Ciscode-Admin
diff --git a/‎.changeset/thick-maps-raise.md‎
Lines changed: 0 additions & 5 deletions b/‎.changeset/thick-maps-raise.md‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/publish.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/publish.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release-check.yml‎
Lines changed: 150 additions & 38 deletions b/‎.github/workflows/release-check.yml‎
Lines changed: 150 additions & 38 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 0 deletions b/‎README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎eslint.config.js‎
Lines changed: 1 addition & 1 deletion b/‎eslint.config.js‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1 @@
+* @CISCODE-MA/devops
@@ -58,7 +58,7 @@ jobs:
           echo "TAG_VERSION=$TAG" >> $GITHUB_ENV
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
         with:
           node-version: "22"
           registry-url: "https://registry.npmjs.org"
 
@@ -3,50 +3,43 @@ name: CI - Release Check
 on:
   pull_request:
     branches: [master]
-  workflow_dispatch:
-    inputs:
-      sonar:
-        description: "Run SonarCloud analysis"
-        required: true
-        default: "false"
-        type: choice
-        options:
-          - "false"
-          - "true"
 
 concurrency:
   group: ci-release-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  SONAR_HOST_URL: "https://sonarcloud.io"
+  SONAR_ORGANIZATION: "ciscode"
+  SONAR_PROJECT_KEY: "CISCODE-MA_AuditKit"
+  NODE_VERSION: "22"
+
+# ─── Job 1: Static checks (fast feedback, runs in parallel with test) ──────────
 jobs:
-  ci:
-    name: release checks
+  quality:
+    name: Quality Checks
     runs-on: ubuntu-latest
-    timeout-minutes: 25
+    timeout-minutes: 10
 
-    # Config stays in the workflow file (token stays in repo secrets)
-    env:
-      SONAR_HOST_URL: "https://sonarcloud.io"
-      SONAR_ORGANIZATION: "ciscode"
-      SONAR_PROJECT_KEY: "CISCODE-MA_AuditKit"
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v4
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
 
       - name: Install
         run: npm ci
 
-      - name: Audit
-        run: npm audit --production
+      - name: Security Audit
+        # Only fail on high/critical — moderate noise in dev deps is expected
+        run: npm audit --production --audit-level=high
 
       - name: Format
         run: npm run format
@@ -57,30 +50,149 @@ jobs:
       - name: Lint
         run: npm run lint
 
+  # ─── Job 2: Tests + Coverage (artifact passed to Sonar) ────────────────────────
+  test:
+    name: Test & Coverage
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "npm"
+
+      - name: Install
+        run: npm ci
+
       - name: Test (with coverage)
         run: npm run test:cov
 
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+          retention-days: 1
+
+  # ─── Job 3: Build ──────────────────────────────────────────────────────────────
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [quality, test]
+    timeout-minutes: 10
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "npm"
+
+      - name: Install
+        run: npm ci
+
       - name: Build
         run: npm run build
 
+  # ─── Job 4: SonarCloud (depends on test for coverage data) ─────────────────────
+  sonar:
+    name: SonarCloud Analysis
+    runs-on: ubuntu-latest
+    needs: [test]
+    timeout-minutes: 15
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Full history required for accurate blame & new code detection
+          fetch-depth: 0
+
+      - name: Download coverage report
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: sonar-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: sonar-${{ runner.os }}-
+
       - name: SonarCloud Scan
-        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.sonar == 'true' }}
-        uses: SonarSource/sonarqube-scan-action@v7
+        uses: SonarSource/sonarqube-scan-action@v6
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ env.SONAR_HOST_URL }}
         with:
           args: >
-            -Dsonar.organization=${{ env.SONAR_ORGANIZATION }} \
-            -Dsonar.projectKey=${{ env.SONAR_PROJECT_KEY }} \
-            -Dsonar.sources=src \
-            -Dsonar.tests=test \
+            -Dsonar.organization=${{ env.SONAR_ORGANIZATION }}
+            -Dsonar.projectKey=${{ env.SONAR_PROJECT_KEY }}
+            -Dsonar.sources=src
+            -Dsonar.tests=test
+            -Dsonar.test.inclusions=**/*.spec.ts,**/*.test.ts
+            -Dsonar.exclusions=**/node_modules/**,**/dist/**,**/coverage/**,**/*.d.ts
+            -Dsonar.coverage.exclusions=**/*.spec.ts,**/*.test.ts,**/index.ts
             -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
+            -Dsonar.typescript.tsconfigPath=tsconfig.json
+            -Dsonar.qualitygate.wait=true
+            -Dsonar.qualitygate.timeout=300
 
-      - name: SonarCloud Quality Gate
-        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.sonar == 'true' }}
-        uses: SonarSource/sonarqube-quality-gate-action@v1
-        timeout-minutes: 10
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ env.SONAR_HOST_URL }}
+  # ─── Job 5: Final status report (always runs) ──────────────────────────────────
+  report:
+    name: Report CI Status
+    runs-on: ubuntu-latest
+    needs: [quality, test, build, sonar]
+    # Run even if upstream jobs failed
+    if: always()
+    timeout-minutes: 5
+
+    permissions:
+      contents: read
+      statuses: write
+
+    steps:
+      - name: Resolve overall result
+        id: result
+        run: |
+          results="${{ needs.quality.result }} ${{ needs.test.result }} ${{ needs.build.result }} ${{ needs.sonar.result }}"
+          if echo "$results" | grep -qE "failure|cancelled"; then
+            echo "state=failure" >> $GITHUB_OUTPUT
+            echo "desc=One or more CI checks failed" >> $GITHUB_OUTPUT
+          else
+            echo "state=success" >> $GITHUB_OUTPUT
+            echo "desc=All CI checks passed" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Post commit status
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.sha,
+              state: '${{ steps.result.outputs.state }}',
+              context: 'CI / Release Check',
+              description: '${{ steps.result.outputs.desc }}',
+              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+            })
@@ -0,0 +1,16 @@
+# @ciscode/audit-kit
+
+## 0.1.0
+
+### Minor Changes
+
+- Initial feature release of @ciscode/audit-kit.
+  - Cursor-based (keyset) pagination via `queryWithCursor()`
+  - OpenTelemetry-compatible observer hooks (`IAuditObserver`)
+  - Audit event streaming adapter (`IAuditEventPublisher`, `EventEmitterAuditEventPublisher`)
+  - PII redaction, idempotency, and retention policies
+  - Custom repository config (`type: "custom"`) — bring your own repository from a database package
+  - In-memory repository for testing
+  - Stryker mutation testing configuration
+  - Vitest performance benchmarks
+  - CI compatibility matrix (Ubuntu + Windows × Node 20 + 22)
@@ -12,6 +12,11 @@ It provides:
 - Observability hooks (OpenTelemetry-friendly observer port)
 - Event streaming hooks (publisher port + default EventEmitter adapter)
 
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=CISCODE-MA_AuditKit&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=CISCODE-MA_AuditKit)
+[![npm version](https://img.shields.io/npm/v/@ciscode/auditkit.svg)](https://www.npmjs.com/package/@ciscode/auditkit)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.7-blue)](https://www.typescriptlang.org/)
+
 ## Install
 
 ```bash
 
@@ -1,7 +1,7 @@
 // @ts-check
 import eslint from "@eslint/js";
 import globals from "globals";
-import importPlugin from "eslint-plugin-import";
+import importPlugin from "eslint-plugin-import-x";
 import tseslint from "@typescript-eslint/eslint-plugin";
 import tsparser from "@typescript-eslint/parser";