
Feature/audit log#79

Open
morelucks wants to merge 9 commits intoCalloraOrg:mainfrom
morelucks:feature/audit-log

Conversation

@morelucks

Summary

Implements issue #54 by adding a compliance-oriented, append-only audit log and wiring sensitive backend actions to it.

Closes #54
@greatest0fallt1me

What changed

1) Audit log data model (queryable + append-only)

  • Added migration to create audit_logs with:
    • actor_user_id
    • action
    • resource
    • created_at
    • optional ip
  • Added compliance-focused indexes for efficient
    querying by:
    • actor + time
    • action + time
    • resource + time
  • Enforced append-only behavior via DB triggers that
    block UPDATE and DELETE.

2) Centralized audit service

  • Added AuditService to standardize audit event
    recording.
  • Emits structured audit log entries consistently.
  • Keeps action taxonomy explicit:
    • user.login
    • api_key.create
    • api_key.revoke
    • api.publish
    • api.update
    • settlement.run

3) Sensitive action instrumentation

Wired audit events into routes for:

  • user login
  • API key create/revoke
  • API publish/update
  • settlement run

4) Compliance safeguards

  • Ensured no raw keys/secrets are logged.
  • Added prefix sanitization for key-related resource
    identifiers.
  • Tests assert secret values are not present in
    audit log outputs.

5) Docs + policy

  • Updated README with:
    • audit endpoints
    • migration instructions
    • retention policy documentation

6) Pipeline hardening

  • Stabilized lint/test setup for current toolchain:
    • migrated to flat ESLint config
    • adjusted Jest/ts-jest config compatibility for
      the project’s TS/ESM setup

Validation

  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test

Notes

  • This introduces an auditable baseline aligned with
    compliance needs and can be extended to persist
    through a DB-backed repository layer as domain
    services expand.

The key line that auto-closes is: Closes #54.
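The PR description above outlines the design (an explicit action taxonomy, a centralized AuditService, prefix sanitization for key-related resource identifiers, an append-only store, and tests asserting that no secret reaches the log). The block below is an added example, not code from this PR or from CalloraOrg: it puts those pieces together in TypeScript against an in-memory repository that stands in for the DB-backed table and its UPDATE/DELETE-blocking triggers. The key format (`ck_` plus 32 hex characters), the prefix length kept after sanitization, and all sample data are assumptions made for the example.

```typescript
// Added example (not the project's code): append-only audit log with an
// explicit action taxonomy and secret-safe resource identifiers.

type AuditAction =
  | "user.login"
  | "api_key.create"
  | "api_key.revoke"
  | "api.publish"
  | "api.update"
  | "settlement.run";

// The taxonomy is closed: anything outside this set is rejected at record time
// so a typo in a route cannot silently create a new, unqueryable action.
const AUDIT_ACTIONS = new Set<string>([
  "user.login", "api_key.create", "api_key.revoke",
  "api.publish", "api.update", "settlement.run",
]);

function isAuditAction(action: string): action is AuditAction {
  return AUDIT_ACTIONS.has(action);
}

interface AuditEntry {
  readonly id: number;
  readonly actorUserId: string;
  readonly action: AuditAction;
  readonly resource: string;
  readonly ip?: string;
  readonly createdAt: Date;
}

// Assumption for this example: API keys look like "ck_" + 32 hex characters.
// A raw key found anywhere in a resource string is reduced to its prefix and
// the first 6 characters of the body, which is enough to correlate with the
// key's record but useless as a credential.
const RAW_KEY = /\bck_([0-9a-f]{32})\b/g;

function redactKeys(text: string): string {
  return text.replace(RAW_KEY, (_match, body: string) => `ck_${body.slice(0, 6)}...`);
}

// Append-only store: it exposes append and query only, and freezes each row,
// mirroring the DB triggers that block UPDATE and DELETE on audit_logs.
class InMemoryAuditRepository {
  private readonly rows: AuditEntry[] = [];

  append(row: Omit<AuditEntry, "id">): AuditEntry {
    const entry: AuditEntry = Object.freeze({ ...row, id: this.rows.length + 1 });
    this.rows.push(entry);
    return entry;
  }

  // Filters mirror the compliance indexes: actor+time, action+time, resource+time.
  query(filter: {
    actorUserId?: string; action?: AuditAction; resource?: string; since?: Date; until?: Date;
  }): AuditEntry[] {
    return this.rows.filter((r) =>
      (filter.actorUserId === undefined || r.actorUserId === filter.actorUserId) &&
      (filter.action === undefined || r.action === filter.action) &&
      (filter.resource === undefined || r.resource === filter.resource) &&
      (filter.since === undefined || r.createdAt >= filter.since) &&
      (filter.until === undefined || r.createdAt < filter.until));
  }

  count(): number {
    return this.rows.length;
  }
}

class AuditService {
  private readonly repo: InMemoryAuditRepository;
  private readonly now: () => Date;

  constructor(repo: InMemoryAuditRepository, now: () => Date = () => new Date()) {
    this.repo = repo;
    this.now = now;
  }

  // Every sensitive route goes through this single entry point, so validation
  // of the action and redaction of secrets happen in exactly one place.
  record(input: { actorUserId: string; action: string; resource: string; ip?: string }): AuditEntry {
    if (!isAuditAction(input.action)) {
      throw new Error(`unknown audit action: ${input.action}`);
    }
    return this.repo.append({
      actorUserId: input.actorUserId,
      action: input.action,
      resource: redactKeys(input.resource),
      ip: input.ip,
      createdAt: this.now(),
    });
  }
}

// The check the PR's tests describe: the serialized log must not contain the secret.
function containsSecret(entries: readonly AuditEntry[], secret: string): boolean {
  return JSON.stringify(entries).includes(secret);
}

// Constructed sample data with a fixed clock so the run is deterministic.
function demo() {
  const repo = new InMemoryAuditRepository();
  let minute = 0;
  const audit = new AuditService(repo, () => new Date(Date.UTC(2024, 0, 1, 0, minute++)));
  const rawKey = "ck_" + "0123456789abcdef".repeat(2); // constructed, not a real key

  audit.record({ actorUserId: "u1", action: "user.login", resource: "user:u1", ip: "203.0.113.5" });
  audit.record({ actorUserId: "u1", action: "api_key.create", resource: `api_key:${rawKey}` });
  audit.record({ actorUserId: "u2", action: "settlement.run", resource: "settlement:2024-01" });

  return { repo, rawKey, entries: repo.query({}) };
}
```

Redaction runs inside `record` rather than at each call site, so a route that forgets to sanitize still cannot leak a full key into the log; the query filters deliberately accept only the columns the PR indexes, which keeps compliance lookups bounded and predictable.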

@greatest0fallt1me
Contributor

please resolve the conflicts

@greatest0fallt1me
Contributor

@morelucks Can you resolve the conflicts?


Development

Successfully merging this pull request may close these issues.

Add Audit Log for Sensitive Actions
