNumber>;
+    fixCount: z.ZodOptional<z.ZodNumber>;
+    projectPath: z.ZodOptional<z.ZodString>;
+    gitBranch: z.ZodOptional<z.ZodString>;
+    gitCommit: z.ZodOptional<z.ZodString>;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    errorCode: z.ZodOptional<z.ZodString>;
+    errorMessage: z.ZodOptional<z.ZodString>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    command: z.ZodOptional<z.ZodString>;
+    args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    score: z.ZodOptional<z.ZodNumber>;
+    grade: z.ZodOptional<z.ZodString>;
+    issueCount: z.ZodOptional<z.ZodNumber>;
+    fixCount: z.ZodOptional<z.ZodNumber>;
+    projectPath: z.ZodOptional<z.ZodString>;
+    gitBranch: z.ZodOptional<z.ZodString>;
+    gitCommit: z.ZodOptional<z.ZodString>;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    errorCode: z.ZodOptional<z.ZodString>;
+    errorMessage: z.ZodOptional<z.ZodString>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    command: z.ZodOptional<z.ZodString>;
+    args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    score: z.ZodOptional<z.ZodNumber>;
+    grade: z.ZodOptional<z.ZodString>;
+    issueCount: z.ZodOptional<z.ZodNumber>;
+    fixCount: z.ZodOptional<z.ZodNumber>;
+    projectPath: z.ZodOptional<z.ZodString>;
+    gitBranch: z.ZodOptional<z.ZodString>;
+    gitCommit: z.ZodOptional<z.ZodString>;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    errorCode: z.ZodOptional<z.ZodString>;
+    errorMessage: z.ZodOptional<z.ZodString>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.ZodTypeAny, "passthrough">>;
+export type AuditEventMetadata = z.infer<typeof AuditEventMetadataSchema>;
+export declare const AuditEventSchema: z.ZodObject<{
+    id: z.ZodString;
+    timestamp: z.ZodString;
+    actor: z.ZodObject<{
+        id: z.ZodString;
+        type: z.ZodEnum<["user", "system", "ci", "api"]>;
+        name: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        ip: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "api" | "system" | "user" | "ci";
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        ip?: string | undefined;
+    }, {
+        type: "api" | "system" | "user" | "ci";
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        ip?: string | undefined;
+    }>;
+    surface: z.ZodEnum<["cli", "vscode", "mcp", "web", "api", "ci"]>;
+    action: z.ZodString;
+    category: z.ZodEnum<["scan", "ship", "reality", "autopilot", "fix", "gate", "auth", "config", "export", "ai", "tool", "system"]>;
+    target: z.ZodObject<{
+        type: z.ZodString;
+        id: z.ZodOptional<z.ZodString>;
+        path: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        name?: string | undefined;
+        id?: string | undefined;
+        path?: string | undefined;
+    }, {
+        type: string;
+        name?: string | undefined;
+        id?: string | undefined;
+        path?: string | undefined;
+    }>;
+    tier: z.ZodEnum<["free", "starter", "pro", "compliance", "enterprise", "unlimited"]>;
+    result: z.ZodEnum<["success", "failure", "partial", "skipped", "error"]>;
+    metadata: z.ZodOptional<z.ZodObject<{
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        score: z.ZodOptional<z.ZodNumber>;
+        grade: z.ZodOptional<z.ZodString>;
+        issueCount: z.ZodOptional<z.ZodNumber>;
+        fixCount: z.ZodOptional<z.ZodNumber>;
+        projectPath: z.ZodOptional<z.ZodString>;
+        gitBranch: z.ZodOptional<z.ZodString>;
+        gitCommit: z.ZodOptional<z.ZodString>;
+        durationMs: z.ZodOptional<z.ZodNumber>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        errorMessage: z.ZodOptional<z.ZodString>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        score: z.ZodOptional<z.ZodNumber>;
+        grade: z.ZodOptional<z.ZodString>;
+        issueCount: z.ZodOptional<z.ZodNumber>;
+        fixCount: z.ZodOptional<z.ZodNumber>;
+        projectPath: z.ZodOptional<z.ZodString>;
+        gitBranch: z.ZodOptional<z.ZodString>;
+        gitCommit: z.ZodOptional<z.ZodString>;
+        durationMs: z.ZodOptional<z.ZodNumber>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        errorMessage: z.ZodOptional<z.ZodString>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        score: z.ZodOptional<z.ZodNumber>;
+        grade: z.ZodOptional<z.ZodString>;
+        issueCount: z.ZodOptional<z.ZodNumber>;
+        fixCount: z.ZodOptional<z.ZodNumber>;
+        projectPath: z.ZodOptional<z.ZodString>;
+        gitBranch: z.ZodOptional<z.ZodString>;
+        gitCommit: z.ZodOptional<z.ZodString>;
+        durationMs: z.ZodOptional<z.ZodNumber>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        errorMessage: z.ZodOptional<z.ZodString>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.ZodTypeAny, "passthrough">>>;
+    hash: z.ZodString;
+    prevHash: z.ZodString;
+    version: z.ZodLiteral<1>;
+}, "strip", z.ZodTypeAny, {
+    timestamp: string;
+    id: string;
+    hash: string;
+    version: 1;
+    actor: {
+        type: "api" | "system" | "user" | "ci";
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        ip?: string | undefined;
+    };
+    surface: "api" | "ci" | "cli" | "vscode" | "mcp" | "web";
+    action: string;
+    category: "config" | "system" | "auth" | "scan" | "ship" | "reality" | "autopilot" | "fix" | "gate" | "export" | "ai" | "tool";
+    target: {
+        type: string;
+        name?: string | undefined;
+        id?: string | undefined;
+        path?: string | undefined;
+    };
+    tier: "compliance" | "free" | "starter" | "pro" | "enterprise" | "unlimited";
+    result: "partial" | "error" | "success" | "failure" | "skipped";
+    prevHash: string;
+    metadata?: z.objectOutputType<{
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        score: z.ZodOptional<z.ZodNumber>;
+        grade: z.ZodOptional<z.ZodString>;
+        issueCount: z.ZodOptional<z.ZodNumber>;
+        fixCount: z.ZodOptional<z.ZodNumber>;
+        projectPath: z.ZodOptional<z.ZodString>;
+        gitBranch: z.ZodOptional<z.ZodString>;
+        gitCommit: z.ZodOptional<z.ZodString>;
+        durationMs: z.ZodOptional<z.ZodNumber>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        errorMessage: z.ZodOptional<z.ZodString>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.ZodTypeAny, "passthrough"> | undefined;
+}, {
+    timestamp: string;
+    id: string;
+    hash: string;
+    version: 1;
+    actor: {
+        type: "api" | "system" | "user" | "ci";
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        ip?: string | undefined;
+    };
+    surface: "api" | "ci" | "cli" | "vscode" | "mcp" | "web";
+    action: string;
+    category: "config" | "system" | "auth" | "scan" | "ship" | "reality" | "autopilot" | "fix" | "gate" | "export" | "ai" | "tool";
+    target: {
+        type: string;
+        name?: string | undefined;
+        id?: string | undefined;
+        path?: string | undefined;
+    };
+    tier: "compliance" | "free" | "starter" | "pro" | "enterprise" | "unlimited";
+    result: "partial" | "error" | "success" | "failure" | "skipped";
+    prevHash: string;
+    metadata?: z.objectInputType<{
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        flags: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        score: z.ZodOptional<z.ZodNumber>;
+        grade: z.ZodOptional<z.ZodString>;
+        issueCount: z.ZodOptional<z.ZodNumber>;
+        fixCount: z.ZodOptional<z.ZodNumber>;
+        projectPath: z.ZodOptional<z.ZodString>;
+        gitBranch: z.ZodOptional<z.ZodString>;
+        gitCommit: z.ZodOptional<z.ZodString>;
+        durationMs: z.ZodOptional<z.ZodNumber>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        errorMessage: z.ZodOptional<z.ZodString>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.ZodTypeAny, "passthrough"> | undefined;
+}>;
+export type AuditEvent = z.infer<typeof AuditEventSchema>;
+export interface AuditEventInput {
+    actor: AuditEvent['actor'];
+    surface: AuditSurface;
+    action: string;
+    category: AuditActionCategory;
+    target: AuditEvent['target'];
+    tier: AuditTier;
+    result: AuditResult;
+    metadata?: AuditEventMetadata;
+}
+/**
+ * Redact sensitive information from a string
+ */
+export declare function redactSensitive(input: string): string;
+/**
+ * Redact metadata based on tier
+ * - Compliance+: Full metadata
+ * - Pro: Limited metadata (no prompt bodies)
+ * - Free/Starter: Minimal (action + result only)
+ */
+export declare function redactMetadataForTier(metadata: AuditEventMetadata | undefined, tier: AuditTier): AuditEventMetadata | undefined;
+/**
+ * Compute SHA-256 hash of event for chain integrity
+ */
+export declare function computeEventHash(event: Omit<AuditEvent, 'hash'>): string;
+/**
+ * Verify hash chain integrity
+ */
+export declare function verifyEventHash(event: AuditEvent): boolean;
+/**
+ * Create a new audit event with proper hash chaining
+ */
+export declare function createAuditEvent(input: AuditEventInput, prevHash?: string): AuditEvent;
+export declare const AuditActions: {
+    readonly SCAN_START: "scan.start";
+    readonly SCAN_COMPLETE: "scan.complete";
+    readonly SCAN_ERROR: "scan.error";
+    readonly SHIP_CHECK: "ship.check";
+    readonly SHIP_APPROVE: "ship.approve";
+    readonly SHIP_REJECT: "ship.reject";
+    readonly REALITY_START: "reality.start";
+    readonly REALITY_COMPLETE: "reality.complete";
+    readonly REALITY_ERROR: "reality.error";
+    readonly AUTOPILOT_ENABLE: "autopilot.enable";
+    readonly AUTOPILOT_DISABLE: "autopilot.disable";
+    readonly AUTOPILOT_RUN: "autopilot.run";
+    readonly AUTOPILOT_REPORT: "autopilot.report";
+    readonly FIX_PLAN: "fix.plan";
+    readonly FIX_APPLY: "fix.apply";
+    readonly FIX_REVERT: "fix.revert";
+    readonly GATE_CHECK: "gate.check";
+    readonly GATE_PASS: "gate.pass";
+    readonly GATE_FAIL: "gate.fail";
+    readonly AUTH_LOGIN: "auth.login";
+    readonly AUTH_LOGOUT: "auth.logout";
+    readonly AUTH_TOKEN_REFRESH: "auth.token_refresh";
+    readonly CONFIG_UPDATE: "config.update";
+    readonly CONFIG_RESET: "config.reset";
+    readonly EXPORT_REPORT: "export.report";
+    readonly EXPORT_AUDIT: "export.audit";
+    readonly AI_VALIDATE: "ai.validate";
+    readonly AI_SUGGEST: "ai.suggest";
+    readonly AI_CHECKPOINT: "ai.checkpoint";
+    readonly TOOL_INVOKE: "tool.invoke";
+    readonly TOOL_COMPLETE: "tool.complete";
+    readonly TOOL_ERROR: "tool.error";
+    readonly SYSTEM_INIT: "system.init";
+    readonly SYSTEM_UPGRADE: "system.upgrade";
+    readonly SYSTEM_ERROR: "system.error";
+};
+export type AuditActionType = typeof AuditActions[keyof typeof AuditActions];
+//# sourceMappingURL=events.d.ts.map

package/dist/audit/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/audit/events.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC;AAG3E,MAAM,MAAM,mBAAmB,GAC3B,MAAM,GACN,MAAM,GACN,SAAS,GACT,WAAW,GACX,KAAK,GACL,MAAM,GACN,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,IAAI,GACJ,MAAM,GACN,QAAQ,CAAC;AAGb,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAGlF,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,GAAG,YAAY,GAAG,WAAW,CAAC;AAG/F,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA0BrB,CAAC;AAEjB,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA0C3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAG1D,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,WAAW,CAAC;IACpB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AAgBD;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAgBrD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,kBAAkB,GAAG,SAAS,EACxC,IAAI,EAAE,SAAS,GACd,kBAAkB,GAAG,SAAS,CA2BhC;AA2BD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,GAAG,MAAM,CAiBxE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAI1D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,eAAe,EACtB,QAAQ,GAAE,MAAuB,GAChC,UAAU,CA4BZ;AAGD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2Df,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,OAAO,YAAY,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC"}