securepool 1.0.0

package/packages/infrastructure/src/jwt/JwtTokenService.ts

@@ -0,0 +1,32 @@
+import jwt, { SignOptions, Algorithm } from "jsonwebtoken";
+import crypto from "crypto";
+import { ITokenService } from "@securepool/application";
+
+export class JwtTokenService implements ITokenService {
+  private algorithm: Algorithm = "RS256";
+
+  constructor(
+    private privateKey: string,
+    private publicKey: string,
+    private accessTokenExpirySeconds: number = 900 // 15 minutes
+  ) {}
+
+  async generateAccessToken(userId: string, tenantId: string): Promise<string> {
+    const options: SignOptions = {
+      algorithm: this.algorithm,
+      expiresIn: this.accessTokenExpirySeconds,
+    };
+    return jwt.sign({ sub: userId, tenantId }, this.privateKey, options);
+  }
+
+  async generateRefreshToken(_userId: string): Promise<string> {
+    return crypto.randomBytes(64).toString("hex");
+  }
+
+  async verifyAccessToken(token: string): Promise<{ sub: string; tenantId: string }> {
+    const payload = jwt.verify(token, this.publicKey, {
+      algorithms: [this.algorithm],
+    }) as any;
+    return { sub: payload.sub, tenantId: payload.tenantId };
+  }
+}

package/packages/infrastructure/src/otp/OtpServiceImpl.ts

@@ -0,0 +1,50 @@
+import crypto from "crypto";
+import { IOtpService, IOtpRepository } from "@securepool/application";
+import { OtpCode } from "@securepool/core";
+
+export class OtpServiceImpl implements IOtpService {
+  private maxAttempts: number;
+  private expiryMinutes: number;
+
+  constructor(
+    private otpRepo: IOtpRepository,
+    options?: { maxAttempts?: number; expiryMinutes?: number }
+  ) {
+    this.maxAttempts = options?.maxAttempts ?? 5;
+    this.expiryMinutes = options?.expiryMinutes ?? 5;
+  }
+
+  async generate(userId: string, metadata?: Record<string, string>): Promise<string> {
+    await this.otpRepo.deleteAllForUser(userId);
+
+    const code = Math.floor(100000 + Math.random() * 900000).toString();
+    const otp = new OtpCode(
+      crypto.randomUUID(),
+      userId,
+      code,
+      new Date(Date.now() + this.expiryMinutes * 60 * 1000),
+      0,
+      metadata,
+    );
+
+    await this.otpRepo.save(otp);
+    return code;
+  }
+
+  async verify(userId: string, code: string): Promise<{ valid: boolean; metadata?: Record<string, string> }> {
+    const record = await this.otpRepo.findLatest(userId);
+    if (!record) throw new Error("OTP not found");
+    if (record.expiresAt < new Date()) throw new Error("OTP expired");
+    if (record.attempts >= this.maxAttempts) throw new Error("Too many attempts");
+
+    if (record.code !== code) {
+      record.attempts++;
+      await this.otpRepo.update(record);
+      throw new Error("Invalid OTP");
+    }
+
+    const metadata = record.metadata;
+    await this.otpRepo.deleteAllForUser(userId);
+    return { valid: true, metadata };
+  }
+}

package/packages/infrastructure/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}

package/packages/persistence/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@securepool/persistence",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "npx prisma generate && tsc",
+    "clean": "rm -rf dist",
+    "prisma:generate": "npx prisma generate",
+    "prisma:migrate": "npx prisma migrate dev"
+  },
+  "dependencies": {
+    "@securepool/core": "1.0.0",
+    "@securepool/application": "1.0.0",
+    "mongoose": "^8.5.0",
+    "@prisma/client": "^5.18.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0",
+    "prisma": "^5.18.0"
+  }
+}

package/packages/persistence/prisma/schema.prisma

@@ -0,0 +1,88 @@
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+model User {
+  id           String     @id @default(uuid())
+  tenantId     String
+  email        String
+  passwordHash String?
+  isVerified   Boolean    @default(false)
+  createdAt    DateTime   @default(now())
+
+  roles        UserRole[]
+  sessions     Session[]
+  auditLogs    AuditLog[]
+
+  @@unique([email, tenantId])
+  @@index([tenantId])
+}
+
+model Role {
+  id    String     @id @default(uuid())
+  name  String     @unique
+  users UserRole[]
+}
+
+model UserRole {
+  userId String
+  roleId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+  role   Role   @relation(fields: [roleId], references: [id], onDelete: Cascade)
+
+  @@id([userId, roleId])
+}
+
+model RefreshToken {
+  id        String   @id @default(uuid())
+  userId    String
+  tokenHash String
+  expiresAt DateTime
+  isRevoked Boolean  @default(false)
+
+  @@index([userId])
+  @@index([tokenHash])
+}
+
+model OtpCode {
+  id        String   @id @default(uuid())
+  userId    String
+  code      String
+  expiresAt DateTime
+  attempts  Int      @default(0)
+
+  @@index([userId])
+}
+
+model Session {
+  id        String   @id @default(uuid())
+  userId    String
+  device    String
+  ip        String
+  createdAt DateTime @default(now())
+  isActive  Boolean  @default(true)
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+}
+
+model AuditLog {
+  id        String   @id @default(uuid())
+  userId    String
+  tenantId  String
+  action    String
+  ip        String
+  metadata  Json     @default("{}")
+  timestamp DateTime @default(now())
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([tenantId])
+}

package/packages/persistence/src/factory.ts

@@ -0,0 +1,48 @@
+import { PrismaClient } from "@prisma/client";
+import { IUserRepository, ITokenRepository, IOtpRepository, ISessionRepository, IAuditLogRepository, IRoleRepository } from "@securepool/application";
+import { connectMongo } from "./mongo/connection";
+import { MongoUserRepository } from "./mongo/repositories/MongoUserRepository";
+import { MongoTokenRepository } from "./mongo/repositories/MongoTokenRepository";
+import { MongoOtpRepository } from "./mongo/repositories/MongoOtpRepository";
+import { MongoSessionRepository } from "./mongo/repositories/MongoSessionRepository";
+import { MongoAuditLogRepository } from "./mongo/repositories/MongoAuditLogRepository";
+import { MongoRoleRepository } from "./mongo/repositories/MongoRoleRepository";
+import { PrismaUserRepository } from "./prisma/repositories/PrismaUserRepository";
+import { PrismaTokenRepository } from "./prisma/repositories/PrismaTokenRepository";
+import { PrismaOtpRepository } from "./prisma/repositories/PrismaOtpRepository";
+import { PrismaSessionRepository } from "./prisma/repositories/PrismaSessionRepository";
+import { PrismaAuditLogRepository } from "./prisma/repositories/PrismaAuditLogRepository";
+import { PrismaRoleRepository } from "./prisma/repositories/PrismaRoleRepository";
+
+export interface Repositories {
+  userRepo: IUserRepository;
+  tokenRepo: ITokenRepository;
+  otpRepo: IOtpRepository;
+  sessionRepo: ISessionRepository;
+  auditLogRepo: IAuditLogRepository;
+  roleRepo: IRoleRepository;
+}
+
+export async function createRepositories(config: { type: "mongo" | "postgres"; url: string }): Promise<Repositories> {
+  if (config.type === "mongo") {
+    await connectMongo(config.url);
+    return {
+      userRepo: new MongoUserRepository(),
+      tokenRepo: new MongoTokenRepository(),
+      otpRepo: new MongoOtpRepository(),
+      sessionRepo: new MongoSessionRepository(),
+      auditLogRepo: new MongoAuditLogRepository(),
+      roleRepo: new MongoRoleRepository(),
+    };
+  }
+
+  const prisma = new PrismaClient({ datasourceUrl: config.url });
+  return {
+    userRepo: new PrismaUserRepository(prisma),
+    tokenRepo: new PrismaTokenRepository(prisma),
+    otpRepo: new PrismaOtpRepository(prisma),
+    sessionRepo: new PrismaSessionRepository(prisma),
+    auditLogRepo: new PrismaAuditLogRepository(prisma),
+    roleRepo: new PrismaRoleRepository(prisma),
+  };
+}

package/packages/persistence/src/index.ts

@@ -0,0 +1,30 @@
+// Factory
+export { createRepositories, Repositories } from "./factory";
+
+// MongoDB connection helpers
+export { connectMongo, disconnectMongo } from "./mongo/connection";
+
+// MongoDB models
+export { UserModel } from "./mongo/models/UserModel";
+export { RefreshTokenModel } from "./mongo/models/RefreshTokenModel";
+export { OtpModel } from "./mongo/models/OtpModel";
+export { SessionModel } from "./mongo/models/SessionModel";
+export { AuditLogModel } from "./mongo/models/AuditLogModel";
+export { RoleModel } from "./mongo/models/RoleModel";
+export { UserRoleModel } from "./mongo/models/UserRoleModel";
+
+// MongoDB repositories
+export { MongoUserRepository } from "./mongo/repositories/MongoUserRepository";
+export { MongoTokenRepository } from "./mongo/repositories/MongoTokenRepository";
+export { MongoOtpRepository } from "./mongo/repositories/MongoOtpRepository";
+export { MongoSessionRepository } from "./mongo/repositories/MongoSessionRepository";
+export { MongoAuditLogRepository } from "./mongo/repositories/MongoAuditLogRepository";
+export { MongoRoleRepository } from "./mongo/repositories/MongoRoleRepository";
+
+// Prisma repositories
+export { PrismaUserRepository } from "./prisma/repositories/PrismaUserRepository";
+export { PrismaTokenRepository } from "./prisma/repositories/PrismaTokenRepository";
+export { PrismaOtpRepository } from "./prisma/repositories/PrismaOtpRepository";
+export { PrismaSessionRepository } from "./prisma/repositories/PrismaSessionRepository";
+export { PrismaAuditLogRepository } from "./prisma/repositories/PrismaAuditLogRepository";
+export { PrismaRoleRepository } from "./prisma/repositories/PrismaRoleRepository";

package/packages/persistence/src/mongo/connection.ts

@@ -0,0 +1,9 @@
+import mongoose from "mongoose";
+
+export async function connectMongo(url: string): Promise<typeof mongoose> {
+  return mongoose.connect(url, { retryWrites: true });
+}
+
+export async function disconnectMongo(): Promise<void> {
+  await mongoose.disconnect();
+}

package/packages/persistence/src/mongo/models/AuditLogModel.ts

@@ -0,0 +1,21 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IAuditLogDocument extends Document {
+  userId: string;
+  tenantId: string;
+  action: string;
+  ip: string;
+  metadata: Record<string, unknown>;
+  timestamp: Date;
+}
+
+const AuditLogSchema = new Schema<IAuditLogDocument>({
+  userId: { type: String, required: true, index: true },
+  tenantId: { type: String, required: true, index: true },
+  action: { type: String, required: true },
+  ip: { type: String, default: "unknown" },
+  metadata: { type: Schema.Types.Mixed, default: {} },
+  timestamp: { type: Date, default: Date.now },
+});
+
+export const AuditLogModel = mongoose.model<IAuditLogDocument>("AuditLog", AuditLogSchema);

package/packages/persistence/src/mongo/models/OtpModel.ts

@@ -0,0 +1,19 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IOtpDocument extends Document {
+  userId: string;
+  code: string;
+  expiresAt: Date;
+  attempts: number;
+  metadata?: Record<string, string>;
+}
+
+const OtpSchema = new Schema<IOtpDocument>({
+  userId: { type: String, required: true, index: true },
+  code: { type: String, required: true },
+  expiresAt: { type: Date, required: true },
+  attempts: { type: Number, default: 0 },
+  metadata: { type: Schema.Types.Mixed, default: undefined },
+});
+
+export const OtpModel = mongoose.model<IOtpDocument>("OtpCode", OtpSchema);

package/packages/persistence/src/mongo/models/RefreshTokenModel.ts

@@ -0,0 +1,17 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IRefreshTokenDocument extends Document {
+  userId: string;
+  tokenHash: string;
+  expiresAt: Date;
+  isRevoked: boolean;
+}
+
+const RefreshTokenSchema = new Schema<IRefreshTokenDocument>({
+  userId: { type: String, required: true, index: true },
+  tokenHash: { type: String, required: true, index: true },
+  expiresAt: { type: Date, required: true },
+  isRevoked: { type: Boolean, default: false },
+});
+
+export const RefreshTokenModel = mongoose.model<IRefreshTokenDocument>("RefreshToken", RefreshTokenSchema);

package/packages/persistence/src/mongo/models/RoleModel.ts

@@ -0,0 +1,11 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IRoleDocument extends Document {
+  name: string;
+}
+
+const RoleSchema = new Schema<IRoleDocument>({
+  name: { type: String, required: true, unique: true },
+});
+
+export const RoleModel = mongoose.model<IRoleDocument>("Role", RoleSchema);

package/packages/persistence/src/mongo/models/SessionModel.ts

@@ -0,0 +1,19 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface ISessionDocument extends Document {
+  userId: string;
+  device: string;
+  ip: string;
+  createdAt: Date;
+  isActive: boolean;
+}
+
+const SessionSchema = new Schema<ISessionDocument>({
+  userId: { type: String, required: true, index: true },
+  device: { type: String, required: true },
+  ip: { type: String, required: true },
+  createdAt: { type: Date, default: Date.now },
+  isActive: { type: Boolean, default: true },
+});
+
+export const SessionModel = mongoose.model<ISessionDocument>("Session", SessionSchema);

package/packages/persistence/src/mongo/models/UserModel.ts

@@ -0,0 +1,21 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IUserDocument extends Document {
+  tenantId: string;
+  email: string;
+  passwordHash: string | null;
+  isVerified: boolean;
+  createdAt: Date;
+}
+
+const UserSchema = new Schema<IUserDocument>({
+  tenantId: { type: String, required: true, index: true },
+  email: { type: String, required: true },
+  passwordHash: { type: String, default: null },
+  isVerified: { type: Boolean, default: false },
+  createdAt: { type: Date, default: Date.now },
+});
+
+UserSchema.index({ email: 1, tenantId: 1 }, { unique: true });
+
+export const UserModel = mongoose.model<IUserDocument>("User", UserSchema);

package/packages/persistence/src/mongo/models/UserRoleModel.ts

@@ -0,0 +1,15 @@
+import mongoose, { Schema, Document } from "mongoose";
+
+export interface IUserRoleDocument extends Document {
+  userId: string;
+  roleId: string;
+}
+
+const UserRoleSchema = new Schema<IUserRoleDocument>({
+  userId: { type: String, required: true },
+  roleId: { type: String, required: true },
+});
+
+UserRoleSchema.index({ userId: 1, roleId: 1 }, { unique: true });
+
+export const UserRoleModel = mongoose.model<IUserRoleDocument>("UserRole", UserRoleSchema);

package/packages/persistence/src/mongo/repositories/MongoAuditLogRepository.ts

@@ -0,0 +1,29 @@
+import { AuditLog } from "@securepool/core";
+import { IAuditLogRepository } from "@securepool/application";
+import { AuditLogModel } from "../models/AuditLogModel";
+
+export class MongoAuditLogRepository implements IAuditLogRepository {
+  async log(entry: AuditLog): Promise<void> {
+    await AuditLogModel.create({
+      userId: entry.userId,
+      tenantId: entry.tenantId,
+      action: entry.action,
+      ip: entry.ip,
+      metadata: entry.metadata,
+      timestamp: entry.timestamp,
+    });
+  }
+
+  async findByUserId(userId: string): Promise<AuditLog[]> {
+    const docs = await AuditLogModel.find({ userId }).sort({ timestamp: -1 });
+    return docs.map(doc => new AuditLog(
+      doc._id.toString(),
+      doc.userId,
+      doc.tenantId,
+      doc.action,
+      doc.ip,
+      doc.metadata,
+      doc.timestamp,
+    ));
+  }
+}

package/packages/persistence/src/mongo/repositories/MongoOtpRepository.ts

@@ -0,0 +1,34 @@
+import { OtpCode } from "@securepool/core";
+import { IOtpRepository } from "@securepool/application";
+import { OtpModel } from "../models/OtpModel";
+
+export class MongoOtpRepository implements IOtpRepository {
+  async save(otp: OtpCode): Promise<void> {
+    const doc = await OtpModel.create({
+      userId: otp.userId,
+      code: otp.code,
+      expiresAt: otp.expiresAt,
+      attempts: otp.attempts,
+      metadata: otp.metadata,
+    });
+    otp.id = doc._id.toString();
+  }
+
+  async findLatest(userId: string): Promise<OtpCode | null> {
+    const doc = await OtpModel.findOne({ userId }).sort({ expiresAt: -1 });
+    if (!doc) return null;
+    return new OtpCode(doc._id.toString(), doc.userId, doc.code, doc.expiresAt, doc.attempts, doc.metadata as Record<string, string> | undefined);
+  }
+
+  async update(otp: OtpCode): Promise<void> {
+    await OtpModel.findByIdAndUpdate(otp.id, {
+      code: otp.code,
+      expiresAt: otp.expiresAt,
+      attempts: otp.attempts,
+    });
+  }
+
+  async deleteAllForUser(userId: string): Promise<void> {
+    await OtpModel.deleteMany({ userId });
+  }
+}

package/packages/persistence/src/mongo/repositories/MongoRoleRepository.ts

@@ -0,0 +1,32 @@
+import { Role, UserRole } from "@securepool/core";
+import { IRoleRepository } from "@securepool/application";
+import { RoleModel } from "../models/RoleModel";
+import { UserRoleModel } from "../models/UserRoleModel";
+
+export class MongoRoleRepository implements IRoleRepository {
+  async findById(id: string): Promise<Role | null> {
+    const doc = await RoleModel.findById(id);
+    if (!doc) return null;
+    return new Role(doc._id.toString(), doc.name);
+  }
+
+  async findByName(name: string): Promise<Role | null> {
+    const doc = await RoleModel.findOne({ name });
+    if (!doc) return null;
+    return new Role(doc._id.toString(), doc.name);
+  }
+
+  async assignRole(userRole: UserRole): Promise<void> {
+    await UserRoleModel.create({
+      userId: userRole.userId,
+      roleId: userRole.roleId,
+    });
+  }
+
+  async getUserRoles(userId: string): Promise<Role[]> {
+    const userRoleDocs = await UserRoleModel.find({ userId });
+    const roleIds = userRoleDocs.map(doc => doc.roleId);
+    const roleDocs = await RoleModel.find({ _id: { $in: roleIds } });
+    return roleDocs.map(doc => new Role(doc._id.toString(), doc.name));
+  }
+}

package/packages/persistence/src/mongo/repositories/MongoSessionRepository.ts

@@ -0,0 +1,29 @@
+import { Session } from "@securepool/core";
+import { ISessionRepository } from "@securepool/application";
+import { SessionModel } from "../models/SessionModel";
+
+export class MongoSessionRepository implements ISessionRepository {
+  async create(session: Session): Promise<void> {
+    const doc = await SessionModel.create({
+      userId: session.userId,
+      device: session.device,
+      ip: session.ip,
+      createdAt: session.createdAt,
+      isActive: session.isActive,
+    });
+    session.id = doc._id.toString();
+  }
+
+  async findByUserId(userId: string): Promise<Session[]> {
+    const docs = await SessionModel.find({ userId, isActive: true });
+    return docs.map(doc => new Session(doc._id.toString(), doc.userId, doc.device, doc.ip, doc.createdAt, doc.isActive));
+  }
+
+  async deactivate(sessionId: string): Promise<void> {
+    await SessionModel.findByIdAndUpdate(sessionId, { isActive: false });
+  }
+
+  async deactivateAllForUser(userId: string): Promise<void> {
+    await SessionModel.updateMany({ userId }, { isActive: false });
+  }
+}

package/packages/persistence/src/mongo/repositories/MongoTokenRepository.ts

@@ -0,0 +1,34 @@
+import { RefreshToken } from "@securepool/core";
+import { ITokenRepository } from "@securepool/application";
+import { RefreshTokenModel } from "../models/RefreshTokenModel";
+
+export class MongoTokenRepository implements ITokenRepository {
+  async save(token: RefreshToken): Promise<void> {
+    const doc = await RefreshTokenModel.create({
+      userId: token.userId,
+      tokenHash: token.tokenHash,
+      expiresAt: token.expiresAt,
+      isRevoked: token.isRevoked,
+    });
+    token.id = doc._id.toString();
+  }
+
+  async findByTokenHash(tokenHash: string): Promise<RefreshToken | null> {
+    const doc = await RefreshTokenModel.findOne({ tokenHash });
+    if (!doc) return null;
+    return new RefreshToken(doc._id.toString(), doc.userId, doc.tokenHash, doc.expiresAt, doc.isRevoked);
+  }
+
+  async findActiveByUserId(userId: string): Promise<RefreshToken[]> {
+    const docs = await RefreshTokenModel.find({ userId, isRevoked: false, expiresAt: { $gt: new Date() } });
+    return docs.map(doc => new RefreshToken(doc._id.toString(), doc.userId, doc.tokenHash, doc.expiresAt, doc.isRevoked));
+  }
+
+  async revoke(tokenId: string): Promise<void> {
+    await RefreshTokenModel.findByIdAndUpdate(tokenId, { isRevoked: true });
+  }
+
+  async revokeAllForUser(userId: string): Promise<void> {
+    await RefreshTokenModel.updateMany({ userId }, { isRevoked: true });
+  }
+}

package/packages/persistence/src/mongo/repositories/MongoUserRepository.ts

@@ -0,0 +1,37 @@
+import { User } from "@securepool/core";
+import { IUserRepository } from "@securepool/application";
+import { UserModel } from "../models/UserModel";
+
+export class MongoUserRepository implements IUserRepository {
+  async findById(id: string): Promise<User | null> {
+    const doc = await UserModel.findById(id);
+    if (!doc) return null;
+    return new User(doc._id.toString(), doc.tenantId, doc.email, doc.passwordHash, doc.isVerified, doc.createdAt);
+  }
+
+  async findByEmail(email: string, tenantId: string): Promise<User | null> {
+    const doc = await UserModel.findOne({ email, tenantId });
+    if (!doc) return null;
+    return new User(doc._id.toString(), doc.tenantId, doc.email, doc.passwordHash, doc.isVerified, doc.createdAt);
+  }
+
+  async create(user: User): Promise<void> {
+    const doc = await UserModel.create({
+      tenantId: user.tenantId,
+      email: user.email,
+      passwordHash: user.passwordHash,
+      isVerified: user.isVerified,
+      createdAt: user.createdAt,
+    });
+    // Update the user's id with the Mongo-generated ObjectId
+    user.id = doc._id.toString();
+  }
+
+  async update(user: User): Promise<void> {
+    await UserModel.findByIdAndUpdate(user.id, {
+      email: user.email,
+      passwordHash: user.passwordHash,
+      isVerified: user.isVerified,
+    });
+  }
+}

package/packages/persistence/src/prisma/repositories/PrismaAuditLogRepository.ts

@@ -0,0 +1,37 @@
+import { PrismaClient } from "@prisma/client";
+import { AuditLog } from "@securepool/core";
+import { IAuditLogRepository } from "@securepool/application";
+
+export class PrismaAuditLogRepository implements IAuditLogRepository {
+  constructor(private readonly prisma: PrismaClient) {}
+
+  async log(entry: AuditLog): Promise<void> {
+    await this.prisma.auditLog.create({
+      data: {
+        id: entry.id,
+        userId: entry.userId,
+        tenantId: entry.tenantId,
+        action: entry.action,
+        ip: entry.ip,
+        metadata: entry.metadata as any,
+        timestamp: entry.timestamp,
+      },
+    });
+  }
+
+  async findByUserId(userId: string): Promise<AuditLog[]> {
+    const records = await this.prisma.auditLog.findMany({
+      where: { userId },
+      orderBy: { timestamp: "desc" },
+    });
+    return records.map((record: any) => new AuditLog(
+      record.id,
+      record.userId,
+      record.tenantId,
+      record.action,
+      record.ip,
+      record.metadata as Record<string, unknown>,
+      record.timestamp,
+    ));
+  }
+}