BetterFrame/server/src/shared/audit.ts

/**
 * Audit logging helper — single inline call from route handlers.
 *
 *   audit(repo, event, "user.login", { result: "ok" });
 *   audit(repo, event, "firmware.upload", { resource_id: rel.id, metadata: { version, channel } });
 *
 * Pulls actor + ip out of the h3 event context. Never throws — logging
 * failure must not break the caller's request.
 */
import type { Repository } from "./db/repository.js";
import type { AuditActorType, AuditResult } from "./types.js";

interface AuditCtx {
  context?: {
    user?: { id?: string; username?: string };
    apiKeyPrefix?: string;
    session?: unknown;
  };
  req?: { headers: { get(name: string): string | null } };
}

export interface AuditInput {
  resource_type?: string;
  resource_id?: string | number;
  metadata?: Record<string, unknown>;
  result?: AuditResult;
  /** Override actor (e.g. when system performs action on behalf of nobody). */
  actor_type?: AuditActorType;
  actor_id?: string | null;
  actor_label?: string | null;
}

export async function audit(
  repo: Repository,
  event: AuditCtx | null,
  action: string,
  input: AuditInput = {},
): Promise<void> {
  try {
    const ctx = event?.context;
    let actor_type: AuditActorType = input.actor_type ?? "system";
    let actor_id: string | null = input.actor_id ?? null;
    let actor_label: string | null = input.actor_label ?? null;

    if (!input.actor_type && ctx) {
      if (ctx.apiKeyPrefix) {
        actor_type = "api_key";
        actor_label = ctx.apiKeyPrefix;
      } else if (ctx.user) {
        actor_type = "user";
        actor_id = ctx.user.id ?? null;
        actor_label = ctx.user.username ?? null;
      }
    }

    const headers = event?.req?.headers;
    const ip = headers?.get("x-real-ip")
      ?? headers?.get("x-forwarded-for")?.split(",")[0]?.trim()
      ?? null;

    await repo.insertAudit({
      actor_type,
      actor_id,
      actor_label,
      action,
      resource_type: input.resource_type ?? null,
      resource_id: input.resource_id != null ? String(input.resource_id) : null,
      ip,
      metadata: input.metadata ?? {},
      result: input.result ?? "ok",
    });
  } catch {
    /* never throw from audit */
  }
}
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`/**`
			`* Audit logging helper — single inline call from route handlers.`
			`*`
			`* audit(repo, event, "user.login", { result: "ok" });`
			`* audit(repo, event, "firmware.upload", { resource_id: rel.id, metadata: { version, channel } });`
			`*`
			`* Pulls actor + ip out of the h3 event context. Never throws — logging`
			`* failure must not break the caller's request.`
			`*/`
refactor(db): move service-store from BSB plugin to shared/db library Each service plugin now independently initializes its own DB connection via shared/db/init.ts instead of depending on a central service-store plugin. This removes the inter-plugin dependency ordering and the plugin-registry singleton, making each service self-contained. - Move db-adapter, repository, mappers, migrations, adapters to shared/db/ - Create shared/db/config.ts (reusable dbConfigSchema) and init.ts - Delete service-store plugin and plugin-registry - Add db config block to each service's ConfigSchema + sec-config template - Move event_log purge timer into service-admin-http - Update all import paths across shared modules and plugins Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-24 00:48:32 +00:00			`import type { Repository } from "./db/repository.js";`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`import type { AuditActorType, AuditResult } from "./types.js";`

			`interface AuditCtx {`
			`context?: {`
refactor: migrate all auto-increment PKs to UUIDv7 text IDs Replace SERIAL/AUTOINCREMENT integer primary keys with UUIDv7 text IDs across all 15 entity tables (users, api_keys, displays, cameras, camera_streams, layouts, layout_cells, entities, kiosks, labels, kiosk_gpio_bindings, event_log, kiosk_logs, audit_log, camera_event_subscriptions). SetupState keeps id=1 INTEGER singleton. Changes: - types.ts: all id fields number->string, all FK fields number->string - mappers.ts: n(r["id"])->s(r["id"]) for PKs, nn()->sn() for nullable FKs - repository.ts: import uuidv7, generate IDs before INSERT, remove RETURNING id, change all method signatures from number to string - migrations-pg.ts: SERIAL->TEXT NOT NULL PRIMARY KEY, INTEGER FK->TEXT FK - bundle.ts: all bundle interface IDs number->string - pairing.ts, auth.ts: kioskId/userId types number->string - coordinator-registry.ts: kioskId number->string - audit.ts: actor_id number->string - mqtt-bridge.ts: kioskId number->string in publish/subscribe - All route handlers: Number(getRouterParam)->getRouterParam ?? "" - admin-pages.tsx: template function params and Map types number->string - kiosk/src/bundle.rs: flexible serde deserializer that accepts both u32 (old) and String (new) IDs for backward compatibility Fresh PG database -- no data migration needed, just schema changes. SQLite migrations unchanged (dev-only, recreate DB for UUIDv7). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 05:11:45 +00:00			`user?: { id?: string; username?: string };`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`apiKeyPrefix?: string;`
			`session?: unknown;`
			`};`
			`req?: { headers: { get(name: string): string \| null } };`
			`}`

			`export interface AuditInput {`
			`resource_type?: string;`
			`resource_id?: string \| number;`
			`metadata?: Record<string, unknown>;`
			`result?: AuditResult;`
			`/** Override actor (e.g. when system performs action on behalf of nobody). */`
			`actor_type?: AuditActorType;`
refactor: migrate all auto-increment PKs to UUIDv7 text IDs Replace SERIAL/AUTOINCREMENT integer primary keys with UUIDv7 text IDs across all 15 entity tables (users, api_keys, displays, cameras, camera_streams, layouts, layout_cells, entities, kiosks, labels, kiosk_gpio_bindings, event_log, kiosk_logs, audit_log, camera_event_subscriptions). SetupState keeps id=1 INTEGER singleton. Changes: - types.ts: all id fields number->string, all FK fields number->string - mappers.ts: n(r["id"])->s(r["id"]) for PKs, nn()->sn() for nullable FKs - repository.ts: import uuidv7, generate IDs before INSERT, remove RETURNING id, change all method signatures from number to string - migrations-pg.ts: SERIAL->TEXT NOT NULL PRIMARY KEY, INTEGER FK->TEXT FK - bundle.ts: all bundle interface IDs number->string - pairing.ts, auth.ts: kioskId/userId types number->string - coordinator-registry.ts: kioskId number->string - audit.ts: actor_id number->string - mqtt-bridge.ts: kioskId number->string in publish/subscribe - All route handlers: Number(getRouterParam)->getRouterParam ?? "" - admin-pages.tsx: template function params and Map types number->string - kiosk/src/bundle.rs: flexible serde deserializer that accepts both u32 (old) and String (new) IDs for backward compatibility Fresh PG database -- no data migration needed, just schema changes. SQLite migrations unchanged (dev-only, recreate DB for UUIDv7). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 05:11:45 +00:00			`actor_id?: string \| null;`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`actor_label?: string \| null;`
			`}`

feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`export async function audit(`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`repo: Repository,`
			`event: AuditCtx \| null,`
			`action: string,`
			`input: AuditInput = {},`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`): Promise<void> {`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`try {`
			`const ctx = event?.context;`
			`let actor_type: AuditActorType = input.actor_type ?? "system";`
refactor: migrate all auto-increment PKs to UUIDv7 text IDs Replace SERIAL/AUTOINCREMENT integer primary keys with UUIDv7 text IDs across all 15 entity tables (users, api_keys, displays, cameras, camera_streams, layouts, layout_cells, entities, kiosks, labels, kiosk_gpio_bindings, event_log, kiosk_logs, audit_log, camera_event_subscriptions). SetupState keeps id=1 INTEGER singleton. Changes: - types.ts: all id fields number->string, all FK fields number->string - mappers.ts: n(r["id"])->s(r["id"]) for PKs, nn()->sn() for nullable FKs - repository.ts: import uuidv7, generate IDs before INSERT, remove RETURNING id, change all method signatures from number to string - migrations-pg.ts: SERIAL->TEXT NOT NULL PRIMARY KEY, INTEGER FK->TEXT FK - bundle.ts: all bundle interface IDs number->string - pairing.ts, auth.ts: kioskId/userId types number->string - coordinator-registry.ts: kioskId number->string - audit.ts: actor_id number->string - mqtt-bridge.ts: kioskId number->string in publish/subscribe - All route handlers: Number(getRouterParam)->getRouterParam ?? "" - admin-pages.tsx: template function params and Map types number->string - kiosk/src/bundle.rs: flexible serde deserializer that accepts both u32 (old) and String (new) IDs for backward compatibility Fresh PG database -- no data migration needed, just schema changes. SQLite migrations unchanged (dev-only, recreate DB for UUIDv7). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 05:11:45 +00:00			`let actor_id: string \| null = input.actor_id ?? null;`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`let actor_label: string \| null = input.actor_label ?? null;`

			`if (!input.actor_type && ctx) {`
			`if (ctx.apiKeyPrefix) {`
			`actor_type = "api_key";`
			`actor_label = ctx.apiKeyPrefix;`
			`} else if (ctx.user) {`
			`actor_type = "user";`
			`actor_id = ctx.user.id ?? null;`
			`actor_label = ctx.user.username ?? null;`
			`}`
			`}`

			`const headers = event?.req?.headers;`
			`const ip = headers?.get("x-real-ip")`
			`?? headers?.get("x-forwarded-for")?.split(",")[0]?.trim()`
			`?? null;`

feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`await repo.insertAudit({`
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware 2026-05-14 05:38:18 +00:00			`actor_type,`
			`actor_id,`
			`actor_label,`
			`action,`
			`resource_type: input.resource_type ?? null,`
			`resource_id: input.resource_id != null ? String(input.resource_id) : null,`
			`ip,`
			`metadata: input.metadata ?? {},`
			`result: input.result ?? "ok",`
			`});`
			`} catch {`
			`/* never throw from audit */`
			`}`
			`}`