identity and trustpackages/iam/audit

audit package

Hash-chained, SHA-256 append-only audit log for actor/tenant actions. SOC 2-grade tamper detection, streaming export, and replay-safe queries.

Open docs

Stability: Stable
Scope: Tenant-scoped
Boundary: packages/iam/audit
Owners: @nebutra/iam

Last 24h12 actions

2m ago

maria.kimuser.invite→ [email protected]

14m ago

j.lopezbilling.cancel→ sub_8f2a

32m ago

tsekaauth.signin→ sso/okta

1h ago

r.patelrole.assign→ org/admins

2h ago

n.brownkey.rotate→ kms/prod

3h ago

d.huangaccess.deny→ vault/secrets

chain · 12,847 entrieshash-verifiedsha-256

Usageaudit.ts

typescript

audit.ts

1import { logAudit } from "@nebutra/audit";
2
3await logAudit({
4  actor: { id: userId, role: "admin" },
5  action: "billing.subscription.cancel",
6  target: { type: "subscription", id: sub.id },
7  metadata: { plan: sub.plan, reason: "user_request" },
8  // Tamper-evident hash chain — entry IDs link sequentially.
9});

More in domain · identity and trustView domain

authPackage

packages/iam/auth

Multi-provider auth — Clerk, Better Auth, or NextAuth. Same React surface, swap providers via preset config. MFA-enforced, session HMAC-signed.

Explore

captchaPackage

packages/iam/captcha

Bot challenge with Cloudflare Turnstile / hCaptcha / reCAPTCHA behind one verify() call. Server-side scoring, per-route enable, no third-party tracker on the client.

Explore

identityPackage

packages/iam/identity

Shared actor primitive — usr_/svc_/api_ ID space, role/membership lookup, tenant attachment. The single identity object every iam package reads.

Explore

oauth-serverPackage

packages/iam/oauth-server

Stand up your own OAuth 2.1 / OIDC provider. Authorization code + PKCE, refresh rotation, third-party app consent, JWT issuance with 1h default TTL.

Explore

audit packagepackage

audit package