# @repo/core-audit

Optional core package providing DPA-compliant audit logging. Scaffold via `pnpm turbo gen core-package audit`.

## Structure

```
src/
  audit-log.interface.ts           # IAuditLog extends AuditLogProtocol
  audit-logs-collection.ts         # Payload collection (append-only)
  noop-audit-log.ts                # NoopAuditLog
  payload-audit-log.ts             # PayloadAuditLog (local cache impl)
  stdout-json-audit-log.ts         # StdoutJsonAuditLog (log-shipper sink)
  multi-sink-audit-log.ts          # MultiSinkAuditLog (fan-out wrapper)
  trace-id-enriching-audit-log.ts  # OTel correlation decorator
  pseudonymize.ts                  # sha256-with-salt for GDPR pseudonymization
  di/bind-audit.ts                 # bindAudit binder
  integrations/api/router.ts       # admin tRPC procedure
  hooks/                           # Payload hook factories
```
## Compliance posture

- `AuditEntry` type (in `@repo/core-shared/audit`) has no `payload`/`body`/`oldValue`/`newValue` fields; the type system enforces the DPA "what NOT to log" rule.
- Append-only Payload collection (`update: () => false`); erasure uses `overrideAccess: true` for the privileged path.
- `AUDIT_PSEUDONYM_SALT` env REQUIRED in production. Validated at bind time.

See `docs/guides/audit-and-compliance.md` for the full guide.
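The pieces listed under Structure and the three compliance rules above, as a single added TypeScript example. This is not the package's own code: the `AuditEntry` shape, the 32-character salt minimum, the per-process random salt outside production, the in-memory and JSON-lines sinks and the `assertNoRecordBody` runtime guard are all assumptions made here to show how the type-level "what NOT to log" rule, the salted sha256 pseudonym, the bind-time salt check, the fan-out wrapper and the trace-id decorator fit together.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed stand-in for AuditEntry from @repo/core-shared/audit. What matters is
// what is absent: no payload/body/oldValue/newValue, so a document body cannot
// reach the audit trail without a type error.
export interface AuditEntry {
  action: string;         // e.g. "users.update"
  collection: string;
  documentId: string;
  actorPseudonym: string; // salted sha256, never a raw user id or e-mail
  occurredAt: string;     // ISO-8601
  traceId?: string;       // stamped by the OTel-correlation decorator
}

export interface AuditLog {
  record(entry: AuditEntry): void;
}

// Runtime twin of the type rule for callers outside the type system (plain JS,
// JSON arriving through a hook). Hypothetical helper, not part of the package.
const FORBIDDEN_KEYS = ["payload", "body", "oldValue", "newValue"];
export function assertNoRecordBody(entry: Record<string, unknown>): AuditEntry {
  for (const key of FORBIDDEN_KEYS) {
    if (key in entry) throw new Error(`audit entry must not carry "${key}"`);
  }
  return entry as unknown as AuditEntry;
}

// Bind-time check: AUDIT_PSEUDONYM_SALT is mandatory in production. The 32-char
// minimum and the per-process random salt outside production are assumptions.
export function resolvePseudonymSalt(env: Record<string, string | undefined>): string {
  const salt = env.AUDIT_PSEUDONYM_SALT;
  if (env.NODE_ENV === "production") {
    if (!salt || salt.length < 32) throw new Error("AUDIT_PSEUDONYM_SALT missing or too short");
    return salt;
  }
  return salt ?? randomBytes(32).toString("hex");
}

// sha256(salt || value): stable within one salt, unlinkable across salts.
export function pseudonymize(value: string, salt: string): string {
  return createHash("sha256").update(salt).update(value).digest("hex");
}

export class NoopAuditLog implements AuditLog {
  record(): void {}
}

// In-memory stand-in for the append-only Payload collection sink.
export class MemoryAuditLog implements AuditLog {
  readonly entries: AuditEntry[] = [];
  record(entry: AuditEntry): void { this.entries.push(entry); }
}

// JSON-lines sink for a log shipper; the writer is injected so it can be captured.
export class JsonLineAuditLog implements AuditLog {
  constructor(private readonly write: (line: string) => void) {}
  record(entry: AuditEntry): void { this.write(JSON.stringify(entry)); }
}

// Fan-out: a failing sink is recorded, not fatal, unless no sink accepted the entry.
export class MultiSinkAuditLog implements AuditLog {
  readonly failures: Error[] = [];
  constructor(private readonly sinks: AuditLog[]) {}
  record(entry: AuditEntry): void {
    let accepted = 0;
    for (const sink of this.sinks) {
      try { sink.record(entry); accepted++; }
      catch (err) { this.failures.push(err instanceof Error ? err : new Error(String(err))); }
    }
    if (accepted === 0) throw new Error("no audit sink accepted the entry");
  }
}

// Decorator that stamps the current trace id so an audit row joins to its trace.
export class TraceIdEnrichingAuditLog implements AuditLog {
  constructor(private readonly inner: AuditLog, private readonly currentTraceId: () => string | undefined) {}
  record(entry: AuditEntry): void {
    this.inner.record({ ...entry, traceId: entry.traceId ?? this.currentTraceId() });
  }
}

// Worked run with constructed values: the stack a bindAudit-style binder might wire.
export function demo() {
  const salt = resolvePseudonymSalt({ NODE_ENV: "production", AUDIT_PSEUDONYM_SALT: "x".repeat(32) });
  const memory = new MemoryAuditLog();
  const lines: string[] = [];
  const broken: AuditLog = { record() { throw new Error("sink down"); } };
  const fanout = new MultiSinkAuditLog([memory, new JsonLineAuditLog((l) => lines.push(l)), broken]);
  const log = new TraceIdEnrichingAuditLog(fanout, () => "trace-abc123");
  log.record(assertNoRecordBody({
    action: "users.update", collection: "users", documentId: "doc-1",
    actorPseudonym: pseudonymize("user-42", salt), occurredAt: "2024-01-01T00:00:00Z",
  }));
  return { memory, lines, fanout, salt };
}
```

Sinks are synchronous here to keep the run self-contained; a database-backed sink would return a promise and the fan-out would use `Promise.allSettled` with the same "report, don't drop" semantics. The salt never leaves `resolvePseudonymSalt`, so rotating it invalidates every pseudonym at once, which is the property a GDPR erasure path relies on.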