eslint-plugin-audit-log

ESLint rules that keep audit trails honest:

• mutating-service-must-audit — every mutating service method (create*, update*, delete*, ...) must record an audit event. Catches the silent-gap mistake before it spreads.
• audit-write-must-be-fire-and-forget — audit-log writes must be void audit.record(...), never awaited. A flaky audit table must never block a real request. Autofixes await → void.
• audit-metadata-no-pii — the metadata: of an audit record must not include PII keys. Audit tables are retained for compliance and shouldn't quietly become a PII reservoir.

Install

pnpm add -D @boring-stack-pkg/eslint-plugin-audit-log

Peer deps: eslint >= 8.57, @typescript-eslint/parser >= 8, typescript >= 5.

Use (flat config)

import tsParser from "@typescript-eslint/parser";
import auditLog from "@boring-stack-pkg/eslint-plugin-audit-log";

export default [
  {
    files: ["**/*.{ts,tsx}"],
    languageOptions: { parser: tsParser },
    plugins: { "audit-log": auditLog },
    rules: {
      "audit-log/mutating-service-must-audit": "error",
      "audit-log/audit-write-must-be-fire-and-forget": "error",
      "audit-log/audit-metadata-no-pii": "warn",
    },
  },
];

Or use the bundled config:

import auditLog from "@boring-stack-pkg/eslint-plugin-audit-log";

export default [auditLog.configs.recommended];

Rules

| Rule | Description | Default in recommended | Fixable | | ------------------------------------------------------------------------------------------ | ----------------------------------------------------- | ---------------------- | ------- | | mutating-service-must-audit | Mutating service methods must call the audit recorder | error | – | | audit-write-must-be-fire-and-forget | Audit writes must not be awaited | error | yes | | audit-metadata-no-pii | Audit metadata must not include PII keys | warn | – |

License

MIT.