sandstream-kit 1.0.0

package/dist/audit-logging-service.js

@@ -0,0 +1,367 @@
+import { randomUUID } from "node:crypto";
+const auditEntries = new Map();
+const userActivity = new Map();
+const changeHistory = new Map();
+const complianceReports = new Map();
+const auditLogs = new Map();
+const dataExports = new Map();
+const sessionAudits = new Map();
+/**
+ * Record audit entry
+ */
+export function recordAuditEntry(action, resource, resource_id, actor_id, actor_name, status = "success", details = {}, severity = "low", team_id, actor_ip) {
+    const entry = {
+        id: `audit_${randomUUID()}`,
+        action,
+        resource,
+        resource_id,
+        actor_id,
+        actor_name,
+        actor_ip,
+        team_id,
+        status,
+        details,
+        severity,
+        timestamp: new Date().toISOString(),
+        created_at: new Date().toISOString(),
+    };
+    auditEntries.set(entry.id, entry);
+    // Update user activity
+    updateUserActivity(actor_id, actor_name, team_id);
+    // Create audit log entry
+    const log = {
+        id: `log_${randomUUID()}`,
+        team_id,
+        action,
+        resource,
+        resource_id,
+        actor_id,
+        actor_name,
+        status,
+        severity,
+        details,
+        timestamp: entry.timestamp,
+        created_at: entry.created_at,
+    };
+    auditLogs.set(log.id, log);
+    return { entry };
+}
+/**
+ * Record change history
+ */
+export function recordChangeHistory(resource_id, resource_type, change_type, current_state, changed_by, changed_by_name, previous_state, reason, team_id) {
+    const history = {
+        id: `hist_${randomUUID()}`,
+        resource_id,
+        resource_type,
+        team_id,
+        change_type,
+        current_state,
+        previous_state,
+        changed_by,
+        changed_by_name,
+        reason,
+        timestamp: new Date().toISOString(),
+        created_at: new Date().toISOString(),
+    };
+    changeHistory.set(history.id, history);
+    return { history };
+}
+/**
+ * Query audit entries
+ */
+export function queryAuditEntries(query) {
+    let results = Array.from(auditEntries.values());
+    if (query.team_id) {
+        results = results.filter((e) => e.team_id === query.team_id);
+    }
+    if (query.actor_id) {
+        results = results.filter((e) => e.actor_id === query.actor_id);
+    }
+    if (query.resource) {
+        results = results.filter((e) => e.resource === query.resource);
+    }
+    if (query.action) {
+        results = results.filter((e) => e.action === query.action);
+    }
+    if (query.status) {
+        results = results.filter((e) => e.status === query.status);
+    }
+    if (query.severity) {
+        results = results.filter((e) => e.severity === query.severity);
+    }
+    if (query.start_date) {
+        const startDate = new Date(query.start_date);
+        results = results.filter((e) => new Date(e.timestamp) >= startDate);
+    }
+    if (query.end_date) {
+        const endDate = new Date(query.end_date);
+        results = results.filter((e) => new Date(e.timestamp) <= endDate);
+    }
+    // Sort by timestamp descending
+    results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    const limit = query.limit || 100;
+    const offset = query.offset || 0;
+    const total = results.length;
+    return { entries: results.slice(offset, offset + limit), total };
+}
+/**
+ * Get user activity
+ */
+export function getUserActivity(user_id) {
+    const activity = userActivity.get(user_id);
+    return {
+        activity: activity || null,
+        error: activity ? undefined : "User activity not found",
+    };
+}
+/**
+ * List user activities
+ */
+export function listUserActivities(team_id, limit = 50, offset = 0) {
+    let all = Array.from(userActivity.values());
+    if (team_id) {
+        all = all.filter((a) => a.team_id === team_id);
+    }
+    all.sort((a, b) => new Date(b.updated_at).getTime() - new Date(a.updated_at).getTime());
+    const total = all.length;
+    return { activities: all.slice(offset, offset + limit), total };
+}
+/**
+ * Get change history for resource
+ */
+export function getChangeHistory(resource_id, limit = 50, offset = 0) {
+    let all = Array.from(changeHistory.values()).filter((h) => h.resource_id === resource_id);
+    all.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    const total = all.length;
+    return { history: all.slice(offset, offset + limit), total };
+}
+/**
+ * Generate compliance report
+ */
+export function generateComplianceReport(standard, period_start, period_end, generated_by, team_id) {
+    const startDate = new Date(period_start);
+    const endDate = new Date(period_end);
+    const entries = Array.from(auditEntries.values()).filter((e) => {
+        const timestamp = new Date(e.timestamp);
+        const teamMatch = !team_id || e.team_id === team_id;
+        const dateMatch = timestamp >= startDate && timestamp <= endDate;
+        return teamMatch && dateMatch;
+    });
+    const issues = [];
+    // Identify compliance issues
+    const failedOps = entries.filter((e) => e.status === "failure");
+    failedOps.forEach((e) => {
+        if (failedOps.length > 10) {
+            // Threshold for concern
+            issues.push({
+                id: `issue_${randomUUID()}`,
+                severity: "medium",
+                type: "high_failure_rate",
+                description: `High rate of failed operations detected (${failedOps.length} in period)`,
+                timestamp: new Date().toISOString(),
+            });
+        }
+    });
+    const criticalEvents = entries.filter((e) => e.severity === "critical");
+    if (criticalEvents.length > 0) {
+        criticalEvents.forEach((e) => {
+            issues.push({
+                id: `issue_${randomUUID()}`,
+                severity: "critical",
+                type: "critical_event",
+                description: `Critical event: ${e.action} on ${e.resource}`,
+                resource_id: e.resource_id,
+                resource_type: e.resource,
+                actor_id: e.actor_id,
+                timestamp: e.timestamp,
+            });
+        });
+    }
+    // Calculate compliance score
+    let score = 100;
+    score -= failedOps.length * 2;
+    score -= criticalEvents.length * 10;
+    score = Math.max(0, Math.min(100, score));
+    const report = {
+        id: `report_${randomUUID()}`,
+        standard,
+        period_start,
+        period_end,
+        team_id,
+        total_audit_entries: entries.length,
+        security_events: entries.filter((e) => e.severity === "critical" || e.severity === "high")
+            .length,
+        failed_operations: failedOps.length,
+        data_access_events: entries.filter((e) => e.action === "read" ||
+            e.action === "export" ||
+            e.action === "import").length,
+        deletion_events: entries.filter((e) => e.action === "delete").length,
+        role_changes: entries.filter((e) => e.resource === "role" && e.action === "update").length,
+        permission_changes: entries.filter((e) => e.resource === "permission").length,
+        compliance_score: score,
+        issues,
+        generated_at: new Date().toISOString(),
+        generated_by,
+        created_at: new Date().toISOString(),
+    };
+    complianceReports.set(report.id, report);
+    return { report };
+}
+/**
+ * List compliance reports
+ */
+export function listComplianceReports(team_id, limit = 50, offset = 0) {
+    let all = Array.from(complianceReports.values());
+    if (team_id) {
+        all = all.filter((r) => r.team_id === team_id);
+    }
+    all.sort((a, b) => new Date(b.created_at).getTime() - new Date(a.created_at).getTime());
+    const total = all.length;
+    return { reports: all.slice(offset, offset + limit), total };
+}
+/**
+ * Request data export for compliance
+ */
+export function requestDataExport(user_id, format, data_types, team_id, start_date, end_date) {
+    const request = {
+        id: `export_${randomUUID()}`,
+        user_id,
+        team_id,
+        export_type: "filtered",
+        data_types,
+        start_date,
+        end_date,
+        format,
+        status: "pending",
+        requested_at: new Date().toISOString(),
+        created_at: new Date().toISOString(),
+    };
+    dataExports.set(request.id, request);
+    // Simulate processing (in real system would be async)
+    setTimeout(() => {
+        const exp = dataExports.get(request.id);
+        if (exp) {
+            exp.status = "completed";
+            exp.download_url = `https://api.example.com/exports/${request.id}`;
+            const expiresAt = new Date();
+            expiresAt.setDate(expiresAt.getDate() + 7);
+            exp.expires_at = expiresAt.toISOString();
+            exp.completed_at = new Date().toISOString();
+        }
+    }, 1000);
+    return { request };
+}
+/**
+ * Get data export status
+ */
+export function getDataExportStatus(export_id) {
+    const request = dataExports.get(export_id);
+    return {
+        request: request || null,
+        error: request ? undefined : "Export request not found",
+    };
+}
+/**
+ * Record session audit
+ */
+export function recordSessionAudit(user_id, session_id, ip_address, user_agent) {
+    const session = {
+        id: `session_${randomUUID()}`,
+        user_id,
+        session_id,
+        ip_address,
+        user_agent,
+        login_time: new Date().toISOString(),
+        actions_count: 0,
+        last_activity_at: new Date().toISOString(),
+        is_active: true,
+        created_at: new Date().toISOString(),
+    };
+    sessionAudits.set(session.id, session);
+    return { session };
+}
+/**
+ * End session audit
+ */
+export function endSessionAudit(session_id) {
+    const session = Array.from(sessionAudits.values()).find((s) => s.session_id === session_id);
+    if (!session) {
+        return { success: false, error: "Session not found" };
+    }
+    session.is_active = false;
+    session.logout_time = new Date().toISOString();
+    session.duration_minutes = Math.round((new Date(session.logout_time).getTime() - new Date(session.login_time).getTime()) /
+        60000);
+    return { success: true };
+}
+/**
+ * Get audit metrics
+ */
+export function getAuditMetrics(team_id) {
+    const now = new Date();
+    const last24h = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+    const last7d = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+    const last30d = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
+    let entries = Array.from(auditEntries.values());
+    if (team_id) {
+        entries = entries.filter((e) => e.team_id === team_id);
+    }
+    const entries24h = entries.filter((e) => new Date(e.timestamp) >= last24h).length;
+    const entries7d = entries.filter((e) => new Date(e.timestamp) >= last7d).length;
+    const entries30d = entries.filter((e) => new Date(e.timestamp) >= last30d).length;
+    const uniqueUsers = new Set(entries.map((e) => e.actor_id)).size;
+    const uniqueResources = new Set(entries.map((e) => e.resource_id)).size;
+    const failedOps = entries.filter((e) => e.status === "failure").length;
+    const criticalEvents = entries.filter((e) => e.severity === "critical").length;
+    const actionCounts = {};
+    const resourceCounts = {};
+    entries.forEach((e) => {
+        actionCounts[e.action] = (actionCounts[e.action] || 0) + 1;
+        resourceCounts[e.resource] = (resourceCounts[e.resource] || 0) + 1;
+    });
+    const mostCommonAction = Object.entries(actionCounts).sort((a, b) => b[1] - a[1])[0]?.[0] || "none";
+    const mostAccessedResource = Object.entries(resourceCounts).sort((a, b) => b[1] - a[1])[0]?.[0] || "none";
+    return {
+        total_entries: entries.length,
+        entries_last_24h: entries24h,
+        entries_last_7d: entries7d,
+        entries_last_30d: entries30d,
+        unique_users: uniqueUsers,
+        unique_resources: uniqueResources,
+        failed_operations_count: failedOps,
+        critical_events_count: criticalEvents,
+        average_actions_per_user: uniqueUsers > 0 ? Math.round(entries.length / uniqueUsers) : 0,
+        most_common_action: mostCommonAction,
+        most_accessed_resource: mostAccessedResource,
+    };
+}
+/**
+ * Update user activity (internal)
+ */
+function updateUserActivity(user_id, user_name, team_id) {
+    const existing = userActivity.get(user_id);
+    if (existing) {
+        existing.action_count += 1;
+        existing.last_action_at = new Date().toISOString();
+        existing.updated_at = new Date().toISOString();
+    }
+    else {
+        const activity = {
+            id: `activity_${randomUUID()}`,
+            user_id,
+            user_name,
+            team_id,
+            action_count: 1,
+            first_action_at: new Date().toISOString(),
+            last_action_at: new Date().toISOString(),
+            login_count: 0,
+            unique_resources_accessed: 1,
+            is_active: true,
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+        };
+        userActivity.set(user_id, activity);
+    }
+}
+//# sourceMappingURL=audit-logging-service.js.map

package/dist/audit-logging-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logging-service.js","sourceRoot":"","sources":["../src/audit-logging-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkBzC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;AACnD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAwB,CAAC;AACrD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAyB,CAAC;AACvD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAC9D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;AAC9C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA6B,CAAC;AACzD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEtD;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAmB,EACnB,QAAuB,EACvB,WAAmB,EACnB,QAAgB,EAChB,UAAkB,EAClB,SAAgC,SAAS,EACzC,UAAmC,EAAE,EACrC,WAA0B,KAAK,EAC/B,OAAgB,EAChB,QAAiB;IAEjB,MAAM,KAAK,GAAe;QACxB,EAAE,EAAE,SAAS,UAAU,EAAE,EAAE;QAC3B,MAAM;QACN,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,UAAU;QACV,QAAQ;QACR,OAAO;QACP,MAAM;QACN,OAAO;QACP,QAAQ;QACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAElC,uBAAuB;IACvB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAElD,yBAAyB;IACzB,MAAM,GAAG,GAAa;QACpB,EAAE,EAAE,OAAO,UAAU,EAAE,EAAE;QACzB,OAAO;QACP,MAAM;QACN,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,UAAU;QACV,MAAM;QACN,QAAQ;QACR,OAAO;QACP,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;KAC7B,CAAC;IAEF,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAE3B,OAAO,EAAE,KAAK,EAAE,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,WAAmB,EACnB,aAA4B,EAC5B,WAA8C,EAC9C,aAAsC,EACtC,UAAkB,EAClB,eAAuB,EACvB,cAAwC,EACxC,MAAe,EACf,OAAgB;IAEhB,MAAM,OAAO,GAAkB;QAC7B,EAAE,EAAE,QAAQ,UAAU,EAAE,EAAE;QAC1B,WAAW;QACX,aAAa;QACb,OAAO;QACP,WAAW;QACX,aAAa;QACb,cAAc;QACd,UAAU;QACV,eAAe;QACf,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAiB;IAEjB,IAAI,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAEhD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7C,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,CAAC;IACtE,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACzC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,CAAC;IACpE,CAAC;IAED,+BAA+B;IAC/B,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CACpE,CAAC;IAEF,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,GAAG,CAAC;IACjC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;IACjC,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;IAE7B,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3C,OAAO;QACL,QAAQ,EAAE,QAAQ,IAAI,IAAI;QAC1B,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,yBAAyB;KACxD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAgB,EAChB,QAAgB,EAAE,EAClB,SAAiB,CAAC;IAElB,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAE5C,IAAI,OAAO,EAAE,CAAC;QACZ,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACjD,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAExF,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;IACzB,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AAClE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,QAAgB,EAAE,EAClB,SAAiB,CAAC;IAElB,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC;IAE1F,GAAG,CAAC,IAAI,CACN,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CACpE,CAAC;IAEF,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;IACzB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAA4B,EAC5B,YAAoB,EACpB,UAAkB,EAClB,YAAoB,EACpB,OAAgB;IAEhB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC7D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC;QACpD,MAAM,SAAS,GAAG,SAAS,IAAI,SAAS,IAAI,SAAS,IAAI,OAAO,CAAC;QACjE,OAAO,SAAS,IAAI,SAAS,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAsB,EAAE,CAAC;IAErC,6BAA6B;IAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAChE,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;QACtB,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC1B,wBAAwB;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,SAAS,UAAU,EAAE,EAAE;gBAC3B,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,mBAAmB;gBACzB,WAAW,EAAE,4CAA4C,SAAS,CAAC,MAAM,aAAa;gBACtF,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IACxE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YAC3B,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,SAAS,UAAU,EAAE,EAAE;gBAC3B,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,WAAW,EAAE,mBAAmB,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,QAAQ,EAAE;gBAC3D,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,aAAa,EAAE,CAAC,CAAC,QAAQ;gBACzB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,SAAS,EAAE,CAAC,CAAC,SAAS;aACvB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,KAAK,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9B,KAAK,IAAI,cAAc,CAAC,MAAM,GAAG,EAAE,CAAC;IACpC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAqB;QAC/B,EAAE,EAAE,UAAU,UAAU,EAAE,EAAE;QAC5B,QAAQ;QACR,YAAY;QACZ,UAAU;QACV,OAAO;QACP,mBAAmB,EAAE,OAAO,CAAC,MAAM;QACnC,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;aACvF,MAAM;QACT,iBAAiB,EAAE,SAAS,CAAC,MAAM;QACnC,kBAAkB,EAAE,OAAO,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,MAAM,KAAK,MAAM;YACnB,CAAC,CAAC,MAAM,KAAK,QAAQ;YACrB,CAAC,CAAC,MAAM,KAAK,QAAQ,CACxB,CAAC,MAAM;QACR,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;QACpE,YAAY,EAAE,OAAO,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CACtD,CAAC,MAAM;QACR,kBAAkB,EAAE,OAAO,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,YAAY,CACnC,CAAC,MAAM;QACR,gBAAgB,EAAE,KAAK;QACvB,MAAM;QACN,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,YAAY;QACZ,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAEzC,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAgB,EAChB,QAAgB,EAAE,EAClB,SAAiB,CAAC;IAElB,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;IAEjD,IAAI,OAAO,EAAE,CAAC;QACZ,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACjD,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAExF,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;IACzB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAe,EACf,MAAkC,EAClC,UAA2B,EAC3B,OAAgB,EAChB,UAAmB,EACnB,QAAiB;IAEjB,MAAM,OAAO,GAAsB;QACjC,EAAE,EAAE,UAAU,UAAU,EAAE,EAAE;QAC5B,OAAO;QACP,OAAO;QACP,WAAW,EAAE,UAAU;QACvB,UAAU;QACV,UAAU;QACV,QAAQ;QACR,MAAM;QACN,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAErC,sDAAsD;IACtD,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxC,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC;YACzB,GAAG,CAAC,YAAY,GAAG,mCAAmC,OAAO,CAAC,EAAE,EAAE,CAAC;YACnE,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAC7B,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC3C,GAAG,CAAC,UAAU,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;YACzC,GAAG,CAAC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,CAAC;IACH,CAAC,EAAE,IAAI,CAAC,CAAC;IAET,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO;QACL,OAAO,EAAE,OAAO,IAAI,IAAI;QACxB,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,0BAA0B;KACxD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,UAAkB,EAClB,UAAkB,EAClB,UAAkB;IAElB,MAAM,OAAO,GAAiB;QAC5B,EAAE,EAAE,WAAW,UAAU,EAAE,EAAE;QAC7B,OAAO;QACP,UAAU;QACV,UAAU;QACV,UAAU;QACV,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,aAAa,EAAE,CAAC;QAChB,gBAAgB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC1C,SAAS,EAAE,IAAI;QACf,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC;IAC5F,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxD,CAAC;IAED,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC;IAC1B,OAAO,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,KAAK,CACnC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;QAChF,KAAK,CACR,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEnE,IAAI,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC;IAClF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,CAAC,MAAM,CAAC;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC;IAElF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IACjE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IACxE,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAE/E,MAAM,YAAY,GAA2B,EAAE,CAAC;IAChD,MAAM,cAAc,GAA2B,EAAE,CAAC;IAElD,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;QACpB,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3D,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IACpG,MAAM,oBAAoB,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAE1G,OAAO;QACL,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,gBAAgB,EAAE,UAAU;QAC5B,eAAe,EAAE,SAAS;QAC1B,gBAAgB,EAAE,UAAU;QAC5B,YAAY,EAAE,WAAW;QACzB,gBAAgB,EAAE,eAAe;QACjC,uBAAuB,EAAE,SAAS;QAClC,qBAAqB,EAAE,cAAc;QACrC,wBAAwB,EAAE,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,kBAAkB,EAAE,gBAAgB;QACpC,sBAAsB,EAAE,oBAAoB;KAC7C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAe,EAAE,SAAiB,EAAE,OAAgB;IAC9E,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,CAAC,YAAY,IAAI,CAAC,CAAC;QAC3B,QAAQ,CAAC,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACnD,QAAQ,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACjD,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAiB;YAC7B,EAAE,EAAE,YAAY,UAAU,EAAE,EAAE;YAC9B,OAAO;YACP,SAAS;YACT,OAAO;YACP,YAAY,EAAE,CAAC;YACf,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACzC,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACxC,WAAW,EAAE,CAAC;YACd,yBAAyB,EAAE,CAAC;YAC5B,SAAS,EAAE,IAAI;YACf,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC;QACF,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;AACH,CAAC"}

package/dist/audit-secrets.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Forensics view on the audit log filtered to secret-touching operations.
+ *
+ * After a leak it's invaluable to know:
+ *   - Which agent / user resolved each key, and when
+ *   - Which migrate / rotate / register-fake / propagate events touched it
+ *   - Whether the key appeared in any service-output that flowed to disk
+ *
+ * Reads `.kit-audit.jsonl` (the JSONL append-only log written by the
+ * existing `logAuditEvent` helper). Filters + groups events per key.
+ */
+import type { AuditEvent } from "./audit.js";
+export interface SecretAccessEntry {
+    timestamp: string;
+    operation: string;
+    agent?: string;
+    detail: string;
+    success: boolean;
+}
+export interface SecretAuditReport {
+    key: string;
+    events: SecretAccessEntry[];
+}
+export declare function readSecretAuditEvents(cwd?: string, sinceDays?: number): Promise<AuditEvent[]>;
+/**
+ * Extracts secret-related event details, attempting to attribute each event
+ * to one or more specific keys via the metadata payload.
+ */
+export declare function groupBySecret(events: AuditEvent[]): {
+    reports: SecretAuditReport[];
+    unattributed: SecretAccessEntry[];
+};
+export interface AuditSummary {
+    totalEvents: number;
+    keyCount: number;
+    topKey?: {
+        key: string;
+        count: number;
+    };
+    windowDays: number;
+}
+export declare function summarize(reports: SecretAuditReport[], windowDays: number): AuditSummary;

package/dist/audit-secrets.js

@@ -0,0 +1,126 @@
+/**
+ * Forensics view on the audit log filtered to secret-touching operations.
+ *
+ * After a leak it's invaluable to know:
+ *   - Which agent / user resolved each key, and when
+ *   - Which migrate / rotate / register-fake / propagate events touched it
+ *   - Whether the key appeared in any service-output that flowed to disk
+ *
+ * Reads `.kit-audit.jsonl` (the JSONL append-only log written by the
+ * existing `logAuditEvent` helper). Filters + groups events per key.
+ */
+import { readFile, access } from "node:fs/promises";
+import { resolve } from "node:path";
+const AUDIT_FILE = ".kit-audit.jsonl";
+const SECRET_OPERATIONS = new Set([
+    "secrets.generate",
+    "secrets.sync",
+    "secrets.migrate",
+    "secrets.rotate",
+    "secrets.onecli.register",
+    "secrets.propagate",
+    "services.login",
+    "fix",
+]);
+export async function readSecretAuditEvents(cwd = process.cwd(), sinceDays = 30) {
+    const path = resolve(cwd, AUDIT_FILE);
+    try {
+        await access(path);
+    }
+    catch {
+        return [];
+    }
+    const text = await readFile(path, "utf-8");
+    const lines = text.split("\n").filter((l) => l.trim().length > 0);
+    const cutoff = Date.now() - sinceDays * 24 * 3600 * 1000;
+    const events = [];
+    for (const line of lines) {
+        try {
+            const e = JSON.parse(line);
+            if (!SECRET_OPERATIONS.has(e.operation))
+                continue;
+            const ts = Date.parse(e.timestamp);
+            if (!Number.isFinite(ts) || ts < cutoff)
+                continue;
+            events.push(e);
+        }
+        catch {
+            // skip malformed line
+        }
+    }
+    return events;
+}
+/**
+ * Extracts secret-related event details, attempting to attribute each event
+ * to one or more specific keys via the metadata payload.
+ */
+export function groupBySecret(events) {
+    const byKey = new Map();
+    const unattributed = [];
+    for (const e of events) {
+        const meta = (e.metadata ?? {});
+        const keys = collectKeyNames(meta);
+        const entry = {
+            timestamp: e.timestamp,
+            operation: e.operation,
+            agent: e.agent_name ?? e.agent_id,
+            detail: summarizeEvent(e),
+            success: e.success,
+        };
+        if (keys.length === 0) {
+            unattributed.push(entry);
+            continue;
+        }
+        for (const k of keys) {
+            const arr = byKey.get(k) ?? [];
+            arr.push(entry);
+            byKey.set(k, arr);
+        }
+    }
+    const reports = [...byKey.entries()]
+        .map(([key, events]) => ({
+        key,
+        events: events.sort((a, b) => a.timestamp.localeCompare(b.timestamp)),
+    }))
+        .sort((a, b) => b.events.length - a.events.length);
+    return { reports, unattributed };
+}
+function collectKeyNames(meta) {
+    const names = [];
+    if (typeof meta.key === "string")
+        names.push(meta.key);
+    if (Array.isArray(meta.keys)) {
+        for (const k of meta.keys)
+            if (typeof k === "string")
+                names.push(k);
+    }
+    if (typeof meta.name === "string")
+        names.push(meta.name);
+    return [...new Set(names)];
+}
+function summarizeEvent(e) {
+    const meta = (e.metadata ?? {});
+    const parts = [];
+    if (typeof meta.store === "string")
+        parts.push(`store=${meta.store}`);
+    if (typeof meta.target === "string")
+        parts.push(`target=${meta.target}`);
+    if (typeof meta.source === "string")
+        parts.push(`source=${meta.source}`);
+    if (e.error)
+        parts.push(`error=${e.error.split("\n")[0]}`);
+    if (e.environment)
+        parts.push(`env=${e.environment}`);
+    return parts.join("  ");
+}
+export function summarize(reports, windowDays) {
+    const totalEvents = reports.reduce((sum, r) => sum + r.events.length, 0);
+    const top = reports[0];
+    return {
+        totalEvents,
+        keyCount: reports.length,
+        topKey: top ? { key: top.key, count: top.events.length } : undefined,
+        windowDays,
+    };
+}
+//# sourceMappingURL=audit-secrets.js.map

package/dist/audit-secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-secrets.js","sourceRoot":"","sources":["../src/audit-secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBpC,MAAM,UAAU,GAAG,kBAAkB,CAAC;AAEtC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,kBAAkB;IAClB,cAAc;IACd,iBAAiB;IACjB,gBAAgB;IAChB,yBAAyB;IACzB,mBAAmB;IACnB,gBAAgB;IAChB,KAAK;CACN,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,SAAS,GAAG,EAAE;IAEd,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAElE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IACzD,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;YACzC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;gBAAE,SAAS;YAClD,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,MAAM;gBAAE,SAAS;YAClD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAoB;IAEpB,MAAM,KAAK,GAAG,IAAI,GAAG,EAA+B,CAAC;IACrD,MAAM,YAAY,GAAwB,EAAE,CAAC;IAE7C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;QAC3D,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAsB;YAC/B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,KAAK,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ;YACjC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;YACzB,OAAO,EAAE,CAAC,CAAC,OAAO;SACnB,CAAC;QACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,SAAS;QACX,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/B,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAwB,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;SACtD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QACvB,GAAG;QACH,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;KACtE,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAErD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,eAAe,CAAC,IAA6B;IACpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI;YAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,cAAc,CAAC,CAAa;IACnC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACtE,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC3D,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACtD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AASD,MAAM,UAAU,SAAS,CACvB,OAA4B,EAC5B,UAAkB;IAElB,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACvB,OAAO;QACL,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,MAAM;QACxB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;QACpE,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/audit.d.ts

@@ -0,0 +1,43 @@
+import type { GovernanceConfig } from "./config.js";
+export interface AuditEvent {
+    timestamp: string;
+    agent_id?: string;
+    agent_name?: string;
+    operation: string;
+    environment: string;
+    success: boolean;
+    duration_ms?: number;
+    error?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Append an audit event directly to .kit-audit.jsonl without requiring a
+ * governance config to be loaded. Used by code paths that *must* log without
+ * the possibility of being short-circuited by missing config — primarily the
+ * elevation gate, the prod-key bypass, and the rate-limiter fail-open hatch.
+ *
+ * Returns true on success, false if the append failed. Callers that gate
+ * destructive ops on auditability should treat `false` as "do not proceed".
+ *
+ * `cwd` lets tests/hooks point at a sandbox; production callers pass nothing.
+ */
+export declare function appendAuditEventDirect(event: Omit<AuditEvent, "timestamp">, opts?: {
+    cwd?: string;
+    logFile?: string;
+}): Promise<boolean>;
+/**
+ * Log an audit event to the configured audit log file and Remote API
+ */
+export declare function logAuditEvent(config: Required<GovernanceConfig>, event: Omit<AuditEvent, "timestamp" | "agent_id" | "agent_name">, companyId?: string): Promise<void>;
+/**
+ * Test-only: reset the module-scoped warning flag.
+ */
+export declare function _resetRemotePushWarningForTests(): void;
+/**
+ * Read recent audit log entries
+ */
+export declare function readAuditLog(logFile: string, limit?: number): Promise<AuditEvent[]>;
+/**
+ * Format audit log for display
+ */
+export declare function formatAuditLog(events: AuditEvent[]): string;