feat(opsserver): add health, audit, cluster health, and durable credential management hardening

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@lossless.zone/objectstorage',
-  version: '1.8.1',
+  version: '1.9.0',
   description: 'object storage server with management UI powered by smartstorage'
 }

ts/classes/auditlogger.ts

@@ -0,0 +1,63 @@
+import type * as interfaces from '../../ts_interfaces/index.ts';
+
+export interface IAuditLogEntry {
+  timestamp: number;
+  actorUserId: string;
+  action: string;
+  targetType: string;
+  targetId?: string;
+  success: boolean;
+  message?: string;
+  metadata?: Record<string, string | number | boolean>;
+}
+
+export class AuditLogger {
+  constructor(private storageDirectory: string) {}
+
+  public get auditLogPath(): string {
+    return `${this.storageDirectory}/.objectstorage/audit.log`;
+  }
+
+  public async log(entry: Omit<IAuditLogEntry, 'timestamp'>): Promise<void> {
+    const logEntry: IAuditLogEntry = {
+      timestamp: Date.now(),
+      ...entry,
+    };
+    const dirPath = this.auditLogPath.substring(0, this.auditLogPath.lastIndexOf('/'));
+    await Deno.mkdir(dirPath, { recursive: true });
+    await Deno.writeTextFile(this.auditLogPath, `${JSON.stringify(logEntry)}\n`, {
+      append: true,
+      create: true,
+      mode: 0o600,
+    });
+    await this.restrictAuditLogPermissions();
+  }
+
+  public async listRecent(limit = 100): Promise<interfaces.data.IAuditEntry[]> {
+    let content = '';
+    try {
+      content = await Deno.readTextFile(this.auditLogPath);
+    } catch (error) {
+      if (error instanceof Deno.errors.NotFound) {
+        return [];
+      }
+      throw error;
+    }
+
+    return content
+      .trim()
+      .split('\n')
+      .filter(Boolean)
+      .slice(-limit)
+      .map((line) => JSON.parse(line) as interfaces.data.IAuditEntry)
+      .reverse();
+  }
+
+  private async restrictAuditLogPermissions(): Promise<void> {
+    try {
+      await Deno.chmod(this.auditLogPath, 0o600);
+    } catch {
+      // chmod is not available on every platform Deno supports.
+    }
+  }
+}

ts/classes/objectstoragecontainer.ts

@@ -1,8 +1,13 @@
 import * as plugins from '../plugins.ts';
-import { type IObjectStorageConfig, defaultConfig } from '../types.ts';
+import { defaultConfig, type IObjectStorageConfig } from '../types.ts';
 import type * as interfaces from '../../ts_interfaces/index.ts';
 import { OpsServer } from '../opsserver/index.ts';
 import { PolicyManager } from './policymanager.ts';
+import { AuditLogger } from './auditlogger.ts';
+
+interface IPersistedAdminConfig {
+  accessCredentials?: Array<{ accessKeyId: string; secretAccessKey: string }>;
+}
 
 export class ObjectStorageContainer {
   public config: IObjectStorageConfig;
@@ -10,7 +15,9 @@ export class ObjectStorageContainer {
   public s3Client!: plugins.S3Client;
   public opsServer: OpsServer;
   public policyManager: PolicyManager;
+  public auditLogger: AuditLogger;
   public startedAt: number = 0;
+  private envAccessCredentialsProvided = false;
 
   constructor(configArg?: Partial<IObjectStorageConfig>) {
     this.config = { ...defaultConfig, ...configArg };
@@ -28,6 +35,7 @@ export class ObjectStorageContainer {
     const envAccessKey = Deno.env.get('OBJST_ACCESS_KEY');
     const envSecretKey = Deno.env.get('OBJST_SECRET_KEY');
     if (envAccessKey && envSecretKey) {
+      this.envAccessCredentialsProvided = true;
       this.config.accessCredentials = [
         { accessKeyId: envAccessKey, secretAccessKey: envSecretKey },
       ];
@@ -41,7 +49,9 @@ export class ObjectStorageContainer {
 
     // Cluster environment variables
     const envClusterEnabled = Deno.env.get('OBJST_CLUSTER_ENABLED');
-    if (envClusterEnabled) this.config.clusterEnabled = envClusterEnabled === 'true' || envClusterEnabled === '1';
+    if (envClusterEnabled) {
+      this.config.clusterEnabled = envClusterEnabled === 'true' || envClusterEnabled === '1';
+    }
 
     const envClusterNodeId = Deno.env.get('OBJST_CLUSTER_NODE_ID');
     if (envClusterNodeId) this.config.clusterNodeId = envClusterNodeId;
@@ -50,31 +60,47 @@ export class ObjectStorageContainer {
     if (envClusterQuicPort) this.config.clusterQuicPort = parseInt(envClusterQuicPort, 10);
 
     const envClusterSeedNodes = Deno.env.get('OBJST_CLUSTER_SEED_NODES');
-    if (envClusterSeedNodes) this.config.clusterSeedNodes = envClusterSeedNodes.split(',').map(s => s.trim()).filter(Boolean);
+    if (envClusterSeedNodes) {
+      this.config.clusterSeedNodes = envClusterSeedNodes.split(',').map((s) => s.trim()).filter(
+        Boolean,
+      );
+    }
 
     const envDrivePaths = Deno.env.get('OBJST_DRIVE_PATHS');
-    if (envDrivePaths) this.config.drivePaths = envDrivePaths.split(',').map(s => s.trim()).filter(Boolean);
+    if (envDrivePaths) {
+      this.config.drivePaths = envDrivePaths.split(',').map((s) => s.trim()).filter(Boolean);
+    }
 
     const envErasureDataShards = Deno.env.get('OBJST_ERASURE_DATA_SHARDS');
     if (envErasureDataShards) this.config.erasureDataShards = parseInt(envErasureDataShards, 10);
 
     const envErasureParityShards = Deno.env.get('OBJST_ERASURE_PARITY_SHARDS');
-    if (envErasureParityShards) this.config.erasureParityShards = parseInt(envErasureParityShards, 10);
+    if (envErasureParityShards) {
+      this.config.erasureParityShards = parseInt(envErasureParityShards, 10);
+    }
 
     const envErasureChunkSize = Deno.env.get('OBJST_ERASURE_CHUNK_SIZE');
     if (envErasureChunkSize) this.config.erasureChunkSizeBytes = parseInt(envErasureChunkSize, 10);
 
     const envHeartbeatInterval = Deno.env.get('OBJST_HEARTBEAT_INTERVAL_MS');
-    if (envHeartbeatInterval) this.config.clusterHeartbeatIntervalMs = parseInt(envHeartbeatInterval, 10);
+    if (envHeartbeatInterval) {
+      this.config.clusterHeartbeatIntervalMs = parseInt(envHeartbeatInterval, 10);
+    }
 
     const envHeartbeatTimeout = Deno.env.get('OBJST_HEARTBEAT_TIMEOUT_MS');
-    if (envHeartbeatTimeout) this.config.clusterHeartbeatTimeoutMs = parseInt(envHeartbeatTimeout, 10);
+    if (envHeartbeatTimeout) {
+      this.config.clusterHeartbeatTimeoutMs = parseInt(envHeartbeatTimeout, 10);
+    }
 
     this.opsServer = new OpsServer(this);
     this.policyManager = new PolicyManager(this);
+    this.auditLogger = new AuditLogger(this.config.storageDirectory);
   }
 
   public async start(): Promise<void> {
+    this.assertSecureStartupConfig();
+    await this.loadPersistedAdminConfig();
+
     console.log(`Starting ObjectStorage...`);
     console.log(`  Storage port: ${this.config.objstPort}`);
     console.log(`  UI port: ${this.config.uiPort}`);
@@ -85,64 +111,24 @@ export class ObjectStorageContainer {
       console.log(`  Node ID: ${this.config.clusterNodeId || '(auto-generated)'}`);
       console.log(`  QUIC Port: ${this.config.clusterQuicPort}`);
       console.log(`  Seed Nodes: ${this.config.clusterSeedNodes.join(', ') || '(none)'}`);
-      console.log(`  Drives: ${this.config.drivePaths.length > 0 ? this.config.drivePaths.join(', ') : this.config.storageDirectory}`);
+      console.log(
+        `  Drives: ${
+          this.config.drivePaths.length > 0
+            ? this.config.drivePaths.join(', ')
+            : this.config.storageDirectory
+        }`,
+      );
       console.log(`  Erasure: ${this.config.erasureDataShards}+${this.config.erasureParityShards}`);
     }
 
-    // Build smartstorage config
-    const smartstorageConfig: any = {
-      server: {
-        port: this.config.objstPort,
-        address: '0.0.0.0',
-        region: this.config.region,
-      },
-      storage: {
-        directory: this.config.storageDirectory,
-      },
-      auth: {
-        enabled: true,
-        credentials: this.config.accessCredentials,
-      },
-    };
-
-    if (this.config.clusterEnabled) {
-      smartstorageConfig.cluster = {
-        enabled: true,
-        nodeId: this.config.clusterNodeId || crypto.randomUUID().slice(0, 8),
-        quicPort: this.config.clusterQuicPort,
-        seedNodes: this.config.clusterSeedNodes,
-        erasure: {
-          dataShards: this.config.erasureDataShards,
-          parityShards: this.config.erasureParityShards,
-          chunkSizeBytes: this.config.erasureChunkSizeBytes,
-        },
-        drives: {
-          paths: this.config.drivePaths.length > 0
-            ? this.config.drivePaths
-            : [this.config.storageDirectory],
-        },
-        heartbeatIntervalMs: this.config.clusterHeartbeatIntervalMs,
-        heartbeatTimeoutMs: this.config.clusterHeartbeatTimeoutMs,
-      };
-    }
-
-    // Start smartstorage
-    this.smartstorageInstance = await plugins.smartstorage.SmartStorage.createAndStart(smartstorageConfig);
+    this.smartstorageInstance = await plugins.smartstorage.SmartStorage.createAndStart(
+      this.buildSmartstorageConfig(),
+    );
 
     this.startedAt = Date.now();
     console.log(`Storage server started on port ${this.config.objstPort}`);
 
-    // Create S3 client for management operations
-    const descriptor = await this.smartstorageInstance.getStorageDescriptor();
-    this.s3Client = new plugins.S3Client({
-      endpoint: `http://${descriptor.endpoint}:${descriptor.port}`,
-      region: this.config.region,
-      credentials: {
-        accessKeyId: descriptor.accessKey,
-        secretAccessKey: descriptor.accessSecret,
-      },
-      forcePathStyle: true,
-    });
+    await this.refreshManagementClient();
 
     // Load named policies
     await this.policyManager.load();
@@ -159,41 +145,54 @@ export class ObjectStorageContainer {
     console.log('ObjectStorage stopped.');
   }
 
+  public async replaceAccessCredentials(
+    credentials: Array<{ accessKeyId: string; secretAccessKey: string }>,
+  ): Promise<void> {
+    const nextCredentials = credentials.map((credential) => ({ ...credential }));
+    const previousCredentials = this.config.accessCredentials.map((credential) => ({
+      ...credential,
+    }));
+
+    if (this.smartstorageInstance) {
+      await this.smartstorageInstance.replaceCredentials(nextCredentials);
+    }
+
+    this.config.accessCredentials = nextCredentials;
+    try {
+      await this.savePersistedAdminConfig();
+    } catch (error) {
+      this.config.accessCredentials = previousCredentials;
+      if (this.smartstorageInstance) {
+        await this.smartstorageInstance.replaceCredentials(previousCredentials);
+        await this.refreshManagementClient();
+      }
+      throw error;
+    }
+
+    if (this.smartstorageInstance) {
+      await this.refreshManagementClient();
+    }
+  }
+
+  public async listAccessCredentials(): Promise<Array<{ accessKeyId: string }>> {
+    if (!this.smartstorageInstance) {
+      return this.config.accessCredentials.map((credential) => ({
+        accessKeyId: credential.accessKeyId,
+      }));
+    }
+    return await this.smartstorageInstance.listCredentials();
+  }
+
   // ── Management methods ──
 
   public async listBuckets(): Promise<interfaces.data.IBucketInfo[]> {
-    const response = await this.s3Client.send(new plugins.ListBucketsCommand({}));
-    const buckets: interfaces.data.IBucketInfo[] = [];
-
-    for (const bucket of response.Buckets || []) {
-      const name = bucket.Name || '';
-      const creationDate = bucket.CreationDate?.getTime() || 0;
-
-      // Get object count and size for each bucket
-      let objectCount = 0;
-      let totalSizeBytes = 0;
-      let continuationToken: string | undefined;
-
-      do {
-        const listResp = await this.s3Client.send(
-          new plugins.ListObjectsV2Command({
-            Bucket: name,
-            ContinuationToken: continuationToken,
-          }),
-        );
-
-        for (const obj of listResp.Contents || []) {
-          objectCount++;
-          totalSizeBytes += obj.Size || 0;
-        }
-
-        continuationToken = listResp.IsTruncated ? listResp.NextContinuationToken : undefined;
-      } while (continuationToken);
-
-      buckets.push({ name, creationDate, objectCount, totalSizeBytes });
-    }
-
-    return buckets;
+    const summaries = await this.smartstorageInstance.listBucketSummaries();
+    return summaries.map((bucket) => ({
+      name: bucket.name,
+      creationDate: bucket.creationDate || 0,
+      objectCount: bucket.objectCount,
+      totalSizeBytes: bucket.totalSizeBytes,
+    }));
   }
 
   public async createBucket(bucketName: string): Promise<void> {
@@ -377,13 +376,7 @@ export class ObjectStorageContainer {
   }
 
   public async getServerStats(): Promise<interfaces.data.IServerStatus> {
-    const buckets = await this.listBuckets();
-    let totalObjectCount = 0;
-    let totalStorageBytes = 0;
-    for (const b of buckets) {
-      totalObjectCount += b.objectCount;
-      totalStorageBytes += b.totalSizeBytes;
-    }
+    const stats = await this.smartstorageInstance.getStorageStats();
 
     return {
       running: true,
@@ -391,15 +384,19 @@ export class ObjectStorageContainer {
       uiPort: this.config.uiPort,
       uptime: Math.floor((Date.now() - this.startedAt) / 1000),
       startedAt: this.startedAt,
-      bucketCount: buckets.length,
-      totalObjectCount,
-      totalStorageBytes,
-      storageDirectory: this.config.storageDirectory,
+      bucketCount: stats.bucketCount,
+      totalObjectCount: stats.totalObjectCount,
+      totalStorageBytes: stats.totalStorageBytes,
+      storageDirectory: stats.storageDirectory,
       region: this.config.region,
       authEnabled: true,
     };
   }
 
+  public async getClusterHealth(): Promise<interfaces.data.IClusterHealth> {
+    return await this.smartstorageInstance.getClusterHealth();
+  }
+
   public async getBucketPolicy(bucketName: string): Promise<string | null> {
     try {
       const response = await this.s3Client.send(
@@ -436,4 +433,186 @@ export class ObjectStorageContainer {
       region: this.config.region,
     };
   }
+
+  public isReady(): boolean {
+    return Boolean(this.smartstorageInstance && this.s3Client && this.startedAt);
+  }
+
+  public async getOperationalHealth(): Promise<Record<string, unknown>> {
+    const clusterHealth = this.smartstorageInstance
+      ? await this.getClusterHealth()
+      : { enabled: false };
+    const stats = this.smartstorageInstance
+      ? await this.getServerStats()
+      : null;
+    const ready = this.isReady();
+    return {
+      ok: ready,
+      status: ready ? 'healthy' : 'starting',
+      startedAt: this.startedAt || null,
+      uptimeSeconds: this.startedAt ? Math.floor((Date.now() - this.startedAt) / 1000) : 0,
+      storageDirectory: this.config.storageDirectory,
+      stats,
+      cluster: clusterHealth,
+    };
+  }
+
+  public async getOperationalMetrics(): Promise<string> {
+    const stats = this.smartstorageInstance
+      ? await this.smartstorageInstance.getStorageStats()
+      : null;
+    const clusterHealth = this.smartstorageInstance
+      ? await this.smartstorageInstance.getClusterHealth()
+      : { enabled: false };
+    return [
+      '# HELP objectstorage_ready ObjectStorage readiness state.',
+      '# TYPE objectstorage_ready gauge',
+      `objectstorage_ready ${this.isReady() ? 1 : 0}`,
+      '# HELP objectstorage_buckets_total Runtime bucket count.',
+      '# TYPE objectstorage_buckets_total gauge',
+      `objectstorage_buckets_total ${stats?.bucketCount ?? 0}`,
+      '# HELP objectstorage_objects_total Runtime object count.',
+      '# TYPE objectstorage_objects_total gauge',
+      `objectstorage_objects_total ${stats?.totalObjectCount ?? 0}`,
+      '# HELP objectstorage_cluster_enabled Cluster mode enabled.',
+      '# TYPE objectstorage_cluster_enabled gauge',
+      `objectstorage_cluster_enabled ${clusterHealth.enabled ? 1 : 0}`,
+      '',
+    ].join('\n');
+  }
+
+  private get persistedAdminConfigPath(): string {
+    return `${this.config.storageDirectory}/.objectstorage/admin-config.json`;
+  }
+
+  private async loadPersistedAdminConfig(): Promise<void> {
+    if (this.envAccessCredentialsProvided) {
+      return;
+    }
+
+    try {
+      const content = await Deno.readTextFile(this.persistedAdminConfigPath);
+      const persistedConfig = JSON.parse(content) as IPersistedAdminConfig;
+      const persistedCredentials = persistedConfig.accessCredentials;
+
+      if (!Array.isArray(persistedCredentials) || persistedCredentials.length === 0) {
+        return;
+      }
+
+      const validCredentials = persistedCredentials
+        .filter((credential) => credential?.accessKeyId && credential?.secretAccessKey)
+        .map((credential) => ({
+          accessKeyId: credential.accessKeyId,
+          secretAccessKey: credential.secretAccessKey,
+        }));
+
+      if (validCredentials.length === 0) {
+        return;
+      }
+
+      this.config.accessCredentials = validCredentials;
+    } catch (error) {
+      if (error instanceof Deno.errors.NotFound) {
+        return;
+      }
+      throw error;
+    }
+  }
+
+  private async savePersistedAdminConfig(): Promise<void> {
+    const dirPath = this.persistedAdminConfigPath.substring(
+      0,
+      this.persistedAdminConfigPath.lastIndexOf('/'),
+    );
+    await Deno.mkdir(dirPath, { recursive: true });
+    const persistedConfig: IPersistedAdminConfig = {
+      accessCredentials: this.config.accessCredentials,
+    };
+    await Deno.writeTextFile(
+      this.persistedAdminConfigPath,
+      JSON.stringify(persistedConfig, null, 2),
+      { mode: 0o600 },
+    );
+    await this.restrictPersistedAdminConfigPermissions();
+  }
+
+  private async refreshManagementClient(): Promise<void> {
+    const descriptor = await this.smartstorageInstance.getStorageDescriptor();
+    this.s3Client = new plugins.S3Client({
+      endpoint: `http://${descriptor.endpoint}:${descriptor.port}`,
+      region: this.config.region,
+      credentials: {
+        accessKeyId: descriptor.accessKey,
+        secretAccessKey: descriptor.accessSecret,
+      },
+      forcePathStyle: true,
+    });
+  }
+
+  private buildSmartstorageConfig(): any {
+    const smartstorageConfig: any = {
+      server: {
+        port: this.config.objstPort,
+        address: '0.0.0.0',
+        region: this.config.region,
+      },
+      storage: {
+        directory: this.config.storageDirectory,
+      },
+      auth: {
+        enabled: true,
+        credentials: this.config.accessCredentials,
+      },
+    };
+
+    if (this.config.clusterEnabled) {
+      smartstorageConfig.cluster = {
+        enabled: true,
+        nodeId: this.config.clusterNodeId || crypto.randomUUID().slice(0, 8),
+        quicPort: this.config.clusterQuicPort,
+        seedNodes: this.config.clusterSeedNodes,
+        erasure: {
+          dataShards: this.config.erasureDataShards,
+          parityShards: this.config.erasureParityShards,
+          chunkSizeBytes: this.config.erasureChunkSizeBytes,
+        },
+        drives: {
+          paths: this.config.drivePaths.length > 0
+            ? this.config.drivePaths
+            : [this.config.storageDirectory],
+        },
+        heartbeatIntervalMs: this.config.clusterHeartbeatIntervalMs,
+        heartbeatTimeoutMs: this.config.clusterHeartbeatTimeoutMs,
+      };
+    }
+
+    return smartstorageConfig;
+  }
+
+  private assertSecureStartupConfig(): void {
+    const allowInsecureDefaults = Deno.env.get('OBJST_ALLOW_INSECURE_DEFAULTS') === 'true';
+    const usesDefaultAdminPassword = this.config.adminPassword === 'admin';
+    const usesDefaultAccessCredential = this.config.accessCredentials.some((credential) => {
+      return credential.accessKeyId === 'admin' && credential.secretAccessKey === 'admin';
+    });
+    const looksLikePersistentProductionStorage = this.config.storageDirectory === '/data';
+
+    if (
+      looksLikePersistentProductionStorage &&
+      !allowInsecureDefaults &&
+      (usesDefaultAdminPassword || usesDefaultAccessCredential)
+    ) {
+      throw new Error(
+        'Refusing to start with default admin credentials on persistent /data storage. Set OBJST_ADMIN_PASSWORD and OBJST_ACCESS_KEY/OBJST_SECRET_KEY, or set OBJST_ALLOW_INSECURE_DEFAULTS=true for disposable development.',
+      );
+    }
+  }
+
+  private async restrictPersistedAdminConfigPermissions(): Promise<void> {
+    try {
+      await Deno.chmod(this.persistedAdminConfigPath, 0o600);
+    } catch {
+      // chmod is not available on every platform Deno supports.
+    }
+  }
 }

ts/cli.ts

@@ -113,5 +113,6 @@ Environment Variables:
   OBJST_ERASURE_CHUNK_SIZE Erasure chunk size in bytes (default: 4194304)
   OBJST_HEARTBEAT_INTERVAL_MS Cluster heartbeat interval (default: 5000)
   OBJST_HEARTBEAT_TIMEOUT_MS  Cluster heartbeat timeout (default: 30000)
+  OBJST_ALLOW_INSECURE_DEFAULTS Allow admin/admin defaults on /data for disposable development
   `);
 }

ts/opsserver/classes.opsserver.ts

@@ -16,6 +16,7 @@ export class OpsServer {
   public configHandler!: handlers.ConfigHandler;
   public credentialsHandler!: handlers.CredentialsHandler;
   public policiesHandler!: handlers.PoliciesHandler;
+  public auditHandler!: handlers.AuditHandler;
 
   constructor(objectStorageRef: ObjectStorageContainer) {
     this.objectStorageRef = objectStorageRef;
@@ -26,6 +27,27 @@ export class OpsServer {
       domain: 'localhost',
       feedMetadata: undefined,
       bundledContent: bundledFiles,
+      addCustomRoutes: async (typedserver) => {
+        typedserver.addRoute('/livez', 'GET', async () => {
+          return this.jsonResponse({ ok: true, status: 'alive' });
+        });
+        typedserver.addRoute('/readyz', 'GET', async () => {
+          const ready = await this.objectStorageRef.isReady();
+          return this.jsonResponse(
+            { ok: ready, status: ready ? 'ready' : 'starting' },
+            ready ? 200 : 503,
+          );
+        });
+        typedserver.addRoute('/healthz', 'GET', async () => {
+          return this.jsonResponse(await this.objectStorageRef.getOperationalHealth());
+        });
+        typedserver.addRoute('/metrics', 'GET', async () => {
+          const metrics = await this.objectStorageRef.getOperationalMetrics();
+          return new Response(metrics, {
+            headers: { 'content-type': 'text/plain; version=0.0.4' },
+          });
+        });
+      },
     });
 
     // Chain typedrouters: server -> opsServer -> individual handlers
@@ -50,6 +72,7 @@ export class OpsServer {
     this.configHandler = new handlers.ConfigHandler(this);
     this.credentialsHandler = new handlers.CredentialsHandler(this);
     this.policiesHandler = new handlers.PoliciesHandler(this);
+    this.auditHandler = new handlers.AuditHandler(this);
 
     console.log('OpsServer TypedRequest handlers initialized');
   }
@@ -60,4 +83,11 @@ export class OpsServer {
       console.log('OpsServer stopped');
     }
   }
+
+  private jsonResponse(data: unknown, status = 200): Response {
+    return new Response(JSON.stringify(data), {
+      status,
+      headers: { 'content-type': 'application/json' },
+    });
+  }
 }

ts/opsserver/handlers/admin.handler.ts

@@ -4,6 +4,7 @@ import * as interfaces from '../../../ts_interfaces/index.ts';
 
 export interface IJwtData {
   userId: string;
+  role: 'admin';
   status: 'loggedIn' | 'loggedOut';
   expiresAt: number;
 }
@@ -11,6 +12,8 @@ export interface IJwtData {
 export class AdminHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
   public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
+  private revokedTokens = new Set<string>();
+  private failedLoginAttempts = new Map<string, { count: number; firstAttemptAt: number }>();
 
   constructor(private opsServerRef: OpsServer) {
     this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
@@ -29,19 +32,37 @@ export class AdminHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
         'adminLoginWithUsernameAndPassword',
         async (dataArg) => {
+          this.assertLoginNotRateLimited(dataArg.username);
           const adminPassword = this.opsServerRef.objectStorageRef.config.adminPassword;
           if (dataArg.username !== 'admin' || dataArg.password !== adminPassword) {
+            this.recordFailedLogin(dataArg.username);
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.username || 'anonymous',
+              action: 'admin.login',
+              targetType: 'adminSession',
+              success: false,
+              message: 'Invalid credentials',
+            });
             throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
           }
 
+          this.failedLoginAttempts.delete(dataArg.username);
           const expiresAt = Date.now() + 24 * 3600 * 1000;
           const userId = 'admin';
           const jwt = await this.smartjwtInstance.createJWT({
             userId,
+            role: 'admin',
             status: 'loggedIn',
             expiresAt,
           });
 
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: userId,
+            action: 'admin.login',
+            targetType: 'adminSession',
+            success: true,
+          });
+
           console.log('Admin user logged in');
 
           return {
@@ -61,7 +82,16 @@ export class AdminHandler {
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
         'adminLogout',
-        async (_dataArg) => {
+        async (dataArg) => {
+          if (dataArg.identity?.jwt) {
+            this.revokedTokens.add(dataArg.identity.jwt);
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'admin.logout',
+              targetType: 'adminSession',
+              success: true,
+            });
+          }
           return { ok: true };
         },
       ),
@@ -75,18 +105,20 @@ export class AdminHandler {
           if (!dataArg.identity?.jwt) {
             return { valid: false };
           }
+          if (this.revokedTokens.has(dataArg.identity.jwt)) return { valid: false };
           try {
             const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
             if (jwtData.expiresAt < Date.now()) return { valid: false };
             if (jwtData.status !== 'loggedIn') return { valid: false };
+            if (jwtData.role !== 'admin') return { valid: false };
             return {
               valid: true,
               identity: {
                 jwt: dataArg.identity.jwt,
                 userId: jwtData.userId,
-                username: dataArg.identity.username,
+                username: jwtData.userId,
                 expiresAt: jwtData.expiresAt,
-                role: dataArg.identity.role,
+                role: jwtData.role,
               },
             };
           } catch {
@@ -103,12 +135,15 @@ export class AdminHandler {
   }>(
     async (dataArg) => {
       if (!dataArg.identity?.jwt) return false;
+      if (this.revokedTokens.has(dataArg.identity.jwt)) return false;
       try {
         const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
         if (jwtData.expiresAt < Date.now()) return false;
         if (jwtData.status !== 'loggedIn') return false;
+        if (jwtData.role !== 'admin') return false;
         if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
         if (dataArg.identity.userId !== jwtData.userId) return false;
+        if (dataArg.identity.role !== jwtData.role) return false;
         return true;
       } catch {
         return false;
@@ -122,10 +157,33 @@ export class AdminHandler {
     identity: interfaces.data.IIdentity;
   }>(
     async (dataArg) => {
-      const isValid = await this.validIdentityGuard.exec(dataArg);
-      if (!isValid) return false;
-      return dataArg.identity.role === 'admin';
+      return await this.validIdentityGuard.exec(dataArg);
     },
     { failedHint: 'user is not admin', name: 'adminIdentityGuard' },
   );
+
+  private assertLoginNotRateLimited(username: string): void {
+    const attempt = this.failedLoginAttempts.get(username);
+    if (!attempt) return;
+
+    const windowMs = 60 * 1000;
+    if (Date.now() - attempt.firstAttemptAt > windowMs) {
+      this.failedLoginAttempts.delete(username);
+      return;
+    }
+
+    if (attempt.count >= 5) {
+      throw new plugins.typedrequest.TypedResponseError('Too many failed login attempts');
+    }
+  }
+
+  private recordFailedLogin(username: string): void {
+    const now = Date.now();
+    const attempt = this.failedLoginAttempts.get(username);
+    if (!attempt || now - attempt.firstAttemptAt > 60 * 1000) {
+      this.failedLoginAttempts.set(username, { count: 1, firstAttemptAt: now });
+      return;
+    }
+    attempt.count++;
+  }
 }

ts/opsserver/handlers/audit.handler.ts

@@ -0,0 +1,28 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
+
+export class AuditHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListAuditEntries>(
+        'listAuditEntries',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const entries = await this.opsServerRef.objectStorageRef.auditLogger.listRecent(
+            dataArg.limit ?? 100,
+          );
+          return { entries };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/buckets.handler.ts

@@ -1,7 +1,14 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
+
+const getStorageErrorCode = (error: unknown): string | undefined => {
+  if (!(error instanceof Error)) {
+    return undefined;
+  }
+  return (error as Error & { Code?: string }).Code || error.name;
+};
 
 export class BucketsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -29,8 +36,27 @@ export class BucketsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateBucket>(
         'createBucket',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          try {
+            await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'bucket.create',
+              targetType: 'bucket',
+              targetId: dataArg.bucketName,
+              success: true,
+            });
+          } catch (error) {
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'bucket.create',
+              targetType: 'bucket',
+              targetId: dataArg.bucketName,
+              success: false,
+              message: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+          }
           return { ok: true };
         },
       ),
@@ -41,9 +67,25 @@ export class BucketsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucket>(
         'deleteBucket',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
-          await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(dataArg.bucketName);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          try {
+            await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
+          } catch (error) {
+            if (getStorageErrorCode(error) === 'NoSuchBucket') {
+              throw new plugins.typedrequest.TypedResponseError('Bucket not found');
+            }
+            throw error;
+          }
+          await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(
+            dataArg.bucketName,
+          );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'bucket.delete',
+            targetType: 'bucket',
+            targetId: dataArg.bucketName,
+            success: true,
+          });
           return { ok: true };
         },
       ),
@@ -54,8 +96,16 @@ export class BucketsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBucketPolicy>(
         'getBucketPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          let policy: string | null;
+          try {
+            policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
+          } catch (error) {
+            if (getStorageErrorCode(error) === 'NoSuchBucket') {
+              throw new plugins.typedrequest.TypedResponseError('Bucket not found');
+            }
+            throw error;
+          }
           return { policy };
         },
       ),
@@ -66,14 +116,24 @@ export class BucketsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutBucketPolicy>(
         'putBucketPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           // Validate JSON
           try {
             JSON.parse(dataArg.policy);
           } catch {
-            throw new Error('Invalid JSON policy document');
+            throw new plugins.typedrequest.TypedResponseError('Invalid JSON policy document');
+          }
+          try {
+            await this.opsServerRef.objectStorageRef.putBucketPolicy(
+              dataArg.bucketName,
+              dataArg.policy,
+            );
+          } catch (error) {
+            if (getStorageErrorCode(error) === 'NoSuchBucket') {
+              throw new plugins.typedrequest.TypedResponseError('Bucket not found');
+            }
+            throw error;
           }
-          await this.opsServerRef.objectStorageRef.putBucketPolicy(dataArg.bucketName, dataArg.policy);
           return { ok: true };
         },
       ),
@@ -84,8 +144,15 @@ export class BucketsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucketPolicy>(
         'deleteBucketPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          try {
+            await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
+          } catch (error) {
+            if (getStorageErrorCode(error) === 'NoSuchBucket') {
+              throw new plugins.typedrequest.TypedResponseError('Bucket not found');
+            }
+            throw error;
+          }
           return { ok: true };
         },
       ),

ts/opsserver/handlers/credentials.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
 
 export class CredentialsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,10 +18,12 @@ export class CredentialsHandler {
         'getCredentials',
         async (dataArg) => {
           await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials.map(
+          const activeCredentials = await this.opsServerRef.objectStorageRef
+            .listAccessCredentials();
+          const credentials = activeCredentials.map(
             (cred) => ({
               accessKeyId: cred.accessKeyId,
-              secretAccessKey: cred.secretAccessKey.slice(0, 4) + '****',
+              secretAccessKey: '********',
             }),
           );
           return { credentials };
@@ -34,14 +36,38 @@ export class CredentialsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AddCredential>(
         'addCredential',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          this.opsServerRef.objectStorageRef.config.accessCredentials.push({
-            accessKeyId: dataArg.accessKeyId,
-            secretAccessKey: dataArg.secretAccessKey,
-          });
-          // Update the smartstorage auth config
-          this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
-            this.opsServerRef.objectStorageRef.config.accessCredentials;
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials;
+          if (credentials.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
+            throw new plugins.typedrequest.TypedResponseError('Credential already exists');
+          }
+
+          try {
+            await this.opsServerRef.objectStorageRef.replaceAccessCredentials([
+              ...credentials,
+              {
+                accessKeyId: dataArg.accessKeyId,
+                secretAccessKey: dataArg.secretAccessKey,
+              },
+            ]);
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.add',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: true,
+            });
+          } catch (error) {
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.add',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: false,
+              message: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+          }
           return { ok: true };
         },
       ),
@@ -52,19 +78,38 @@ export class CredentialsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveCredential>(
         'removeCredential',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const creds = this.opsServerRef.objectStorageRef.config.accessCredentials;
+          if (!creds.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
+            throw new plugins.typedrequest.TypedResponseError('Credential not found');
+          }
           if (creds.length <= 1) {
             throw new plugins.typedrequest.TypedResponseError(
               'Cannot remove the last credential',
             );
           }
-          this.opsServerRef.objectStorageRef.config.accessCredentials = creds.filter(
-            (c) => c.accessKeyId !== dataArg.accessKeyId,
-          );
-          // Update the smartstorage auth config
-          this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
-            this.opsServerRef.objectStorageRef.config.accessCredentials;
+          try {
+            await this.opsServerRef.objectStorageRef.replaceAccessCredentials(
+              creds.filter((credential) => credential.accessKeyId !== dataArg.accessKeyId),
+            );
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.remove',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: true,
+            });
+          } catch (error) {
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.remove',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: false,
+              message: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+          }
           return { ok: true };
         },
       ),

ts/opsserver/handlers/index.ts

@@ -5,3 +5,4 @@ export { ObjectsHandler } from './objects.handler.ts';
 export { ConfigHandler } from './config.handler.ts';
 export { CredentialsHandler } from './credentials.handler.ts';
 export { PoliciesHandler } from './policies.handler.ts';
+export { AuditHandler } from './audit.handler.ts';

ts/opsserver/handlers/objects.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
 
 export class ObjectsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -34,8 +34,15 @@ export class ObjectsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteObject>(
         'deleteObject',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.objectStorageRef.deleteObject(dataArg.bucketName, dataArg.key);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.delete',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.key}`,
+            success: true,
+          });
           return { ok: true };
         },
       ),
@@ -57,13 +64,20 @@ export class ObjectsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutObject>(
         'putObject',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.objectStorageRef.putObject(
             dataArg.bucketName,
             dataArg.key,
             dataArg.base64Content,
             dataArg.contentType,
           );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.put',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.key}`,
+            success: true,
+          });
           return { ok: true };
         },
       ),
@@ -74,8 +88,15 @@ export class ObjectsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeletePrefix>(
         'deletePrefix',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.objectStorageRef.deletePrefix(dataArg.bucketName, dataArg.prefix);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'objectPrefix.delete',
+            targetType: 'objectPrefix',
+            targetId: `${dataArg.bucketName}/${dataArg.prefix}`,
+            success: true,
+          });
           return { ok: true };
         },
       ),
@@ -98,12 +119,22 @@ export class ObjectsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MoveObject>(
         'moveObject',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          return await this.opsServerRef.objectStorageRef.moveObject(
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.opsServerRef.objectStorageRef.moveObject(
             dataArg.bucketName,
             dataArg.sourceKey,
             dataArg.destKey,
           );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.move',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.sourceKey}`,
+            success: result.success,
+            metadata: { destKey: dataArg.destKey },
+            message: result.error,
+          });
+          return result;
         },
       ),
     );
@@ -113,12 +144,22 @@ export class ObjectsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MovePrefix>(
         'movePrefix',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          return await this.opsServerRef.objectStorageRef.movePrefix(
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.opsServerRef.objectStorageRef.movePrefix(
             dataArg.bucketName,
             dataArg.sourcePrefix,
             dataArg.destPrefix,
           );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'objectPrefix.move',
+            targetType: 'objectPrefix',
+            targetId: `${dataArg.bucketName}/${dataArg.sourcePrefix}`,
+            success: result.success,
+            metadata: { destPrefix: dataArg.destPrefix },
+            message: result.error,
+          });
+          return result;
         },
       ),
     );

ts/opsserver/handlers/policies.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
 
 export class PoliciesHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -30,8 +30,15 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNamedPolicy>(
         'createNamedPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const policy = await pm().createPolicy(dataArg.name, dataArg.description, dataArg.statements);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.create',
+            targetType: 'policy',
+            targetId: policy.id,
+            success: true,
+          });
           return { policy };
         },
       ),
@@ -42,8 +49,15 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNamedPolicy>(
         'updateNamedPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const policy = await pm().updatePolicy(dataArg.policyId, dataArg.name, dataArg.description, dataArg.statements);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.update',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+          });
           return { policy };
         },
       ),
@@ -54,8 +68,15 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNamedPolicy>(
         'deleteNamedPolicy',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await pm().deletePolicy(dataArg.policyId);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.delete',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+          });
           return { ok: true };
         },
       ),
@@ -77,8 +98,16 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AttachPolicyToBucket>(
         'attachPolicyToBucket',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await pm().attachPolicyToBucket(dataArg.policyId, dataArg.bucketName);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.attach',
+            targetType: 'bucket',
+            targetId: dataArg.bucketName,
+            success: true,
+            metadata: { policyId: dataArg.policyId },
+          });
           return { ok: true };
         },
       ),
@@ -89,8 +118,16 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DetachPolicyFromBucket>(
         'detachPolicyFromBucket',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await pm().detachPolicyFromBucket(dataArg.policyId, dataArg.bucketName);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.detach',
+            targetType: 'bucket',
+            targetId: dataArg.bucketName,
+            success: true,
+            metadata: { policyId: dataArg.policyId },
+          });
           return { ok: true };
         },
       ),
@@ -118,8 +155,16 @@ export class PoliciesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetPolicyBuckets>(
         'setPolicyBuckets',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await pm().setPolicyBuckets(dataArg.policyId, dataArg.bucketNames);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.setBuckets',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+            metadata: { bucketCount: dataArg.bucketNames.length },
+          });
           return { ok: true };
         },
       ),

ts/opsserver/handlers/status.handler.ts

@@ -23,5 +23,16 @@ export class StatusHandler {
         },
       ),
     );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetClusterHealth>(
+        'getClusterHealth',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const clusterHealth = await this.opsServerRef.objectStorageRef.getClusterHealth();
+          return { clusterHealth };
+        },
+      ),
+    );
   }
 }